Microsoft SPLA Self-Assessment – What It Is, and How to Respond
Many of our clients have been contacting us in recent weeks (mid-late 2017) regarding notices they received from Microsoft requesting an internal self-assessment of their license positions under their Services Provider License Agreements (SPLAs). Naturally, many of those clients have questions about that process and the ramifications of cooperating with Microsoft.
For those who may be unaware, SPLA is the principal licensing framework that Microsoft uses in order to enable online service providers to incorporate Microsoft’s software products in the solutions that those providers host for their customers over the Internet. Unlike traditional license agreements, which typically entail capital expenditures in order to acquire perpetual software licenses that can last longer than the term of the purchasing agreement, SPLA entails a monthly reporting model. Each month, service providers measure their usage of Microsoft products in their hosted environments, and they report that usage to authorized SPLA resellers. The resellers then generate invoices based on those reports, which the service providers typically pay as an operating expense.
Like all commercial Microsoft licensing agreements, SPLA gives Microsoft the right to conduct audits to verify that its products are being used (and reported) consistent with applicable licensing terms. In many cases, Microsoft designates third-party firms, such as KPMG, Deloitte or Pricewaterhouse, to gather the necessary inventory data and to prepare a report comparing the usage previously reported under SPLA against the deployments measured based on the audit data. Microsoft then reviews the auditors’ reports, and the audited companies then usually place supplemental license orders under their SPLAs in order to resolve any under-reporting identified through the audit process. For service providers with high volumes of monthly usage, the dollar amounts of those supplemental orders can be well into the millions of dollars.
Under most SPLAs, Microsoft has the express right to require its SPLA licensees to complete the self-assessment process in lieu of submitting to a “traditional” SPLA audit conducted according to the process described above. However, even if that right were not stated in the SPLA, we would recommend that our clients comply with the self-assessment process in an effort to avoid any more burdensome audit activity to be undertaken by a third-party auditor. The self-assessment process represents a much more favorable framework for verifying compliance with SPLA, for at least the following reasons:
- No deployment or usage information needs to be submitted to Microsoft. In most cases, the self-assessment process typically is completed when a licensee provides a signed, written certification confirming that it has completed an internal review and either (1) that all SPLA usage has been properly reported, or (2) that a supplemental report has been submitted in order to resolve any identified, past under-reporting. It usually is not necessary to provide Microsoft with any deployment counts or any further details regarding the results of the internal review.
- No under-reporting penalties appear to apply. The SPLA self-assessment notice message typically requires only that a licensee report additional license quantities to the reseller in order to resolve any past errors. In other SPLA audits, Microsoft has the right to apply a contractual penalty for any under-reporting, and that penalty typically consists of 25% markup over list SPLA prices. The self-assessment notice does not indicate that the contractual penalty would apply for any supplemental orders placed as a result of the self-assessment process.
We therefore ordinarily recommend that our clients cooperate with SPLA self-assessment requests.
In theory, the self-assessment process should mirror a SPLA licensee’s monthly reporting process. If the licensee has mature software asset management (SAM) processes in place, then each month it should be gathering and archiving all the data that it should require in order to confirm its usage of any Microsoft products installed in its environment. For that reason, a confident licensee in that position could sign and return the requested self-assessment certification immediately upon receiving the self-assessment request.
However, many licensees are not in that position, and for them, the self-assessment represents an excellent opportunity to assess and review their internal monthly reporting processes. We regularly work with SPLA licensees to conduct those sorts of initiatives, identifying tools that would be capable of gathering information relevant to licensing information as well as reports that should be generated and gathered each month in order to confirm usage levels. While the kinds of reporting used will vary, depending on the kinds of Microsoft products being licensed under SPLA, the typical set of reports includes the following:
- Hardware Inventory – One or more reports identifying all physical and virtual servers and the operating systems running on those machines.
- Software Inventory – One or more reports showing all Microsoft products installed on the computers identified in the hardware inventory.
- Virtualization Data – Reporting that maps virtual machines to their physical hosts and provides relevant information regarding those hosts’ hardware configurations.
- Active Directory – Reporting that identifies the computers included in the hosting domain(s) and also the user groups and accounts with access to those computers.
- Secondary Inventories – While not requested in every audit, Microsoft’s auditors also may ask for secondary data sources to validate the completeness of the device inventories generated from the other sources identified above. The list of devices from an anti-virus solution is a common request.
We also typically advise our clients to create and maintain archives of all reports gathered each month in order to support their SPLA reports, so that historical usage may be validated during any SPLA conducted in the future by one of Microsoft’s selected audit firms. Absent that kind of historical data repository, Microsoft’s auditors often attempt to extrapolate historical usage levels based on data collected during the audit – those extrapolated findings often are inaccurate and can result in inflated SPLA audit resolution demands from Microsoft.
Business leaders who receive self-assessment requests from Microsoft should work with their teams to determine their level of confidence regarding the monthly SPLA-reporting practices. If there is any doubt regarding the maturity of those practices, then the team should undertake an initiative to implement any appropriate improvements and, absent any unique concerns, to provide a timely response to the self-assessment request. If the team believes that it lacks any subject-matter expertise in order to complete that initiative, then it makes sense to engage a knowledgeable attorney to assist with the process.