Do’s and don’ts during an Oracle audit

As a professional, you definitely heard about ‘audits’, most probably in a financial context. A financial audit is an examination and evaluation of the financial records of a company, to make sure that they are an accurate reflection of the transactions they claim to represent. This term has been seen in a negative light, since it comes with some kind of stress and pressure for the company that is evaluated and implies that something is wrong.

Similar to the financial audit, there is a range of other kinds of audits, but we’ll focus today on software audits. A software licensing audit means that the software vendor will verify if your company is deploying and using the software in such a way that is matching the terms and conditions of the licenses purchased with it. To verify the compliance, the vendor will look at the software usage, the number of licenses and the related contracts.

As each software license agreement includes some sort of audit clause, any company that is using software programs can expect to be audited at some point. The clause states that the audit can take place once per year, but that’s not always the case. Besides the audit clause, there are many other situations when a software publisher can select a company for an audit. Examples include termination of support maintenance, mergers and acquisitions, growth in number of employees, agreement expiration and so on. You can find more details in our article “What may trigger a software audit?”. As simple as it may seem at the first glance, a software licensing audit is a very serious and complex process, since any negative results can have a huge financial and legal impact on a company.

Oracle audits

In this article, we will dive into the execution of an Oracle audit, which generally occurs every 3-4 years, but it can happen annually, as stated in the audit clause of the agreement. As a standard, you will receive a letter from Oracle License Management Services, informing that you have been selected for an audit. However, we noticed that some companies are confused when it comes to the terms Oracle uses when it comes to audits: “Oracle Business review”, “License review” and “Oracle audit”. In case Oracle starts an official audit by referring to the audit clause included the license agreement, it will state that you are being selected to perform an Oracle License Review. However, all of the previously mentioned terms mean in the end the same: an audit. During any of these reviews you are required to provide deployment and usage data towards Oracle, so that they can validate your compliance position.

Moving forward, we will share with you the major do’s and don’ts that can help you easily navigate through the (Oracle) audit process. It’s good to keep in mind that you don’t have to do this alone and that we can help – from audit preparation and compliance analysis to advising you on how to negotiate during the audit to get the best results.

Do’s to protect your company during an Oracle audit

Cooperate with Oracle

Every Oracle agreement says that you are required to provide “reasonable assistance and access to information” during the course of an audit. Not doing this can cause legal disputes or even (worst case) the cancellation of your support maintenance and your license agreement. An audit can be delayed, but you can do that in a smart way. It’s ok to delay it so that you have time to put all your ducks in a row, but don’t just dismiss it. Because it’s an official formal procedure that all Oracle customers have agreed to comply with (you included), you should just cooperate. 

Organize internally for the audit

Make sure that you have the proper resources available to support you during the audit. You can create an internal team and agree on the approach: determine the appropriate people that will be involved, create a strategy and a tactical plan (implemented by a cross functional operational team). Try to find out the exact scope of the audit, duration or any other limitations of scope that may include geography, legal entities, product categories, environments, device types, days of the week, times of the day, etc. Create a communication protocol to control the information flow or a single point of contact. 

Gather the entitlement documents and review them

Gather all the Oracle documents that you have and make a list of the ones that you’re missing. Then you can ask Oracle to provide copies of all the relevant agreements on your list (e.g., order documents, OLSA, OMA, etc.). This will allow you to ensure that Oracle is not auditing products which they have no right to audit and it will also offer you a clear overview of all your purchased licenses. Plus, you will get a better view on your contractual agreements to understand the terms and conditions.

Check SAM tools, deployment and usage data

Verify all the internal data before going to the battlefield. Keep track of the software that is deployed and used, how it is used and who is using the software. Most companies think that if they are using a (Oracle Verified) SAM tool, they are safe, which is not necessarily true. You will need to have full control which, besides the tools, require you to have the processes, the right people and knowledge to understand the data collected. For example, SAM tools can create software inventory and compliance reports, but often the software allocation applied by the tool is not aligned with the metric definitions in your contracts. And how does your tool capture all the necessary virtualization details?

Most people take it lightly, thinking “How difficult can it be to count licenses?”, but there is a reason why an audit done by Oracle itself can take 3 to 6 months from start to completion. Their team spends a lot of time and resources in order to look into all the details and to validate the compliance position. Our advice is to review your licenses every year. This way, you still have opportunities to remediate, optimize and become compliant before the audit letter comes in.

Ask for help

Proactive management of license entitlements is key to avoid being landed with unexpected additional cost and you can do that by performing an internal audit. It’s all in the details: if there is no clarity on the real license entitlements or on the real deployment and licensable usage it can translate into missed information and possible risks. Of course, it is recommended to do this before the audit letter lands on your desk. Nevertheless, even if you already got the letter, you can still use the help of independent experts in licensing, as their advice can make it easy to save time and money. We can share our knowledge and assist you in every step of the process.

Review the audit report you receive from Oracle

The audit is over and there is no turning back. So, what can you do now? At the end of the audit, it’s a bit late to change the results, but you can learn from this and prepare better next time: review the audit report you receive from Oracle, check any discrepancies and ask for explanations regarding the differences. This can help you take preventive measures in the future and optimize your usage. Start performing annual internal reviews on your license usage to have a better management of your software assets.

Don’ts during an Oracle audit 

Don’t assume that you can manage the audit by yourself

Most companies think that if they have SAM tools and an IT department, it’s easy to handle the audit all by themselves, but most of the times, the reality is different. Why? Because even if they have specialists in house, Oracle software licensing is a very complex field that is difficult to be covered by an internal IT department. Especially because there are also a lot of documents involved. And why to expose yourself to unnecessary risks when help is available and there are experts who can assist you and protect your interests in case of an audit?

Don’t share all your data with Oracle

You can respond to the audit letter, but don’t provide more information than what has been reasonably requested. Don’t share any technical data before it is checked internally. If there is an issue identified from the shared data, Oracle will raise that as a compliance issue which requires a commercial resolution. So, analyze your data and protect yourself! At this point, you might need some expert assistance to analyze and interpret the raw data, to highlight only what’s in scope.

Don’t assume that your SAM tool will offer full control over your licenses

Don’t rush to believe that your internal SAM tool can do everything to manage your licenses properly. SAM tools are useful, but they cannot provide automated compliance just by one click, they have some limitations that require manual work to get the required value specific for your own type of business. So, they work very well complemented by knowledge.

Don’t purchase anything from Oracle during the audit

During the audit period, you should stop any new purchases from Oracle (if possible) and try to figure out what is the compliance gap you have and how to fix it. Ideally, this should be done before the audit starts. If you perform a pro-active license review and get compliant, you won’t need to pay Oracle anything the next time you are audited. In case you discover any license gap, it is better to purchase the licenses before the audit starts because this will put you in a stronger position to negotiate.