12 Pro Tips for Overcoming an Oracle Audit in 2023

Thursday, 5 January, 2023

You’ve heard the stories [or shall we say nightmares] about Oracle audits. And you have always feared what an Oracle audit might reveal should your organization be the subject of one. And rightfully so, as there are many missteps one can take throughout the audit process that can take your audit from bad to worse. Outlined in this guide are the 12 pro tips for overcoming an Oracle audit at every step of the process.

Audit Notification

Pro Tip #1: Verify That it is a Formal Audit

There is no such thing as an informal audit.  You are only required to respond to formal audit requests from Oracle LMS. Some consultants suggest that there are different types of Oracle audits. This is false. When you are being audited, you will receive a letter detailing the audit notice from Oracle LMS. Any other request for information is just a discovery request from a nosey sales rep trying to drive their sales or tip you off to the audit department.  You do not need to respond to requests from anyone besides Oracle LMS or third-party auditors Oracle has hired to execute an audit.  Yes, you read that correctly. Oracle is conducting so many audits that they had to outsource a portion of auditing their customers to other vendors.

Pro Tip #2: Seek Professional [Unbiased] Advice

Yes, this is us saying you should employ us, and here’s why: We know all of Oracle’s auditing practices and can better prepare you for an audit and push back against requests that are not contractually obligated. We can identify common areas where Oracle pressures customers into believing they have more substantial compliance risks than they contractually do. 100% of our customers who have completed our Compliance and Optimization Review have a compliance issue according to Oracle LMS standard auditing practices. However, 87% of these customers don’t owe as much as Oracle claims. Having an expert who can distinguish these discrepancies can mean a difference of millions of dollars in audit fees.

NOTE: Beware of ex-Oracle employees or organizations that are too aligned with Oracle. While they may be well-versed in audits, their ideas behind compliance are often aligned with those of Oracle LMS. Many times these consultants lack the technical capabilities to understand more complex solutions such as re-platforming or consolidation [which are ways you can save money without sacrificing performance].

Pro Tip #3: Do Not Tell Oracle Any Information [Yet]

Anything you say or do will be held against you in an Oracle audit. You should be wary of your “good relationship” with Oracle. We cannot tell you the number of times customers believe being on “good” terms with their Oracle sales rep will spare them from being audited.  Too often, sharing information with your Oracle sales rep is what leads to a formal audit. They exploit that good relationship by using casual conversation as discovery opportunities about potential underlying compliance issues.

Oracle’s aggressive audit tactics play counter to the idea of having a good relationship with the organization. Oracle relies on the nature of these relationships and sees a higher rate of uncontested audit fees as a result of the customer’s fear of spoiling a good position with Oracle.  They give customers the illusion of “We cut you a deal.” Often that “deal” is no deal at all and a gross overreach of your Oracle contractual obligations.

Acknowledgment

Pro Tip #4: Determine the Scope

An audit request may be vague about what information Oracle is collecting. You don’t want to provide more information than absolutely necessary. Many times, audits do not cover every Oracle product and license you may own. Make sure to request a detailed description of what is being audited to gain clarity. Failure to request specifics requires your organization to expose everything and increases the possibility of revealing more compliance issues, resulting in a more significant audit bill.

Pro Tip #5: Establish a Timeline

Once the final audit findings are delivered, you have 30 days to pay any fees.  Previously Oracle had been releasing preliminary findings and providing time to challenge these.  More recently, Oracle is going straight to the final findings and providing less time to contest and review their audit results. Ultimately, they are collecting money faster with less contention from their auditee.  

STANDARD ORACLE CONTRACT AUDIT CLAUSE

Upon 45 days written notice, Oracle may audit your use of the programs. You agree to cooperate with Oracle’s audit and provide reasonable assistance and access to information. Any such audit shall not unreasonably interfere with your normal business operations. You agree to pay within 30 days of written notification any fees applicable to your use of the programs in excess of your license rights. If you do not pay, Oracle can end your technical support, licenses and/or this agreement.

