Oracle audits – can you ever be prepared for a software audit?
Any organization that is using software knows that there will come a time when they will be confronted with an audit. Is it used as it’s supposed to? Does it have the right licenses? Who is actually using it? These are just some questions that you’ll be confronted with when you’ll be under software audit. And it doesn’t really matter who’s the vendor. However, Oracle is known as the one of the most active and aggressive publishers when it comes to audits. So, let’s have a look at what you need to know in order to go through an Oracle audit smoothly.
What might trigger an Oracle audit?
Oracle audits are not random. If Oracle feels they will not yield any results, they will not waste any resources. Some end-users are under the impression that because (they think) they have everything under control, they will not have to go through a software audit. To their disappointment, the Oracle audit team is also targeting them. Why? First of all, because Oracle wants to check on a regular basis (every 3-5 years) that you have everything under control. And even if that is the case, an Oracle audit is never a walk in the park. Second of all, there are some events that can trigger an audit. It can be that your company grew in number of employees, it merged with another company or acquired a new company. An audit can also be triggered by your expiring agreement (e.g. ULA), the termination of support maintenance or changes in the infrastructure. Lastly, it can be just Oracle’s need to push for more sales at the end of a quarter or the fiscal year. And what’s an easy way to make money? Exactly, a software audit. We have listed the most common triggers en red flags below.
The most common triggers of an Oracle audit:
• Receiving an Oracle license review notification letter
Even though a review sounds friendlier, there is no difference between an Oracle license review and an Oracle license audit. Don’t be fooled, you are being audited, even if they talk about a review or verification process.
• If you have performed any hardware refreshes within the last 2-3 years
If you add or change your infrastructure (e.g. more servers, more powerfull servers, virtualized servers), you will probably need additional licenses.
• Have you been audited within the last 3 years?
It is common for companies to refresh their hardware every 3 to 5 years. Oracle LMS audit frequency coincides with these cycles, especially if you did not make any purchase of new licenses in that period.
• You decided to decline an Oracle licensing or cloud solution. Another option is that you failed to renew your Oracle ULA.
• Mergers, Acquisitions and Divestitures
This one seems quite obvious since tracking IT assets and software licensing entitlements becomes blurry during M&A and the risk of non-compliance becomes higher. If you are divesting a business entity, this may also be triggering an audit.
• Experiencing significant organic employee or revenue growth
Experiencing growth is likely to increase license requirements just as M&A activities will.
• You are at risk if you failed your previous license audit and were in fact non-compliant
• Displacing Oracle solutions and acquiring competing solutions
It’s not that easy to get away from Oracle. Oracle can use their audit to discourage you from looking for competing solutions like Amazon EC2 or RDS, Microsoft Azure or Google Cloud.
• Be careful if you have started using virtualization technologies (VMWare)
Oracles licensing policies require you to isolate your VMware environment on storage and network level, if and when vSphere 6.0 or higher is being used.
• Have you bought any Oracle Cloud services recently?
Oracle is putting pressure on sales reps to make cloud purchases. If they do so, ongoing audits may be ‘resolved’.
When is a good time to start preparing?
Any time is a good time to start preparing for an Oracle audit. We recommend our customers to always be ready to receive the dreaded letter. This doesn’t mean you should live in panic, but exactly the opposite: you should take action before the actual letter arrives. If you didn’t get the chance to prepare in advance, the battle is not yet lost and the damage can still be minimized if you have the right support. The timelines are however more challenging to achieve the optimal result.