CPAs Should Audit Their Cloud Providers’ Licensing

When it comes to assisting their clients, CPAs are famous for being meticulous, which likely prevents them from being as meticulous when it comes to their own affairs. One thing we have noticed recently is how little firms audit their technology providers. As a result, we have created this quick guide on how and why you should audit some of your technology providers.   

There are 2 reasons to look at and audit your cloud provider’s licensing reports: 

1) To ensure they are following their vendors licensing standards, especially because if they are not, your firm may be culpable in a licensing infraction.

2) To fact check. Some companies love to talk about how big they are or how many companies they have using their service. The proof is always in the licensing report. 

So, what do you ask for? Ask for the main list of vendors they are using, a high-level license report, and a contact at the company to validate the licenses. The reason you ask for a vendor contact to validate is that if they are being less than truthful it is easy to whip up a PDF that looks official. This is why an audit is important.  

For example: 

Microsoft: 

• The program is called Microsoft CSP (Cloud Service Provider) or SPLA (Service Provider License Agreement) 
• How many Office 365 users do they pay for monthly? 
• How many RDS (Remote Desktop) licenses are they paying for? 
• Ask for a contact at their VAR (value-added reseller) and/or Microsoft to validate.  
• In most cases cloud providers must go through a reseller, that is normal. 

Citrix:  

• The program is called a Cloud Solution Provider and they should be paying fees on each user. Citrix does not allow a provider to buy perpetual licenses and assign them to their clients.  
• How many users and what specific SKU are you paying Citrix for? 
• Contact at Citrix (must be Citrix) to validate

Intuit: 

• Any cloud provider you use should be an approved host as that is the only group of people that can host Intuit products.  
• Ask for the report they send Intuit. Do these numbers jive and make sense? 
• Ultimately the firm is responsible for ensuring only the people who have a license use a license, keep this in mind. Someone at the firm should be keeping track.  

Adobe: 

• There is no form licensing program nor report.
• Adobe doesn’t allow a cloud provider to provide a license to its users, Adobe requires a direct relationship with each company/entity that uses the product. 
• If for whatever reason your cloud provider says they can provide you the license, you should dive in deeper and ask for proof, etc.  

This list covers an audit with the high–level basics and will quickly allow you to collect some information on the integrity of a cloud provider. If a company is uncomfortable sharing this information with you, that may be telling.