Oracle Audit Strategy and What to Expect in 2023

Key findings from the report include that there is no evidence that audit activity is decreasing, even with the shift to cloud. In fact, 38% of respondents indicated that moving workloads to cloud has increased compliance concerns. Furthermore, there is a clear trend that audits are being targeted on SMEs – specifically organizations with between 250 & 1,000 employees. 83% of companies of that size reported having been audited in the past three years. 

However, it’s not all doom and gloom. It was interesting to note that on average 9 out of 10 audits were conducted in a friendly and professional manner. 

For more insights from the report listen to the podcast where we also delve deeper into Oracle’s audit strategy and priorities for 2023 and beyond. 


Introduction

Welcome to the ITAM Review Podcast. News, reviews and resources for ITAM, SAM and software licensing professionals.

AJ Witt:

Hello everyone. Welcome to this podcast from the ITAM Review presented in conjunction with LicenseFortress. This is our first podcast of 2023. Yes, we’re there already. We’re recording this in early January when it’s dark and miserable outside. So we’re going to talk about some brighter things, mainly Oracle’s bright red logo and other things on this. So this… I’m joined today by Mike Corey from LicenseFortress. Hi, Mike.

Mike Corey:

Hey, how you doing?

AJ Witt:

Hi. And also Dean Bolton from LicenseFortress. Hi, Dean.

Dean Bolton:

Hello all.

AJ Witt:

Hi. Those of you who have listened to these podcasts, I think this is probably our third or fourth one that we’ve done with LicenseFortress. We like to kind of get the guys in to have a chat about all things Oracle, what’s coming along, what we’ve seen in the past year and so on. And so today what we’re going to do is touch on the results of a survey that LicenseFortress ran last year, looking at kind of what the audit landscape is like, not just for Oracle but in general.

So we’re going to touch on a few findings from that survey and we’re going to wrap up as well with having a bit of a chat about what we can all expect from Oracle in 2023, so what are the things we should be paying attention to.

Cloud Doesn’t Eliminate Audit Risk

And so one of the first things that came out of this survey that LicenseFortress did was that cloud doesn’t really make audit risk go away, which is interesting because I’m sure many of us have had that conversation whereby, oh, we’ll just move it to the cloud and then everything’s tracked and we can see our consumption and therefore we shouldn’t run into any compliance issues.

Clearly that isn’t the case and many respondents to the survey felt that cloud has actually increased their audit risk. I’m wondering, first question to you guys, what are the specific issues to pay attention to about Oracle in the cloud?

New Licensing Metrics and Increased Complexity

Dean Bolton:

I think there’s a couple things and what jumps to mind first is, one, the cloud is very flexible, but it also increases complexity from a software asset management perspective. You had a little bit of barrier to entry before, because if you wanted to spin up something new 20 years ago, you had to order a new system and it was hard to lose track of that thing. It was a physical item, right? Virtualization came along, made it a little bit easier to spin up some new stuff, gave more flexibility, but also made it more difficult to control things. The cloud has kind of turbocharged that, right? Anybody with a credit card can spin up an environment, download some software and cause problems. So I think the big thing around that is, you have a new complexity level in there that is probably an order of magnitude more difficult to manage from a software asset management perspective than before.

The other piece of it is with that additional flexibility and complexity, there’s all kinds of new licensing metrics that come into play. I mean, with Oracle, Azure, Amazon, you have bring your own license, you have license included, you have metrics that are brand new that don’t translate over. They’ve taken products that exist before and on-prem, and they’ve mapped them in not clear and transparent ways into some of their SaaS offerings. And so I think those two things really just make it much more difficult and complex to manage all of these different licenses and metrics in the cloud.

Resource Strain on IT Staff

Mike Corey:

Yeah, I guess I would just add to that in the decade that we’ve been helping companies with license compliance, we’ve yet to find anybody compliant, because the IT staffs are stretched too thin. In fact, a lot of times when they have a software asset management tool, it’s not even deployed correctly. So it’s giving misinformation. And now we’ve just added another layer to an IT staff that’s already overworked trying to do more with less, and so they just can’t manage what they already have. And now you add this, and as Dean said, new licensing metrics, new types of licenses, it is just a nightmare for the internal IT staff and the business risk can be astronomic.

