Cisco License Compliance Audits
External products and services audits from hardware and software vendors or third-party auditing entities are the “way of the world” with large technology firms.
Audits also have become a common way for Cisco to ensure compliance with its Indirect Channel Partner Agreement (“ICPA”) terms. We have seen a recent uptick in audits conducted by Cisco against its reseller partners.
This increases the global financial and compliance risks for IT service firms that resell Cisco products and services. If you have entered into an ICPA with Cisco, you need to be prepared for what might be around the corner.
If it hasn’t happened already, you may receive a letter or e-mail from Cisco or its designated audit firm (in many cases, a law firm-owned business named True Pedigree) notifying you that it intends to take a closer look at your sales of its products and your compliance with its channel partner rules.
Being prepared and following a few basic steps can help you to address any potential claims and to reduce the stress from the Cisco audit experience.
The lawyers at Scott & Scott LLP have represented and successfully defended many small to medium-sized companies in U.S. Cisco audit matters.
Why are Cisco ICPA audits necessary?
They aren’t necessary. However, by conducting audits, Cisco is following in the footsteps of most other major technology companies in the US by seeking to protect its intellectual property.
It may surprise you to hear that Cisco has over 35,000 employees and operates in 115 countries. A significant portion of its product sales globally are conducted through channel partners. As a result, many thousands of channel partners worldwide are subject to potential Cisco audit activity by having accepted the terms of Cisco’s agreements, which almost always require licensees to submit upon demand to audits conducted by Cisco or its chosen auditors.
For example, the audit clause in Cisco’s ICPA includes the following language:
Registered Partner will maintain all records relating to the purchase, sale, storage and disposition of all Products and Services, including those existing in electronic form (“Records”) for a period of not less than two (2) years from the date of purchase.
Records will include, at a minimum, documentation specifying the individual or entity from which the Products and Services were acquired, master files, product numbers, serial numbers, description, quantities purchased, shipped and sold, customer or supplier name, address, date of purchase or sale, cost of purchase or sale price, and delivery address.
Ensuring compliance with Cisco’s channel partner rules also has become more challenging in light of rapidly changing market conditions created by the pandemic.
Six steps to successfully respond to a Cisco ICPA audit notice
Prevention is always better than a cure with technology audits. However, if it’s too late and you’ve already been informed of an impending audit, don’t panic.
You can take some simple steps to prepare for what’s coming.
- Identify who is requesting the audit
Has your audit been requested directly by Cisco or by a third-party entity investigating on Cisco’s behalf?
Check your ICPA and End User License Agreement (EULA) for details on Cisco’s right to conduct an audit with reasonable notice (which typically lasts for up to three years after termination of the ICPA).
- Conduct your own internal Cisco audit
You need to conduct a comprehensive audit of your purchases, sales, and deployments of Cisco products and services. This can be particularly challenging for resellers and end-users, so you might want to seek third-party assistance from professionals who are well-versed in Cisco’s channel and End-User licensing rules.
- Review the terms of the license agreement
Many organizations never read their ICPA or EULA. It’s important to check your Cisco agreement and review the terms applicable to your business. For example, if you resell Cisco products and services, you will need to be prepared to demonstrate that all purchases were from an authorized source and that all sales were to end users. The Cisco ICPA defines unauthorized products as:
Unauthorized Cisco Product means any genuine Cisco Product or Cisco Service that Registered Partner purchases or acquires from, either directly or indirectly, any party other than Cisco and/or an Authorized Source or sells to any party other than an End User. Unauthorized Cisco Products do not include Non-Genuine Products.
This provision requires the Cisco channel partner to make sure it fully understands the status of all of its suppliers and to ensure that all of its customers are End Users as defined under the applicable Cisco partner agreement.
Cisco’s ICPA provides significant remedies for Cisco when a reseller has sold Non-Genuine Products. Interestingly, Cisco’s ICPA defines a Non-Genuine Product as any product or service that was purchased through an unauthorized source or sold to someone other than an End User. In contrast, U.S. law generally would consider a product to be not genuine only if it was a counterfeit or a phony.
