What a Microsoft SPLA audit is

Published September 9, 2025 · Updated October 23, 2025 · Track: Hoster · Reading: 9 minutes · Level: Foundational

A SPLA audit checks whether a hoster reported and paid correctly for Microsoft software it delivered to customers, every month, across a 36 month lookback. A Big Four firm runs it under the MBSA audit clause. Knowing how the pieces fit together is the start of defending it.

The Services Provider License Agreement, or SPLA, is how Microsoft licenses hosters, managed service providers, and outsourcers that deliver its software to external customers. It is not a one time purchase. It is a monthly program where you report what you used and pay for it as you go. A SPLA audit is the verification of that reporting, and because the program is monthly, the audit is unusually granular. It does not ask whether you are compliant today. It asks whether you were compliant in every single month it can reach.

This article explains what a SPLA audit actually is, who runs it, what it covers, and why its structure matters so much for the defense. For the complete method, the SPLA audit defense guide takes it further.

Pay as you consume, verified every month

The defining feature of SPLA is that it is pay as you consume. Each month you report your usage to Microsoft through your reseller and pay for what you reported. Because billing happens monthly, compliance is judged monthly too. The auditor does not look at a single snapshot. It reconstructs your position for every reporting cycle in scope and checks each one.

A SPLA audit is not one verification. It is thirty six of them, one per month.

That monthly structure is the single most important thing to understand. A gap in one month is its own finding. A gap that repeats across many months compounds, because each month carries its own back fee and its own potential uplift. This is why a small recurring reporting error can grow into a large number over a full lookback, and why the defense has to be built month by month rather than in aggregate.

Who runs the audit and under what authority

A SPLA audit is conducted by a Big Four accounting firm acting as an independent third party. Its authority comes from the audit clause in the Microsoft Business and Services Agreement, the MBSA. Under that clause the auditor can request a wide range of records, and the scope of what it can ask for surprises many hosters the first time.

  • Deployment records showing what Microsoft software ran and where
  • Server configuration data, including core and processor counts
  • Customer contracts that establish who was served and on what terms
  • Usage logs and authentication data that evidence actual consumption

The auditor is not your reseller and not a sales contact. It is an accounting firm with a defined mandate, and it will follow the evidence. That cuts both ways: an auditor that follows evidence will also follow the evidence you provide in your own favor, which is the foundation of the defense.

The 36 month lookback

SPLA audits typically reach back 36 months. That window is what turns a reporting habit into a financial exposure. Everything you reported, and everything you should have reported, across three years is in scope. The lookback is also why reporting discipline matters more than any single month's accuracy: the audit rewards consistent, evidenced reporting and punishes drift that accumulates quietly over time.

The practical consequence is that the defense is largely about reconstruction. To answer the auditor you have to rebuild your true monthly position for each of those months, on your own evidence, and compare it to what the auditor proposes. The hoster that can reconstruct its base credibly controls the conversation. The one that cannot is left accepting the auditor's reconstruction by default.

Back fees and the penalty uplift behave differently

A SPLA finding has two parts, and they do not behave the same way. Separating them is central to the defense, because effort spent arguing the wrong one is effort wasted.

| Component | What it is | Negotiable? |
|---|---|---|
| Back fees | The license cost you should have paid, at the price file rate, for use you under reported | No, the price file is fixed |
| Penalty uplift | An additional charge of 25 to 125 percent depending on severity, duration, and nature of the under reporting | Yes, this is where the argument lives |

Back fees at the price file rate are not negotiable. If you genuinely under reported, you owe the license cost. The uplift is different. It ranges from 25 to 125 percent and depends on factors you can speak to: how severe the gap was, how long it persisted, and whether it reflects an honest reporting error or something worse. The defense concentrates its energy on the uplift, and on shrinking the under reported base that drives the back fee in the first place.

Why structure decides the outcome

Everything about a SPLA audit comes back to its structure: monthly cycles, a 36 month reach, a Big Four auditor with broad authority, and a finding split between fixed fees and a negotiable uplift. A hoster that understands this can prepare for it, reconstruct its base, separate the two components, and argue the uplift down. A hoster that treats the audit as a single compliance check, judged on today's position, walks into a process built to compound every gap it can find.

A buyer side advisor defends the SPLA audit the way it is actually built: month by month, evidence first, with the back fee and the uplift handled separately. Our guarantee applies here too: we reduce your exposure or we reimburse our service fee, and with gainshare you pay only from verified savings. To go deeper into the mechanics and the defense, download the SPLA audit defense guide.

If an auditor is already asking questions, we defend the full 36 month lookback through our SPLA audit defense work.

A SPLA audit is built to compound. The defense is built to reconstruct.

Download the SPLA audit defense guide for the full mechanics of the 36 month lookback, the reporting discipline that holds up, and the moves that bring the uplift down.

Not affiliated with Microsoft Corporation. Independent buyer side advisory only.