AJ Witt:

Yeah, yeah, I mean, I know all three of us have come from technical backgrounds. We’ve been that person installing software and running up systems based on a request that’s come through. And I don’t know about you guys, but certainly when I was a server technician, I wasn’t necessarily paying too much attention to licensing. I didn’t really understand it. It’d be kind of, oh yeah, just get this stuff installed quickly next, next, next, next, next, and suddenly you’ve gone in and installed a bunch of options that you didn’t actually want to use, but hey, they’re installed, and yes, Oracle will find that stuff if you let them. So yeah, I think that’s reality. And then with cloud you’ve got, as you say, there’s even less control. With physical servers, you obviously had to have a log onto the server, so someone would’ve given you those admin rights and so on. That isn’t always the case with cloud.

Dean Bolton:

Yep, exactly.

AJ Witt:

Yeah. So we talked about how kind of cloud doesn’t necessarily reduce audit risk.

Post-Pandemic Audit Activity

The second point from the survey was really that, yeah, audits are still going ahead. We are seeing audit activity out there probably increasing slightly. Would you agree that it’s increased probably a little bit since sort of 2020, 2021, where maybe it dropped off due to the pandemic? Is there a bit of stored-up demand from publishers?

Mike Corey:

So a great finding of the survey is that because of the pandemic, the survey surmises that audits have increased. And really it comes down to revenue. Companies got really hurt by the pandemic and are hurting for revenue, and they have to find it and they’re turning to their clients, their existing clients, as a way to generate easy revenue. And so I always say to people, audits are not about software compliancy, audits are about revenue generation for the vendors. It makes you an easy target for them. And then I go back to that data point that we always talk about.

The Financial Risk of Non-Compliance

In the decade we’ve been helping companies, we’ve yet to find somebody compliant. We’ve even had customers hit a billion dollars in compliancy issues. Can you imagine what that could mean to a business trying to write a check like that?

AJ Witt:

Well, exactly. I mean, that’s an existential threat, isn’t it? And we have seen that. We have seen companies who are not necessarily on the back of Oracle audits cease trading based on software audits. I can think of a couple of examples of quite large organizations just being finished by a compliance charge. Yeah.

Mike Corey:

And the other thing that the survey says, it’s not the small companies they’re going after, 250 employees and less. It’s the middle-sized company, that 250 to 1000 employees. It seems to be the new sweet spot. And I think it really comes down to they have less resources, they have less ability to defend themselves. And then right behind that is the companies a thousand people or more where absolutely they know there’s easy money to be had. And so as a small company, you’re probably going to fall under the radar, but if you’ve got over 250 employees, that survey shows you have about a 60%, 70% chance of an audit within three years. And I think it goes up to about 80% within five years. In most companies, quite a few had multiple audits. So the vendors clearly see revenue opportunity here.

AJ Witt:

And it’s likely to be at that sort of size, 250 to 1000, where you are not going to have great ITAM processes in place. You probably may not have an ITAM tool, you probably don’t even have a dedicated ITAM person. It will be someone’s job on the side of doing something else, be it someone in infrastructure or someone who orders software, keeps a record of these things. So we certainly see that from ITAM Review data as to at what point do you get more than one person doing ITAM? And yes, certainly it’s way above 1000 employees.

Mike Corey:

ITAM is like security. Everybody knows they need security, but most companies don’t really pay attention to security to the level they should till after the break-in happens. And then all of a sudden they get religion and they make major investments in security. And I think ITAM falls into that bucket to a certain extent. We know we need it, we know it’s good business practice, we preach to people constantly, but the organizations are trying to do more with less, but then they have to pay that big audit bill and then all of a sudden they realize, well maybe we need to make an investment here. And then of course they turn to software, which I think is a necessary component to solving the problem. But software doesn’t solve the entire problem. There’s a lot more than knowing what you have, it’s understanding what the vendor tactics are, understanding what the contract interpretations are, right, catching options being turned on that were unlicensed. There’s a lot more to just throwing software at the problem. We think it’s a very small piece of the problem solution.

