202008.31
Off
0

Preparing for the Inevitable SPLA Audit

in Microsoft Audits

If your company uses a Microsoft Service Provider License Agreement (SPLA)—and it probably does if Microsoft considers you to be in the commercial hosting business—you will be audited at some point. Typically, Microsoft SPLA customers are audited once every three years.

When that time comes, it is important to know how your company may be impacted and what you can do in advance to prepare. It is not an easy task; the auditors Microsoft hires (typically one of the Big Four accounting firms) use strategies that put the onus on the audited company to prove that it owns the right type and number of licenses. It is easier than you might think to be found non-compliant, and the financial exposure your company can face is significant. I have seen many cases where the amount requested exceeds the annual profit the company makes reselling  Microsoft licenses.

One of the most important preparation steps is understanding your licensing rights and contractual obligations. The first step is understanding the SPLA licensing model. There are two basic types: Subscriber Access Licenses and Core Licenses.

Subscriber Access Licenses (SAL) are assigned to authorized users and permit unlimited software deployments as long as they are accessed only by users to which they have been assigned. In other words, this license covers users who are accessing your hosted infrastructure. That means you must assign a user SAL to every person authorized to access the software, not just those who actually access it. This can become a point of contention in an audit because often, SPLA providers do not configure their systems in a way that limits those who are technically authorized to access the software. Instead, they allow anyone to access the software and count the number of people who access it in a given month.

Taking that approach can cause big problems. During an audit, auditors will examine your Active Directory groups. If they find a group that is not restricted by security classification or organizational unit, they will conclude that each user requires a SAL.

All of this confusion tends to arise from Microsoft’s definition of “use”. In the Microsoft world, you are a user if you have the credentials to access the software, not if you actually use it in a given time period. It is an important distinction, and it pays to get it right before an audit occurs. Putting in place strict, centralized server administration to avoid unauthorized access and the ability to accurately measure access are the keys to avoiding this issue.

Core Based Licenses: These licenses are assigned to the hardware itself instead of to users. If you know the licensing rules and how to count the cores, it is not too difficult to get it right. Many SPLA providers choose to  license the physical hosts with a Windows Server Data Center license, which comes with unlimited virtualization, and then license the number of cores on each physical host.

PREPARING FOR AN AUDIT

When you are notified of an impending audit, first examine the signed agreements to confirm that the scope and entities identified in the audit notice letter are correct. When companies operate multiple entities or divisions, the contractual right may be with a particular entity. Make sure you understand, and ensure that you are matching the scope of what the audit is asking for with what you plan to give them.

Before providing auditors with data they request, provide a non-disclosure agreement (NDA) that details the confidentiality of the audit data and processes to be followed during the audit. The NDA should be signed by all parties.

Next, estimate your SPLA audit exposure. In other words, what are the auditors likely to find, and how much will it cost your company?

Typically auditors start with an audited month to determine if there has been any under reporting.  Determining exposure can be difficult to estimate—and therefore defend—often due to poor record-keeping or misunderstanding how users are counted in Active Directory. Sometimes, the licensing model may even have changed over time. For example, Windows Server is now licensed based on cores, but it used to be licensed based on processors. If the count did  not change when the rules changed, the company could easily be found non-compliant.

Once the auditors have chosen a month to examine, they will collect all available data and determine if a gap in licensing existed during that month. Typically, auditors assume you are out of compliance by the same amount from the beginning of the contract. For example, if your company is spending $10,000 on Microsoft SPLA licenses per month but the audit reveals that you owe an extra $5,000 per month because of under reporting, auditors will multiply that $5,000 by the number of months you have been under contract, or a period of time for the prior contract. They often look back as far as 60  months. In this scenario, you would owe Microsoft $5,000 x 36, or $180,000. That number would then be multiplied by 1.25 percent as a penalty. By the time you add on auditor fees—typically $25,000 to $50,000—you could be on the hook for $275,000.

AFTER AN AUDIT

Even if your company emerges from the auditing process facing a stiff fine, there are ways to reduce it significantly, through negotiation. Before entering a SPLA audit settlement negotiation, though, it is important to do your own research to corroborate or challenge the audit findings. This is critical, because it is not unusual for audit investigations to come up with erroneous numbers.  Often, this is because auditors are working with incomplete or faulty data. When faced with data gaps, auditors often make assumptions, which may be incorrect.

Once everyone is on the same page and agree on a settlement, make sure to address these issues:

Installment payments: It is not always necessary to pay the entire amount up front. Often, you can negotiate structured payments or payment plans.

Release of liability: If you are going to pay for an audit time period, make sure you get a release that confirms that the issue is closed, and that Microsoft auditors will not re-examine the findings.

Audit forbearance: Microsoft has the right to audit companies yearly, but it is perfectly reasonable to request a longer period of time without an audit. This type of breathing period is commonly granted in settlements, but must be negotiated.

Confidentiality: Require Microsoft and its auditors to agree not to publicize the settlement, disparage your company, or divulge it in any way.

There are times, however, when the two sides cannot reach a mutually acceptable agreement. When that happens, companies have two choices: either terminate the SPLA and move from Microsoft to a different infrastructure, or proceed to litigation.   For most companies, moving away from or litigating with Microsoft is not an option.

If you are dealing with a Microsoft SPLA audit, you need experienced counsel to protect your rights.  If you are looking for the right law firm to defend your company in a Microsoft SPLA audit, call Scott & Scott, LLP at 214-880-8711.