201711.06
Off
0

Seven Lessons I learned representing clients in Oracle Audits

Over the last several years, more and more Oracle customers are receiving notices that they have been selected for an Oracle license review or software audit that it reviews the license position of all of its customers worldwide.  That means if your company has not participated in a software license review with Oracle, the odds are very high that such a review will be forthcoming at some time in the future.  When a company receives a notice from Oracle that it is commencing an audit, many companies are unprepared.

Here are seven tips I have learned over the last decade that can help a company prepare both before and after receiving an audit notice.

  1. Know your license terms with Oracle, including any licensing restrictions.

Many long-term Oracle customers have difficulty locating their agreements with Oracle and have to ask Oracle for the relevant agreements at the onset of the audit.   Oracle relationships can span several decades, and customers often struggle to find the relevant documents.  In addition to the Oracle Master Agreement (“OMA”), the Oracle License and Services Agreement (“OLSA”), and the Software License and Services Agreement (“SLSA”) Oracle often adds additional terms and conditions in Ordering Documents.  Finally, Oracle also expects customers to be aware of and comply with various other policies (e.g., the partitioning policy dealing with virtualization).  Keeping close tabs on your active agreements can reduce the risk that your company will unnecessarily agree to participate in an audit because it cannot find the custom amendment that exempted that customer from the audit.

It is also critical for customers to have access to their license agreements because the customers should regularly be comparing the license grant and terms against all use cases to ensure that the current agreement allows for all the current and contemplated use cases.  All too often, Oracle customers are shocked in an audit that no one thought to review the license terms before virtualizing the server environment or allowing third-parties to access the software.

  1. It is critical to regularly review your Oracle environment against Oracle’s license metrics.

Companies using Oracle products should proactively review the environment at least twice per year to ensure proper use of the software.  It is not enough to review the Oracle environment in the light most favorable to the customer.  To truly prepare for the eventuality an Oracle license review, the licensee needs to ensure that it is reviewing the data the same way that Oracle’s License Management Services (“LMS”) team will review the data.

  1. Understanding Oracle’s use policies.

Whether it related to virtualization, clustering, or partitioning, whenever a licensee makes a change to its infrastructure, it needs to understand the licensing implications for those changes.  This can be more difficult than it sounds.  Many of Oracle’s policies are not incorporated into the license documents, and there is a great deal of misinformation about Oracle’s rules and restrictions.  Understanding how Oracle will view the environment is important to preparing for the software audit that is likely to come.

  1. Identify the scope of the audit.

When an enterprise Oracle customer receives an audit notice, it should carefully consider the scope of the audit.  In some cases, the customer has no ability to control foreign assets, which could be subject to different licensing terms and international laws.  For many enterprise customers, limiting an audit to a specific geographic region may make sense.  This could ensure that all of the licenses under review are subject to the same license terms, there are no language gaps, the relevant teams are local, and the hardware is located in the jurisdiction being audited.

Additionally, if the licensee is part of the Oracle PartnerNetwork (“OPN”), it should determine whether the internal development deployments are in the scope of the audit.  Finally, if the licensee distributes software to any third party, identify at the outset of the audit if Oracle expects you to audit end users as well as internal use.

  1. How to discover Oracle deployments.

During an audit, Oracle LMS regularly conducts the data gathering, but occasionally, Oracle uses the services of a third-party auditor.   Licensees are often unsure how to collect data that would be acceptable to Oracle.  During the early stages of the audit, LMS will likely ask whether there are any software tracking tools in the environment, if there are no such tools, LMS may offer the use of a combination of Oracle scripts and software.  Before using the proffered tools to collect data about Oracle deployments in the environment, licensees should consult with their systems and security teams to determine whether there are any concerns about the use of third-party tools on the network. Also ensure that all parties understand what, if any, responsibility the auditors will take if something goes wrong when the internal team uses the tools.

  1. How to find entitlements for Oracle products.

Although licensees should know how to identify entitlements for products still installed in the environment, it can sometimes be difficult to locate entitlements for older products, especially if those products are no longer in use.  If a product is installed but is no longer in use, the best practice is to decommission the product in advance of receiving an audit notification.  During the internal review identified above in number 2, many customers start with reviewing the most recent maintenance renewals, as those may contain data regarding the current number of entitlements.  For historical information, it may become necessary to reach out to resellers or research the licensee’s archives to find information about quantities of licenses that may not be under support.

  1. Audit Resolution

At the conclusion of the audit, the licensee should have comfort that all disputes have been resolved and it is now in compliance with its license requirements.  Audit resolutions should also include a full release of any claims that Oracle had as of the date of the resolution.

As the saying goes, when it comes to Oracle audits, the best defense is a good offense.  Having regular internal license reviews with experienced resources, identifying any gaps in documentation or reporting capabilities, and ensuring the license grants cover all of the licensee’s use cases can greatly reduce the potential exposure that may result from a Oracle license review.