Dean Bolton:

And I think just to follow up on that is… AJ, you’re right. The size you have to have a dedicated ITAM person is probably above that thousand mark. But even then, you have to make sure they’re integrated in there. Because all too often we see these vendors do an audit, and as Mike said, you’re in within three years, 60% chance, five years, 80% chance. So it’s coming, right? But then when the audit happens, if you have ITAM, they’re not connected to the technical team and they handle it separately. So you get this request from the vendor to go run the scripts or provide this data, you kick it over to the technical team, they go ahead and do it, send the data back, and by then, it’s too late. The horse has basically left the barn. And now you got a real problem on your hands in terms of how to handle that audit in there.

And with a lot of the vendors we work with, you’re talking about some business-critical, mission-critical systems. So it’s not like you can just turn them off. If you have a developer tool that you’re using and there’s an issue with the vendor, they audit, you might fight with them and ultimately decide, we don’t need this tool, not a big deal. There’s replacements on there. But if you’re talking about something like an Oracle database which runs your ERP system, you can’t turn that off or otherwise your business shuts down and you might be looking at something like 50 million dollars. In a lot of these cases, that’s a low number to transition to another system. And so you can very quickly get stuck between a rock and a hard place on a lot of these issues.

AJ Witt:

Yeah, I certainly recognize that. I got my first gig in ITAM off the back of an Oracle audit that had gone horribly wrong for my employer. And it was exactly that actually, it was a disconnect between the people that were doing license compliance, who were seen as kind of record keepers in clerical and not very senior in the organization. And they had no say over the technical teams at all. So they had no real mandate to go out there and say, look guys, you need to make changes here. And that ended up costing them seven figures.

And so the approach was, well, we need to do this properly. So kind of a small number compared to many Oracle audits, but actually we weren’t a strategic Oracle user, which was even worse in a way. It wasn’t business critical, but we ended up paying that money. So in some ways, you’re paying for software that you’re not really using, which is even worse. So I mean, you mentioned those figures as well around how expensive these audits can be, and I know it’s another finding from the survey is that Oracle audits are among the most expensive to navigate. I’m wondering why that is and maybe how we can approach reducing those, particularly the hidden costs of running the audit internally and having the right people and so on.

Dean Bolton:

Yeah, well, I mean, one of the things why Oracle audits are so expensive is just the price tag on a lot of the products, right? And that’s true for Oracle and a lot of the other vendors. Microsoft has expensive products. IBM, SAP, VMware, they all have expensive products because they put billions of dollars into the research part of it. So I think that part of it is justified from the vendors and rightfully so. The problem becomes when, as a customer, you don’t know what you’re really paying, and you don’t have an idea of how to value that investment. I like the analogy of you’re going to an auto dealer and you’re buying a car and they’re not giving you the bill until three years later. It’s an impossible way to do business. It’s an impossible way to buy a car. But that’s what happens very often.

And so we talk about this all the time, the landscape is changing, it’s very dynamic. If you have a large ITAM staff that can handle a lot of these different vendors, I think you can manage it, but you’re talking about some of the largest companies out there to do that. Otherwise, you kind of really do need to have outside experts who are paying attention to this on a daily basis, keeping abreast of all the different changes that happen, keeping abreast of the technical changes that come in. I mean, we’ve seen a lot of things over the years that would make customers’ decisions different than when they first made the investment.

A simple example is we had a customer who’s been with Oracle for 15 years. When they first started with them, they went enterprise edition just for the partitioning feature. Well, they had 15 years of performance improvements in there, and so they were able to actually make a change in there. They didn’t need partitioning because of hardware updates. And so they were able to take a step back, reevaluate that downgrade to the standard edition and save themselves quite a bit of money. And it’s those type of things that you always have to be on top of. It’s really tough to keep on top of that while you’re doing your day-to-day IT actions and operations. And sometimes you just need to, whether it’s with an external consultant or not, just take a step back and look at the forest from a high level.

