Verified Self Audit vs. a Full SPLA Audit: What's the Difference and How Can I Tell?

It’s audit season! That wonderful time of year when you walk into your office Monday morning and see either a FedEx Overnight letter on Microsoft letterhead informing you that you’ve been selected for an audit, or maybe just an email in your inbox (or forwarded to you from whoever is listed as the primary contact on your SPLA agreement) notifying you. Nothing like receiving a message saying you’re going to have a lot of unexpected work hitting you over the next few months! Not to mention the actual money you may be forced to pay.

A few weeks ago, we made a post about the common Microsoft audit terms you should be aware of. See here if you missed it: https://splatalk.altariscloud.com/know-your-microsoft-spla-audit-terminology-the-definitive-spla-audit-terms-and-acronym-guide-part-1

One common question that’s come up a lot since that post is the difference between a SPLA VSA (SPLA Verified Self Audit) and a SPLA full audit. Not surprising at all, considering Microsoft’s audit notification season is ramping up, and once you’ve received a notification letter in the mail it’s not always clear what the implications are. In case you were wondering, there are also One Commercial Partner (hosting sales) compliance motions and Microsoft SAM team compliance motions, but we’ll focus on the more common License and Contract Compliance (LCC) initiated audits for this post.

At a high level, VSAs and full audits are similar. Both are formal invocations of the audit clause within the MBSA you’ve signed. Both have elements of data collection, both are used to identify compliance gaps in your reporting, and both are used as methods to get you to true-up with Microsoft. The method of execution between the two, however, is very different. Traditionally a VSA was meant to be a more lightweight audit. They are meant to be used on SPLA Service Providers with seemingly less complex environments, where Microsoft could avoid using third-party audit firms and instead rely on their own vendor teams to capture data, analyze it, build a report, and handle the settlement negotiation. The model was something Microsoft greatly benefited from because they didn’t need to spend the money hiring Deloitte, KPMG, E&Y, or PWC. SPLA Service Providers preferred it too, since a full audit with one of the Big Four meant extended engagement time, being stuck with the auditor fee bill if they were found out of compliance, and more wasted resources. Plus, the process is typically just easier with VSAs, since there are fewer points of contact and simpler means of data collection via templates and running a few light tools.

Full audits are those where the data collection, analysis, and report creation are done by one of the Big Four firms. They (supposedly) have the expertise in auditing larger or more complex SPLA Service Providers and are (theoretically) more capable of delivering an accurate and complete (depending on whose perspective you take) report. These have a cost associated with them that Microsoft will pass on to you if you’re found out of compliance. To be clear, these aren’t contingency-based engagements for the audit firms: they are under fixed-fee models, and the fee varies based on audit size and complexity. Process-wise, there is an “onsite” component to these where the auditors come and visit you for a few days.

Now, how do you know which one you’ve been selected for? Even this isn’t always that obvious. Overall though, you’ll know based on 1.) the notification letter, which often indicates whether it’s a VSA or a full audit, and 2.) who reaches out to you to set up a kickoff call. When LCC notifies a SPLA Service Provider that they have been selected for an audit, a physical letter is sent out and they also reach out via email. If they copy E&Y, KPMG, Deloitte, or PWC on that email, it’s probably a full audit.

Regardless of which type of notification you receive, in all cases you need to remember that, no matter how much lipstick they put on it, these audits are conducted to maximize the amount of revenue Microsoft receives. Audits are tricky to navigate on their own, let alone a SPLA audit, where there is a historical component. If you have any questions about your SPLA, especially how to ensure that you are protected before that notification even hits your door, click here to learn more about our team’s services, and if you have any questions on your SPLA at all, schedule some time with us below for a free consultation.

Remember, stay SPLAwesome!
