Surviving an Oracle License Audit: What You Need to Know in Advance
Which notification do you fear more?
A letter from your country’s federal tax authority (FTA) informing you that your business will be audited to ensure you’ve met your full tax obligations?
A letter from Oracle’s License Management Services (LMS) enforcement unit notifying you that your company has been selected for a license audit or license review?
Assuming you’ve not deliberately violated either the tax laws or the terms of your Oracle licenses, you’re arguably better off hearing from your FTA than from Oracle.
That’s because as complicated as both the tax laws and Oracle’s licensing agreements are, most businesses rely heavily on certified tax accountants to help them navigate the maze of tax regulations and avoid costly landmines; while most Oracle users attempt to interpret and comply with their software license agreements on their own.
What’s even worse for Oracle users is that their likelihood of being audited may be more than ten times greater than the probability that their company will face a governmental tax audit. Indeed, based on common practice, you can expect to be audited once every 3-4 years by Oracle or by one of its LMS partners.
Whose fines and penalties are worse – the tax collector’s or the Oracle auditors? That’s debatable. But you should know for certain that being caught out of compliance by Oracle represents a huge financial risk that can easily run five, six or even seven figures, and in some rare cases eight or nine figures.
The Oracle audit process is no breeze, either. In its lawsuit stemming from an Oracle compliance dispute, candy maker Mars, Inc. provided the software licenser 233,089 pages of documents between May 13, 2015 and September 2, 2015, alone. The two companies eventually reached an out-of-court settlement for an undisclosed sum.
In the end, there is no need to fear either a tax audit or a software licensing audit, if your business understands the process and has taken the required steps to ensure it operates consistently in accordance with its responsibilities.
In this series of posts, titled, “Surviving an Oracle License Audit,” I’ll demystify the Oracle audit process, and provide you valuable insights on actions to take to enter and exit the process with your wallet intact.
To begin, let’s address the topic:
What You Need to Know in Advance of an Oracle Audit
How Often Will We Be Audited?
Generally, it’s not a question of whether you’ll be audited by Oracle, only a question of when. Although my colleagues and I know of instances of businesses that have faced annual audits, the common practice is for you to be audited once every 3-4 years.
The audit cycle, especially for database and middleware licenses, frequently correlates with your company’s hardware updates. Since end-users typically renew their hardware every 3-4 years, that’s about how often Oracle’s auditors come calling.
If Oracle gets any sense that your business is non-compliant, or if when it conducted a previous audit its review was limited to only a portion of the software programs you deploy, your company will probably face more frequent audits.
How Much Time Will We Have to Prepare for an Audit?
Officially, Oracle gives you 45 days. To make certain Oracle gets your attention, it will send its audit notification letter to your CFO and your CIO. In turn, Oracle will request that your company designate a single individual to coordinate the audit from your side and serve as Oracle’s point of contact.
The 45-day heads-up is never enough time to be completely prepared for an audit, unless you began much earlier, anticipating that sooner or later an audit was inevitable.
Indeed, the ideal time to retain an independent software advisory firm, such as The Software Consulting Group, is well ahead of an audit notification. Doing so allows you to gather the necessary information, effectively use and manage your software investments on an ongoing basis, and be in a position to save money at your next audit.
Be aware that when you signed your Oracle agreement, you most likely agreed to the company’s right to audit your use of its software programs. (There are a limited number of end-users that don’t have an audit clause or have one that provides for a non-audit period.) While 45 days is the stated notice period of most contracts, Oracle’s auditors often will try to begin their audit even sooner.
How Does Oracle Decide Which Clients to Audit?
Oracle maintains that it audits companies randomly, and perhaps that is the case for some of its end-users.
But most often Oracle clients are “nominated” for the “honor” of being examined by a client’s own sales representative, when that representative suspects non-compliance.
It falls to Oracle’s License Management Services (LMS) evaluators to then assess the potential size of a client’s financial exposure and to decide whether to proceed with an audit. LMS, itself, at times independently instigates a risk analysis and subsequent audit.
Just as with your FTA, which is more likely to audit tax filers who the agencies’ sophisticated algorithms detect making common errors, so, too, Oracle looks for red flags that experience has shown correlate highly with non-compliance.
These triggers include:
The passage of too much time since your last audit or your last Oracle contract renewal. Given the rapidly evolving nature of the hardware on which Oracle software runs, Oracle calculates that the more time that has passed, the greater the likelihood that your business is at risk for non-compliance.
Changes in your business structure, including mergers, acquisitions, and divestitures of legal entities usually correlate with changes in software deployment. Such structural developments often require a renegotiation of Oracle’s licenses to remain in compliance.
When a company installs more or larger-capacity servers and a more flexible hardware structure – such as virtualization through VMware – the odds are very good that the end-user must also buy additional Oracle licenses or face compliance issues and fines.
Invite an Audit
Oracle audits can be black holes of times, attention, and ultimately money. Savvy end-users can’t avoid an inevitable Oracle audit, but if they come to one fully prepared, they can emerge unscathed after a relatively painless process.
Remember, the time to respond to your company’s Oracle audit notification letter is long before it ever arrives.
The Software Consulting Group will help you understand your software usage and any potential areas of exposure while there is still plenty of time to reduce your audit risks and save money. We encourage you to invite an audit – not from Oracle, but from our veteran team of independent auditors. SCG uses a secure, user-friendly, secure online license management tool that helps capture the right data and translate it into understandable, actionable information.
When you have the right information within quick reach, you’ll be fully prepared for an Oracle audit whenever it arises, and you’ll be enabled to manage informed, cost-effective decisions about your IT resources and spend.
Contact us at firstname.lastname@example.org or +1 888 466 2899 to learn more about how SCG can help.