Oracle Audit: Top 20 Frequently Asked Questions

22 October 2014
20 minute read
Oracle

Oracle Audit: Top 20 Frequently Asked Questions

22 October 2014
20 minute read

This is abridged version of a whitepaper by Richard Spithoven of b.lay.

You can download the full version (without registration) on the b.lay website here.

Richard was one of our highly experienced presenters at our free Oracle Licensing Seminar held in November in London. Our next Oracle Licensing Seminar will be held in New York in January.

Learn more and register:

https://itassetmanagement.net/2014/12/02/event-listing-oracle-seminar-29th-january-2015-york/


Oracle License Review or Oracle License Audit – Your top 20 FAQ

By Richard Spithoven, b.lay

This article is based upon our experience of the last 20 years in which we performed Oracle License Reviews or Oracle License Audits ourselves and supported end-users to effectively go through such a process.

WHAT IS AN ORACLE LICENSE AUDIT, AND WHAT’S THE DIFFERENCE WITH AN ORACLE LICENSE REVIEW?

Richard Spithoven – Director, b.lay

Richard Spithoven – Director, b.lay

Whenever you install an Oracle program, whether as an individual or as a corporation, you agree to the terms and conditions of a license agreement. In the past, this agreement was called OLSA (Oracle License and Services Agreements) but nowadays this agreement is called OMA (Oracle Master Agreement). These agreements specify under which terms and conditions that you are allowed to make use of the Oracle programs but also provide Oracle the permission to perform an audit.

Oracle’s License Management Services (LMS) is the department within Oracle that typically performs the audits on behalf of Oracle Corporation, supported by a number of third parties (LMS partners) that can perform the audit on behalf of Oracle LMS. Oracle LMS is chartered to perform license audits at end-users and partners. However, in some countries, local sales representatives start a license audit or license review themselves, typically by selling this to an end-user as a “license optimization” or “business review” or by conducting the “audit” themselves.

During an audit, you are requested to complete an Excel overview (Oracle Server Worksheet) with the details of your IT infrastructure. In addition, you might be requested to run scripts on your servers or to execute various commands on the different software programs. The completed overview and the output log files, are requested to be sent back to Oracle for analysis purposes. At the end, the results of the analysis are formalized in a final report, through which Oracle presents you with your license compliance status. If you agree to pay for the necessary licenses to become compliant, the process usually ends there.

If you ignore the request for a license review or license audit, the issue may be turned over to Oracle’s License Management Services department (in case the project was initially started by sales representatives) or otherwise to Oracle’s Legal Department. Not cooperating with an official Oracle audit will be considered as a material breach of the license agreement resulting in legal steps from Oracle’s side.

But what’s the difference between an Oracle License Review and an Oracle License Audit?

In essence, there is no difference. Oracle’s License Management Services department speaks about an Oracle License Review instead of an Oracle License Audit in order to reflect the fact that they require collaboration from the end-user and to make it sound friendlier. However, a license review still concerns an assessment or analysis of your usage to verify your license compliance; thus, an audit of your usage is still being performed.

WHAT HAPPENS DURING AN ORACLE LICENSE AUDIT?

The audit starts when you receive a notification letter in which you are notified that you have been selected for a license audit or license review. The LMS consultant that performs the audit or the LMS partner that is selected for the audit is listed in the letter as well. Typically, the letter specifies which legal entities and which Oracle software programs are included in the scope of the audit and it is sent to the CIO and/or CFO of your organization.

You are requested to assign a single point of contact within your organization, which will act as the coordinator for the audit from your side.

HOW MUCH ADVANCE NOTICE DOES ORACLE GIVE FOR AN AUDIT?

The terms of the standard agreement states, “Upon 45 days’ written notice, Oracle may audit your use of the software programs”. If end-users have been keeping good, complete, and accurate records of their software deployments, 45 days should be ample time to respond to the audit request. It’s, however, not uncommon that Oracle’s auditors will typically try to start the audit earlier (within the 45 days written notice).

A limited number of end-users may not have an audit clause in their license agreements or may have a non- audit period within its agreements; this, however, does not mean that a vendor like Oracle cannot start an audit. Local (or European) laws provide software vendors by law the right to validate – at all times – if an end- user is following the terms and conditions under which it has provided the right end-users to make use of its software. The lack of an audit clause, however, typically means that the procedure to start such an audit (by requesting a court to formalize this) takes longer, due to the lack of a contractual basis.

HOW OFTEN SHOULD WE EXPECT TO BE AUDITED?

