Oracle license management license audit defense

Oracle License Audit
Defense Training – Part 5
w w w . r e d r e s s c o m p l i a n c e . c o m

Oracle Contracts – Audit Clause

Oracle - > End customer Contracts
Oracle Ordering
Document
Oracle Master
Agreement (OMA)
Oracle Support Policies
| Dynamic/URL”

• It does not mention that
you need to run any Oracle
Audit Scripts and/or tools.
• It also says it shall not
“unreasonably” interfere
with your business
operations.
What is “unreasonably” ?
• 45 days written notice
before you need to reply.

“Upon 45 days written notice, Oracle may audit your use of the programs. You agree to
cooperate with Oracle’s audit and provide reasonable assistance and access to information.
Any such audit shall not unreasonably interfere with your normal business operations.
Oracle shall provide you with a report of any such audit and you shall have the right
to provide a written response to such report to Oracle. All such audit reports and responses to
such audit reports shall be considered confidential and subject to the
non-disclosure obligations in this agreement.
You agree to pay within 30 days of the final audit report any fees applicable
to your use of the programs in excess of your license rights. If you do not pay, Oracle can
end your technical support, licenses and/or this agreement. You agree that Oracle shall not be
responsible for any of your costs incurred in cooperating with the audit.”
OLD - The Clause
Review of audit clause until 2019 (for all older agreements)

Upon 45 days written notice, Oracle may audit Your use of the Programs to ensure Your use of the Programs is in compliance with
the terms of the applicable order and the Master Agreement. Any such audit shall not unreasonably interfere with Your normal
business operations. You agree to cooperate with Oracle’s audit and provide reasonable assistance and access to
information reasonably requested by Oracle. Such assistance shall include, but shall not be limited to, the running of
Oracle data measurement tools on Your servers and providing the resulting data to Oracle. The performance of the audit
and non-public data obtained during the audit (including findings or reports that result from the audit) shall be subject to
the provisions of section 8 (Nondisclosure) of the General Terms.
If the audit identifies non-compliance, You agree to remedy (which may include, without limitation, the payment of any fees for
additional licenses for Programs) such non-compliance within 30 days of written notification of that non-compliance.
If You do not remedy the non-compliance, Oracle can end (a) Program related Service Offerings (including technical support),
(b) Program licenses ordered under this Schedule P and related agreements and/or (c) the Master Agreement. You agree that
Oracle shall not be responsible for any of Your costs incurred in cooperating with the audit.
Source: https://www.oracle.com/a/ocom/docs/lic-online-toma-us-eng-v040119.pdf
NEW - The Clause
New Audit clause (only if you sign a new OMA)

4 Key Take always from the Oracle Audit Clause Change:
1. Oracle inserting contractual language that you must
run Oracle Audit Tools. (more leverage for Oracle)
2. However does the audit change only cover software
purchased under this OMA? It surely does not retro-
actively replace all older purchases.
3. They mention that the audit is covered by the NDA,
this is a way for Oracle to say “we don’t need to sign
your NDA before the audit begins”
4. Recommendation: Try to renew your current OMA with
old terms and/or try to remove language about the
audit tools.
4

Oracle Audits – who performs
them and who are selected?

Oracle License Audits – Who are performing them?
Outsource its audits – its done in-
house.(LMS org)
If it is a partner that partner is not paid
money by Oracle. But are compensated if
there a short fall. SevenEights, Innoapps.
Usually these partners are not
professional consulting companies, but
more geared towards resellers. (low
experience, not much SAM experience or
Oracle licensing knowledge.
You can decline these “partner led” audits.

Oracle LMS does not
Knock on your data centre and ask to be
let in.
Oracle does not use any
discovery tool, so they can only
find the software deployments
that you have.
Many Oracle Software products there is
no data measurement tool and Oracle
relies on you providing truthful
information.
Oracle LMS does
have
A in-house developed tool that
will identify active usage today
and what has been used in the
past for certain products.

