SPLA-Audit Exposure Difficult to Estimate

One of the first steps we typically recommend to businesses facing software audits from any source is to try to estimate the financial exposure related to those audits. Doing so allows a company to allocate its resources more efficiently and to set aside reserves or make other financial preparations in advance of settlement, when auditors often demand quick action in order to secure more favorable terms.

Unfortunately, not all audits are created equal, and potential financial exposure sometimes can be difficult or even impossible to reliably estimate at the outset of a matter. Audits demanded by Microsoft in connection with Services Provider License Agreements (SPLAs) are good examples. Under the SPLA license model, companies send monthly reports to software resellers with product quantities that are calculated based on the Microsoft software resources allocated to hosting-services customers during the reporting month. That model leads to a number of complicating factors, including the following:

  • Historical Extrapolations: In the absence of historical data regarding past software usage, the approach typically applied by Microsoft’s auditors is to take a “snapshot” of audit data and then to compare that usage level against reported licenses throughout the entire audit period, effectively assuming no growth in the hosting environment. Obviously, this is a wholly inaccurate representation of actual usage for most businesses, but it shifts the burden to the audited entity to propose an appropriate method to extrapolate the actual usage levels. Whether a particular proposal is acceptable to Microsoft can be difficult to predict.
  • Variable License Metrics: For some products, the license model may have changed over time, such that current software deployments that require a certain kind of license now would have required a different license in the past. Windows Server licensing is a good example. Variable license metrics like that can greatly complicate the process of preparing an accurate exposure analysis.
  • Uncertain User Counts: For user counts associated with products licensed on a Subscriber Access License (SAL) basis, the default assumption of Microsoft’s auditors typically is to use the number of “Active” accounts in Active Directory as the count of users authorized to access the software. However, many service providers use different methods to calculate user counts that may result in lower numbers of authorized users than reflected in AD, especially if those providers do not periodically clean up their AD registries. As with the appropriate extrapolation method, it can be difficult to convince Microsoft that an alternative user metric should apply.

For all of these reasons, it is critical to implement thorough and mature software-asset management practices in all environments to be licensed under SPLA. Microsoft and its auditors are experts at capitalizing on the ambiguous nature of Microsoft’s license agreements, and businesses caught unprepared can find themselves facing crippling audit exposure.