Control 4.8: Cost Allocation and License Optimization
Control ID: 4.8
Pillar: Operations & Monitoring
Regulatory Reference: SOX Section 404 (Internal Controls over Financial Reporting), OCC Heightened Standards, FFIEC IT Examination Handbook
Last Verified: 2026-02-17
Governance Levels: Baseline / Recommended / Regulated
Objective
Establish governance controls for Copilot license cost tracking, per-department cost allocation, usage-based license optimization, ROI tracking, and budget forecasting to support compliance with internal financial controls, fiduciary obligations, and regulatory expectations for responsible technology spending in financial services environments.
Why This Matters for FSI
Microsoft 365 Copilot represents a significant per-user licensing cost that scales with deployment breadth. With the introduction of a pay-as-you-go (PAYG) billing option, institutions now face additional governance complexity: managing both fixed per-seat costs and variable metered costs within a unified cost governance framework. For financial institutions, this cost governance is not merely a procurement concern -- it intersects with multiple regulatory and fiduciary obligations:
SOX Section 404: For publicly traded financial institutions, internal controls over financial reporting require that material technology expenditures are properly authorized, allocated, and reported. If Copilot license costs are material to a department's budget, the allocation methodology becomes part of the institution's internal control framework. The PAYG model's variable nature requires additional budget authorization controls to prevent cost overruns from undermining SOX ITGC procedures.
Fiduciary Obligations: Banks and credit unions owe fiduciary duties to depositors and members. Investment advisers owe fiduciary duties to clients. Demonstrating that the institution exercises prudent stewardship over technology spending -- including active license optimization and budget cap enforcement for PAYG billing -- supports these obligations.
OCC Heightened Standards: The OCC expects large banks to maintain effective frameworks for identifying, measuring, monitoring, and controlling operational risks, which include technology cost management. Uncontrolled or poorly tracked AI licensing costs -- particularly variable PAYG costs that can spike unexpectedly -- could indicate governance weaknesses. Budget caps and monitoring demonstrate responsible cost governance under OCC expectations.
FFIEC IT Examination Handbook: The FFIEC expects institutions to conduct cost-benefit analyses for technology investments and to monitor ongoing costs relative to projected benefits. The FFIEC also expects that cost-benefit analyses comparing licensing models (per-seat versus PAYG) are documented and periodically reviewed. License optimization directly supports this expectation.
From a practical standpoint, Copilot licenses that remain assigned to inactive users represent both a financial waste and a governance gap -- the institution is paying for licenses that may not be actively governed if the user is not engaging with the tool. Under the PAYG model, the equivalent risk is ungoverned usage that accumulates charges without management visibility or budget authorization.
Disclaimer
This control is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. See full disclaimer.
Control Description
Pay-As-You-Go Billing Model
Microsoft 365 Copilot pay-as-you-go is administered through billing policies rather than simple tenant-wide enablement. Administrators create a billing policy tied to an Azure subscription and a responsible set of users or groups, optionally add a budget and email notifications, and then connect that policy to supported Copilot services such as Microsoft 365 Copilot Chat, SharePoint agents, and Retrieval API. PAYG is disabled by default until a billing policy is connected to a service.
Per-Seat vs. Pay-As-You-Go Governance Comparison
| Factor | Per-Seat License | Pay-As-You-Go |
|---|---|---|
| Pricing model | Fixed licensed-user count | Metered Azure charges based on actual service usage |
| Predictability | Highly predictable | Variable and dependent on policy coverage plus usage |
| Access model | License assignment | Users or groups covered by a connected billing policy |
| Features included | Full Microsoft 365 Copilot suite | Specific connected services such as Copilot Chat |
| Governance overhead | License assignment, inventory, and reclamation | Billing policy ownership, budgets, notifications, and cost review |
| FSI consideration | Predictable spend for stable populations | Flexible access that requires tighter approval and monitoring |
PAYG Governance Controls
The variable cost structure of the PAYG model requires governance controls that differ materially from per-seat license management:
- Billing policy ownership: Assign each billing policy to a named cost owner and approved business scenario.
- Budget and notifications: Add a budget limit and email notifications to each active billing policy.
- Scoped access: Connect billing policies only to approved services and approved users or groups.
- Cost review: Monitor costs in M365 Admin Center > Cost Management and Microsoft Cost Management.
- Self-service oversight: Review Settings > Org settings > Self-service trials and purchases because self-service is managed per product, not through a single tenant-wide off switch.
License Cost Tracking
Microsoft 365 Copilot licensing costs should be tracked at multiple levels, incorporating both per-seat and PAYG components:
| Cost Component | Description | Tracking Method |
|---|---|---|
| Base License Cost | Per-user Microsoft 365 Copilot seats | Microsoft billing portal / EA agreement |
| PAYG Metered Cost | Usage-based charges for services connected to a billing policy | M365 Admin Center Cost Management and Azure Cost Management |
| Prerequisite Licenses | M365 E3/E5 or equivalent required for Copilot | Included in total cost of ownership |
| Add-on Licenses | Copilot for specific workloads (for example, Sales or Service) | Separate license tracking |
| Governance Tooling | Additional licenses for governance (Purview, Defender, Viva Insights) | Incremental cost allocation |
| Training and Change Management | Costs for user enablement and adoption programs | Project cost tracking |
| Administrative Overhead | IT staff time for Copilot governance and management | Time allocation tracking |
Per-Department Allocation
License costs should be allocated to consuming departments for accurate financial reporting:
| Allocation Method | Description | Best For |
|---|---|---|
| Direct Assignment | Costs charged to the department of the assigned user | Departments with dedicated license pools |
| Headcount-Based | Costs distributed proportionally by department headcount | Broad enterprise deployments |
| Usage-Based | Costs allocated based on actual Copilot usage metrics | Mature deployments with usage analytics |
| Hybrid | Combination of fixed allocation and usage-based variable | Large institutions with varying adoption |
Usage-Based License Optimization
Active monitoring of license utilization identifies optimization opportunities:
| Optimization Action | Trigger | Expected Savings |
|---|---|---|
| License Reclamation | User inactive for 60+ days | Full license cost recovery |
| Role-Based Right-Sizing | Low usage in specific roles | Reassignment to higher-value roles |
| Feature-Specific Optimization | Users only using one Copilot surface | Evaluate if lower-cost alternatives exist |
| Seasonal Adjustment | Temporary usage patterns (e.g., audit season) | Temporary license assignment/removal |
| Departing Employee Recovery | Employee termination or transfer | Immediate license reclamation |
License Reclamation Policy
Establish clear criteria for license reclamation:
- Inactivity Threshold: Define the number of days of non-use before a license is flagged for reclamation (recommend 60 days for financial institutions)
- Grace Period: Provide a notification period before reclamation (recommend 14 days)
- Exemptions: Document exemptions (e.g., employees on approved leave, seasonal roles)
- Reactivation Process: Define how a user can request license reassignment after reclamation
- Manager Notification: Notify the user's manager before reclaiming a license
Copilot Surface Coverage
| Surface | Cost Tracking Relevance | Notes |
|---|---|---|
| M365 Copilot (base) | Primary license cost | Per-user license covers all M365 Copilot features |
| Microsoft 365 Copilot Chat (PAYG) | Metered cost under connected billing policy | Available for approved users or groups without assigning full Copilot seats |
| Copilot for Sales | Additional license | Separate SKU for CRM-integrated features |
| Copilot for Service | Additional license | Separate SKU for service desk features |
| Copilot for Finance | Additional license | Separate SKU for finance-specific features |
| Copilot Studio | Consumption-based | Pay-per-use for custom copilot scenarios |
| Prerequisite M365 License | Foundational cost | Must be factored into total cost of ownership |
Governance Levels
Baseline
- Maintain a current inventory of all Copilot licenses (type, quantity, assignment), including any active PAYG billing policies and the users or groups they cover. Track licenses by department:

```powershell
# Requires the Microsoft Graph PowerShell SDK; read-only scopes are sufficient for inventory
Connect-MgGraph -Scopes "Directory.Read.All","Reports.Read.All"
# Resolve the Copilot SKU ID from the tenant's subscribed SKUs
$copilotSku = (Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "MICROSOFT_365_COPILOT").SkuId
# List every user holding that SKU, with Department so the export can feed cost allocation
Get-MgUser -All -Property "DisplayName,Department,UserPrincipalName,AssignedLicenses" |
    Where-Object { $_.AssignedLicenses.SkuId -contains $copilotSku } |
    Select-Object DisplayName, Department, UserPrincipalName |
    Export-Csv "CopilotLicensees-ByDept.csv" -NoTypeInformation
```

- Track total Copilot licensing cost monthly, including both per-seat and PAYG metered costs — Portal: M365 Admin Center > Reports > Microsoft 365 Copilot usage; M365 Admin Center > Billing > Pay-as-you-go services; M365 Admin Center > Cost Management
- Implement basic license allocation to departments based on user assignment; use per-seat licensing only for maximum cost predictability at Baseline
- Establish a license reclamation process for departing employees
- Generate quarterly license utilization reports showing assigned vs. active usage — Graph API:

```http
GET /reports/microsoft365CopilotUsageSummary(period='D30')
GET /reports/getMicrosoft365CopilotUserDetailReport(period='D30')
```

- Define the license request and approval process for new Copilot assignments
- If PAYG is used, document the billing policy owner, connected service, budget notifications, and covered users or groups — Portal: M365 Admin Center > Billing > Pay-as-you-go services
Recommended
- Implement usage-based license optimization with 60-day inactivity threshold
- Enable PAYG billing for occasional users with documented approval workflow; configure billing-policy budgets and notifications before enabling PAYG access — Portal: M365 Admin Center > Billing > Pay-as-you-go services
- Create department-level cost allocation reports for internal chargeback or showback, including separation of per-seat and PAYG costs using billing policy ownership and Cost Management data
- Reconcile billing policy coverage to the correct cost center monthly
- Establish ROI tracking that compares license costs to measured productivity benefits and observed usage patterns; use per-user detail reports where available and document PAYG service coverage at the group level
- Automate license reclamation notifications for inactive users
- Integrate license cost data with the institution's financial planning system
- Conduct quarterly license optimization reviews with department stakeholders, including whether stable PAYG populations should move to full seats
- Track total cost of ownership including governance tooling, training, and administration
Regulated
- Include Copilot license cost allocation in SOX internal control testing scope, including PAYG budget authorization controls as part of IT general controls
- For PAYG deployments: review billing policy budgets, notification routing, and connected services monthly, and document the authorization hierarchy for policy changes
- Present license cost and ROI analysis to the board technology or risk committee, including the decision basis for per-seat versus PAYG populations
- Maintain formal cost-benefit documentation per FFIEC expectations, including documented analysis of which user populations are assigned seats versus connected to billing policies
- Implement automated license lifecycle management tied to HR systems (hire/transfer/terminate)
- Conduct quarterly PAYG cost anomaly reviews to detect unusual usage spikes or unexpected policy coverage changes
- Conduct annual independent review of license optimization effectiveness
- Document license allocation methodology for auditor review, including the mapping between billing policies, services, and cost owners
- Maintain 7-year records of license assignments, cost allocations, and PAYG usage reports
Setup & Configuration
Step 1: Establish License Inventory
- Navigate to M365 Admin Center > Billing > Licenses
- Document all Copilot-related licenses:

| License Type | Purchased | Assigned | Available | Monthly Cost |
|---|---|---|---|---|
| Microsoft 365 Copilot | [qty] | [qty] | [qty] | $XX/user |
| Copilot for Sales | [qty] | [qty] | [qty] | $XX/user |
| Copilot for Service | [qty] | [qty] | [qty] | $XX/user |
| Copilot Studio | [units] | N/A | N/A | $XX/unit |

- Record enterprise agreement terms, discount rates, and renewal dates
Step 1b: Configure Pay-As-You-Go Billing (If Applicable)
For organizations adopting the PAYG model for occasional or seasonal users:
- Navigate to Microsoft 365 Admin Center > Billing > Pay-as-you-go services.
- Create or review the billing policy tied to the correct Azure subscription.
- Add the approved users or groups to the billing policy and document the responsible cost owner.
- Add a budget limit and email notifications to the billing policy.
- Connect the billing policy to the approved service, such as Microsoft 365 Copilot Chat.
- Review usage and charges in M365 Admin Center > Cost Management and Microsoft Cost Management.
- Review Settings > Org settings > Self-service trials and purchases and document the per-product status for Microsoft 365 Copilot and adjacent self-service products.
Step 2: Configure License Assignment Groups
Use Entra ID group-based licensing for structured assignment:
- Create Entra ID groups for each Copilot license pool:
  - Copilot-Licensed-FrontOffice
  - Copilot-Licensed-BackOffice
  - Copilot-Licensed-Compliance
  - Copilot-Licensed-IT
- Assign Copilot licenses to groups in Entra ID > Groups > [Group] > Licenses
- Document group membership criteria and approval process
Step 3: Implement Usage Monitoring
- Connect Copilot usage reports (Control 4.5) to license assignment data
- Create a monthly report identifying:
- Users with licenses assigned but zero usage in the past 30 days
- Users with licenses assigned but minimal usage (fewer than 5 interactions per month)
- Users with high usage who might benefit from additional Copilot features
- Establish review workflow for optimization recommendations
Step 4: Configure Cost Allocation
- Map Copilot license assignments to cost centers via Entra ID attributes:
- Create monthly cost allocation report:

| Department | Users Licensed | Active Users | Monthly Cost | Cost per Active User |
|---|---|---|---|---|
| Trading | XX | XX | $XXX | $XX |
| Wealth Mgmt | XX | XX | $XXX | $XX |
| Operations | XX | XX | $XXX | $XX |
| Compliance | XX | XX | $XXX | $XX |
- Distribute cost reports to department heads for budget management
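A worked version of the Step 4 report using the Hybrid method from the Per-Department Allocation table (per-seat cost charged directly to the licensed user's department, PAYG metered cost distributed by each department's share of Copilot activity), added here as an example rather than code from the control or from Microsoft. The unit costs, the sample rows and the use of Step 3's five-interaction minimum as the "active" threshold are constructed assumptions.

```powershell
# Added example: hybrid per-department allocation of per-seat and PAYG Copilot cost.
# Inputs are constructed placeholders; in production, join the Baseline inventory CSV
# with the Copilot user detail report and take PAYG totals from Cost Management.
$SeatMonthlyCost = 30.0     # placeholder per-user seat cost; use the institution's EA rate
$PaygMonthlyTotal = 420.0   # placeholder metered total for the month from Cost Management

# Constructed sample: one row per user; Seat=$false means PAYG Copilot Chat coverage only
$rows = @(
    [pscustomobject]@{ UPN='t1@contoso.example'; Department='Trading';     Seat=$true;  Interactions=140 }
    [pscustomobject]@{ UPN='t2@contoso.example'; Department='Trading';     Seat=$true;  Interactions=0   }
    [pscustomobject]@{ UPN='w1@contoso.example'; Department='Wealth Mgmt'; Seat=$true;  Interactions=35  }
    [pscustomobject]@{ UPN='o1@contoso.example'; Department='Operations';  Seat=$false; Interactions=60  }
    [pscustomobject]@{ UPN='o2@contoso.example'; Department='Operations';  Seat=$false; Interactions=20  }
    [pscustomobject]@{ UPN='c1@contoso.example'; Department='Compliance';  Seat=$true;  Interactions=3   }
)

function Get-CopilotCostAllocation {
    param(
        [object[]]$Rows,
        [double]$SeatCost,
        [double]$PaygTotal,
        [int]$ActiveThreshold = 5   # Step 3 treats fewer than 5 interactions/month as minimal usage
    )
    $totalInteractions = ($Rows | Measure-Object -Property Interactions -Sum).Sum
    foreach ($group in ($Rows | Group-Object -Property Department)) {
        $seatUsers   = @($group.Group | Where-Object { $_.Seat })
        $paygUsers   = @($group.Group | Where-Object { -not $_.Seat })
        $activeUsers = @($group.Group | Where-Object { $_.Interactions -ge $ActiveThreshold })
        $deptInteractions = ($group.Group | Measure-Object -Property Interactions -Sum).Sum
        # Direct assignment for seats; usage-based share of the metered PAYG pool
        $seatCost = $seatUsers.Count * $SeatCost
        $paygCost = 0.0
        if ($totalInteractions -gt 0) { $paygCost = $PaygTotal * $deptInteractions / $totalInteractions }
        $monthly = $seatCost + $paygCost
        $perActive = $null
        if ($activeUsers.Count -gt 0) { $perActive = [math]::Round($monthly / $activeUsers.Count, 2) }
        [pscustomobject]@{
            Department        = $group.Name
            UsersLicensed     = $seatUsers.Count
            PaygUsers         = $paygUsers.Count
            ActiveUsers       = $activeUsers.Count
            SeatCost          = [math]::Round($seatCost, 2)
            PaygCost          = [math]::Round($paygCost, 2)
            MonthlyCost       = [math]::Round($monthly, 2)
            CostPerActiveUser = $perActive   # null flags a department paying for zero active users
        }
    }
}

$report = Get-CopilotCostAllocation -Rows $rows -SeatCost $SeatMonthlyCost -PaygTotal $PaygMonthlyTotal
$report | Format-Table -AutoSize
$report | Export-Csv 'CopilotCostAllocation-ByDept.csv' -NoTypeInformation
```

Departments with a null CostPerActiveUser, or a PaygCost with no approved billing-policy owner, are the rows to raise in the quarterly optimization review.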
Step 5: Establish License Reclamation Workflow
- Define automation rules (using Power Automate or equivalent):
- Trigger: User inactive in Copilot for 60 consecutive days
- Action 1: Send notification to user and manager (14-day grace period)
- Action 2: If no activity after grace period, remove from Copilot license group
- Action 3: Log reclamation event for audit trail
- Define exemption categories:
- Approved medical or personal leave
- Seasonal roles with predictable inactive periods
- New hires in onboarding (first 30 days exempt)
- Document reactivation request process
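The Step 3 inactivity check and the Step 5 reclamation rules combined into one script, added here as an example that is not part of the control or of Microsoft's tooling. The per-user input fields, the license group ID, the sample rows and the run date are assumptions; the only Graph call is Remove-MgGroupMemberByRef, which needs a prior Connect-MgGraph with GroupMember.ReadWrite.All.

```powershell
# Added example: evaluates the 60-day / 14-day reclamation rules against constructed data.
# Assumed per-user fields, joined from the inventory CSV, the Copilot user detail report
# ("Last activity date") and the previous run's audit log:
#   UPN, Id, Department, LastActivityDate, AssignedDate, HireDate, Exemption, NotifiedOn
$InactivityDays = 60   # control recommends 60 days for financial institutions
$GraceDays      = 14   # notification period before reclamation
$OnboardingDays = 30   # new hires exempt during their first 30 days
$LicenseGroupId = '<Copilot-Licensed-* group object ID>'   # placeholder, set per license pool
$DryRun         = $true   # set to $false to actually remove users from the license group

function Get-CopilotReclamationDecision {
    param([pscustomobject]$User, [datetime]$Today)
    # Documented exemptions: approved leave, seasonal roles, onboarding window
    if ($User.Exemption) { return 'Exempt' }
    if ($User.HireDate -and ($Today - [datetime]$User.HireDate).Days -lt $OnboardingDays) { return 'Exempt' }
    # A user who never used Copilot is measured from the license assignment date
    $lastSeen = if ($User.LastActivityDate) { [datetime]$User.LastActivityDate } else { [datetime]$User.AssignedDate }
    if (($Today - $lastSeen).Days -lt $InactivityDays) { return 'Active' }
    if (-not $User.NotifiedOn) { return 'Notify' }    # Action 1: start the grace period
    if ($Today -ge ([datetime]$User.NotifiedOn).AddDays($GraceDays)) { return 'Reclaim' }   # Action 2
    return 'InGrace'
}

# Constructed sample rows (not real accounts); dates are relative to the run date below
$runDate = [datetime]'2026-03-02'
$users = @(
    [pscustomobject]@{ UPN='t1@contoso.example'; Id='obj-1'; Department='Trading';     LastActivityDate='2026-02-27'; AssignedDate='2025-11-01'; HireDate=$null;        Exemption='';               NotifiedOn=$null }
    [pscustomobject]@{ UPN='o1@contoso.example'; Id='obj-2'; Department='Operations';  LastActivityDate='2025-12-15'; AssignedDate='2025-11-01'; HireDate=$null;        Exemption='';               NotifiedOn=$null }
    [pscustomobject]@{ UPN='c1@contoso.example'; Id='obj-3'; Department='Compliance';  LastActivityDate=$null;        AssignedDate='2025-12-01'; HireDate=$null;        Exemption='';               NotifiedOn='2026-02-10' }
    [pscustomobject]@{ UPN='w1@contoso.example'; Id='obj-4'; Department='Wealth Mgmt'; LastActivityDate='2025-11-20'; AssignedDate='2025-10-01'; HireDate=$null;        Exemption='Approved leave'; NotifiedOn=$null }
    [pscustomobject]@{ UPN='n1@contoso.example'; Id='obj-5'; Department='Trading';     LastActivityDate=$null;        AssignedDate='2026-02-20'; HireDate='2026-02-20'; Exemption='';               NotifiedOn=$null }
)

# Expected with the sample above: t1 Active, o1 Notify, c1 Reclaim, w1 Exempt, n1 Exempt
$audit = foreach ($u in $users) {
    $decision  = Get-CopilotReclamationDecision -User $u -Today $runDate
    $graceEnds = $null
    switch ($decision) {
        'Notify'  { $graceEnds = $runDate.AddDays($GraceDays).ToString('yyyy-MM-dd') }   # notify user and manager here
        'Reclaim' { if (-not $DryRun) { Remove-MgGroupMemberByRef -GroupId $LicenseGroupId -DirectoryObjectId $u.Id } }
    }
    # Action 3: one audit row per evaluated user, whatever the outcome
    [pscustomobject]@{ RunDate=$runDate.ToString('yyyy-MM-dd'); UPN=$u.UPN; Department=$u.Department; Decision=$decision; GraceEnds=$graceEnds; DryRun=$DryRun }
}
$audit | Format-Table -AutoSize
$audit | Export-Csv 'CopilotReclamation-Audit.csv' -NoTypeInformation -Append
```

The appended audit CSV is also the NotifiedOn source for the next run, so the grace period is enforced from recorded evidence rather than from memory.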
Financial Sector Considerations
PAYG Model and SOX Section 404 Controls: The PAYG model introduces variable AI spending that requires budget authorization controls as part of IT general controls over financial reporting. SOX Section 404 (Management Assessment of Internal Controls, 15 U.S.C. § 7262) requires that material IT expenditure controls are documented and testable. Variable PAYG costs should be reconciled between billing policy configuration, Cost Management reports, and internal cost allocation records.
OCC Heightened Standards and Cost Governance: The OCC's Heightened Standards for large banks (12 CFR Part 30, Appendix D) require effective governance frameworks for operational risk, which includes technology cost management. Uncontrolled PAYG spending — where costs can scale unexpectedly with usage — could indicate governance weakness during OCC examinations. Budget caps and anomaly monitoring demonstrate responsive cost governance aligned with OCC expectations.
FFIEC Cost-Benefit Analysis Expectation: The FFIEC IT Examination Handbook (Management Booklet, Section II.D on IT Planning) expects institutions to conduct cost-benefit analyses for technology investments and to document these analyses for examiner review. When choosing between per-seat and PAYG models for Copilot Chat access, institutions should document the user populations, approval basis, expected usage pattern, and the governance controls applied to each model.
SOX Material Expenditure: If Copilot licensing represents a material technology expenditure, the cost allocation methodology should be documented and testable as part of SOX ITGC procedures. Auditors may request evidence that license costs are properly authorized, allocated to the correct cost centers, and reconciled to vendor invoices. For PAYG deployments, this includes Azure Commerce billing reconciliation against internal PAYG usage reports.
Fiduciary Cost Management: Investment advisers who pass technology costs through to clients (as part of advisory fees) should verify that Copilot costs are appropriately allocated and that the fee disclosure reflects AI tool costs. Unjustified technology spending could raise fiduciary concerns.
Regulatory Capital Considerations: For banks and broker-dealers, technology costs affect operating expenses, which in turn affect capital ratios. Large-scale Copilot deployments should be factored into budget forecasting and capital planning processes.
Vendor Concentration Risk: Copilot licensing deepens the institution's dependency on Microsoft. Cost tracking should include consideration of vendor concentration risk and the potential cost of switching or de-platforming. This supports FFIEC third-party risk management expectations.
Budget Governance: Financial institutions typically require multi-level approval for technology expenditures above certain thresholds. The initial Copilot procurement and subsequent expansions should follow the institution's technology investment approval process, with documented business justification and expected ROI.
License True-Up Risk: Enterprise agreements often include annual true-up provisions. Institutions should track actual license consumption against contracted quantities to avoid unexpected true-up costs. License reclamation helps manage this risk.
Verification Criteria
| # | Verification Step | Expected Result |
|---|---|---|
| 1 | Review license inventory in M365 Admin Center | Inventory current and reconciled to vendor billing, including PAYG user groups |
| 2 | Verify department-level cost allocation reports | Reports produced monthly with accurate department mapping for both per-seat and PAYG costs |
| 3 | Confirm license reclamation process is operational | Inactive users identified and reclamation workflow functioning |
| 4 | Verify PAYG budgets and notifications are configured (if PAYG enabled) | Active billing policies have budgets and notification routing configured |
| 5 | Review ROI tracking documentation | ROI analysis updated quarterly with actual metrics and documented per-seat versus PAYG population decisions |
| 6 | Verify group-based license assignment | Licenses assigned via Entra ID groups, not individual assignment |
| 7 | Confirm budget forecast includes Copilot costs | Current fiscal year budget includes both per-seat licensing and PAYG estimated cost line items |
| 8 | Review license utilization report | Report shows assigned vs. active usage with optimization recommendations |
| 9 | Verify PAYG cost anomaly monitoring | Cost Management review evidence exists and unusual usage is investigated |
| 10 | Verify audit trail for license changes | Assignment, reclamation, billing-policy changes, and PAYG enablement events are logged and retrievable |
Additional Resources
- Microsoft 365 Admin Center - License Management
- Entra ID Group-Based Licensing
- Microsoft 365 Copilot Licensing Guide
- Microsoft 365 Copilot pay-as-you-go overview
- Manage self-service purchases and trials (for admins)
- Microsoft Enterprise Agreement Overview
- SOX Section 404 - PCAOB Standards
- Related Controls: 1.9 License Planning, 4.5 Usage Analytics, 4.1 Admin Settings and Feature Management, 4.6 Viva Insights Measurement
FSI Copilot Governance Framework v1.2.1 - March 2026