The prospect of an Oracle licence review can be scary. Despite the best efforts of your business, substantial spending on software asset management (SAM) and an eye-watering amount paid to Oracle every year, your sinking heart knows the audit will result in huge and unexpected demands.
But what are Oracle’s audit rights? And can it really come in at any time and search your systems for evidence of non-compliance? Despite Oracle’s $170bn might, and a 39-year history in which to have fashioned the toughest contracts to its benefit, the truth is that Oracle’s audit rights are weak and ambiguous. And they do not give it the rights that its licence management service (LMS) team and CIOs assume.
A new study from Cerno offers eight reasons why it is you, rather than Oracle, in the driving seat. You should consider whether these reasons can be used to respond to a demanding call from a dominant Oracle to allow its personnel in for a wide-ranging audit.
Firstly, Oracle has no right to enter your premises. UK and US laws give strong protection to the rights of individuals and businesses to protect and control their property. The laws continue to follow a 1765 case, when it was declared: “Our law holds the property of every man so sacred, that no man can set his foot upon his neighbour’s close without his leave.”
Rights to enter can therefore never be assumed, and no such right appears in Oracle’s contracts.
If you volunteer to give permission to the Oracle LMS to come into your datacentre, it is recommended that consent is given in writing and strictly limited to the rights in the audit clause.
Oracle’s audit right is also limited to checking your use of programs, but there is no mandatory format (“Upon 45 days’ written notice, Oracle may audit your use of the programs”).
“Audit” just means checking or examining your records or evidence as to usage. There is no contractual obligation to run specific scripts, and if you can deliver the information in another robust and credible format, that would be enough. Surprisingly, the audit is of your use of programs, and not a demand to produce the licences you hold.
Equally important is that it is not to be an audit of your infrastructure, or indeed areas or clusters where you are not using the programs. There are continuing doubts over Oracle’s rights to demand licence fees for all processors in virtualised clusters, and this should be considered and accommodated in any response you give as to “use” of the programs.
It is also important to focus on the specific word “audit”, which is not defined in Oracle’s licence definitions and rules. Therefore, it must be given its ordinary and natural meaning, “A systematic review or assessment of something”, as stated in Oxford dictionaries.
What does this tell us? An audit is against pre-existing material. It is not a report created from scratch. Indeed, it is also not a licence review. For Oracle customers, the legal process to follow the contract should be:
Oracle’s audit rights lack any detail as to how the licensee needs to respond. The obligation is to give “reasonable assistance” and, by implication, any response by your organisation should be enough to permit Oracle to check that your response is adequate as to use of the programs. There is no legal obligation to use Oracle Measurement Tool, complete its questionnaire, or use its other third-party verified tools.
Even though Oracle habitually calls in outside consultants for “licence reviews”, such as Garmendia Consulting, it is not your contractual obligation to accept this. Your obligation is to assist “Oracle”, which means the specific Oracle group company named in your Oracle Master Agreement, not necessarily third parties.
You should also take your time considering how best to respond to an audit notification, and in what form. Legal proceedings simply do not follow after 45 days.
One worry is what Oracle will do if you are in breach by not permitting the audit within its 45-day time period. Can it injunct you? Will it immediately issue High Court proceedings? The answer is no.
In the UK, the High Court expects that parties must first seek to settle cases with exchanges of information, without issuing legal proceedings, and, preferably, with consensual mediation first. There are very damaging cost consequences if legal proceedings are undertaken without this process being fully exhausted first.
This means that despite increasingly agitated letters threatening “escalation”, and even alarming solicitors’ letters, Oracle almost never takes the final step of issuing court proceedings against its licensees, except in clear cases of piracy or counterfeiting. Take your time to consider how best to respond to an audit notification and in what form, as legal proceedings simply do not follow after 45 days.
Customers should also resist intrusive audits unless and until their commitments to data privacy and security for their operations are first checked and safeguarded. Many businesses and organisations, particularly if interfacing with the financial services sector, can have onerous contractual commitments to partners or customers to limit entry to their premises and restrict access.
Against the backdrop of your giving “reasonable assistance” to Oracle, you must look at any overriding obligations to others. In allowing any external audit, there must be a pre-condition that your business and organisation remain fully protected and able to follow: first, your internal security standards; second, any regulations applicable to your sector or functions; third, data privacy rules; and fourth, general business prudence.
Before surrendering yourself to a wide-ranging audit, consider the extent of these issues. Where necessary, require Oracle to execute a letter of undertaking or contract setting out the parameters of information-sharing and confidentiality obligations.
It is very surprising that Oracle’s audit right is so poorly worded. It is also far more limited than either the LMS or most CIOs presume. Many lawyers would consider Oracle’s audit rights to be defective. Use this to your advantage. Prepare carefully. Be strong. Allow access on your own terms. And only then give the required amount of assistance.