Fifteen Gotchas to Defuse an Oracle Audit - PT I

Without an umbrella, you’re gonna get soaked

Vendor audits are as inevitable as rain on a public holiday, yet they often catch companies unawares, causing panic in the boardroom and concern among the SAM team members.

Most feared are audits from Microsoft, Oracle and SAP. Hardly an astonishing finding given that a sizeable chunk of the software spend in most companies is attributed to these big vendors – who are increasingly turning to audits to create revenue.

Twelve years ago – a lifetime in IT – I worked for Oracle. At that time, there was room for give and take in licensing, leeway for gentlemen’s agreements – such accommodation is no more. Auditors exist to improve the bottom line, and they can be pretty ruthless about it. Today, I have switched sides, and use my knowledge to provide SAM managers with advice on how to, for example, mount a successful audit defense. In this three-part series, I will share some of that advice with you, gotchas that my clients have used in head-on battles with Oracle. Much of my approach is also relevant for audits by other vendors, but my time at Oracle has given me particular insight into its mindset and the way it structures audits.

Gotcha 1 – Take it seriously

Panic isn’t helpful. SAM managers have a tendency to underestimate the consequences of not taking an audit request seriously. They think they can delay the audit, or come to a commercial arrangement with the vendor. The days of amicable backroom deals are over. Vendors want every penny they are owed (as they see it) and are not afraid to let the courts decide.

You may have heard about the legal battle between SAP and drinks-giant Diageo concerning indirect use of software, where the (England and Wales) High Court came out in favor of the vendor, with a price tag of GB £54 million. The case is a staggering example of how far vendors are prepared to go to defend their interests. But, going back to Oracle, in its dispute with Mars over VMware, it was revealed that the confectionery giant filed 233,089 pages of documents to assist in the license audit. Okay, you may not be as big as Mars but you get my point: treat your audits seriously.

Gotcha 2 – If it walks like an audit, or talks like an audit…

Then chances are, it is an audit. SAM managers can go into denial about what’s happening and kid themselves they are not being audited. Even if a letter from Oracle or from the likes of Deloitte and KPMG may talk of a “review”, “a verification”, or “a self-audit exercise”, whichever way it is dressed up, if you receive a formal letter asking you to share data in any shape or form, you’re being audited.

Gotcha 3 – It’s all under control

If you tell me that, I know it probably isn’t. If you don’t have a good SAM solution that provides visibility of your IT estate, or supporting processes in place, the chances are, you’ll never uncover the blind spots in your network. And that’s when accidents happen.

Gotcha 4 – Be realistic about timing

I get calls all the time that go something like this. “Hey, Richard, we need to understand our Oracle compliance position. Can you help us to get that clear within the next two weeks?” I am Dutch and we are nothing if not direct. My stock response is: “That is ridiculous!”

An Oracle audit takes three to six months if Oracle itself performs the audit. Not a couple of weeks. If you believe that you can carry out an audit quickly, you are heading for trouble.

Gotcha 5 – A solution doesn’t solve everything

It’s good, even essential, to deploy a SAM solution, but don’t let it lull you into a false sense of security. “We bought a solution, we spent X number of dollars on it, so we’re done, right?” – this kind of thinking often prevails in the boardroom. Even some CIOs possess a limited understanding of what goes in SAM. “But, Richard, how difficult can it be? You count your desktops, you count how much software is installed on them, and then you know what you need, right? I can count, so how can it be so difficult? Why don’t my SAM team know what to do?” – I get that all the time.

In the end, Software Asset Management is about having the right people with the right knowledge, and the right processes that implement policy. Without those, a SAM solution will get you only so far.

Here’s a story about one of my clients who bought a SAM solution (not from Snow) for US $500,000. They went through an elaborate and disruptive implementation process, and trusted everything was hunky-dory. In walks Oracle with an audit and my client is non-compliant to the tune of US $80 million.

CIO: “How the hell can this happen?”  
Me: “Well, did you really understand what the solution could do and what it couldn’t do? Did you look at your contracts to understand what terms and conditions you need to manage to remain in compliance?”  
CIO: “No.”

In my next post, I will look in detail at some legal aspects of an Oracle audit. In the meantime, why not read our eBook: 5 Ways to Cut Spending on Oracle Databases.