The common practice is that every end-user is on average audited by Oracle or one of its LMS partners, once every 3-4 years. Oracle applies this “once every 3-4 years average” since Oracle knows as well that end-users typically will renew their hardware every 3-4 years. Since the number of licenses needed to license the Oracle software to a large extent depends on the hardware on which the software is deployed, (especially for database and middleware programs) this interval of every 3-4 years is applied. Obviously this interval can vary in case Oracle expects a non-compliance situation at an earlier stage or in case a previous audit was limited to a part of the software programs deployed within your organization. In addition, this interval can obviously also be dependent on the amount of auditors available within a country and their local workload.

WHY DID I GET SELECTED FOR AN ORACLE LICENSE AUDIT?

The typical answer of the auditors will be that you are randomly selected. In essence there are, however, two different channels through which end-users are typically nominated for an Oracle License Audit: Oracle’s Sales organization or Oracle’s License Management Services (LMS) department.

In case your Oracle Sales representative gets the feeling or got some indications of potential non-compliance he or she can nominate you as an end-user for an Oracle License Audit. The LMS department will then assess the financial risk of non-compliance after which they will decide to fulfil or deny the request to perform an audit.

Older license metrics (e.g. Named User, Concurrent Device, Universal Power Unit) are no longer sold by Oracle for a number of years now, since they typically can’t be used anymore to cover today’s software deployment correctly. End-users with old license metrics are, therefore, having a higher risk of non-compliance and, therefore, earlier selected for a license audit.

Recent mergers, acquisitions, and/or divestures of legal entities typically require a change in your software license agreement as well since these organizational changes typically result in a change of your software deployment and, therefore, that requires a change of your software license agreements as well.

WHO PAYS THE COSTS FOR AN AUDIT?

As per the terms of the license agreement, you are responsible for any of your costs that are incurred in cooperating with the audit.

In case you are found to be non-compliant for the deployment and/or use of any of the Oracle software programs, you are required to pay any fees applicable to your use of these programs. In such a non- compliance situation, Oracle will refer you to its Compliance Policy and your agreement will require you to purchase the appropriate licenses and related support maintenance fees within 30 days. These fees are typically charged without any additional discounts. In case you have a “price hold” with agreed discount levels for the software programs you are found to be non-compliance, the price hold prices are typically applied. In case you are willing to pay for additional licenses for the future deployment of other Oracle programs, a higher discount may be granted.

Apart from the license and support fees that you will need to pay to be correctly licensed, Oracle will charge you so called “Back Support” fees. “Back Support” fees are the support fees that Oracle “missed” for the period in which an end-user has made unlicensed use of the software programs. These are calculated as 22% of the net license price prorated back to the date it was determined that the end-user was using the un- owned licenses.

As an example:

If an end-user has 2 Processor licenses Oracle Database Enterprise Edition and is found to make use of 3 Processor licenses, Oracle Database Enterprise Edition for a period of 6 years, an end-user would have to pay the following fees:

List License USD 47,500
List Support USD 10,450
Standard Discount: 10%
Net License USD 42,750
Net Support USD 9,405
Back support (6 years) 6 years x 9,405 = USD 56,430
Total fees 42,750 + 9,405 +56,430 = USD 108,585

WE HAD NO IDEA THAT WE WERE OUT OF COMPLIANCE. WON’T ORACLE BE MORE LENIENT WITH US?

No. As per your agreement and Oracle’s Compliance Policy; if an end-user licenses the software, it is the end-user’s responsibility to ensure that they are utilizing their licenses in accordance with the terms and conditions of the license agreements. Therefore, it is the customer’s responsibility to ensure that they understand their license rights (including the licensing policies, support policies, program documentation etc.) and that they are complying with those obtained rights.

AM I REQUIRED TO INSTALL/DEPLOY THE SCRIPTS FROM ORACLE LMS DURING AN AUDIT?

No. As per the audit clause of your agreement “you agree to cooperate with Oracle’s audit and provide reasonable assistance and access to information. Any such audit shall not unreasonably interfere with your normal business operations.” So the clause does not specify that you are required to install/deploy the scripts from Oracle or from any of their verified tool vendors. You are, however, required to provide access to all the relevant information. If you are able to provide the required information in a different complete and accurate way, providing this information in such a way should be sufficient.

End-users are, however, typically not able to provide the information that the scripts from Oracle gather, in a complete and accurate way, and, therefore, end up using the scripts of LMS.

WHEN I RUN THE MEASUREMENT SCRIPTS, CAN I FIGURE OUT MYSELF WHETHER I AM COMPLIANT OR NOT?

