Changes in Oracle audit clause
Oracle Corporation has been very active, and is sometimes even considered aggressive, in its audit practices. However negative that image, most companies at least knew what to expect from the software vendor in the past. Lately, Oracle has undergone quite a few changes, the most recent one relating to its audit clause.
But let’s quickly look at another change first. LMS was recently renamed Global License Advisory Services (GLAS), composed of Software Investment Advisory (SIA) and License Management Services (LMS). I’ll dive into this topic more in an article that will be published shortly, so stay tuned. To briefly describe what changed in Oracle’s teams: the SIA team is focused on advising customers, whereas the LMS team continues to focus on performing audits and license reviews at Oracle end users. Therefore, it will be no surprise to anyone that the LMS team is contributing significantly to Oracle’s overall revenue.
At the same time a team of consultants performing remote audits was set up in Romania, thereby reducing the number of LMS auditors in the local country organizations. In addition to this, Oracle LMS is introducing more LMS partners: third parties that are performing audits on behalf of Oracle. These LMS partners are not paid for conducting an audit, but compensated through a resell margin or referral fee in case the audit results in non-compliance.
The latest change, however, consists of some modifications to Oracle’s audit clause, which had been in force for over 20 years. This article provides an overview of what changed, the background of these changes, what they mean for you as an end user and our recommendations to prepare you for the moment when you will be confronted with this revised audit clause.
The most important advice that we can offer is to always stay up to date with the changes that software vendors make to their (audit) clauses and products, and to find the right partner to support you on your SAM journey.
Overview of the changes
The section below provides an overview of the new standard audit clause included in Schedule P of each Oracle Master Agreement (OMA). The recent changes are shown in bold.
Upon 45 days written notice, Oracle may audit Your use of the Programs to ensure **Your use of the Programs is in compliance with the terms of the applicable order and the Master Agreement**. Any such audit shall not unreasonably interfere with Your normal business operations. You agree to cooperate with Oracle’s audit and provide reasonable assistance and access to information reasonably requested by Oracle. **Such assistance shall include, but shall not be limited to, the running of Oracle data measurement tools on Your servers and providing the resulting data to Oracle.** **The performance of the audit and non-public data obtained during the audit (including findings or reports that result from the audit) shall be subject to the provisions of section 8 (Nondisclosure) of the General Terms.** If the audit identifies non-compliance, You agree to remedy (which may include, without limitation, the payment of any fees for additional licenses for Programs) such non-compliance within 30 days of written notification of that non-compliance. If You do not remedy the non-compliance, Oracle can end (a) Program-related Service Offerings (including technical support), (b) Program licenses ordered under this Schedule P and related agreements and/or (c) the Master Agreement. You agree that Oracle shall not be responsible for any of Your costs incurred in cooperating with the audit.
The first addition to Oracle’s audit clause:
“Your use of the Programs is in compliance with the terms of the applicable order and the Master Agreement” is included to reflect that there are multiple contractual documents that should be taken into account to understand what you are entitled to make use of and as such to determine your compliance position. This has been confusing for many end users and resulted in disputes during audits. In essence this is not a real change, but a clarification by Oracle with regards to which terms and conditions should be taken into account to determine your contractual entitlements.
In summary these include:
- Your original license order documents (or “orders”). Any non-standard contractual terms that you may have agreed with Oracle (e.g. restricted use or limited use licenses) are only listed in the original order documents.
- Your latest support order document (or “order”). The support expiration date indicates what specific version of the software (e.g. 12.1, 12.2, 18, 19) you are entitled to make use of.
- Your license agreements (OLSA/OMA). These include the general terms and conditions applicable to each license or cloud transaction you engaged in (e.g. customer definition, audit clause, mergers & acquisitions, divestitures).
- Oracle’s program documentation, referred to in your license agreement and published at docs.oracle.com. This documentation specifies what specific products/components are included in a specific software license and what specific products/components are required to be licensed separately.
The second addition to Oracle’s audit clause:
“Such assistance shall include, but shall not be limited to, the running of Oracle data measurement tools on Your servers and providing the resulting data to Oracle” is included to address the fact that more and more end users who are confronted with an audit are not willing to run Oracle’s LMS Collection Tool. This can be either because end users have concerns about the performance implications of running such a tool or because they are advised by license consultancy firms not to run these tools. Such advice is typically given to either delay an audit or to avoid the disclosure of any unintentional deployment and/or use of Oracle programs to Oracle.
