Control 3.5: Cost Allocation and Budget Tracking
Control ID: 3.5
Pillar: Reporting
Regulatory Reference: SOX 302/404, GLBA 501(b), OCC 2011-12, FINRA Rule 4511, FINRA Regulatory Notice 25-07, SEC Rule 17a-4(b)(4) (financial records)
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated
Objective
Establish defensible cost visibility, allocation, and budget governance for Microsoft 365 Copilot, Copilot Studio, AI Builder, Dataverse, and Azure-based AI services. This control supports accurate chargeback to business units, threshold-based budget alerting, license-utilization optimization, and the production of financial books-and-records evidence sufficient to support SOX 404 ITGC walkthroughs, FINRA Rule 4511 supervisory evidence, and SEC Rule 17a-4(b)(4) records-retention obligations.
Implementation requires named owners (Finance, AI Governance Lead, Power Platform Admin), a CFO- or Controller-approved rate card, and WORM-equivalent retention for chargeback artifacts. Tooling supports these obligations; it does not satisfy them.
Why This Matters for FSI
- SOX 302 / 404 (ITGC): Material IT expenditures require a documented allocation methodology, variance analysis, and management certification. AI services are an emerging cost category that external auditors increasingly scope into IT general controls walkthroughs.
- GLBA 501(b) Safeguards Rule: Information-security program costs (including AI-agent monitoring and DLP) must be funded and tracked; the FTC's 2023 amendments expect documented Board reporting on the safeguards program, which depends on accurate cost roll-ups.
- OCC 2011-12 / Federal Reserve SR 11-7 (Model Risk): Third-party AI/model spend (including M365 Copilot, Azure OpenAI consumption, and AI Builder credits) requires documented oversight, budget controls, and ongoing performance evaluation against cost expectations.
- FINRA Rule 4511 + Regulatory Notice 25-07: Technology-of-record evidence — including the financial cost of producing supervisory and audit records — must be preserved as part of books and records.
- SEC Rule 17a-4(b)(4): Financial records (including cost-allocation methodology, rate cards, and chargeback ledgers) must be retained in non-rewriteable, non-erasable (WORM) format for the regulatory retention period.
- Examiner scrutiny: FINRA, the SEC, the OCC, the Federal Reserve, and state banking regulators routinely sample IT spend governance during cycle exams; AI-agent cost attribution is a new line item examiners are explicitly asking about (FINRA 25-07).
No companion solution by design
Not all controls have a companion solution in FSI-AgentGov-Solutions; solution mapping is selective by design. This control is operated via native Microsoft admin surfaces and verified by the framework's assessment-engine collectors. See the Solutions Index for the catalog and coverage scope.
Control Description
This control wires together four Microsoft surfaces that, in combination, can produce examiner-defensible cost evidence for AI-agent workloads:
- Microsoft 365 admin center → Copilot → Billing & usage: Pay-as-you-go (PAYG) billing policies and Copilot Credit policies (GA April 2026) scope consumption to specific Entra ID groups, attaching usage to a designated Azure subscription/resource group for cost-center attribution.
- Power Platform admin center → Resources → Capacity (and Analytics): Per-environment storage, AI Builder credit, Copilot Studio message, and Power Automate run consumption.
- Azure Cost Management + Billing: Tag-based cost views, exports to storage, scheduled exports to Power BI, and budget alerts (notification-only — Azure budgets do not auto-cap spend).
- Microsoft Cost Management for Microsoft 365 (Billing → Cost Management): Department- and policy-level Copilot consumption breakdowns, including the high-usage-users report (GA March 2026).
| Capability | Description | Primary Surface |
|---|---|---|
| Capacity Monitoring | Track Dataverse, AI Builder, Copilot Studio, and Power Automate consumption per environment | Power Platform admin center → Resources → Capacity |
| Cost Attribution | Map consumption to a business unit via Entra ID security-group → billing-policy mapping and Azure tags | M365 admin center + Azure tags |
| Budget Alerts | Notification-only thresholds (50 / 75 / 90 / 100 %) on Azure scope; no automatic shutoff | Azure Cost Management → Budgets |
| Chargeback Reporting | Monthly reports for Finance and business units, retained as books and records | Power BI / Excel + Purview retention |
| License Optimization | Identify inactive Copilot seats and underutilized Power Platform capacity | M365 admin center + PPAC |
| High-Usage Users | Surface accounts driving disproportionate Copilot consumption | M365 admin center → Copilot → Usage |
Budgets Are Notification-Only
Azure Cost Management budget alerts emit notifications when thresholds are crossed; they do not block, throttle, or revoke access. Cost containment in M365 Copilot PAYG also relies on notifications, not enforcement. Hard-cap behavior — if required for SOX 404 or board-mandated risk appetite — must be implemented via process (e.g., automated suspension of agents via Control 2.1 environment policies, deactivation of billing policies, or removal from the assigned Entra ID security group).
Pricing Disclaimer
This control intentionally does not publish per-unit list prices. Microsoft Copilot, Copilot Studio message, AI Builder credit, and Dataverse storage prices change frequently and vary by program (EA, MCA, MCA-E, MPSA, sovereign clouds). Source current rates from your Microsoft account team or the Microsoft 365 Copilot pricing page and the Power Platform licensing guide. Use those rates to populate the firm's CFO/Controller-approved rate card; do not embed list prices in this framework.
M365 Copilot Billing Policy Constraints
Each tenant supports up to 50 active Copilot billing policies. Once a billing policy is created, its scope assignment is immutable — to change which Entra ID group it covers, the policy must be deleted and recreated. Plan the policy taxonomy and approval workflow before creation; document deletions and recreations as change records under your written supervisory procedures (FINRA Rule 3110).
Key Configuration Points
- Adopt a documented environment-naming convention that encodes business unit, zone, and lifecycle stage (e.g., `WEALTH-Z3-PROD`) so consumption can be attributed without manual reconciliation.
- Apply a mandatory Azure tag set (`CostCenter`, `BusinessUnit`, `Zone`, `Owner`, `Application`) via Azure Policy so that resources lacking tags are reported as policy violations.
- Create M365 Copilot billing policies (PAYG and/or Copilot Credit) per business unit, scoped to an Entra ID security group; record the immutable scope decision in a change ticket.
- Configure scheduled Cost Management exports (daily, amortized) to a Storage account with immutability policy enabled, so exports can serve as 17a-4(b)(4) financial records.
- Build a Power BI workspace (or use the Cost Management connector) showing cost by business unit, agent, environment, and 13-month trend; restrict access via row-level security to BU-owners and Finance.
- Configure Azure Cost Management budget alerts at 50 / 75 / 90 / 100 % with distribution to BU owner, Finance, and AI Governance Lead; document the escalation path because alerts do not enforce.
- Establish a monthly chargeback close process with Finance sign-off, rate-card version pinning, and a CFO/Controller-approved variance threshold (typically ±5 %).
- Retain chargeback ledgers, rate cards, and variance memos in Microsoft Purview retention or another WORM-compliant store for the firm's records-retention period (commonly 6 years for FINRA Rule 4511 / SEC Rule 17a-4 firms).
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal Productivity) | Shared cost pool funded by IT; identify the top-decile consumer monthly using the high-usage-users report; no per-user chargeback | Allocation overhead exceeds materiality; outlier identification protects against anomalous spend |
| Zone 2 (Team Collaboration) | Department-level allocation via Copilot billing policy; quarterly chargeback; BU-owner attestation; budget alerts at 75 / 90 / 100 % | Team budgets are managed at the department level; quarterly cadence aligns with most internal close cycles |
| Zone 3 (Enterprise Managed) | Agent-level cost attribution (via environment per agent or Dataverse table-level tagging); monthly chargeback to Finance by the 5th business day; pre-deployment budget approval; variance memos for ±5 % deviations; 6-year WORM retention of all artifacts | High-stakes regulated workloads (advisor copilots, lending decisioning, surveillance) require granular books-and-records and a documented approval path that examiners can trace |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Power Platform Admin | Configure capacity views, enforce environment naming + tag policy, export PPAC capacity data on the monthly cadence |
| AI Administrator | Create and maintain M365 Copilot PAYG and Credit billing policies; assign Entra ID security groups; produce monthly Copilot usage exports |
| Entra Global Admin | Initial setup of Copilot billing policies (one-time tenant-wide action); subsequent operations are delegated to the AI Administrator under PIM |
| Finance / Controller | Approve rate card; sign off on monthly chargeback ledgers; own variance memos; maintain SOX 404 ITGC documentation |
| AI Governance Lead | Set budget thresholds; convene variance reviews; escalate sustained over-budget conditions to the AI Governance Committee |
| Compliance Officer | Confirm chargeback artifacts are retained per FINRA 4511 / SEC 17a-4(b)(4); evidence the retention configuration during exams |
| Business Unit Owner | Sign off on department budget; receive and respond to budget alerts; provide attestation on quarterly chargeback |
Related Controls
| Control | Relationship |
|---|---|
| 3.1 - Agent Inventory | Agent metadata supplies the CostCenter / BusinessUnit attributes that this control aggregates |
| 3.2 - Usage Analytics | Usage volumes (messages, sessions) drive consumption-based cost calculations |
| 2.1 - Managed Environments | Environment structure (per-BU or per-agent) is the primary cost-attribution boundary |
| 2.2 - Environment Groups | Environment groups enforce zone-aligned policy and cost rollups |
| 1.9 - Data Retention and Deletion Policies | Defines the WORM retention store used for 17a-4(b)(4) chargeback records |
| 2.6 - Model Risk Management (OCC 2011-12, SR 11-7) | Cost is one input to the model-risk cost-benefit assessment for AI agents |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- All AI-related Microsoft consumption is captured in Cost Management exports with <5 % variance to the invoice / Microsoft Customer Agreement statement for the period; the variance memo is signed by Finance.
- Business-unit attribution is accurate: every Azure resource and every Copilot billing policy traces to a documented `CostCenter` and Entra ID security-group assignment; untagged resources are reported as Azure Policy non-compliant.
- Budget alerts have fired (live or in test) at each configured threshold (50 / 75 / 90 / 100 %), and alert distribution lists are current. The control owner has documented that alerts are notification-only and that the firm has a separate enforcement mechanism for hard caps.
- Monthly chargeback reports are delivered to Finance by the 5th business day, are signed off by Finance and the BU owner, and are written to a WORM-compliant store (Purview retention label or storage immutability) within the same close window.
- Inactive Copilot license seats (>30 days no activity) are reported monthly; reclamation actions are tracked.
- Cost trends are visible in a Power BI dashboard (or Cost Management view) with at least 13 months of history (so year-over-year comparison is possible at any point).
- Quarterly: an evidence sample (one Copilot billing policy, one Azure budget, one chargeback ledger, one variance memo) is pulled and verified against the SOX 404 walkthrough script; the sample, walkthrough, and tester sign-off are retained as evidence.
- Sovereign-cloud parity: tenants in GCC / GCC High / DoD have documented which surfaces (e.g., Microsoft 365 Copilot PAYG, Cost Management exports) are not yet at parity and what manual compensating controls bridge the gap.
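As an added example (not part of the framework or its assessment-engine collectors), the following Python script models the checks implied by the Key Configuration Points and the Verification Criteria above: it parses the `WEALTH-Z3-PROD` naming convention, flags resources missing the mandatory tag set, attributes cost by business unit, evaluates the 50 / 75 / 90 / 100 % alert thresholds, and tests export-versus-invoice variance against the ±5 % tolerance. The export rows and their column names are constructed and simplified for illustration; they are not the real Cost Management export schema.

```python
import re

# Environment naming convention from the control: <BU>-Z<zone>-<stage>, e.g. WEALTH-Z3-PROD.
ENV_NAME = re.compile(r"^(?P<bu>[A-Z0-9]+)-Z(?P<zone>[1-3])-(?P<stage>DEV|TEST|UAT|PROD)$")
REQUIRED_TAGS = ("CostCenter", "BusinessUnit", "Zone", "Owner", "Application")
THRESHOLDS = (50, 75, 90, 100)   # budget alert thresholds (percent); notification-only in Azure
VARIANCE_LIMIT = 0.05            # CFO/Controller-approved +/-5 % export-vs-invoice tolerance

# Constructed sample rows standing in for a daily amortized Cost Management export.
# The column names are a simplification for this example, not the real export schema.
EXPORT_ROWS = [
    {"id": "/rg/openai-wealth", "env": "WEALTH-Z3-PROD", "cost": 4200.0,
     "tags": {"CostCenter": "CC100", "BusinessUnit": "WEALTH", "Zone": "3",
              "Owner": "bu-owner@example.com", "Application": "AdvisorCopilot"}},
    {"id": "/rg/aibuilder-lending", "env": "LENDING-Z3-PROD", "cost": 1800.0,
     "tags": {"CostCenter": "CC200", "BusinessUnit": "LENDING", "Zone": "3"}},
    {"id": "/rg/sandbox-01", "env": "sandbox-01", "cost": 95.0, "tags": {}},
]

def parse_env_name(name):
    """Return (bu, zone, stage) when the name follows the convention, else None."""
    m = ENV_NAME.match(name)
    return (m["bu"], int(m["zone"]), m["stage"]) if m else None

def tag_violations(rows):
    """Resources missing any mandatory tag, i.e. what Azure Policy should report as non-compliant."""
    return {r["id"]: [t for t in REQUIRED_TAGS if t not in r["tags"]]
            for r in rows if any(t not in r["tags"] for t in REQUIRED_TAGS)}

def cost_by_bu(rows):
    """Attribute cost by the BusinessUnit tag, falling back to the environment name."""
    totals = {}
    for r in rows:
        parsed = parse_env_name(r["env"])
        bu = r["tags"].get("BusinessUnit") or (parsed[0] if parsed else "UNATTRIBUTED")
        totals[bu] = totals.get(bu, 0.0) + r["cost"]
    return totals

def thresholds_crossed(spent, budget):
    """Alert thresholds the spend has reached; crossing one notifies, it does not stop spend."""
    pct = 100.0 * spent / budget
    return [t for t in THRESHOLDS if pct >= t]

def invoice_variance(export_total, invoice_total):
    """Signed export-vs-invoice variance ratio and whether it is within the approved limit."""
    ratio = (export_total - invoice_total) / invoice_total
    return round(ratio, 4), abs(ratio) <= VARIANCE_LIMIT
```

Anything landing in `UNATTRIBUTED` or in the violations map is exactly what the monthly close should surface to the Power Platform Admin before Finance signs the ledger.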
Additional Resources
- Azure Cost Management overview
- Azure budgets — create and manage
- Schedule Cost Management exports
- Power Platform licensing and pricing
- Power Platform capacity (Dataverse, AI Builder, Copilot Studio messages)
- Microsoft 365 Copilot pay-as-you-go billing policies
- Microsoft 365 Copilot — view costs and billing
- Azure Policy — Require a tag and its value on resources
- Microsoft Purview retention policies (records retention surface for chargeback artifacts)
Agent Essentials Billing (Preview)
Note: The following resources are preview documentation and may change.
Microsoft's Agent Deployment Checklist Category 8 covers billing and capacity management:
- Agent-level cost attribution via Blueprint metadata
- Capacity planning guidance for enterprise deployments
- Microsoft Learn: Agent Deployment Checklist (Preview) - Category 8 billing and capacity requirements
Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current