AJ Witt:

So I’m wondering, this is something I encountered, not actually for an Oracle audit but for something else, was how should an internal team go about convincing their management that they need to get somebody, an expert in to help with this? Just wondering here, I had some difficult conversations around this, because my CIO thought it was my job to manage a really big audit, whereas I was very aware that I didn’t have all the necessary detailed knowledge and skills to navigate this alone, but obviously bringing an external team in as an additional cost there. How would you go about convincing management to onboard an external expert?

Dean Bolton:

I think the number one thing I would say, and the biggest part of it is the legal expertise that’s required now. I think for a long time there was a lot of focus on the technical part of audits in there, especially from vendors like Oracle. And obviously when it’s that piece of it, I think management takes a look and says, we have a technical team, how come you guys can’t handle this audit? What we’ve seen over the past three to five years now is a focus on the non-technical piece of audits.

If you’ve had mergers and acquisitions, the terms and conditions around your licensing in there, the geographic restrictions, the limitations on usage in there, is it part of your cloud agreement? Has there been a consolidation or product change in there? And just those pieces are so specialized that I think that would be kind of my number one point in there is bring in outside experts that have the legal expertise to interpret these contracts. They’ve done it on a regular basis in there and can really bring that, because it just becomes such a critical part of audit defense and these engagements going forward.

Mike Corey:

Yeah, I guess I’d even add to that, customers think they have Oracle full use licenses and that means they can use it for anything. Well, that’s not the interpretation that Oracle takes on it. And so they’re quite shocked when all of a sudden Oracle starts questioning the license type. Well, where did they deploy that license? Or the fact that the contract didn’t really spell out they had a right to use it outside the US or outside the UK. And so it’s really these contractual technicalities, as he said, that are becoming more and more focused by the vendor during the audit.

And really the in-house staff is at a huge disadvantage. They can have a legal staff, they can be excellent, but these contracts are purposely convoluted, they’re confusing, there’s lack of clarity. And unless you’re a law firm that’s dealing with the day in and day out, frankly, you’re at a huge disadvantage. We find it interesting when big companies have internal lawyers and they talk to our lawyers and they get a big sigh of relief because they realize, wow, they were really outside their level of expertise. Thank God we now have lawyers we can talk to who can explain to us at our level why this is a treacherous path we’re potentially going down.

AJ Witt:

Right. So it’s that kind of technical complexity alongside the contractual legal complexity. And an in-house legal team isn’t necessarily going to see enough of these contracts to have the expertise in-house to be able to do this. So I guess that’s the issue there is that in-house legal is obviously quite good at dealing with certain things, which is kind of contract law, business law, but more specifically software licenses are a whole different level of agreement. And I mean, of course as well, these are relatively new things. I mean, those standard business contracts have been around for decades, whereas software contracts are still relatively new in the legal world.

Dean Bolton:

And they’re constantly changing. So I think that piece of it is a hundred percent true. The contractual piece of it is becoming very, very important, but I don’t want to overstate it in there. The technical piece is still critical in there, too, and being able to not just get the audit done, but to get it done successfully and have a strategy in place on it. On the technical side, being able to review answers before they’re provided to the vendor, I think is still critically important in there. And we’ve seen it many, many times. We’ve been brought in at every phase of a customer audit. And being able to come in and help on the front end of it and review all of the technical answers and setups and details before they’re provided to the vendor, just can make a huge amount of difference in terms of what the outcome of any of those audits are.

Mike Corey:

So think about this, most large companies have an independent audit of their financials every year. It’s frankly a sound business practice, and they do that to mitigate business risk. Why wouldn’t you want… And if you don’t have a software asset management strategy in place, you don’t have software in place, you don’t have a team in place, wouldn’t you at least once want to have somebody look under the covers to see if there is a business risk there? Now, I can tell you statistically, you have a problem. I don’t know if it’s a million dollar problem or a 500 million dollar problem.

So to me, at a minimum, they should at least do a one-time look under the covers. But here’s the real leverage point. If we come in proactively, you’re not under a vendor audit and we find problems, we work with you to resolve those problems, legally. When the vendor audits you two years later, you’re under no obligation to say, oh, by the way, I accidentally ran Oracle on this giant cluster for six months, and by the way, I owe you 5 million dollars. You’re under no obligation. You merely are under an obligation to answer the questions and say, where is Oracle installed and/or running now? And that goes from most major vendors.

