Two sentences for the busy reader. A SPLA audit is run by an independent Big Four accounting firm acting under the audit clause in your Microsoft Business and Services Agreement, and its authority is broad but not unlimited. Knowing exactly who the auditor is, who instructs them, and what they can compel is the first lever a hoster has to keep the process inside its proper boundaries.
Who actually conducts the audit
The letter arrives from Microsoft, but Microsoft does not run a SPLA audit itself. It appoints a third party. For the Services Provider License Agreement that third party is almost always one of the Big Four accounting firms, engaged as an independent verifier rather than as a sales team. The distinction matters. The auditor is paid to produce a defensible position, not to sell you licenses, and that gives you a different set of conversations than a partner-led review would.
The auditor reports to Microsoft, not to you. Their findings flow back to the Microsoft licensing compliance team, who own the commercial outcome. The auditor sizes the gap. Microsoft decides what to do with it. Understanding that split tells you where to argue mechanics, which is with the auditor, and where to argue commercials, which is with Microsoft.
The authority they hold under the agreement
The audit clause sits inside the Microsoft Business and Services Agreement, the same master agreement that governs your SPLA. It gives the auditor the right to verify your compliance with reasonable notice, during business hours, and with reasonable cooperation from you. Those three phrases, reasonable notice, business hours, and reasonable cooperation, are the frame for everything that follows.
Inside that frame the auditor can request a defined and substantial set of records. The common requests are predictable:
- Your monthly SPLA reports for every reporting cycle in scope, normally the full 36-month lookback.
- Server and infrastructure inventories, including virtualization hosts, and the configuration data that shows how Microsoft workloads are deployed.
- Daily authentication or access counts where a product is licensed on a Subscriber Access License basis.
- Customer contracts and onboarding records that show who consumed the software and under what terms.
- Usage logs and management tooling exports that let them reconcile what was deployed against what was reported.
What they cannot demand
The clause is a verification right, not an open warrant. The auditor is entitled to what it reasonably needs to confirm your SPLA position. It is not entitled to a fishing expedition across your whole business, to data unrelated to Microsoft licensing, or to immediate production with no notice. You can require that the engagement run to an agreed scope and timetable, that requests come in writing, and that they map to specific products and periods. A request you cannot tie back to a licensing question is a request you can ask the auditor to justify.
How the two sides differ from an end customer audit
A hoster audit is not the same animal as an end customer audit, and the auditor knows it. An end customer audit produces an Effective License Position, a single reconciliation of deployment against entitlement at a point in time. A SPLA audit tests every month across the lookback, because SPLA is pay-as-you-consume and compliance is a monthly obligation. The auditor is therefore looking for months where reporting fell short, not just for a current snapshot.
| Role | Who | What they control |
|---|---|---|
| Audit sponsor | Microsoft licensing compliance | Scope, the decision to audit, and the final settlement |
| Auditor | Independent Big Four firm | The technical reconciliation and the sizing of any gap |
| Reporting party | You, the hoster | The evidence, the timetable, and the right to challenge the method |
| Buyer side defense | Independent advisor | Rebuilding the monthly position and separating fixed fees from the negotiable uplift |
Why the opening request list is wider than the answer
Auditors open broad because broad is efficient for them and revealing about you. The first request list will usually ask for more than the audit strictly needs. That is not a trap so much as a default. Your job is to respond completely to what is in scope and to seek clarification on the rest, rather than emptying every drawer on day one. A controlled, accurate, well-mapped response signals discipline, and discipline is what shifts the tone of the engagement.
The defensive posture from the first letter
From the moment the notice lands, you want a single point of contact, a written log of every request and response, and an internal reconstruction of your monthly position running in parallel with the auditor's work. The auditor will build their number from your infrastructure data. You want your own number, built from your operations records, ready to put beside it. When the two differ, and they almost always do, the gap is the negotiation.
This is the same reporting discipline that prevents exposure in the first place: monthly Subscriber Access License reports filed on time, sealed daily authentication counts, customer mapping for each reported block, product version mapping, and documented multi-tenant boundaries. Where that discipline exists, the auditor has little room to inflate. Where it is thin, your own reconstruction is what fills the gap before Microsoft does.
What to do next
If you have received an audit notice, or you expect one, read the full guide before you answer the first data request. It walks through the lookback, the evidence that holds, and the difference between back fees you cannot move and the uplift you can.
When the exposure is real, our SPLA audit defense team challenges the counting before back fees are set.