How to beat Oracle licence audits
An eight-step guide to tame the Oracle auditors. Don't take the bait...
Published on 19th January 2017
The prospect of an Oracle licence review can be scary. Despite the best efforts of your business, substantial costs on software asset management (SAM) and an eye-watering amount paid to Oracle every year, your sinking heart knows the audit will result in a huge and unexpected demands.
But what are Oracle’s audit rights? And can it really come in at any time and search your systems for evidence of non-compliance? Despite Oracle’s $170bn might, and a 39-year history in which to have fashioned the toughest contracts to its benefit, the truth is that Oracle’s audit rights are weak and ambiguous. And they do not give it the rights that its licence management service (LMS) team and CIOs assume.
A new study from Cerno offers eight reasons why it is you, rather than Oracle, in the driving seat. You should consider whether these reasons can be used to respond to a demanding call from a dominant Oracle to allow its personnel in for a wide-ranging audit.
Firstly, Oracle has no right to enter your premises. UK and US laws give strong protection to the rights of individuals and businesses to protect and control their property. The laws continue to follow a 1765 case, when it was declared: “Our law holds the property of every man so sacred, that no man can set his foot upon his neighbour’s close without his leave.”
Rights to enter can therefore never be assumed, and this is not in Oracle’s contracts.
If you volunteer to give permission to the Oracle LMS to come into your datacentre, it is recommended that consent is given in writing and strictly limited to the rights in the audit clause.
Oracle’s audit right is also limited to checking your use of programs, but there is no mandatory format (“Upon 45 days’ written notice, Oracle may audit your use of the programs”).
“Audit” just means checking or examining your records or evidence as to usage. There is no contractual obligation to run specific scripts, and if you can deliver the information in another robust and credible format, that would be enough. Surprisingly, the audit is of your use of programs, and not a demand to produce the licences you hold.
Eight steps to handle Oracle LMS audits
- Oracle has no right to enter your company’s premises.
- Oracle’s requested scripts or tools are not mandatory.
- The audit is only against use of the programs – not your IT infrastructure.
- The word “audit” means a checking or inspection of existing records – not an investigation from scratch.
- You need to give reasonable assistance – not every assistance.
- Oracle’s audit rights do not extend to licence reviews by third parties.
- Lack of co-operation by the business in giving immediate access does not result in a court order.
- Confidentiality undertakings may be needed from Oracle.
Equally important is that it is not to be an audit of your infrastructure, or indeed areas or clusters where you are not using the programs. There are continuing doubts over Oracle’s rights to demand licence fees for all processors in virtualised clusters, and this should be considered and accommodated in any response you give as to “use” of the programs.
It is also important to focus on the specific word “audit”, which is not defined in Oracle’s licence definitions and rules. Therefore, it must be given its ordinary and natural meaning, “A systematic review or assessment of something”, as stated in Oxford dictionaries.
What does this tell us? An audit is against pre-existing material. It is not a report created from scratch. Indeed, it is also not a licence review. For Oracle customers, the legal process to follow the contract should be:
- The licensee itself prepares its own report, backed up by evidence such as screenshots and any scripts it chooses to run.
- It then makes these available to Oracle.
- Oracle then “audits” that material.
- Oracle may reasonably ask questions to determine areas of uncertainty.
Oracle’s audit rights lack any detail as to how the licensee needs to respond. The obligation is to give “reasonable assistance” and, by implication, any response by your organisation should be enough to permit Oracle to check that your response is adequate as to use of the programs. There is no legal obligation to use Oracle Measurement Tool, complete its questionnaire, or use its other third-party verified tools.
Even though Oracle habitually calls in outside consultants for “licence reviews”, such as Garmendia Consulting, it is not your contractual obligation to accept this. Your obligation is to assist “Oracle”, which means the specific Oracle group company named in your Oracle Master Agreement, not necessarily third parties.
You should also take your time considering how best to respond to an audit notification, and in what form. Legal proceedings simply do not follow after 45 days.
One worry is, if you are in breach of permitting the audit within Oracle’s 45-day time period, what will it do? Can it injunct you? Will it immediately issue High Court proceedings? The answer is no.
In the UK, the High Court expects that parties must first seek to settle cases with exchanges of information, without issuing legal proceedings, and, preferably, with consensual mediation first. There are very damaging cost consequences if legal proceedings are undertaken without this process being fully exhausted first.
This means that despite increasingly agitated letters threatening “escalation”, and even alarming solicitors’ letters, Oracle almost never takes the final step of issuing court proceedings against its licensees, except in clear cases of piracy or counterfeiting. Take your time to consider how best to respond to an audit notification and in what form, as legal proceedings simply do not follow after 45 days.
Resist intrusive audits
Customers should also resist intrusive audits unless and until their commitments to data privacy and security for their operations are first checked and safeguarded. Many businesses and organisations, particularly if interfacing with the financial services sector, can have onerous contractual commitments to partners or customers to limit entry to their premises and restrict access.
Against the backdrop of your giving “reasonable assistance” to Oracle, you must look at any overriding obligations to others. In allowing any external audit, there must be a pre-condition that your business and organisation remain fully protected to follow first, your internal security standards; second, any regulations applicable to your sector or functions; third, data privacy rules; and fourth, general business prudence.
Before surrendering yourself to a wide-ranging audit, consider the extent of these issues. Where necessary, require Oracle to execute a letter of undertaking or contract setting out the parameters of information-sharing and confidentiality obligations.
It is very surprising that Oracle’s audit right is so poorly worded. It is also far more limited than either the LMS or most CIOs presume. Many lawyers would consider Oracle’s audit rights to be defective. Use this to your advantage. Prepare carefully. Be strong. Allow access on your own terms. And only then give the required amount of assistance.
