What is a Microsoft SPLA Verified Self-Audit?

If you provide commercial hosting services using Microsoft’s Service Provider License Agreement (SPLA), you may become a target of an ever-increasing variety of license audits from Microsoft and its vendors.  The latest flavor of a Microsoft SPLA audit is the verified self-assessment or VSA.  The SPLA verified self-assessment differs from both the independent audit and the Self-Certification audit being used by Microsoft.  Traditionally, Microsoft audited service providers using independent auditors such as KPMG, E&Y, and Deloitte.  These audits were time-consuming, expensive, and frequently adversarial, with the so-called independent auditors making assumptions that favored Microsoft to the detriment of the service provider.

A newer audit model Microsoft launched is the SPLA certified self-assessment.   Unlike an independent audit, the self-assessment process does not require the service provider to provide evidence of deployments but instead to choose between two options of certifications.  The first SPLA certification option allows the service provider to affirm that a review has been undertaken and revealed that there was no shortfall in licenses reported.  The second SPLA certification option allows the service provider to affirm that a review has been undertaken and adequate licenses have been ordered to cover all prior unlicensed usage along with an implementation of corrective measures for future reporting periods.  While self certifications present certain challenges, they can usually be completed in 45 days with little third-party involvement.  Once a true-up order is placed and the certification is completed, the SPLA certification process typically concludes without the need to share evidence or haggle over license interpretation.

The newest Microsoft SPLA audit is the verified self-assessment, also known as the VSA.  The verified self-assessment shares components of the SPLA independent audit and the SPLA self-certification audit.  Like the independent audit, Microsoft uses a vendor to coordinate the audit, make data requests, and analyze the deployment data.  Most SPLA agreements require vendors  conducting the audit to be independent.  The vendors in a verified self assessment are not independent.  They frequently will be masquerading as Microsoft employees, but are not.  A service provider can identify these vendors by the “v-“ at the beginning of the provider’s e-mail address Microsoft assigns to them. Like the self-certification audit, the service provider is expected to do the data collection and prepare worksheets to be verified by Microsoft.  Deployment data and other relevant data collection is submitted and there is no opportunity or expectation that a certification of compliance will be submitted.  Both the self certification and the verified self assessment are lower cost and more scalable options for Microsoft to target service providers.  If you have been targeted by Microsoft for a SPLA audit, you need experienced counsel to protect your rights.