Pro Tip #6: Create Points of Negotiation

  • Require a non-disclosure agreement [NDA]
    • Especially important if a third party is doing the audit on Oracle’s behalf
  • Request details on the script
    • What does it do?
    • Does it open up any security issues?
    • Does it collect customer info?
  • Push the start date
  • Request a sample size for auditing
    • 5% is generally acceptable
  • Request an outline of everything required in the audit
  • Establish an acceptable timeframe to contest audit findings

Oracle holds all the cards as they have created the contracts that govern the audit process. And of course, contracts inherently protect the intellectual property owner. While you have an uphill battle against the audit process, you can create points of negotiation that give the illusion of compromise without really losing any ground.

Responding

Pro Tip #7: Do Not Provide More Information Than is Absolutely Necessary

After you’ve gained clarity on the scope, and negotiated a sampling size of the audit, stick to it. Only show the cards that are necessary within the audit.  Everything you expose to them is potential for them to uncover compliance issues, especially if you have deployed Oracle in a virtualized environment, such as VMware. Show them ONLY what is relevant in the virtualized environment that is dedicated to running Oracle.  Oracle LMS will often claim that you need to license everything in a virtualized environment, and that is false.

Pro Tip #8: Respond to Audit Requests Honestly but Carefully

During your audit, Oracle gives you access to the Oracle LMS portal. The audit portal includes a questionnaire about your company and your environment. At first it begins with harmless questions inquiring about your company size, industry, employees, etc. However, it quickly turns to more prying questions about your Oracle usage, diving into virtualization, high availability, and disaster recovery requirements, often opening the door to usage scrutiny.

In addition to the questionnaire, you will also have to complete a worksheet on every Oracle product you own, known as the Oracle Server Worksheet or OSW. Prepare to spend some time on this worksheet, especially if you have a lot of licenses and different products. A licensing expert can come in handy in filling out this sheet correctly. We find that Column ‘H’ [Options in Use] and ‘I’ [Management Packs in Use] give our customers the most trouble. Filling out this sheet inaccurately will raise flags for Oracle to investigate further.

Pro Tip #9: Reconcile the Scripts with Your Worksheet

Think of the script results as an answer key to your worksheet. If one doesn’t match the other, Oracle will look at this as a warning sign. Maybe you don’t know what products you own, where or how they are deployed, or possibly all of the above. They’ll use this worksheet to their advantage to target areas that may not be included in the negotiated scope of your audit to uncover other compliance issues.

Audit Findings

Pro Tip #10: Ask Questions

Make a list of detailed questions in your response when contesting fees. Ask Oracle to explain any wrongful use [if any]. Also, request supporting evidence of any and all claims. Clarifying details will help poke holes in compliance issues that are not contractually obligated.

Pro Tip #11: Push Back

87% of our clients were told they owe more than they were contractually obligated, as found here in our customer success story: The Oracle Audit Playbook: Health Exchange Found Out of Compliance by More Than $14M. Oracle threatened the Exchange with a bankrupting audit bill and settled on a solution that still cost the customer millions of dollars more than they should have paid. Don’t pay more than you absolutely need.

Pro Tip #12: Negotiate

Everything is negotiable, but not every negotiation is easy. Experience is key when selecting who will help you with your Oracle audit. We have a pricing database of Oracle customers of all sizes detailing what they paid for each product. We can ensure you are receiving the best deal. Additionally, we have negotiated terms in settling audit disputes that have saved customers millions in audit fees, either reducing the bill or even eliminating it altogether. If you choose to negotiate with Oracle directly, here are a few common areas where Oracle is willing to bend:

  • Request that any unused licenses may be exchanged against any license obligations for different products.
  • Request that license obligations can be purchased at a reasonable market discount instead of list price.

If you are concerned about an Oracle audit, have received an Oracle audit notice, or are currently in the middle of an Oracle audit, contact LicenseFortress today.