Navigating an Oracle Software Audit – Here’s What To Expect

You received a letter from Oracle informing you that your company has been selected for an Oracle license audit, and now you’re asking yourself—why me?!  Take a deep breath and remain calm.  You’re not in an enviable situation but what you do or don’t do now can greatly impact the outcome of the audit.  The clock starts ticking once you have an audit letter in hand, so let’s discuss what you can expect and how to navigate the Oracle license audit process.

Why is Oracle Auditing You?

Oracle’s sales teams can initiate an audit if they suspect non-compliance, which we have suspiciously found to happen more often once price protections have expired and/or the licensee’s products or metrics are out of date.  Unfortunately, even if you think you have followed Oracle’s licensing rules, you may have unknowingly fallen out-of-compliance.  This was the case for many Oracle Java users after Oracle made changes to Java Standard Edition (SE).

Beyond major changes like that of Java, Oracle’s licensing policies can change any time and don’t exist in one central place.  While some can be in your contract, others are in website URLs that Oracle can modify at any time without your knowledge.

We have seen several business events and scenarios that are likely to trigger an Oracle audit.  For example, businesses that run Oracle databases on VMware for server virtualization tend to have greater chances of being audited.  However, you also could have been systematically selected for an audit by Oracle’s License Management Services (LMS), which tends to occur every 3-5 years.

What Will Oracle Ask You to Do?

Oracle will initiate the audit by sending you a letter stating their intent to conduct an Oracle license audit, or they may refer to the audit as a “license review”.  The letter will specify the purpose of the audit and will verify the quantity and type of Oracle products currently licensed, validate the current usage, and reconcile the license entitlement with the actual license usage.  This letter will be accompanied by an Oracle Server Worksheet, an Excel sheet that requests in-depth information about your IT infrastructure.  Additionally, Oracle will almost certainly request that you run their scripts on your servers, which will generate reports for you to return to Oracle detailing the results.

What Are Your Obligations?

Ignoring the audit request is not a viable option.  Your agreement likely provides Oracle with the right to initiate a software audit if they provide you with 45 days advanced notice of their intent to conduct an audit, and includes the affirmative obligation that you “cooperate with Oracle’s audit and provide reasonable assistance and access to information.”

You may have developed some savvy delay tactics over the years, but unfortunately those will likely be viewed and interpreted as non-cooperation.  In many Oracle contracts, non-cooperation is considered a material breach.  This is not a desirable outcome because Oracle will then turn the matter over to their legal team, who are far less amenable to negotiation.

First, confirm receipt of Oracle’s letter and designate a single point of contact with Oracle.  This is also an excellent time to seek outside assistance from contract negotiation consultants.

You are probably now asking, “What do I actually need to provide to Oracle?”  Well, Oracle’s “search warrant” is not unlimited.  For instance, you are not obligated to run the scripts Oracle requested.  Additionally, your agreement may include language stating that the “audit shall not unreasonably interfere with your normal business operations”.  This limits Oracle’s ability to conduct a fishing expedition and completely disrupt your business.  However, it is worth mentioning that this language varies based on Oracle’s license agreement template at the time you executed your contract.

The level of effort that your company needs to put forth in assisting Oracle with the audit is a complicated issue.  In short, you are only required to cooperate and provide reasonable assistance and access to information about your Oracle software deployment and usage details.

Take These Steps to Prepare Your Oracle Audit Defense

Oracle has a myriad of licensing rules, policies and requirements, so the sheer breadth of material to review can be overwhelming.  However, developing a deep understanding of Oracle’s current licensing policies and your Oracle footprint is a critical part of preparing to defend your organization against the audit.

Based on our experience advising clients during Oracle audit negotiations, we recommend that you do the following as soon as possible:

1. Internally review your Oracle contracts for specific rights and obligations that may have been negotiated relating to the audit.

2. Determine your contractual license levels from all Order Forms.  Do not rely on Oracle to send you missing contracts.  Customers must maintain proper record of all current contracts and license entitlements.

3. Identify your actual deployed licenses based on the associated product license metrics.

4. Provide notice of the audit to all internal parties who have communications with Oracle to ensure that all further communications with Oracle flow through the single point of contact.

These steps will allow you to properly prepare by identifying your rights and licensing gaps prior to the audit and any subsequent negotiations.

A Compliance Gap is Discovered

If the results of your Oracle audit reveal that you are under-licensed, then I have a bit of bad news for you.  Your Oracle agreement probably says that you have 30 days to pay for:

1. The requisite licenses required to bring you in compliance

2. The go-forward maintenance fees for the remainder of the year on the requisite licenses

3. The back maintenance fees on the requisite licenses pro-rated to the date when your company began using the licenses and became non-compliant.

Per the standard terms of Oracle’s agreement, you have 30 days to pay, otherwise Oracle can terminate your license and support.  This is a non-viable option for almost every organization, as ceasing to use the Oracle software within 30 days is simply not practical.  The slight bit of good news is that any active price protections typically apply to the commercial resolution of your compliance issue, provided there are no restrictions in the price protection language.

Our complimentary Baseline Assessment uses Oracle’s current policies to determine your potential compliance and cost exposure as well as identify optimization opportunities.  This gives you the opportunity to proactively take corrective action internally to reduce your out-of-compliance exposure and empowers you to approach Oracle in a manner of your choosing to negotiate any required license purchases.

Related Blogs