SPLA Audit

Microsoft can audit any service provider it chooses at any time. But some things could increase your risk of an SPLA audit, including:

    • Mergers and acquisitions – especially purchasing another company
    • Hosting software from a third party
    • Higher or lower SPLA reporting
    • Discrepancies on related products (Office/RDS, SharePoint/SQL, etc.)
    • Forgetting, missing or avoiding an SPLA report
    • Reporting minimal usage despite advertising hosting offerings
    • Providing solutions on Microsoft Software as a Service without an SPLA agreement

Audit types

In general, there are 3 different types of audits:

    • Independent audit
    • Self-certification audit
    • Verified self-assessment (VSA)

The independent audit

This is typically conducted by KPMG, Deloitte, E&Y, etc., appointed by Microsoft.

An independent audit is time-consuming, frequently adversarial and in most cases expensive.

The reason for this is that the auditor, even though independent, will in many cases make assumptions that favor Microsoft to the detriment of the service provider.

The internal hourly spend on an independent audit is often in the hundreds and sometimes even higher.

Self-certification audit

This audit type allows the service provider to choose between 2 options of certifications:

  • The first certification states that a completed review revealed no shortfalls in the number of reported licenses.
  • The second certification, which is required if shortfalls were revealed, adds two things to the first certification:
      • Ordering of adequate licenses to cover all prior unlicensed usage
      • Implementation of corrective measures to ensure accuracy in future reporting periods

The internal hourly spend on a self-certification depends on the internal processes, level of automation, historic documentation, etc.

Verified self-assessment (VSA)

This audit type shares components from both the independent audit and the self-certification audit.

As with the independent audit, a vendor coordinates the audit, including:

  • Setting the scope,
  • Requesting data and
  • Analyzing inventory and usage data versus licensing.

But, as with the self-certification, the service provider is responsible for collecting the data and delivering it to the auditor/vendor.

The internal hourly spend on a self-certification depends on the internal processes, level of automation, historic documentation, etc.

It is worth noting that some SPLA agreements state that an audit must be performed by an independent auditor. A vendor conducting a VSA may not be an independent auditor, but may have a closer relationship to Microsoft. Typically, these can be identified by their email address, which contains a “v-”, like “v-<name>@microsoft.com”.


What to do in relation to an audit and how to prepare.

Rule number 1: Respond to the auditor and their requests in a timely and professional manner. Provide the requested information but nothing more. If the auditor perceives you to be uncooperative, they will most likely assume you are trying to avoid the audit or mislead them on specific things.

Rule number 2: Be careful when accepting timelines/deadlines suggested by the auditor. Providing data is often more time-consuming than you might think, and you will benefit from having the time to deliver the right data.

Rule number 3: License rules can often be interpreted differently and not everything is clearly described. The auditor’s interpretation may not be satisfying for you – Seek advice, if in doubt.

2 simple statements in relation to preparation:

  • First of all, changing the past for audit purposes is fraud.
  • Secondly, you should run your daily business as if you expect to get audited tomorrow.

These 2 statements may seem a bit harsh, but look a bit deeper into what they mean for your business. The second in particular means that if you are not in control of:

  • What is installed,
  • Who has access during the reporting month,
  • Which changes influenced licensing in each reporting month,
  • How you calculated the licenses needed, and
  • Documentation on all of the above,

then you are not fully prepared for an audit or self-assessment.

Your best defense for audit purposes is documentation – as described above – and this is a key feature in the SPLA manager application.


Did you know…?

Even though Microsoft appoints the auditor, it is the auditor that chooses the tools and processes for the audit?

Getting audited is not a random lottery? Even though some say it is, your chances of getting audited relate to several factors, like:

  • Everybody should expect to get audited every 3rd year (even though some have not been audited in 7 or 8 years).
  • The indications mentioned earlier on this page will also increase the chance of an audit,
  • If you have been audited and it became costly for you, someone might check up on you to validate if you are in better control – after 2-3 years.

You don’t have to go through the audit on your own? You can seek advice from your SPLA reseller/distributor or engage with a SAM expert, like Scott & Scott, splalicensing.com or others.