Oracle is aware that almost every end user is found to be non-compliant when technical data is collected through Oracle’s measurement tools. Not having access to the data resulting from the measurement tools means Oracle is less likely to find the non-compliance situations. In addition, it prevents the LMS auditors from making use of their highly automated analysis process.
The third addition to Oracle’s audit clause:
“The performance of the audit and non-public data obtained during the audit (including findings or reports that result from the audit) shall be subject to the provisions of section 8 (Nondisclosure) of the General Terms” is included to find a solution for the fact that more and more end users who are confronted with an audit are requiring Oracle to have a separate non-disclosure agreement in place before starting the audit.
Oracle is aware that at the start of an audit, it is important to collect the deployment and use information of its software programs within the shortest possible timeframe. If an end user requests a separate non-disclosure agreement as a tactic to delay an audit (potentially buying time to remediate a non-compliance issue before it is disclosed to the LMS auditors), such a request can be denied by Oracle based on this addition to the clause.
What does this mean for you as an end user?
As mentioned, the first addition to Oracle’s audit clause “your use of the Programs is in compliance with the terms of the applicable order and the Master Agreement” is not a new principle, but a clarification. It does however highlight the importance of having a complete, accurate and detailed license entitlement administration. This way, all contractually agreed licenses and/or subscriptions as well as the associated terms and conditions are administered and maintained.
The second addition to Oracle’s audit clause “such assistance shall include, but shall not be limited to, the running of Oracle data measurement tools on Your servers and providing the resulting data to Oracle” is a new principle. It’s not a change in Oracle’s audit practice though. Oracle has always requested end users to run its LMS Collection Tool. End users who accept this new addition to the audit clause will, during an audit, be forced to run the “Oracle data measurement tools” and to share the resulting data with Oracle.
What Oracle means by “Oracle data measurement tools” is once more open for interpretation and discussion. It most likely means that Oracle will only allow the use of its own “tools”, including:
- Standalone Scripts:
  - product-specific measurement queries that provide a simple, nonintrusive way to extract data
- Oracle LMS Collection Tool:
  - detection and collection of usage data
- Oracle Server Worksheet:
  - declaration of all of the Oracle products end users have installed within their organization
- Oracle Enterprise Manager:
  - discovery and measurement capabilities across multiple Oracle products
- and the use of the Verified third-party tools (Aspera SmartCollect, iQuate, Lime Software, Micro Focus, Flexera).
As specified by Oracle, the usage data gathered from these tools will still need to be complemented with data elements that need to be collected manually. In addition, the data gathered from these tools still needs to be analyzed by license experts to assess license needs and to provide you with a compliance position.
The last addition to Oracle’s audit clause: “The performance of the audit and non-public data obtained during the audit (including findings or reports that result from the audit) shall be subject to the provisions of section 8 (Nondisclosure) of the General Terms” is not a new principle either. It again is a clarification from Oracle’s side, aiming to avoid that end users insist on signing a separate non-disclosure agreement at the start of the audit.
Some Oracle software license consultancy and audit defense firms may have advised their customers not to run Oracle’s data collection tools. In this way they tried to protect their customers (and in some cases avoided being confronted with the fact that they lack the in-depth knowledge to analyse the output of such tools). But moving forward, refusing to run Oracle’s data collection tools is no longer an option.
The only way to properly manage your Oracle compliance position is by performing regular internal software license audits. In addition to detecting any compliance issues at an early stage, this will also allow you to optimize your available licenses, monitor your software spend, reduce your financial risks and ultimately save costs. How do you do this? By engaging license experts who use measurement tools and methodologies similar to the ones Oracle uses.
This article was published on 02-09-2019
Richard is one of the managing partners at B-lay. He started to work in the license management industry in 2004 and worked for almost 10 years at Oracle as regional director of compliance. He uses his knowledge of enterprise software vendors (such as Oracle, SAP, IBM and Microsoft) to educate, equip and enable software end users in their challenges regarding proper software license management. Richard holds a master’s degree in IT from the University of Amsterdam in the Netherlands.