No. The scripts only gather deployment and usage information about Oracle products that are installed and /or used in your IT environments and provisional usage data. The output of these scripts requires expert knowledge from Oracle or a specialized firm to analyze the data and compare them with the existing contracts in order to determine the license compliance position.

WE ARE USING AN ORACLE VERIFIED TOOL VENDOR DURING THE AUDIT, SO I AM SAFE, RIGHT?

Oracle’s License Management Services department has verified a number of tool vendors, including BDNA, Easyteam, Flexera Software, Hewlett-Packard, iQuate, Lime Software, and Nova Ratio. The decision from Oracle LMS to “verify” these vendors has been rather smart; in case an end-user is subject to an Oracle audit and implemented any of these tools, the end-user can’t hide during the audit process that the data gathering process will require so much time and energy since you already have implemented the tool in your infrastructure!

End-user often believe (or have the perception) that since they have implemented such a tool, they are in full control of Oracle software. They forget, however, where they were not told or did not validate themselves and what the tools do; the tools only collect raw data for the Oracle Database and its associated options as the scripts from LMS do as well. The collection of raw software data for any of the (thousands of) other Oracle programs is not covered by the tool itself.

In addition, the hardware details on which the software is deployed as provided by the third party tools, is not verified by LMS. Therefore, during an audit, LMS would still require you to run their CPU queries to collect the required hardware details.

“Raw” measurement data as collected by the scripts from Oracle LMS (or any of the third party tool vendors) does not tell you what you would need to license. An analysis – and more important the correct interpretation of the raw measurement data – is still required to obtain a complete and accurate understanding of the software deployment. This requires expertise knowledge that needs to be maintained. This is also the reason why Oracle LMS requires the usage data gathered from third party tool vendors (or their own tools) to be shared with themselves to assess the license needs. Only after an assessment done by the right-licensing experts, you will have a clear understanding of the real license needs.

You should think about the software inventory tools as your ERP system. Every ERP has a Tax Report functionality. It’s great that you can have such an automated report since it saves you a lot of time and energy to get the numbers. However, before sending it to the Tax authorities would you let your accountant and/or Tax expert review and analyze the data coming out of your ERP system?

WHAT SOFTWARE PROGRAMS ARE TYPICALLY INCLUDED IN AN ORACLE LICENSE AUDIT?

Oracle’s Product portfolio includes a large number of different software programs, also due to the large amount of acquisitions done over the years (e.g. BEA Systems, Siebel Systems, PeopleSoft, JD Edwards etc.). Any of these software programs which are owned by Oracle Corporation can be subject to an Oracle License Audit especially if there is a high (financial) risk of non-compliance. However, Oracle’s audit team typically focuses on a certain number of Oracle programs due to the large number of end-users making use of these programs and the high financial risks of non-compliance that these Oracle programs represent. The Oracle programs on which the audit team typically focuses are Oracle Database (including Database Options and Database Enterprise Managers), Oracle Application Server, Weblogic and Tuxedo (either purchased in the past through BEA or after the acquisition through Oracle), SOA, E-Business Suite, Siebel and JD Edwards. In certain countries/divisions, like the US, some focus is also placed on Agile / Autovue programs as in the EMEA some additional focus is placed on Primavera programs.

ORACLE PROVIDED ME WITH A LIST OF ALL OR OUR LICENSES. IT LOOKS OK TO ME. ARE WE DONE?

You could be tempted to end the validation of your current licenses at this point due to the time constraints and efforts it will take you to validate the list provided by Oracle. You may assume that an organization like Oracle should be able to provide you with a complete and accurate overview of your licenses. You could, however, end-up overpaying if you don’t complete this validation. Why? In many cases where we have performed an analysis of the list of licenses as provided by Oracle vs. the actual agreements, many discrepancies were identified. Discrepancies such as the fact that license metrics may not be correctly registered within the internal systems of Oracle (e.g. after one of the many acquisitions), the current (and not the contractual) license metric definitions are applied, the products/components which are part of a certain license are not taking into account by the auditors, etc. All these differences that can potentially be identified during the validation process should be documented and dealt with in the audit process.

It is, therefore, important to gather all Ordering Documents, License Agreements (either Software License & Services Agreements (SLSA’s), Oracle License & Service Agreement (OLSA) or Oracle Master Agreements (OMA’s)), Support Maintenance Renewals, Partner Ordering Forms, Partner Agreements and the corresponding program documentation (which is part of the license agreement) and any other paperwork (e.g. invoices, POs, commercial proposals/emails from the past) that provides insight into the obtained license and support rights.

WE HAVE REACHED A SETTLEMENT; SHOULD I BE CONCERNED ABOUT ANYTHING ELSE?

