An auditor's document list is not a formality. Each request tests a specific part of your Effective License Position, and what you hand over shapes the number. Here is what gets asked for and what each request is really after.
When a third party accounting firm opens a formal audit under the MBSA audit clause, it sends a data request. It can feel administrative, a list of exports and spreadsheets. It is not. Every item is chosen to reconcile your deployment against your entitlement, and the gaps between those two numbers are where exposure lives.
The auditor wants to know what is installed and running. That means inventory exports, server lists, virtualization configuration, and increasingly cloud telemetry from Azure and Microsoft 365. The purpose is to count actual use, because use, not purchase, is what the license must cover. The trap is scope. An over broad export can pull in decommissioned machines, test environments, or duplicates that inflate the count. Precise, scoped data protects the real position.
Against deployment, the auditor sets your entitlement, the licenses you actually own and the rights that come with them. They will ask for purchase records, agreement documents, and Software Assurance status. This is where many organizations lose ground they did not need to, simply because entitlement is scattered across resellers, acquisitions, and old agreements. Assembling a complete entitlement picture often recovers rights a first pass missed.
Some of the largest swings come from how systems are built, not how many exist. The auditor asks for configuration data because licensing rules turn on architecture: how virtual machines map to hosts, how cores are counted, how failover and disaster recovery are arranged. A single misread of a virtualized environment can multiply a finding. Documented, accurate architecture is one of the strongest defenses you have.
Even with everything you provide, the auditor and Microsoft reconcile against Microsoft's own counting methodology and its own telemetry from Azure, Microsoft 365, and management tooling. This is why a clean SAM tool report is not the end of the story. Your tool answers your way. Microsoft's calculation answers Microsoft's way, and Microsoft's calculation governs. In 2026, anomaly detection on that telemetry is often what triggered the audit in the first place.
| Request | What it tests |
|---|---|
| Inventory and server exports | Actual deployment count |
| Purchase and agreement records | Entitlement you can prove |
| Virtualization configuration | How licenses multiply across hosts |
| Cloud telemetry | Use Microsoft can already see |
Provide what is asked for, accurately, and no more. Scope every export. Reconcile your own position first so you never learn your number from the auditor. Keep the 5 percent clause in view, because crossing it means reimbursing verification costs and buying licenses at 125 percent of price. And remember that the Effective License Position the report produces is negotiated afterward.
If an auditor is already asking questions, our Microsoft audit defense service sits between you and the auditor from first letter to final settlement.
Weekly intelligence on Microsoft and SPLA audit moves and the buyer side defenses that work.