AJ Witt:

That’s a really great point about having this external validation and tying that in with how finance operate because yeah, it’s kind of legally mandated in many cases. And finance don’t trust their own adding up, right? I mean, they want to have that external audit to validate what they’re doing, and now we’re talking orders of magnitude here in terms of millions of dollars and euros and pounds and everything else out there. Why wouldn’t you want to get that validated before you commit to an agreement with Oracle? I mean, surely you should do due diligence on that and have that external validation from experts of whether you are right. That’s the whole point of a financial audit. So why not apply that to a software audit?

Dean Bolton:

I mean, AJ, even in addition to that though, in a financial audit, you’re basically just making sure that everything adds up. And so the end result of it is, hey, everybody input the numbers correctly. The nice thing about the IT asset management audit is that while compliance is still the lion’s share of what we’re worried about because of the dollar figures involved, there can be significant cost savings by that external audit in there. A lot of customers have shelfware that they’re still paying for that they don’t need.

As you said before with that example, you were working at a company that had Oracle that didn’t really need it. And with the way a lot of these vendors do their licensing with support costs being 20, 22, 25 percent of the license costs due each year, you can get some significant savings by taking a look at that and really aligning your license with your usage. I mean, we’ve had customers where we come in, take a look at it and we have identified 50% of their spend is for shelfware and able to save them that immediately on their next renewal. And we’re talking hundreds of thousands of dollars just by doing that review and having a step back and working to optimize what you’ve purchased and what you’re using.

AJ Witt:

Yeah, I-

Mike Corey:

But the other thing is, you have to have an ongoing relationship. So Oracle, Microsoft, these are quality vendors. They try to be pretty above board of what they’re doing overall. But you have another class of vendors, these are not small companies, where they’re going in and they’re taking the downloaded contracts and they’re changing terms, and the DBAs installing the software, not thinking about it. And then a year or two later, they’re auditing them knowing that they’ve changed the terms of the MSA, unbeknownst to the client, and have created a compliancy gap. And so you want to have this ongoing relationship so that you’re making purchases. Am I getting the right discount? I’m surprised how many customers don’t realize they’re really not getting an appropriate discount for the size of the purchase. Is there a change in the agreement that could have impacts to my previous purchases? And so you want that ongoing relationship to make sure that you know what you’re purchasing, you know you’re paying the right price for it, and you know that the terms aren’t changing in a manner that could affect other things that you’ve previously purchased.

Wrapping Up and Looking Ahead to 2023

AJ Witt:

Yeah. Cool. I wanted to wrap up today just really kind of looking ahead a little bit to what’s coming this year from Oracle and indeed from others, but primarily from Oracle. What should we be paying attention to this year? I mean, the first thing I was going to bring up was should we be expecting further price rises given sort of where the global economy’s going? Are we seeing that already?

Dean Bolton:

Well, in some sense, yeah. So I mean, Oracle’s made changes so that they can increase the price with what they’re calling a country adjustment, but basically an inflation adjustment from what used to be 4% was the cap and now it’s 8%. And we’ve seen those start to come into play now, so I think those are definitely out there and a concern that I think across all industries, but including the software, this is an opportunity to change your pricing and vendors are definitely doing that.

AJ Witt:

Yeah, so that’s the global inflation rate adjustment that goes onto maintenance contracts every year?

Dean Bolton:

Yes.

AJ Witt:

They’ve just sort of moved the cap up a little bit from four to eight percent, which is a significant increase for your budget, particularly for… If you’ve been paying that support fee for a number of years to Oracle, then you’ve kind of known where it was going to be, and now you may be in for a surprise, I guess. So yeah.

Mike Corey:

I also think that these are publicly traded companies, the majority of them. They have shareholders and they have to show that revenue is increasing. And when you’re in a recession or you’re in a bad economy, you’re not going to get that revenue in the traditional means. As an existing customer, once again, you’re becoming an easy target through a software audit, and so you’re going to see them building up their auditing team capabilities. You’re going to see more outsourcing to maybe some of the big accounting firms to come in and do more audits, because there’s a direct correlation to more audits equates to more revenue. And I think that’s exactly why you’re seeing the shift towards those companies with 250 to under 1000 employees. They’re targeting them more frequently, because they’re building up these auditing capabilities.

