How to Survive an Oracle License Audit and Manage Compliance
Have you received notice of an impending Oracle license audit?
If so, it’s not necessarily time to panic. It’s normal practice for Oracle to audit its customers — software license audits are a significant revenue source for the company.
Many well-meaning companies have fallen out of compliance with Oracle’s licensing requirements, not because the company is trying to defraud Oracle, but simply because Oracle’s license obligations are difficult to understand, and it is a challenge to monitor compliance.
Companies can have a better chance of achieving compliance and avoiding significant fines if they take some sensible measures to comply with Oracle’s license requirements.
Bear in mind, however, that after you submit audit data requested by Oracle’s license management services (“LMS”) team, the compliance demand you receive from Oracle may not accurately reflect your license position. In fact, it often overlooks your entitlements and resolves all ambiguities in Oracle’s favor.
Because of the opportunity for profits from licensing fees, Oracle often focuses on “low-hanging fruit” and attempts to maximize its revenue by auditing the customers who are most likely to pay.
The key to surviving an Oracle license audit and meeting compliance requirements without also harming your organization is to be prepared so that you can respond promptly with accurate, detailed data.
Let’s take a look at how to get the necessary processes in place to save you money, limit risk, and reduce future compliance headaches…
1. Define your audit process
Do not skip the planning stage or panic and start trying to buy licenses in an attempt to fix past mistakes.
It may be the case that Oracle is deployed in many areas of the organization. It is important to get organized, understand how Oracle is deployed across all departments, and involve the necessary individuals in the audit planning process:
- Gather your technical people together to form a full picture of Oracle usage within the organization.
- Include senior personnel from all affected departments – CIO, procurement, finance, legal, as well as IT.
- Appoint one person to act as the main contact for the audit and to conduct interactions with Oracle.
- Define the main processes to respond to the audit, create the rules that everyone will follow, assign roles and seek insights from previous audits.
2. Examine your Oracle contract in detail
Has your legal team actually read your Oracle contract in full?
Even if Oracle has updated its terms and conditions, it is likely still legally bound by the terms of the contract in effect when you purchased the software. As such, it is critical to understand what that contract says.
Examine it, consider Oracle’s requests, and then ask yourself:
- Are we compliant or non-compliant?
- If we are non-compliant, how much will it cost to fix?
- How much will legal action with Oracle cost?
Generally speaking (with a few exceptions), you need a license for every installation of Oracle software, regardless of whether it has been used.
Going to court may be an option but only in cases where millions of dollars are in dispute. In the majority of cases, it is better to maintain the relationship and to work together on the audit for a mutually beneficial solution.
3. Take stock of all of your Oracle installations
The next step is to take stock of your “Oracle estate” and find out exactly which software has been installed and accessed in your organization.
For many audits, Oracle requests that you use their proprietary LMS script. However, it may be possible to use other Oracle-approved or already deployed solutions to inventory the installations.
When you’re gathering the relevant data on installations, consider the following common risks and oversights in organizations using Oracle software:
- Licensing editions/packs/options: many programs have certain features, packs and options already installed that must be disabled to avoid licensing fees. Sometimes, users do not successfully disable the extra features and are required to pay for these unnecessary additions to the license.
- Exceeding the permitted number of users: most products licensed by user count have specified named user plus (NUP) minimums. This metric is based on the number of users and devices that connect to the Oracle database.
- Processor license counts: Oracle has its own way of calculating the number of processor licenses required: the processor count is multiplied by Oracle’s Core Factor to determine the number of licenses needed.
- Virtual machines: if Oracle is running virtually (such as in a cloud environment), you may be required to purchase licenses for all computers in the cluster.
4. Determine your level of Oracle compliance
After you have planned your audit, identified the appropriate team members, conducted an internal investigation, and identified the main risks, it’s time to evaluate the current level of compliance.
In step three, you considered the most common risks and oversights that organizations encounter. Now it’s time to evaluate your compliance in each of these key areas:
Editions, packs and options compliance
Determine whether any users have accessed features, packs, or options associated with the Oracle products you are using, especially if they should have been disabled.
If any of your users have the authorization to access the Oracle software, you will be expected to pay for it regardless of whether it has actually been used.
Count up all of the processors on which an Oracle product is installed, multiply by the Oracle Core Factor, and compare the result with the number of licenses you have. You will be expected to make up any shortfall.
To be compliant, non-licensed servers must be either failover servers (where the failover server is used for 10 days or less per year) or used for testing the restoration of a physical backup (up to four times a year and for no longer than two days at a time).
Check how many licenses you need for virtual machines running on host servers and whether your system is partitioned correctly, using approved Oracle partitioning technology (the “Oracle Partition Policy”).
5. Carefully consider any solutions offered by Oracle during an audit
After you’ve submitted your data for the Oracle audit, be prepared for an attempt to “sell” you a variety of solutions: either licenses to cover a shortfall according to the audit data or upselling existing solutions.
Carefully consider any Unlimited License Agreement offered during or after an audit. It will be presented as a way to use certain solutions without worrying about compliance. However, after three years, you are expected to count and certify your compliance.
Also, before committing to one of Oracle’s cloud solutions, consider the ramifications of a hybrid solution. Your CIO and business team can advise you on the best Oracle setup for the future based on your longer-term IT strategy.
Compare what Oracle is offering you with other similar solutions available on the market, and don’t be afraid to negotiate.
If you need assistance with the Oracle audit process, the software lawyers at Scott & Scott LLP provide a free 30-minute consultation to get you started.
Over the years, Scott & Scott LLP has helped more than 250 organizations navigate the complexities of the software audit process.