
Control 4.8: Cost Allocation and License Optimization

Control ID: 4.8
Pillar: Operations & Monitoring
Regulatory Reference: Sarbanes-Oxley §§302/404 (Internal Controls over Financial Reporting), 12 CFR part 30, appendix D (OCC Heightened Standards), FFIEC IT Examination Handbook
Last Verified: 2026-06-07
Governance Levels: Baseline / Recommended / Regulated


Objective

Establish governance controls for Copilot license cost tracking, per-department cost allocation, usage-based license optimization, ROI tracking, and budget forecasting to support compliance with internal financial controls, fiduciary obligations, and regulatory expectations for responsible technology spending in financial services environments.

Why This Matters for FSI

Microsoft 365 Copilot represents a significant per-user licensing cost that scales with deployment breadth. With the introduction of a pay-as-you-go (PAYG) billing option, institutions now face additional governance complexity: managing both fixed per-seat costs and variable metered costs within a unified cost governance framework. For financial institutions, this cost governance is not merely a procurement concern -- it intersects with multiple regulatory and fiduciary obligations:

Sarbanes-Oxley §§302/404: For publicly traded financial institutions, internal controls over financial reporting require that material technology expenditures are properly authorized, allocated, and reported. If Copilot license costs are material to a department's budget, the allocation methodology becomes part of the institution's internal control framework. The PAYG model's variable nature requires additional authorization, Azure subscription budget alerts, and escalation procedures so cost variances are detected and acted on through SOX ITGC procedures.

Fiduciary Obligations: Banks and credit unions owe fiduciary duties to depositors and members. Investment advisers owe fiduciary duties to clients. Demonstrating that the institution exercises prudent stewardship over technology spending -- including active license optimization, notification-only PAYG budget thresholds, and documented disablement procedures for hard stops -- supports these obligations.

12 CFR part 30, appendix D (OCC Heightened Standards): The OCC expects large banks to maintain effective frameworks for identifying, measuring, monitoring, and controlling operational risks, which include technology cost management. Uncontrolled or poorly tracked AI licensing costs -- particularly variable PAYG costs that can spike unexpectedly -- could indicate governance weaknesses. Budget notifications, Azure budget alerts, anomaly monitoring, and documented disablement authority demonstrate responsible cost governance under OCC expectations.

FFIEC IT Examination Handbook: The FFIEC expects institutions to conduct cost-benefit analyses for technology investments and to monitor ongoing costs relative to projected benefits. The FFIEC also expects that cost-benefit analyses comparing licensing models (per-seat versus PAYG) are documented and periodically reviewed. License optimization directly supports this expectation.

From a practical standpoint, Copilot licenses that remain assigned to inactive users represent both a financial waste and a governance gap -- the institution is paying for licenses that may not be actively governed if the user is not engaging with the tool. Under the PAYG model, the equivalent risk is ungoverned usage that continues after notification thresholds are reached unless the policy owner takes escalation or disablement action.

Disclaimer

This control is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. See full disclaimer.

Control Description

Pay-As-You-Go Billing Model

Microsoft 365 Copilot pay-as-you-go is administered through billing policies rather than simple tenant-wide enablement. Administrators create billing policies in M365 Admin Center > Copilot > Billing & usage > Billing policies, tie each policy to an Azure subscription and a responsible set of users or groups, optionally add notification-only budget thresholds and email recipients, and then connect that policy on the Pay-as-you-go services tab to supported Copilot services such as Microsoft 365 Copilot Chat, SharePoint agents, and Retrieval API. PAYG is disabled by default until a billing policy is connected to a service. Microsoft Learn states that PAYG budgets trigger email notifications but do not enforce a spending cap or stop usage after the threshold is exceeded.

Per-Seat vs. Pay-As-You-Go Governance Comparison

| Factor | Per-Seat License | Pay-As-You-Go |
|--------|------------------|---------------|
| Pricing model | Fixed licensed-user count | Metered Azure charges based on actual service usage |
| Predictability | Highly predictable | Variable and dependent on policy coverage plus usage |
| Access model | License assignment | Users or groups covered by a connected billing policy |
| Features included | Full Microsoft 365 Copilot suite | Specific connected services such as Copilot Chat |
| Governance overhead | License assignment, inventory, and reclamation | Billing policy ownership, budgets, notifications, and cost review |
| FSI consideration | Predictable spend for stable populations | Flexible access that requires tighter approval and monitoring |

PAYG Governance Controls

The variable cost structure of the PAYG model requires governance controls that differ materially from per-seat license management:

  • Billing policy ownership: Assign each billing policy to a named cost owner and approved business scenario.
  • Notification-only budgets: Add budget thresholds and email notifications to each active billing policy, and document that PAYG usage continues until an administrator changes policy or access configuration.
  • Azure budget alerts: Configure matching Azure budget alerts on the linked subscription or resource group because PAYG charges flow through the Azure subscription.
  • Scoped access: Connect billing policies only to approved services and approved users or groups.
  • Hard-stop runbook: Define who can remove users or groups, disconnect a billing policy from a service, or disable billable Copilot capabilities through Cloud Policy when a true spend stop is required.
  • Cost review: Monitor costs in M365 Admin Center > Billing > Cost Management and Microsoft Cost Management.
  • Self-service oversight: Review Settings > Org settings > Self-service trials and purchases because self-service is managed per product, not through a single tenant-wide off switch.

License Cost Tracking

Microsoft 365 Copilot licensing costs should be tracked at multiple levels, incorporating both per-seat and PAYG components:

| Cost Component | Description | Tracking Method |
|----------------|-------------|-----------------|
| Base License Cost | Per-user Microsoft 365 Copilot seats | Microsoft billing portal / EA agreement |
| PAYG Metered Cost | Usage-based charges for services connected to a billing policy | M365 Admin Center > Billing > Cost Management and Microsoft Cost Management for the linked Azure subscription |
| Prerequisite Licenses | M365 E3/E5 or equivalent required for Copilot | Included in total cost of ownership |
| Add-on Licenses | Copilot for specific workloads (for example, Sales or Service) | Separate license tracking |
| Governance Tooling | Additional licenses for governance (Purview, Defender, Viva Insights) | Incremental cost allocation |
| Training and Change Management | Costs for user enablement and adoption programs | Project cost tracking |
| Administrative Overhead | IT staff time for Copilot governance and management | Time allocation tracking |

Per-Department Allocation

License costs should be allocated to consuming departments for accurate financial reporting:

| Allocation Method | Description | Best For |
|-------------------|-------------|----------|
| Direct Assignment | Costs charged to the department of the assigned user | Departments with dedicated license pools |
| Headcount-Based | Costs distributed proportionally by department headcount | Broad enterprise deployments |
| Usage-Based | Costs allocated based on actual Copilot usage metrics | Mature deployments with usage analytics |
| Hybrid | Combination of fixed allocation and usage-based variable | Large institutions with varying adoption |

High-Usage User Monitoring and Message Pack Tracking

The M365 Admin Center now provides high-usage user monitoring capabilities (March 2026) that are directly relevant to PAYG cost governance:

  • High-usage user identification: Administrators can identify users with significantly above-average Copilot interaction volumes, supporting both governance review and cost forecasting for consumption-based billing.
  • Message pack tracking: For organizations using PAYG billing, message pack consumption is now visible in Cost Management, enabling FSI finance and compliance teams to track variable Copilot consumption against budgeted thresholds.
  • Budget governance integration: High-usage patterns should be correlated with billing policy budget notifications and Azure budget alerts to detect cost anomalies before they become material spend variances.

FSI finance and compliance teams should incorporate high-usage monitoring into their periodic cost reviews. Variable consumption under the PAYG model requires visibility into which users and groups are driving metered charges, and whether that usage aligns with the approved business justification documented in the billing policy. Organizations should verify that high-usage thresholds are calibrated to their specific billing structure and risk tolerance.

Usage-Based License Optimization

Active monitoring of license utilization identifies optimization opportunities:

| Optimization Action | Trigger | Expected Savings |
|---------------------|---------|------------------|
| License Reclamation | User inactive for 60+ days | Full license cost recovery |
| Role-Based Right-Sizing | Low usage in specific roles | Reassignment to higher-value roles |
| Feature-Specific Optimization | Users only using one Copilot surface | Evaluate if lower-cost alternatives exist |
| Seasonal Adjustment | Temporary usage patterns (e.g., audit season) | Temporary license assignment/removal |
| Departing Employee Recovery | Employee termination or transfer | Immediate license reclamation |

License Reclamation Policy

Establish clear criteria for license reclamation:

  • Inactivity Threshold: Define the number of days of non-use before a license is flagged for reclamation (recommend 60 days for financial institutions)
  • Grace Period: Provide a notification period before reclamation (recommend 14 days)
  • Exemptions: Document exemptions (e.g., employees on approved leave, seasonal roles)
  • Reactivation Process: Define how a user can request license reassignment after reclamation
  • Manager Notification: Notify the user's manager before reclaiming a license

Copilot Surface Coverage

| Surface | Cost Tracking Relevance | Notes |
|---------|-------------------------|-------|
| M365 Copilot (base) | Primary license cost | Per-user license covers the licensed M365 Copilot suite |
| Microsoft 365 Copilot Chat (PAYG) | Metered cost under connected billing policy | Available for approved users or groups without assigning full Copilot seats |
| Copilot Pages and Copilot Notebooks (PAYG) | Metered cost when used outside a paid Copilot license | Include in billing-policy approvals, budget notifications, and Azure budget alerts |
| SharePoint agents and declarative agent operations (PAYG) | Metered cost under connected billing policy or agent meter | Tie each approved agent scenario to a cost owner and service connection |
| Microsoft Copilot Retrieval API (Preview) | Metered cost under connected billing policy | Track query usage against approved workload justification |
| Copilot for Sales | Additional license | Separate SKU for CRM-integrated features |
| Copilot for Service | Additional license | Separate SKU for service desk features |
| Copilot for Finance | Additional license | Separate SKU for finance-specific features |
| Copilot Studio | Consumption-based | Custom copilot and agent scenarios may bill through Copilot Studio message meters |
| Prerequisite M365 License | Foundational cost | Must be factored into total cost of ownership |

Governance Levels

Baseline

  • Maintain a current inventory of all Copilot licenses (type, quantity, assignment), including any active PAYG billing policies and the users or groups they cover. Track licenses by department:

    # Requires the Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules
    Connect-MgGraph -Scopes "Directory.Read.All","Reports.Read.All"
    # Resolve the Copilot SKU id once instead of matching SkuPartNumber per user
    $copilotSku = (Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "MICROSOFT_365_COPILOT").SkuId
    # AssignedLicenses is not returned by default, so request it explicitly
    Get-MgUser -All -Property "DisplayName,Department,UserPrincipalName,AssignedLicenses" |
      Where-Object { $_.AssignedLicenses.SkuId -contains $copilotSku } |
      Select-Object DisplayName, Department, UserPrincipalName |
      Export-Csv "CopilotLicensees-ByDept.csv" -NoTypeInformation
    
  • Track total Copilot licensing cost monthly, including both per-seat and PAYG metered costs — Portal: M365 Admin Center > Reports > Microsoft 365 Copilot usage; M365 Admin Center > Copilot > Billing & usage; M365 Admin Center > Billing > Cost Management

  • Implement basic license allocation to departments based on user assignment; use per-seat licensing only for maximum cost predictability at Baseline
  • Establish a license reclamation process for departing employees
  • Generate quarterly license utilization reports showing assigned vs. active usage — Graph API (beta): GET /beta/reports/getMicrosoft365CopilotUserCountSummary(period='D30') and GET /beta/reports/getMicrosoft365CopilotUsageUserDetail(period='D30')

    # Microsoft 365 Copilot usage report APIs are beta-only and return CSV;
    # they require the Microsoft.Graph.Beta.Reports module.
    Import-Module Microsoft.Graph.Beta.Reports
    Connect-MgGraph -Scopes "Reports.Read.All"
    Get-MgBetaReportMicrosoft365CopilotUsageUserDetail -Period "D30" -OutFile "CopilotUsage.csv"
    
  • Define the license request and approval process for new Copilot assignments

Recommended

  • If PAYG is used, document the billing policy owner, connected service, notification-only budget thresholds, covered users or groups, linked Azure subscription, and hard-stop runbook — Portal: M365 Admin Center > Copilot > Billing & usage
  • Implement usage-based license optimization with 60-day inactivity threshold
  • Enable PAYG billing for occasional users with documented approval workflow; configure billing-policy budget notifications, Azure budget alerts, and escalation owners before enabling PAYG access — Portal: M365 Admin Center > Copilot > Billing & usage
  • Create department-level cost allocation reports for internal chargeback or showback, including separation of per-seat and PAYG costs using billing policy ownership and Cost Management data
  • Reconcile billing policy coverage to the correct cost center monthly
  • Establish ROI tracking that compares license costs to measured productivity benefits and observed usage patterns; use per-user detail reports where available and document PAYG service coverage at the group level
  • Automate license reclamation notifications for inactive users
  • Integrate license cost data with the institution's financial planning system
  • Conduct quarterly license optimization reviews with department stakeholders, including whether stable PAYG populations should move to full seats
  • Track total cost of ownership including governance tooling, training, and administration

Regulated

  • Include Copilot license cost allocation in SOX internal control testing scope, including PAYG budget-notification authorization and escalation controls as part of IT general controls
  • For PAYG deployments: review billing policy budgets, notification routing, Azure budget alerts, connected services, and hard-stop runbooks monthly, and document the authorization hierarchy for policy changes
  • Present license cost and ROI analysis to the board technology or risk committee, including the decision basis for per-seat versus PAYG populations
  • Maintain formal cost-benefit documentation per FFIEC expectations, including documented analysis of which user populations are assigned seats versus connected to billing policies
  • Implement automated license lifecycle management tied to HR systems (hire/transfer/terminate)
  • Conduct quarterly PAYG cost anomaly reviews to detect unusual usage spikes or unexpected policy coverage changes
  • Conduct annual independent review of license optimization effectiveness
  • Document license allocation methodology for auditor review, including the mapping between billing policies, services, and cost owners
  • Maintain 7-year records of license assignments, cost allocations, and PAYG usage reports

Setup & Configuration

Step 1: Establish License Inventory

  1. Navigate to M365 Admin Center > Billing > Licenses
  2. Document all Copilot-related licenses:
    License Type              Purchased    Assigned    Available    Monthly Cost
    ──────────────────────────────────────────────────────────────────────────────
    Microsoft 365 Copilot     [qty]        [qty]       [qty]        $XX/user
    Copilot for Sales         [qty]        [qty]       [qty]        $XX/user
    Copilot for Service       [qty]        [qty]       [qty]        $XX/user
    Copilot Studio            [units]      N/A         N/A          $XX/unit
    
  3. Record enterprise agreement terms, discount rates, and renewal dates

Step 1b: Configure Pay-As-You-Go Billing (If Applicable)

For organizations adopting the PAYG model for occasional or seasonal users:

  1. Navigate to M365 Admin Center > Copilot > Billing & usage.
  2. On the Billing policies tab, create or review the billing policy tied to the correct Azure subscription, resource group, and region.
  3. Add the approved users or groups to the billing policy and document the responsible cost owner.
  4. On the Budget page or tab, add budget thresholds and email notification recipients. Treat these thresholds as alerting controls only: PAYG usage can continue after a threshold is exceeded.
  5. On the Pay-as-you-go services tab, connect the billing policy to the approved service, such as Microsoft 365 Copilot Chat, SharePoint agents, or other billable Copilot services approved for the tenant.
  6. Configure matching Azure budget alerts on the linked subscription or resource group so finance receives subscription-side notifications for PAYG charges.
  7. Document the hard-stop runbook, including who can remove covered users or groups, disconnect a billing policy from a service, or disable billable Copilot capabilities through Cloud Policy.
  8. Review usage and charges in M365 Admin Center > Billing > Cost Management and Microsoft Cost Management.
  9. Review Settings > Org settings > Self-service trials and purchases and document the per-product status for Microsoft 365 Copilot and adjacent self-service products.
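The Azure-side budget from step 6 can be created from PowerShell. The following is an added example and not code from the FSI Copilot Governance Framework or from Microsoft; it assumes the Az.Accounts module is installed, that Connect-AzAccount has been run with rights on the subscription linked to the billing policy, and that the Microsoft.Consumption budgets REST API is called at api-version 2021-10-01. The subscription id, budget name, amount and recipient addresses are placeholders.

```powershell
# Added example (not from the framework): create the subscription-side Azure budget
# that step 6 pairs with a Copilot PAYG billing policy. Assumes Az.Accounts and an
# existing Connect-AzAccount session; all ids, amounts and addresses are placeholders.

function New-CopilotPaygBudgetBody {
    param(
        [Parameter(Mandatory)][decimal]$MonthlyAmount,
        [Parameter(Mandatory)][string[]]$ContactEmails,
        [int[]]$Thresholds = @(50, 80, 100),
        [datetime]$StartDate = (Get-Date -Day 1).Date   # budgets must start on the 1st of a month
    )
    # One notification per threshold, each evaluated on actual (not forecast) spend.
    $notifications = @{}
    foreach ($t in $Thresholds) {
        $notifications["Actual_GreaterThan_${t}_Percent"] = @{
            enabled       = $true
            operator      = 'GreaterThan'
            threshold     = $t
            thresholdType = 'Actual'
            contactEmails = $ContactEmails
        }
    }
    $body = @{
        properties = @{
            category      = 'Cost'
            amount        = $MonthlyAmount
            timeGrain     = 'Monthly'
            timePeriod    = @{
                startDate = $StartDate.ToString('yyyy-MM-dd') + 'T00:00:00Z'
                endDate   = $StartDate.AddYears(1).ToString('yyyy-MM-dd') + 'T00:00:00Z'
            }
            notifications = $notifications
        }
    }
    return ($body | ConvertTo-Json -Depth 6)
}

function Set-CopilotPaygBudget {
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$BudgetName,
        [Parameter(Mandatory)][decimal]$MonthlyAmount,
        [Parameter(Mandatory)][string[]]$ContactEmails
    )
    # Microsoft.Consumption/budgets at subscription scope; api-version is an assumption.
    $path = "/subscriptions/$SubscriptionId/providers/Microsoft.Consumption/budgets/$BudgetName?api-version=2021-10-01"
    $json = New-CopilotPaygBudgetBody -MonthlyAmount $MonthlyAmount -ContactEmails $ContactEmails
    # PUT creates the budget or updates it in place, so re-running is safe.
    $resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload $json
    if ($resp.StatusCode -notin @(200, 201)) {
        throw "Budget create/update failed ($($resp.StatusCode)): $($resp.Content)"
    }
    return ($resp.Content | ConvertFrom-Json)
}

# Example call (placeholder values):
# Set-CopilotPaygBudget -SubscriptionId '00000000-0000-0000-0000-000000000000' `
#     -BudgetName 'copilot-payg-chat-frontoffice' -MonthlyAmount 5000 `
#     -ContactEmails 'copilot-cost-owner@example.com', 'finops@example.com'
```

Like the billing-policy budget in step 4, an Azure budget only sends notifications when a threshold is crossed; it does not stop charges. The hard-stop runbook in step 7 remains the only enforcement path, so the recipient list here should include the escalation owner who can execute it.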

Step 2: Configure License Assignment Groups

Use Entra ID group-based licensing for structured assignment:

  1. Create Entra ID groups for each Copilot license pool:
     • Copilot-Licensed-FrontOffice
     • Copilot-Licensed-BackOffice
     • Copilot-Licensed-Compliance
     • Copilot-Licensed-IT
  2. Assign Copilot licenses to groups in Entra ID > Groups > [Group] > Licenses
  3. Document group membership criteria and approval process

Step 3: Implement Usage Monitoring

  1. Connect Copilot usage reports (Control 4.5) to license assignment data
  2. Create a monthly report identifying:
     • Users with licenses assigned but zero usage in the past 30 days
     • Users with licenses assigned but minimal usage (fewer than 5 interactions per month)
     • Users with high usage who might benefit from additional Copilot features
  3. Establish review workflow for optimization recommendations

Step 4: Configure Cost Allocation

  1. Map Copilot license assignments to cost centers via Entra ID attributes:
    User > Department > Cost Center > License Type > Monthly Cost
    
  2. Create monthly cost allocation report:

     | Department  | Users Licensed | Active Users | Monthly Cost | Cost per Active User |
     |-------------|----------------|--------------|--------------|----------------------|
     | Trading     | XX             | XX           | $XXX         | $XX                  |
     | Wealth Mgmt | XX             | XX           | XX           | $XX                  |
     | Operations  | XX             | XX           | $XXX         | $XX                  |
     | Compliance  | XX             | XX           | $XXX         | $XX                  |

  3. Distribute cost reports to department heads for budget management
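The Step 3 utilization check and the Step 4 allocation report can be produced from the two exports the Baseline level already generates. The following is an added example, not code from the FSI Copilot Governance Framework: it joins the licensee export (DisplayName, Department, UserPrincipalName) with the Copilot usage detail CSV ('User Principal Name', 'Last Activity Date') and computes cost per active user and idle-seat cost per department. The sample rows and the seat price are constructed placeholders; the real exports and the contracted price replace them.

```powershell
# Added example (not from the framework): department cost allocation report built
# from the Baseline licensee CSV and the Copilot usage detail CSV. Sample rows and
# the seat price are constructed placeholders.

function Get-CopilotDeptAllocation {
    param(
        [Parameter(Mandatory)][object[]]$Licensees,
        [Parameter(Mandatory)][object[]]$Usage,
        [Parameter(Mandatory)][decimal]$SeatPrice,     # contracted monthly per-seat cost
        [datetime]$AsOf = (Get-Date).Date,
        [int]$ActiveWindowDays = 30                     # Step 3 uses a 30-day activity window
    )
    # Index last activity by UPN so each licensee is a single lookup.
    $lastSeen = @{}
    foreach ($u in $Usage) {
        if ($u.'Last Activity Date') {
            $lastSeen[$u.'User Principal Name'.ToLowerInvariant()] = [datetime]$u.'Last Activity Date'
        }
    }
    $cutoff = $AsOf.AddDays(-$ActiveWindowDays)
    $Licensees | Group-Object Department | ForEach-Object {
        $members = $_.Group
        $active  = @($members | Where-Object {
            $seen = $lastSeen[$_.UserPrincipalName.ToLowerInvariant()]
            $seen -and $seen -ge $cutoff
        }).Count
        $cost      = $_.Count * $SeatPrice
        $perActive = if ($active -gt 0) { [math]::Round($cost / $active, 2) } else { $null }
        [pscustomobject]@{
            Department        = $_.Name
            UsersLicensed     = $_.Count
            ActiveUsers       = $active
            MonthlyCost       = $cost
            CostPerActiveUser = $perActive
            IdleSeatCost      = ($_.Count - $active) * $SeatPrice   # reclamation candidates' cost
        }
    } | Sort-Object Department
}

# Constructed sample inputs, same column layout as the two CSV exports
$licensees = @'
DisplayName,Department,UserPrincipalName
Ana Trader,Trading,ana@contoso.example
Ben Trader,Trading,ben@contoso.example
Cara Advisor,Wealth Mgmt,cara@contoso.example
Dev Ops,Operations,dev@contoso.example
Eve Compliance,Compliance,eve@contoso.example
'@ | ConvertFrom-Csv

$usage = @'
User Principal Name,Last Activity Date
ana@contoso.example,2026-05-28
ben@contoso.example,2026-02-10
cara@contoso.example,2026-06-01
dev@contoso.example,
'@ | ConvertFrom-Csv

Get-CopilotDeptAllocation -Licensees $licensees -Usage $usage -SeatPrice 30 -AsOf ([datetime]'2026-06-07') |
    Format-Table -AutoSize
```

Users who appear in the licensee export but not in the usage report (or with an empty last activity date) count as inactive, which is the conservative reading for a showback report. The IdleSeatCost column is the figure the quarterly optimization review in the Recommended level needs per department.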

Step 5: Establish License Reclamation Workflow

  1. Define automation rules (using Power Automate or equivalent):
     • Trigger: User inactive in Copilot for 60 consecutive days
     • Action 1: Send notification to user and manager (14-day grace period)
     • Action 2: If no activity after grace period, remove from Copilot license group
     • Action 3: Log reclamation event for audit trail
  2. Define exemption categories:
     • Approved medical or personal leave
     • Seasonal roles with predictable inactive periods
     • New hires in onboarding (first 30 days exempt)
  3. Document reactivation request process
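The reclamation rules above (and the License Reclamation Policy criteria earlier in this control) can be evaluated outside Power Automate for testing or for a periodic batch run. The following is an added example and not the framework's own automation: Get-CopilotReclamationCandidates applies the 60-day inactivity threshold, the 14-day grace period, the exemption list and the 30-day onboarding exemption to the usage detail CSV and the license group's members, and Invoke-CopilotReclamation writes the audit row and removes the user from the license group only when -Enforce is given. It assumes the Microsoft.Graph.Groups module for the enforce path; the group id, user ids, UPNs and dates are constructed placeholders.

```powershell
# Added example (not from the framework): evaluate the Step 5 reclamation rules
# and log the outcome. Pure logic over constructed rows; Microsoft Graph is only
# called with -Enforce. Group id, user ids, UPNs and dates are placeholders.

function Get-CopilotReclamationCandidates {
    param(
        [Parameter(Mandatory)][object[]]$Usage,        # 'User Principal Name','Last Activity Date'
        [Parameter(Mandatory)][object[]]$Licensed,     # Id, UserPrincipalName, CreatedDateTime
        [string[]]$ExemptUpns = @(),                   # approved leave, seasonal roles
        [hashtable]$NoticeSent = @{},                  # upn -> date the grace-period notice went out
        [datetime]$AsOf = (Get-Date).Date,
        [int]$InactivityDays = 60,
        [int]$GraceDays = 14,
        [int]$OnboardingDays = 30
    )
    $lastSeen = @{}
    foreach ($u in $Usage) {
        if ($u.'Last Activity Date') {
            $lastSeen[$u.'User Principal Name'.ToLowerInvariant()] = [datetime]$u.'Last Activity Date'
        }
    }
    foreach ($user in $Licensed) {
        $upn     = $user.UserPrincipalName.ToLowerInvariant()
        $created = [datetime]$user.CreatedDateTime
        $seen    = $lastSeen[$upn]
        # A user absent from the report is idle since account creation, not active by default.
        $idle = if ($seen) { ($AsOf - $seen).Days } else { ($AsOf - $created).Days }
        if     ($ExemptUpns -contains $upn)                      { $state = 'Exempt' }
        elseif (($AsOf - $created).Days -lt $OnboardingDays)     { $state = 'Onboarding' }
        elseif ($idle -lt $InactivityDays)                       { $state = 'Active' }
        elseif (-not $NoticeSent.ContainsKey($upn))              { $state = 'NotifyUserAndManager' }
        elseif (($AsOf - $NoticeSent[$upn]).Days -ge $GraceDays) { $state = 'Reclaim' }
        else                                                     { $state = 'InGracePeriod' }
        [pscustomobject]@{ Upn = $upn; UserId = $user.Id; IdleDays = $idle; State = $state }
    }
}

function Invoke-CopilotReclamation {
    param(
        [Parameter(Mandatory)][object[]]$Candidates,
        [Parameter(Mandatory)][string]$LicenseGroupId,     # Entra group that carries the Copilot license
        [string]$AuditLog = 'CopilotReclamation-Audit.csv',
        [switch]$Enforce                                    # default is a dry run
    )
    foreach ($c in ($Candidates | Where-Object State -eq 'Reclaim')) {
        $action = 'DryRun'
        if ($Enforce) {
            # Needs Connect-MgGraph -Scopes "GroupMember.ReadWrite.All" (Microsoft.Graph.Groups)
            Remove-MgGroupMemberByRef -GroupId $LicenseGroupId -DirectoryObjectId $c.UserId
            $action = 'RemovedFromLicenseGroup'
        }
        # Audit trail row (Step 5, Action 3)
        [pscustomobject]@{ Timestamp = (Get-Date).ToString('o'); Upn = $c.Upn; IdleDays = $c.IdleDays; Action = $action } |
            Export-Csv -Path $AuditLog -Append -NoTypeInformation
    }
}

# Constructed sample data
$usage = @'
User Principal Name,Last Activity Date
ana@contoso.example,2026-06-05
ben@contoso.example,2026-03-01
cara@contoso.example,2026-03-20
'@ | ConvertFrom-Csv
$licensed = @(
    [pscustomobject]@{ Id = '11111111-1111-1111-1111-111111111111'; UserPrincipalName = 'ana@contoso.example';  CreatedDateTime = '2025-01-15' }
    [pscustomobject]@{ Id = '22222222-2222-2222-2222-222222222222'; UserPrincipalName = 'ben@contoso.example';  CreatedDateTime = '2025-01-15' }
    [pscustomobject]@{ Id = '33333333-3333-3333-3333-333333333333'; UserPrincipalName = 'cara@contoso.example'; CreatedDateTime = '2025-01-15' }
    [pscustomobject]@{ Id = '44444444-4444-4444-4444-444444444444'; UserPrincipalName = 'dan@contoso.example';  CreatedDateTime = '2026-05-20' }
)
$asOf = [datetime]'2026-06-07'
$candidates = Get-CopilotReclamationCandidates -Usage $usage -Licensed $licensed -AsOf $asOf `
    -ExemptUpns 'cara@contoso.example' -NoticeSent @{ 'ben@contoso.example' = [datetime]'2026-05-10' }
$candidates | Format-Table -AutoSize
Invoke-CopilotReclamation -Candidates $candidates -LicenseGroupId '<license-group-id>'   # dry run
```

With the sample rows, ana is Active, ben (idle 98 days, notified 28 days ago) is Reclaim, cara is Exempt and dan is still in the onboarding window. The NoticeSent map is the state Action 1 has to persist between runs; without it the script would skip the grace period, so store it alongside the audit log rather than recomputing it.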

Financial Sector Considerations

PAYG Model and Sarbanes-Oxley §§302/404 Controls: The PAYG model introduces variable AI spending that requires budget-notification authorization, Azure subscription alerting, and escalation controls as part of IT general controls over financial reporting. Sarbanes-Oxley §§302/404 (Management Assessment of Internal Controls, 15 U.S.C. § 7262) requires that material IT expenditure controls are documented and testable. Variable PAYG costs should be reconciled between billing policy configuration, M365 Admin Center and Microsoft Cost Management reports, and internal cost allocation records.

12 CFR part 30, appendix D (OCC Heightened Standards) and Cost Governance: The OCC's Heightened Standards for large banks (12 CFR Part 30, Appendix D) require effective governance frameworks for operational risk, which includes technology cost management. Uncontrolled PAYG spending — where costs can scale unexpectedly with usage and continue after budget notifications — could indicate governance weakness during OCC examinations. Budget alerting, Azure budget alerts, anomaly monitoring, and tested disablement procedures demonstrate responsive cost governance aligned with OCC expectations.

FFIEC Cost-Benefit Analysis Expectation: The FFIEC IT Examination Handbook (Management Booklet, Section II.D on IT Planning) expects institutions to conduct cost-benefit analyses for technology investments and to document these analyses for examiner review. When choosing between per-seat and PAYG models for Copilot Chat access, institutions should document the user populations, approval basis, expected usage pattern, and the governance controls applied to each model.

SOX Material Expenditure: If Copilot licensing represents a material technology expenditure, the cost allocation methodology should be documented and testable as part of SOX ITGC procedures. Auditors may request evidence that license costs are properly authorized, allocated to the correct cost centers, and reconciled to vendor invoices. For PAYG deployments, this includes Azure Commerce billing reconciliation against internal PAYG usage reports.

Fiduciary Cost Management: Investment advisers who pass technology costs through to clients (as part of advisory fees) should verify that Copilot costs are appropriately allocated and that the fee disclosure reflects AI tool costs. Unjustified technology spending could raise fiduciary concerns.

Regulatory Capital Considerations: For banks and broker-dealers, technology costs affect operating expenses, which in turn affect capital ratios. Large-scale Copilot deployments should be factored into budget forecasting and capital planning processes.

Vendor Concentration Risk: Copilot licensing deepens the institution's dependency on Microsoft. Cost tracking should include consideration of vendor concentration risk and the potential cost of switching or de-platforming. This supports FFIEC third-party risk management expectations.

Budget Governance: Financial institutions typically require multi-level approval for technology expenditures above certain thresholds. The initial Copilot procurement and subsequent expansions should follow the institution's technology investment approval process, with documented business justification and expected ROI.

License True-Up Risk: Enterprise agreements often include annual true-up provisions. Institutions should track actual license consumption against contracted quantities to avoid unexpected true-up costs. License reclamation helps manage this risk.

Verification Criteria

| # | Verification Step | Expected Result |
|---|-------------------|-----------------|
| 1 | Review license inventory in M365 Admin Center | Inventory current and reconciled to vendor billing, including PAYG user groups |
| 2 | Verify department-level cost allocation reports | Reports produced monthly with accurate department mapping for both per-seat and PAYG costs |
| 3 | Confirm license reclamation process is operational | Inactive users identified and reclamation workflow functioning |
| 4 | Verify PAYG budgets and notifications are configured (if PAYG enabled) | Active billing policies have notification-only budgets, recipient groups, Azure budget alerts, and escalation owners configured |
| 5 | Review ROI tracking documentation | ROI analysis updated quarterly with actual metrics and documented per-seat versus PAYG population decisions |
| 6 | Verify group-based license assignment | Licenses assigned via Entra ID groups, not individual assignment |
| 7 | Confirm budget forecast includes Copilot costs | Current fiscal year budget includes both per-seat licensing and PAYG estimated cost line items |
| 8 | Review license utilization report | Report shows assigned vs. active usage with optimization recommendations |
| 9 | Verify PAYG cost anomaly monitoring | M365 Admin Center and Microsoft Cost Management review evidence exists, unusual usage is investigated, and hard-stop actions are documented when thresholds are exceeded |
| 10 | Verify audit trail for license changes | Assignment, reclamation, billing-policy changes, and PAYG enablement events are logged and retrievable |

Additional Resources


FSI Copilot Governance Framework v1.4.0 - April 2026