AJ Witt:

And then it’s likely that size organization may be making job cuts, so they’ve got even less capacity to deal with this stuff, so they’re a very easy target. I mean, certainly the ITAM Review’s been around long enough to have seen the last recession. And there was a significant uptick in audits in 2009, 2010, 2011, which coincided with revenues dropping for… Oracle went into negative revenue growth for a few quarters around that time. And yeah, lo and behold, audits were a way of getting out of that. So yeah, in a recession, expect audits I think is the key takeaway here. Should we be looking for anything around Java this year?

Oracle’s Increasing Focus on Java Audits

Dean Bolton:

Yeah, I think so. One of the things that we’re definitely looking at right now is… So Oracle started auditing for Java. I think there’s going to be an uptick in that, that more customers are going to get formal Java notices or Java reviewed as part of their other audits around database middleware applications in there. So I definitely expect to see an uptick in that. What we’re wondering, though, is if there’s going to be a technical component for that Java audit in there. We’ve heard rumblings that Oracle is working on basically scripts or a tool to track Java usage within a customer. We haven’t seen that yet, but it does follow their standard pattern of how they do audits for new products. So we expect that to be coming around. I think 2023 is probably about the time when they’ll start doing that. So I think those are something that we’re expecting and waiting to see later this year.

The Rise of Soft Audits

Mike Corey:

We’re also seeing, specifically around Java, but we’re seeing it elsewhere, we call the soft audit, where they just reach out to you and start asking questions. And customers don’t realize that in a traditional audit, all the alarm bells go off, I’m being audited. Okay, what do I do? I limit communication to the vendor. I stop all purchases, right? Because you’re preparing to defend yourself. In a soft audit, customers are just answering these questions and not realizing that the wrong answer could clearly either trigger an audit or become a very expensive bill. And so these innocent questions are not innocent. They’re really getting you to lower your defense systems, and that’s an absolute mistake. When the vendor starts asking questions, specifically on how you’re deploying the software and your licensing, you should treat that as an audit so you’re not caught.

AJ Witt:

Yeah, I mean, I guess with Java in particular, that’s a typical sales approach because they’ll be talking to you about potentially moving things to Oracle Cloud to mitigate sort of Java license requirements. I know that’s pretty much top-level strategy for Oracle. It was mentioned in a recent earnings call that they see OCI as a way of… Oracle Cloud Infrastructure as a way of getting Java exposure. So yeah, you could easily have that sales conversation and suddenly you’re on the hook, right? Yes.

Dean Bolton:

Yep. I think, kind of related to that, one other thing that we’re looking at and kind of monitoring is this kind of new linking of sales and audits for software compliance that we’ve seen over the past couple years. It used to be in, and for a lot of vendors, you could still go and buy their products from the vendor directly or a reseller, and you basically just do the natural order. You’re like, I like this product, I need 10 of them. Give me a quote for it and I’ll go purchase it.

But we’ve seen, in recent years, especially around Oracle Java, where they bring in that audit group for sign off before they even create a quote for customers. And they’re making it much more difficult, as Mike said, kind of in this soft audit, they’re asking questions and then they’re using the answers and sometimes saying, well, we don’t like that answer, so we’re not going to let you buy the product in there. And we’re definitely tracking that and seeing if that expands out to other groups, other vendors, and just watching how the vendors use that balancing act of doing that to drive bigger deals versus hamstringing their normal process and normal sales.

AJ Witt:

Yeah. Great. Well, I think that’s probably time to wrap up on this. Thank you, Mike. Thank you, Dean, for your insights as always. It is always interesting talking to you because you get to see this kind of stuff day in, day out with Oracle. Plenty to be thinking about there for 2023 and beyond around Java and sort of different sales tactics and so on. And yeah, I really like the point that we made going back into the survey around this idea of bringing in that expertise as you would do in a financial audit, and also bringing in, of course, that technical expertise when you’re making perhaps quite complex technical changes. So thank you both.

Dean Bolton:

Thank you.

Mike Corey:

Thank you.