March 07, 2018

Oracle customers that are considering a switch to third-party support sometimes ask us if terminating their Oracle support contract will trigger an audit. We tell them that there are numerous audit triggers. Spinnaker Support has transitioned hundreds of organizations to third-party support and we are aware of just a few customers that went through an audit as a result.

Have you received the dreaded letter that you are under an Oracle license audit? If this is your first time going under audit with Oracle, you may be thinking “Why us?” But if you are a longtime Oracle customer, you know to expect this letter every 3-5 years. The question isn’t a matter of “Why” it’s a matter of “When.”

Oracle publicly states that audits are conducted at random. However, certain events (or non-events) can trigger an audit sooner than others. In this blog, we will discuss common triggers, what to do when you see an Oracle audit notification, and how to prepare for the inevitable.

Common Oracle Audit Triggers

Certain events, the most common of which are listed below may trigger an Oracle audit.

  • Failure to renew an Unlimited Licensing Agreements (ULAs)
  • A recent merger or acquisition
  • Hardware and/or software consolidation projects
  • Virtualization
  • Few or no new software purchases, no revenue generating opportunities for Oracle
  • A significant decrease in license spend
  • Not moving to Oracle cloud offerings
  • A history of non-compliance

There are other reasons that Oracle selects a company for review, but the main goal is simple: to find customers in non-compliance, which typically results in new revenue opportunities for Oracle.

What to Do When You Get an Oracle Audit Letter

An Oracle license review and an Oracle audit are essentially the same thing. The license review is just a nicer way of saying “You are being audited!” If you get a letter that makes specific reference to your agreement and the section that gives them rights to review your usage, then you are formally audited. Customers typically have 45 days to respond to an audit letter, so you will have some time to get organized and prepared before submitting your response. Here’s how to start:

Gather Licensing Agreements

  • Compile all your organizations’ licensing agreements that specify the licensed software, types and counts for purchased licensing, the prices paid for those licenses, and annual support contract.
  • If you cannot locate your licensing agreements, Oracle is obligated to provide you a copy of your license agreement upon request.

Identify Unlicensed Oracle Products

  • Oracle makes it very easy for IT departments to fall into non-compliance, so it’s important for organizations to determine if there are any unlicensed products or features that were inadvertently activated. For example, Oracle often delivers enhancements in updates or patches that activate automatically without your knowledge or consent. In other instances, Oracle does not require a license key or security code to download and install a product – which means you could very well be using a product in a manner that’s inconsistent with your contract.
  • Make sure you understand what is operational in your environment versus what is on your license contract (ULA).

Understand Virtualization Compliance Risks

  • One area that Oracle has historically targeted for audits is virtualization, which can be tricky to prove compliance vs. non-compliance. It is essential to provide any additional communication that may have included system architecture evaluation before licensing, what was included and not required to be included in your license agreement per Oracle.
  • Organizations need to understand how their virtual environments are configured and how or if they utilize Oracle programs.

Oracle Audit Tips

If this all sounds confusing, that’s because it is. But, remember – Oracle’s audit rights are weak, and you may have more power than you think. Here are some tips for navigating your next Oracle license review.

  • Oracle has no right to enter your company’s premises

If you do choose to let Oracle or its license management service onto your property; get it in writing.

  • Assign a named individual through which all communication with Oracle is filtered

It is often in your IT department’s best interest to control the communications with Oracle under a single contact or legal professional.

  • Oracle’s provided audit scripts or tools are not mandatory to run

You should evaluate if the scripts provided by Oracle are collecting information on items you are not contractually obligated to provide prior to turning over information. Only provide information on products that are included in the audit.

  • Oracle’s right to audit does not include a license review by any third parties

You are only obligated to assist the Oracle group named in your Oracle Master Agreement. You are not obligated to provide any information to or work with a third party.

  • Beware of providing Oracle with more information than is necessary  

You should not have to produce licenses you hold, nor should Oracle be examining your IT infrastructure. You do not need to disclose information about areas in which programs might or could be used – but are not.

The Results of an Oracle License Review

Hopefully, Oracle determines that your company is properly using all of your licenses. If the results of your Oracle Audit review determines you are under-licensed, then you are not alone. Unfortunately, you likely only have 30 days to purchase the additional licenses to bring you compliance. You will also need to pay any maintenance fees associated with those additional licenses, as well as back-maintenance fees which will be based on the pro-rated amount from when you began over-using your stated number of licenses. Oracle can terminate your usage and support within 30 days if you do not pay up! Don’t fall into the trap of purchasing cloud licenses as a concession to make the audit penalties go away. You can end up paying way more in the long run on rising subscription services and annual support fees on software that was never intended to be implemented.

You Can’t Avoid an Oracle Audit, But There is Help

Spinnaker Support can help you navigate through audit preparations and outline expectations. Our Legal and Contracts department cannot directly advise clients through an audit but can provide insight from previously-audited customers and industry partnerships that specialize in audit reviews. We recommend reviewing Building the Case for Third-Party Support, which offers some insight for moving away from Oracle Support. For many customers, the Oracle audit process and tactics have created bad will and it may be time to look for alternative options.

For another opinion, click here.