SPLA Audit Defense Guide

SPLA is Microsoft's monthly licensing program for hosters, managed service providers, and outsourcers that deliver Microsoft software to external customers. It is pay as you consume. You report each month, and compliance is verified for every monthly reporting cycle, not just your current position. A SPLA audit does not photograph today. It reviews every monthly cycle across a 36 month window, so a single recurring error becomes 36 instances of that error.

A Big Four firm conducts the audit under the MBSA audit clause as an independent third party with broad authority. It can request deployment records, server configuration data, customer contracts, and usage logs. Treat every request as a question of scope and evidence rather than a reflex to hand over everything.

Hosters apply the SPUR, the Services Provider Use Rights, and report SAL or processor counts each month. Misapplied SPUR cuts both ways. Under reporting is a compliance risk that the lookback magnifies. Over reporting quietly wastes margin month after month.

This distinction decides where you fight. Back fees at the price file rate are not negotiable. The penalty uplift is. The uplift ranges from 25 to 125 percent depending on severity, duration, and the nature of the under reporting. The whole commercial battle is fought on the uplift and on the scope of what is counted.

Figures are indicative and depend on your agreement and the facts.

The hosters that survive an audit cleanly share the same habits, in place before the auditor arrives because the window to correct a reporting mistake is short.

• Monthly SAL reports submitted on time, every month
• Sealed daily authentication counts
• Customer mapping for each reported SAL block
• Product version mapping kept current
• Documented multi tenant boundaries