Oracle Audits - Everything You Should Know

What is an Oracle audit?

An Oracle audit is when Oracle invokes their contractual privilege to “audit Your use of the Programs to ensure Your use of the Programs is in compliance with the terms of the applicable order and the Master Agreement.” (Oracle TOMA, Schedule P, Section 8).


The audit is invoked when a representative of Oracle License Management Services (LMS) or Global Licensing and Advisory Services (GLAS) sends a letter to the customer’s contractual contact informing them of the audit, and providing other details of the audit process. This audit letter may or may not contain all of the pertinent information about the audit, or the customer’s rights and obligations, but it does signal the start of the formal process.


Some customers try to avoid an Oracle audit, believing that an informal review process will be less risky. Most times the opposite is true. The license agreement provides the customer with certain rights that are important to maintain in ensuring that the process is a true reflection of license compliance, instead of a sales process that tries to extract more revenue than is required.  



Understanding Oracle audits

How do I know if I am at risk for an audit?

With the understanding that audits are less about compliance, and more about Oracle revenue generation, the reason a customer would be on an audit list is if Oracle felt they were not receiving enough revenue from that customer. This could be based on size of the business compared to the Oracle usage footprint, or platform factors such as virtualization or cloud usage. 

I don't think I have received an audit letter, could I still be under audit from Oracle?

A formal audit only comes with an audit notice. Many times, Oracle sales personnel will offer a “license review” that is intended to be a strictly informational benefit to the customer. This informal review may even involve LMS or GLAS audit personnel in the process. Customers have reported to us that they have been assured by the sales reps that there is no obligation to purchase licenses if a deficiency is found. This, of course, is a specious assurance. If any deficiency is found, the sales reps will provide high-pressured, time-limited proposals for resolution, without giving the customer any time to independently validate the results, or attempt to remediate spurious or unintended problems.

 

The sales reps prefer to do an informal license review as opposed to a formal audit because such reviews are typically concluded in much less time, resulting in a faster sales close cycle. One of the main issues that a customer (typically unknowingly) encounters in an informal license review is the lack of contractual protections and due process.

What types of Oracle audits or reviews are there?

Formal Review

Oracle triggers an audit via email & PDF to customer. Terms of the license agreement apply. For multiple agreements, the customer may request clarified terms from Oracle.

"Friendly" Review

Oracle reps pose as friendly reviewers, pressure customers for compliance deals, but often neglect audit clause due-process protections.

Customer Request Review

Customers who invite Oracle in for compliance validation often face shocking deficiency claims, and they have no protection from Oracle’s unreasonable interference with their business.

What is the audit process?

The process that Oracle would like the customer to follow in the audit is not necessarily the process that we recommend in staging an appropriate defense. We never recommend cheating Oracle, but we also do not like it when Oracle intimidates or bullies their customers into a rushed process that ends up with excess and inappropriate fees being assessed.
 
Oracle’s intended process starts with a kickoff meeting, and then involves the customer accessing their online audit portal to answer questions about their use of Oracle software. The customer will be asked to download audit discovery scripts, and a Server Worksheet to disclose details of where Oracle is installed, running, or deployed in a virtual or cloud environment. Once Oracle receives the information, they will spend time analyzing the data and develop a report. This report will inevitably identify license deficiencies and the sales team will then provide proposals to remediate those claimed liabilities.
 
We typically recommend taking control of the audit away from Oracle and conducting the process according to your contractual obligations, and Oracle’s actual license rights. Oracle auditors are notorious for asking for customer information that we believe is beyond the scope of the license agreement. In these cases, we assertively push back while asserting our contractual position.

Is the Oracle Assurance Service a lower risk than a formal audit?

It may actually be a higher risk. The Oracle Assurance Service claims to “build confidence through transparency.” What is really happening is an LMS audit without contractual protections of the Audit clause. Some customers request this service from Oracle thinking that it will be a friendly, transparent process. It will invariably lead to a demand from Oracle for the purchase of costly licenses, or pressure to accept an Unlimited License Agreement or Oracle Cloud migration.

ORACLE AUDIT READINESS

Are you in the middle of an Oracle audit or do you fear one might be coming?

With hundreds of audit-defense engagements under our belt, let us help you face this time-consuming, risky, and confusing experience successfully.

How to avoid Oracle audit risks

What are the typical audit triggers?

The most common audit triggers we have encountered are: use of VMware virtualization technology, unlicensed use of Java, customer M&A activity, customer revenue growth, customer employee count growth, customer news reports of innovations or activities that might require Oracle technology, customer rejection of an Oracle sales proposal, not selecting the Oracle proposal in a solution RFP, etc.

What are the risks that I should plan for?

  1. Be sure to monitor or regularly check database feature usage to ensure that unlicensed software is not being used.
  2. Ensure that virtual environments keep Processor-based Oracle software contained to licensed hosts.
  3. Regularly evaluate public cloud usage of Oracle software to avoid costly sprawl. This includes overallocated cloud resources, and uncontrolled software deployments. Learn how to Manage Oracle Database Licensing and Feature Usage in AWS.
  4. Understand your Java desktop and server usage, and Oracle’s license subscription requirements.

What rights do I have in an Oracle audit?

The license agreement that you entered into with Oracle when purchasing software contains some standard language that outlines the customer’s rights in the audit process. Some customers may have specialized language in their agreement (either from negotiation with Oracle, or due to legal requirements in the country in which that customer resides) that could provide additional audit rights, or even extra audit obligations. Oracle auditors will typically adhere to the standard language unless the customer asserts their unique privileges.

 

The standard rights that a customer has, as referenced in the online TOMA, include the following:

  1. 45 days’ written notification from Oracle of intent to audit. In the past, Oracle ignored this right, with attempts to start the audit within three days of notice. More recently we have seen Oracle auditors acknowledge this notification period, but still try to accelerate things.
  2. The scope of the audit is limited to the “applicable order and the Master Agreement.” The audit notice will typically indicate a scope, but it will be important to establish the contractual boundaries of that scope. Confirming contractual boundaries includes mapping the ordering document (especially product names and metrics) to the definitions (e.g., “installed and/or running” for Processor and Named User Plus metrics).
  3. The “audit shall not unreasonably interfere with Your normal business operations.” Sometimes an audit notice may come at a most inopportune time. This might be while the customer is in the middle of a system migration, or critical resources are unavailable for an extended period of time, etc. If the audit will cause an unreasonable interference with the customer’s business operations, then it is your right to push back and have the audit rescinded, or delayed. 

What compliance problems can I remediate before I report to Oracle?

This is a topic that you should discuss with your legal team, but in general, if you are deriving a benefit from a vendor’s software, you should have a license to cover that usage. If you find that you have been using unlicensed database features, for example, you need to decide if that was intentional or not, and if you would like to continue using those features going forward. If so, then you would approach Oracle to procure the necessary licenses. If that usage was unintentional, and you do not want to continue using it, then the most important thing is to immediately stop those processes or people that were invoking the unlicensed features.
 
If you are being audited, then you should talk to your legal counsel about the effective date of the audit notice. Most of the client attorneys we have worked with consider the date of the audit notice letter as the effective date for reporting the usage. This means that trying to “clean things up” after the audit notice date could cause legal problems.
 
It is better to evaluate your current-state compliance and make the appropriate changes/purchases before a formal audit notice is received. In other words, you really want to know what Oracle is going to find before they come knocking at your door.
 

How to respond to an Oracle audit

How should I respond to an Oracle audit notice?

The most critical thing is to not rush to respond to an Oracle audit notice. The audit clause in your license agreement likely gives you a 45-day notification period. While we take a very aggressive stance in defending our customers against Oracle overreach, it is important to be seen as participating in the audit.

 

Even though we do not recommend giving in to all of the auditor’s demands for data, meetings, and other things, responding with an acknowledgement of having received the audit notice will indicate an intent to remain professional in the process.

If an audit notice comes, do I need to freeze my Oracle environment, or can I make changes?

While you may need to settle up your usage against license entitlement as of the date of the audit notice, that does not mean that you should put your whole business and IT operation on hold. If you need to make certain changes to your environment during an audit, then it would be best to clearly document those changes, including the pre-change condition, what was changed, who did it, the date/time, and the post-change condition.

What obligations do I have in an Oracle audit?

As part of the license agreement:

  1. “You agree to cooperate with Oracle’s audit and provide reasonable assistance and access to information reasonably requested by Oracle.”
  2. The following is not in every agreement, but is in the TOMA we link to: “Such assistance shall include, but shall not be limited to, the running of Oracle data measurement tools on Your servers and providing the resulting data to Oracle.” This is a tricky area, since Oracle audit scripts are known to gather information outside of the contractually valid scope of the audit.
  3. The audit, its data, and results, are confidential according to the Nondisclosure terms of the agreement (see below).
  4. You agree to remedy any non-compliance “within 30 days of written notification of that non-compliance.” This is also tricky because Oracle routinely reports incorrect results in their compliance notification reports.

What are the most common audit findings?

The most common audit findings from Oracle are not necessarily the ones that our customers end up paying the most money to resolve. The most common issue that Oracle raises in an audit is the use of virtualization technology. Their claims of needing to license every virtual host because of the possibility of a virtual machine moving to an unlicensed environment are specious, and not backed up by the license agreement. In the hundreds of audits that we have defended for our customers, the virtualization issue has come up every time the customer is deployed in a virtual environment.
 
Oracle has literally claimed deficiencies of hundreds of millions of dollars for customers using such technology. When our customers follow our recommendations on how to push back on such claims, they have been successful in getting Oracle to eliminate those findings from the audit report. Sometimes Oracle will insist on language in the audit close letter that they do not agree with our virtualization position, but ultimately the customers have not had to pay the outrageous fees Oracle originally claimed.
 
The most common areas we have seen where customers have had to pay Oracle in actual audit deficiencies are as follows:
  1. Uncontrolled, or even unintentional use of database options and/or packs that show a period of usage longer than about 1 month.
  2. Lack of core or host containment in a virtual environment resulting in a larger environment than the licenses would cover.
  3. Not understanding Oracle’s license rules that require licensing of development, test, disaster recovery, or other non-production environments.
  4. Deploying Oracle software to a cloud environment without sufficient understanding of how many licenses will be required.
These risks are all avoidable with appropriate compliance monitoring, and governance.
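The check behind the first risk item above (monitoring database feature usage) and the first finding (options or packs used for longer than about a month), as an added example that is not part of the original article: a query against Oracle’s DBA_FEATURE_USAGE_STATISTICS view, run as a user with SELECT access to that view and to V$DATABASE. The feature-name list is an assumed, illustrative subset, not Oracle’s full mapping of feature names to separately licensed options and packs.

```sql
-- Added example (not from the original article): report database features
-- that are currently in use, or whose recorded usage spans more than 30 days,
-- using the standard DBA_FEATURE_USAGE_STATISTICS view.
-- The feature names in the IN list are an assumed, illustrative subset of
-- names that map to separately licensed options/packs; maintain your own
-- list against Oracle's current documentation.
WITH current_db AS (
  -- A cloned or restored database can carry rows for an old DBID; keep
  -- only the rows that belong to this database.
  SELECT dbid FROM v$database
),
latest AS (
  -- After an upgrade the view keeps one row per feature per version;
  -- keep only the newest version's row for each feature.
  SELECT f.*
  FROM dba_feature_usage_statistics f
  JOIN current_db d ON d.dbid = f.dbid
  WHERE f.version = (SELECT MAX(version)
                     FROM dba_feature_usage_statistics
                     WHERE dbid = f.dbid AND name = f.name)
)
SELECT name,
       currently_used,
       detected_usages,
       first_usage_date,
       last_usage_date,
       ROUND(last_usage_date - first_usage_date) AS usage_span_days
FROM latest
WHERE detected_usages > 0
  AND (currently_used = 'TRUE'
       OR last_usage_date - first_usage_date > 30)
  AND name IN ('Partitioning (user)',   -- Partitioning option
               'AWR Report',            -- Diagnostics Pack
               'ADDM',                  -- Diagnostics Pack
               'SQL Tuning Advisor',    -- Tuning Pack
               'SQL Access Advisor')    -- Tuning Pack
ORDER BY usage_span_days DESC, name;
```

Rows returned here are a starting point for review, not a license finding in themselves; Oracle’s mapping of feature names to licensable options and packs changes between releases, and some features are only counted under additional conditions.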
 
Don’t be caught off guard during an audit. Read Navigating Oracle Audits today. 

Can I share confidential information about my Oracle environment with a third-party service provider?

The Nondisclosure clause (section 8 of the referenced TOMA) states that “Each party may disclose Confidential Information only to those employees or agents or subcontractors who are required to protect it against unauthorized disclosure in a manner no less protective than under the Master Agreement.” The vast majority of customer legal advisors that we have worked with have been comfortable that, with our own NDAs and services agreements, House of Brick meets the definition of a protected “agent or subcontractor.”

 
Some other audit defense service providers may recommend that you enter into a new NDA especially for the purpose of the audit. We have not found that such an agreement is necessary since the parties are already bound by obligations of confidentiality. Of course, each customer should validate this with their own legal counsel.

How do I conclude an Oracle audit?

Concluding an audit with Oracle is sometimes not well defined, although we prefer to have a formal acknowledgment that all activities are complete. Once the auditors conclude their analysis, they turn the resolution negotiation over to the sales team for the “commercial resolution.” This means you pay them money for the audit to wrap up. Since we have rarely, if ever, seen an audit report that was 100% accurate, we recommend keeping the auditors involved to eliminate those errors and disputes before attempting any commercial resolution.


This will frustrate both the audit and sales teams at Oracle, but it is ultimately in the customer’s best interest. We never recommend compromising with Oracle on the audit fees, preferring instead to insist on settling at the exact deficiency amount, if any. Some customers we have worked with have made a business decision that a certain offer of resolution from Oracle is sufficient and that they want to just end the process. In each case, we recommend a careful review of the audit close documentation for any “gotchas” that might get thrown in.


Oracle Audits in the cloud

Is migrating to the cloud an audit trigger?

Oracle has a keen interest in their customers migrating to Oracle Cloud solutions. When a customer decides to migrate to another public cloud, Oracle loses that sales opportunity. This can often lead to an audit in which Oracle explores your license footprint and identifies ways to try to push you back toward OCI.