Accordingly, Resellers can be accused of selling Non-Genuine Products any time they purchase products and services from a vendor that Cisco does not authorize or sell a product to anyone other than an End User. This places a very high burden of diligence and record keeping on the Cisco channel partner in order to be able to successfully defend against a Cisco audit.
- Compile all documentation to prove Compliance with Cisco Agreements
Next, you need to make sure that your team is keeping accurate records that align with the requirements of Cisco’s audit clause and that demonstrate your compliance with Cisco’s channel requirements. If you have not been systematically maintaining those records prior to Cisco’s initiation of an audit, then you should begin reviewing and compiling the records that you have available to respond to the auditors.
For a smooth audit process, make sure you have the records available to track each Cisco product and service that you have purchased, sold or deployed. You will need to demonstrate that all purchases were from authorized distributors (other proof that the product is genuine or that SmartNet was activated may not be sufficient) and that all sales were made to End Users.
You may also be asked to provide documentation of the value that you are adding for your End User customers. For example, the ICPA requires that the Partner be able to demonstrate how it added value in each transaction as follows:
Added Value Requirement. Each time a Registered Partner Resells Services or Products to an End User, Registered Partner will include its Added Value. Registered Partner must be able to demonstrate Products to prospective End Users at the End User’s location and make Professional Services available for each Product Resold by Registered Partner.
The same agreement defines added value and makes it clear that network design services that don’t involve managed services or cloud do not meet the added value requirement as follows:
Added Value is the non-Cisco component or portion of the total solution which Registered Partner provides to End Users. Examples of Added Value are pre- and post-sales network design, configuration, trouble-shooting, managed services, cloud services, and support and the sale of complementary products and services that comprise a significant portion of the total revenues received by Registered Partner from an End User of Cisco Products.
Registered Partner acknowledges that telesales, catalog sales, and sales over the Internet do not include Added Value if inbound communications from the prospective End User purchaser were exclusively prompted by something other than a face-to-face interaction between Registered Partner’s sales representative and such prospective End User. Registered Partner further acknowledges that providing financing options and/or network services (unless such network services comprise managed and/or cloud services) to End Users does not constitute Added Value.
Accordingly, to prepare for a Cisco audit you need to be able to demonstrate you are meeting the Added Value requirement in the Cisco agreements.
- Negotiate a Cisco audit resolution
After the auditors complete their investigation and produce their audit report, you may notice that the Cisco audit findings are not accurate or that they do not align with your own findings. For instance, a particular use case may be disputed. You may believe that it is permitted under the ICPA, but Cisco claims that you have violated the terms of the agreement.
In such a case, you may be able to provide extra documentation to prove your case or to negotiate a resolution notwithstanding a disagreement about the facts or the application of the agreement to those facts.
If you are involved in a Cisco audit, there is a good chance Cisco will make a financial demand in order to settle the claim. When evaluating a settlement offer from Cisco alleging violation of the agreement, it is important to understand what, if any, economic injury Cisco may have sustained.
If Cisco lost money because a dealer did not adhere to the terms of the ICPA, for example, Cisco would likely be able to recover the economic injury it sustained as measured by the position it would have been in but for the alleged breach of the agreement. A Cisco claim alleging a technical violation of the Cisco agreement without provable economic loss should be scrutinized carefully before it is settled.
As in all cases, liability facts have to be evaluated separately from the damages calculation, which should be measured in terms of the fair market value of the products and services that would have been sold but for the alleged breach. If there would be no marginal revenue or profit in the absence of the alleged breach, then direct damages have not been legally established.
Need assistance with a Cisco audit?
You do not have to violate the terms of your Cisco agreement for Cisco to pursue an audit against you. If you are reselling Cisco products, it is likely that you eventually will be audited merely to ensure compliance with your Cisco agreement.
Ultimately, though, absent intentional misuse of their intellectual property, even the most aggressive vendors would rather retain you as a partner and gain future income from their relationship with you than litigate against you.
This means that the vendor may be open to the possibility of a negotiation process. The presence of an experienced lawyer can assist you during this and during the entire audit process.
Book a free consultation with a technology lawyer at Scott & Scott. We understand the Cisco audit process and can walk you through the steps required.