Microsoft audits can be overwhelming if you aren’t prepared for the work ahead. Understanding the audit process and where to start can take some of the pressure off. Here is an overview of the Microsoft SPLA Audit process and a few tips to help you prepare for your next Microsoft SPLA audit.
What is SPLA?
SPLA stands for Services Provider License Agreement and is Microsoft’s pay-as-you-go license program for hosters. If you host Microsoft software either directly or indirectly for commercial benefit, then you most likely already have a SPLA agreement or need to sign one. While SPLA is flexible and allows for scaling up and down on a monthly basis, it can be equally confusing to interpret the rules for SPLA.
Hosters are expected to apply the long and convoluted SPUR (Services Provider Use Rights) to unique scenarios and accurately report usage to their reseller each month. This often results in partners either under-reporting (exposing themselves to compliance risk), or over-reporting (unnecessary over-spending that could otherwise be contributing towards their profits).
Why does Microsoft conduct audits?
As with most major software publishers, Microsoft conducts formal audits with its business customers in an effort to help them achieve or maintain license compliance, and to protect Microsoft’s intellectual property rights. The MBSA (Microsoft Business & Services agreement) contains an “audit clause” that entitles Microsoft to conduct an audit through an independent third party, typically a certified public accounting firm. Additionally, the standard SPLA agreement contains a “How Compliance is Verified” section that speaks to how Microsoft will request “relevant records” and how licensees must “promptly” provide the data requested by the independent auditor.
How does the Microsoft SPLA Audit Work?
- The audit letter: To initiate the audit, Microsoft’s License and Contract Compliance (LCC) division will send your organization a notification letter that will indicate Microsoft’s intent to execute the audit clause.
– Kick-off call: Within a few days of receiving the audit letter, the designated independent audit firm will reach out to schedule a kick-off call. During this call, the auditors will explain the processes and procedures involved, the data collection toolset you can leverage, and the timeline for the audit. During this call, auditors may ask questions to understand what your hosted offerings are and how your infrastructure is set up.
- The next step is to collect the data requested by the auditors. Broadly, the data requested will fall under the following categories:
Script / tool outputs:
- Active Directory machine and user listings
- Virtual environment exports with host-guest-cluster relationships
- Software inventory
- Features users have the ability to access (to determine SAL levels required for Exchange, SharePoint, Skype for Business, etc.)
- Internal tracking information that shows how you arrived at your monthly SPLA reporting numbers
- Billing information – for what you’re billing your customers
- Agreements you have with your customers
- Software assurance verification forms
Analysis and Reporting: Once all data has been collected, the audit firm will analyze the data and put together an audit report known as an ELP (Effective License Position). While most of the work during this phase is on the auditors, it is crucial that you review each draft of the report thoroughly and provide specific feedback to the auditors. What most licensees do not immediately realize is that this is where your first phase of negotiations begins! A partner that specializes in SPLA licensing (Anglepoint) can help you interpret the report and minimize exposure during this crucial phase.
– Settlement: Once the ELP has been finalized, auditors will hand off the report to Microsoft for resolution. Microsoft will send you a financial summary of the audit findings. Ideally, at this point, the ELP is final and the discussion is mostly around making a favorable settlement. Licensing experts, either in-house or through a partner, can again help you optimize these negotiations by distinguishing licensing “gotchas” from legitimate non-compliance issues that need a true up. It’s worth noting that if a non-compliance of 5% or greater is found, Microsoft has the rights to recover the audit costs from you as well as charge you 125% of the actual price for the licenses owed.
How are Microsoft SPLA Audits different from perpetual licensing audits?
- Going through an audit targeting perpetual licensing can be an onerous exercise in itself, but Hosters face an additional set of unique challenges during a SPLA audit. If you have a SPLA agreement it is only a matter of time before you are audited by Microsoft.
– Look-back period: SPLA audits involve a historical reconciliation that can go back up to 3 years. This means licensees must maintain historical records showing how they arrived at monthly reporting numbers. In the absence of historical data, auditors are able to “extrapolate” for historical findings, often to the detriment of the licensee and in favor of Microsoft.
– Actual use versus Ability to use: Product use rights under SPLA are different from those under agreements that pertain to perpetual licensing. Throughout a SPLA audit, auditors will look for data on the ability to access a certain piece of software, as opposed to actual use.
– BYOL and license mobility: Hosters often allow end customers to bring their own licenses (e.g., through their customer’s EA) to the hosted environment. Verifying compliance for these scenarios makes up a significant component of the SPLA audit.
How can you prepare for your Microsoft SPLA audit?
One of the most common questions we hear from SPLA licensees is “What activities might trigger an audit?”. Our experience has shown that the following activities are likely to raise red flags:
– Stagnant reporting
– Missed monthly reporting
– No (or low) reporting in spite of marketing hosted offerings
– M&A activity
Regardless, you can expect to be audited on average, once every three years. So how do you prepare to face an audit?
Understand your hosted offerings and software dependencies. Start by collecting information on all hosted offerings that exist across the board in your company. Then filter for those that leverage Microsoft software either directly or indirectly. Ensure all such software is licensed through the appropriate channel (typically SPLA). Finally, know the right metrics to report for each product.
– Leverage the right tools. A third-party SAM tool that periodically discovers new machines and users will help you stay abreast with changes in your environment.
– Maintain historical data. Clearly documented reporting history that includes details on which machines and users contributed towards each month’s reporting will minimize the scope for assumptions on the part of the auditors.
– You (the hoster) are responsible for ensuring compliance in BYOL (Bring your own license) scenarios! Know if you are authorized to allow your customers to bring their own licensing to multi-tenant environments. Do the licenses being brought by the end customer carry software assurance? Are you maintaining the associated software assurance verification forms?
– Perform periodic health checks. Frequent internal audits or independent health checks performed by a partner not only help provide a fresh perspective on potential compliance issues, but also help identify potential over-spending and savings opportunities.
– Understand that effective software asset management is a result of people, process, and technology working together in harmony. Many hosters have sophisticated tools deployed that are designed to assist with accurate SPLA reporting, but without the right people to draw insights and apply this data to unique scenarios and create organization-wide SAM policies and processes, they often miss the mark. Partners like Anglepoint with decades of licensing and SAM experience can help you bridge this gap.
Things to know throughout the Microsoft SPLA audit process
– You drive the timeline. Even though Microsoft and the auditors will try to enforce one themselves. If you need a postponement to take care of critical business activities, request one earlier in the process than later.
– You are not required to use the tools the audit firm provides. If you already have in-house or third-party tools that can provide the fields and information needed for the audit, you can leverage them instead of the tools the audit firm provides.
– Hold off on providing any data you have questions on. Understand how and why the auditors will use every data field being requested. Do not volunteer more information than you need to!
– Set the right context. The auditors may be licensing experts, but they will never know as much about your environment as you do. Keep the auditors honest and help them make the most cost-effective assignments by helping them understand your hosting model and setting the right context.
– Review every draft of the audit report thoroughly. Question all assumptions and provide timely feedback.
– Ensure any concessions negotiated during the settlement process are clearly documented. This will set you up for success in case of a future negotiation or audit settlement.
With these tools and knowledge in your arsenal, you are better equipped to face a Microsoft SPLA audit. However, facing an audit or staying compliant with SPLA can still be overwhelming. This is where Anglepoint can help. Our team of experienced ex- SPLA auditors provides a wide range of SPLA services ranging from point-in-time reporting health checks to SPLA managed services (complete outsourcing of SPLA reporting function). If you have already received an audit letter, you do not have to go it alone. Please reach out to us at anglepoint.com/schedule to schedule time to talk with an SPLA expert.