Once thing you should include in a (commercial) settlement on identified license compliance issues by Oracle, is to receive a written conformation (“Close Letter”) from the Oracle compliance team (License Management Services). This letter should confirm that Oracle releases, discharges, and acquits your organization of and from any and all obligations, debts, liabilities, claims, causes of action, promises, penalties, interest, attorneys’ fees, and all damages of all kinds and character whatsoever, (including but not limited to, license fees, maintenance fees, infringement penalties, actual, consequential, and punitive damages, known or unknown, asserted or un-asserted) arising from the identified compliance issues.

If the case makes it to court, it will likely become public record and the negative publicity could be more damaging than the offense and fines.

WE UNDERSTAND ALL THE RISKS AND HAVE DECIDED TO DO OUR OWN SELF-AUDIT. WHAT KIND OF ERRORS SHOULD WE BE AWARE OF WHILE WE INVESTIGATE OUR OWN SOFTWARE LICENSING USAGE?

From our experience working with scores of clients around the world, we have discovered approximately 50- 60 areas that companies frequently reported inaccurately during an audit.

A number of these area’s include:

  • Failure to recognize historical entitlements (products purchased 3-9 years ago) that can be used to mitigate current licensing gaps.
  • Incorrect application of wrong license metrics (often the license metrics under which Oracle nowadays sells the licenses) instead of the contractual license metric definitions and corresponding agreed terms and conditions.
  • Licenses from mergers and acquisitions that can be used to mitigate current licensing gaps.
  • Incomplete and/or inaccurate understanding of which products/components are part of certain Oracle licenses that can be used to mitigate current licensing gaps. (e.g. Oracle’s Database Enterprise Edition restricted – usage rights are part of Oracle’s Internet Application Server Enterprise Edition licenses, Oracle Coherence usage rights are part of Oracle’s Web logic Suite license and many more.)
  • Incomplete and/or lack of understanding of all data streams to and/or from the Oracle software in order to understand the “multiplexing front end” and not understanding what Oracle means with “measuring the users at the multiplexing front-end”.
  • Incorrect calculations of required number of licenses needed for virtualized environments, which are depending on technologies used and their configuration (e.g. IBM LPar, VMware VSphere, Sun Solaris Capped Containers, Oracle VM, etc.).
  • Incorrect licensing of Oracle programs deployed in disaster recovery environments.
  • Failure to comply with the minimum required number of licenses per Processor for all servers on which the Oracle programs are deployed, including test, development, and acceptance environments.
  • Incomplete and/or inaccurate understanding of the installed and/or used components and/or features and/or modules (e.g. Database Options and/or Database Enterprise Managers, Human Resources, Financials etc.)
  • Incorrect counting of the number of “users” by lack of de-duplication of user names, including of system users and/or inactive user names created within the software.

WHAT IS THE TRIGGER TO LICENSE ORACLE SOFTWARE: ONCE THE SOFTWARE IS INSTALLED OR ONCE THE SOFTWARE IS IN USE?

All the license metric definitions of Oracle state that the Oracle software is required to be licensed once the software is installed and/or running. This means that the trigger to license the software is once it is installed independently if the software is actively being used. Apart from the exception rules of Failover environments, Oracle, therefore, also requires you to license the software, which is installed for disaster recovery purposes.

Are there no exceptions? Yes, there is one exception rule related to the deployment and use of Database Enterprise Edition Options and/or Database Enterprise Managers. Why? Oracle Database Enterprise Edition is shipped with various Database Options and Database Packs (or if the Database Enterprise Edition is downloaded, the Database Options and Packs are downloaded along with the Database Enterprise Edition program).

End-users must install these Database Enterprise Edition Options and Packs and often – as a result of this – start using these separate licensable Database Enterprise Edition Options and Packs. In case these Database Enterprise Edition Options and Packs are – during the course of a license audit – found to be installed only (and not used), end-users normally receive the opportunity to sign a “Certification of Non Use” letter. With such a letter (which should be offered) the end-user certifies and warrants that it has not made operative use of the Database Options and/or Database Packs and the end-user warrants that it shall not make any operative use of the Database Options and/or Database unless and until it purchases the required licenses for such usage.


This is abridged version of a whitepaper by Richard Spithoven of b.lay.

You can download the full version (without registration) on the b.lay website here.

Richard was one of our highly experienced presenters at our free Oracle Licensing Seminar held in November in London. Our next Oracle Licensing Seminar will be held in New York in January.

Learn more and register:

https://itassetmanagement.net/2014/12/02/event-listing-oracle-seminar-29th-january-2015-york/

Can’t find what you’re looking for?