Oracle released their 2020 Q4 report and it may mean that there are Oracle audits coming. Software audits can be a living nightmare if you find yourself unprepared, leaving room for things to spiral out of control until the next thing you know you’re facing outlandishly large compliance gaps with no idea how to prove them wrong. Oracle audits are no exception to this and many of their customers find themselves at a loss when confronted with one. While we have covered how to handle a general audit, there are a few things about Oracle audits that make them unique, which is what we’ll go over today. At MetrixData 360, we have gone up against the biggest companies in the software industry today and have empowered our clients with the knowledge they need to walk away from such audits with minimal damage to their IT budget.
Oracle’s Results Released for Q4
On June 16, 2020, Oracle released its Q4 report for their fiscal year and the results showcase exactly how hard Oracle has been hit by the COVID-19 pandemic. The report showed four areas of Oracle’s business that were suffering. First, cloud services and license support saw only a 1% increase in revenue over the past year, which is a considerably weak increase since, historically, Oracle has seen a 4% increase in that same category. Their other main streams of revenue have declined, with hardware seeing a 9% dip, services seeing an 11% dip, and cloud licenses and on-prem licenses seeing a staggering nosedive of 22%.
Those are 2008-recession levels of bad and it doesn’t help that Oracle’s traditionally highest-grossing month is May, where they haul in almost 40% of their year’s total revenue. May was also the same month that saw the worst of the pandemic lockdown, where the last thing on anyone’s mind was buying more software. Part of this may be just a COVID-19 blip, with Oracle having only to make it to the other side of this truly terrible year before they can see their usual numbers again. However, these numbers have many of Oracle’s customers sweating at what this might mean for Oracle audits.
From the Beginning: What Attracts an Oracle Audit, and How to Respond to Receiving One
With this news, there is a strong chance that there will be an increase in audits, and it’s suspected that these audits will be aimed towards small to medium-sized companies with lower investments in Oracle, while companies who have large investments in Oracle are not expected to feel any significant changes. But while there might not be any significant increase for these large companies when it comes to Oracle audits, there will certainly not be a decrease in them any time soon, so it’s important that you are prepared all the same. While some software companies have routine audits or send out audits at random, Oracle tends to be a bit more precise when it comes to who they audit.
Generally, you can expect an Oracle audit once every 3-4 years; if your last audit was restricted to only a single Oracle product or area of your software environment, you can expect to be audited more frequently. Your Oracle audit may have been brought on by any of the following factors occurring in the past 24 months at your organization:
- You’ve gone through a merger or acquisition
- You are still in possession of old or outdated Oracle software whose metrics are no longer used by Oracle
- You’ve conducted a hardware environment refresh
- Your organization has seen an organic growth of 10% or greater
- You have trimmed back on Oracle products in any way, such as cancelling or reducing support from Oracle
- You have an Unlimited Licensing Agreement (ULA), since it is suspected that Oracle will be focusing its auditing efforts on either getting you to renew your ULA or switch to a perpetual ULA
When you receive either an Oracle License Review or an Oracle License Audit, don’t let the different names distract or tempt you to take the Review as less serious than the Audit. They are essentially the same in both process and stakes. The only real difference between the two is that ‘review’ is a friendly, less threatening term when compared to an audit.
LMS and Oracle Tools: Dealing with Both
Oracle Licensing Management Service (LMS) is the internal team from Oracle that you will likely be dealing with throughout your audit. Although it is possible for Oracle to outsource the project to their partners, and other departments of Oracle will perform audit-like services such as reviews, their internal audit team is the only department authorized to perform License Audits on behalf of Oracle.
When you interact with Oracle’s LMS, one consistent element that you’ll run into is that they will want you to run their own Oracle-approved SAM tools to collect the data from your software environment. Your first goal in this audit is to make sure that your tools are used instead, an argument which we cover at length in our Software Audit Defense Procedure. While you are required to comply with the audit, nowhere in your contract does it require you to install their SAM tools. So long as you can prove that your own SAM tools can accurately retrieve the data that Oracle is asking for, then there is nothing wrong with using your own tools.
Who Foots the Bill? The Old Oracle vs. the New Post COVID Oracle
In the past, Oracle’s audits and their sales reps had the same goal: sales for the sake of sales. Sales reps got commission annually for every transaction. These numbers were usually 1% of the contract value, and if it was cloud services they were selling, that number rose to a tantalizing 5-10%. So, sales reps preferred cloud services and at the end of an audit, it was often the case that cloud services would come up when it was time for settlement. Oracle has essentially offered its audited customers get-out-of-jail-free cards in exchange for the purchase of cloud services at a much smaller cost than your compliance gap, even if you didn’t need the cloud solution you were purchasing. All the sales rep really cared about was selling the services; it didn’t matter to them if you never used it again afterwards, since they got to walk away with that 5%-10% commission jingling in their pockets.
Now, however, Oracle has made a few changes to their sales rep models. They have significantly cut back on their staff numbers and have put the vast majority of the remaining sales reps on the task of exclusively selling cloud services. Those reps will only see that same level of compensation if their customers use the cloud services that were sold to them. This means that you will not be seeing any cloud service deals at the end of your audit; you’ll just be expected to pay the compliance gap, which will be painfully more expensive than the previous alternative.
In addition to these costs, if you are found to be out of compliance by a significant degree, then you will be forced to cover the expenses for the entire software audit, including any expenses that Oracle racks up.
How Should I Prepare?
Once you have received a software audit notice from Oracle, you will have about 45 days to respond. During that time, you need to get the following ready:
- A Non-Disclosure Agreement: This will ensure that any information that you give to the auditors must remain between you and them unless they ask for your consent to send it to the rest of Oracle’s higher-ups. This will allow you to remain in control of how Oracle perceives your organization and your compliance, both of which will become important when you enter into the negotiation and settlement phase of the audit.
- A Single Point of Contact (SPC): You will need to make sure that you have a team in place to act as a single point of contact (ideally with legal, technical, and Oracle specialization) who will exclusively deal with communications with Oracle’s audit team. The auditors will only talk to the SPC and anything that is passed from your organization to the auditors will pass under the SPC’s eyes first. Anyone who is planning to be interviewed by Oracle will discuss with the SPC what they are planning on saying and how they should answer Oracle’s questions. This isn’t done for the sake of hiding anything from Oracle, but it will help to keep track of where you stand with Oracle and ensure your negotiation strategies remain uncompromised.
- A Scope for the Audit: This is done so that, in the case that you are not so far out of compliance as Oracle originally thought, they do not keep looking through your software environment trying to find the profit they anticipated, also referred to as ‘scope creep’.
This needs to be laid out during the kick-off meeting and it’s important that you do not let the data collection phase begin without those three things in place.
Want to Become an Expert at Handling Software Audits?
No one will claim software audits are easy or simple, and if they claim it’s anything other than a thinly veiled attempt to squeeze more money out of your company, then they’re kidding themselves. Oracle audits can be especially tricky, considering the sheer size of Oracle’s company and the vast amount of resources you’ll be going up against. It can feel like you’re outnumbered and out of your depth as you’re surrounded by sharks who do this for a living. Which is why you don’t have to go through this experience alone. At MetrixData 360, we have created a whole reservoir of resources in order to better equip you to face any software audit that comes your way. If you would like to download our free e-book on a step-by-step process on handling software audits, you can click the link below.