Many businesses contact Scott & Scott, LLP regarding Services Provider License Agreement (SPLA) audits after providing extensive information to Microsoft’s auditors and receiving compliance demands that would be ruinous for their bottom lines, if paid in full. At that stage, it might be difficult to “un-ring the bell” with respect to the data allegedly underlying the compliance calculations, forcing an audited business to consider other options – including litigation – for reaching a resolution. In many cases, however, the shock of the opening demand can be mitigated or avoided in advance by taking a couple critical first steps upon receipt of a SPLA audit notice:
•Talk to Your Attorneys. It is critical for company legal teams to be involved in the audit process from the beginning. SPLA audit notices often are collegial in tone and may fly under the radar and into the inboxes only of company IT teams. However, these matters often result in multi-million-dollar compliance demands, even for companies whose current, monthly SPLA spend may be $20,000 or less. Contrary to how Microsoft may characterize them, SPLA audits are not true-ups, and they are not “routine,” in the sense that many audited businesses may interpret that term. They are very serious matters that deserve as much attention as any other claim involving substantial, potential legal and financial exposure.
• Know the Agreements. Newer SPLA form agreements generally include broad audit rights in Microsoft’s favor, but many businesses may be operating under older forms that are less permissive. It is therefore crucial to ensure that the terms of the agreements identified by Microsoft in its audit notice are consistent with the demands reflected in the notice letter. This includes ensuring that the entity responding to the audit is the entity named in the notice.
• Set the Ground Rules. Even if the SPLA in question incorporates broad audit rights in Microsoft’s favor, in many cases it is still possible to obtain one or more pre-audit agreements with Microsoft and the auditors to set all parties’ expectations with regard to what information will be collected, how it will be collected, and how that information will be used by the receiving parties. Confidentiality is an important concern to address here, but so are things like which networks or datacenters are to be included in the inventory, and whether that inventory will include an on-site inspection (a potentially expensive and time- and resource-consuming audit tactic many businesses prefer to avoid.