AUDIT
Different types of “audits”
• Oracle partner led license review
• Review letter is being send from
Oracle LMS
• Client needs to send an acceptance
to Oracle LMS
• Partner is managing the project
• Data is shared 1 on 1 with Oracle,
script outputs analysed by Oracle
• At end client receives an official
compliance statement
• IS NOT AN AUDIT
• Letter from sales
• Looks the same as an Oracle
license review, since same
documents are being used
(OSW,…)
• Playing on the client’s lack of
knowledge regarding the audit
processes of Oracle.
• Purpose: find sales leads
LMS
Partner led
Soft audit
Audit
License review
License advisory service

Oracle sends you an audit notification, and proposing that
their “partner” is representing Oracle during the audit.
What you should do:
1. You can decline to have the partner do the audit.
2. If Oracle refuses, you can say that you will never
purchase any licenses from the audit partner.
3. If the audit partner does not earn any money
they do not want to spend time auditing you.
RECOMMENDATION
ORACLE WILL TO NEGOTIATE:
STRONG
Oracle are primarily for smaller Oracle customers using partners as “audit” – but these partners
ONLY make money on reselling licenses if you have a gap. They are not independent.

Oracle selecting customers for audits
Selection is not
random, it is
based on
suspicion on non-
compliance.
Ultimately
it is the sales rep
who approves the
audit going forward
or not. (Sales reps
can nominate and
they can also
veto the audit.

Who are selected?
Customers Oracle believe are
non compliant and will
generate revenue
Based on a mix of factors, no
science.

How can you avoid being audited?
MAKE ORACLE BELIEVE YOU IN FULL
CONTROL WITH YOUR ORACLE
LICENSING.
BE WELL-INFORMED when you are talking
to Oracle. If you Oracle notices that you are
not informed on licensing and contracts
higher risk of an Oracle audit.

2 ways for how you are selected for an audit.
Sales rep
nominated customer
for LMS
LMS approves
LMS sends out
notification letter.
PROCESS 1
Oracle LMS has
a list of
companies they
want to audit
List put
together based
on
LMS shared list
with Sales to
get agreement
on who to audit.
Sales discuss
with LMS
(results in last
audit? Details on
selection criteria
Sales gives
blessing to
audit
LMS sends out
letter
PROCESS 2
Old license metrics
Named user plus
licensing
Merger and acquisitions
3yrs+ since last audit.
Audit
Audit

7. You have logged support tickets with
Oracle and in the ticket, you are
describing using technology features that
you don’t have a license for.
8. You decided to NOT to accept an Oracle
licensing or cloud solution.
9. You told Oracle that you are not interested
in meeting or have any new “projects” that
might involve buying more Oracle
Software.
10. You have a new sales rep; some sales
reps believe in auditing customers more
than others.
11. Declining to renew your Oracle ULA.
12. You were non-compliant in the last license
audit
13. While talking to your sales rep you
mention that you use a functionality that
your licenses does not cover.
12 Most common reasons for being audited by Oracle
?
1. You have Old License Metrics or NUP
licenses (Tech)
2. You have acquired a company or merged
with another company, by default you can
be non-compliant with the contract terms.
3. You have made a large hardware refresh,
which often changes licensing
requirements.
4. You have not been audited for more than
3 years.
5. You have Oracle EBS but don’t have full
use licensing for technology.
6. Oracle (often Sales) have heard that you
are using virtualization technologies.
(VMWare)
1
2
3
4
5
6
7
8
9
10
11
12
13

3 strategies that can prevent your company from being selected for an Oracle License Audit
1# “Make Oracle believe you are
compliant” - Oracle don’t audit
customers who they believe are
compliant
1. Do a license review (use Oracle Audit
scripts, with an Oracle Expert firm. Its needs
to be reliable or it can backfire.
2. Consider sharing licensing info (high
level) with Oracle : If Oracle believes that
you have full control over your license
management. They will probably not audit
you.
If your last audit showed that you were
compliant, you are unlikely to be audited again
for many years.
#2 “Best friends strategy” Make Oracle sales your best friend
1. If you annually buy new Oracle Licenses and Cloud (not support) no audits.
2. If you don't buy new Oracle licenses/cloud you need to have excellent relationship
with your Oracle KAD. (Your KAD/AM can initiate and or stop the audit)
3. Advise always: Oracle believe that you are considering their solutions.
If you refuse to met Oracle and transparent open that you don’t buy anything
from Oracle - > Oracle have nothing to loose by auditing your company.
3# “Enter an Oracle ULA or
Perpetual ULA”
If you sign a ULA/PULA you wont be
audited unless you want to exit the
agreement.
1. It is unheard of that Oracle has audited any
company that has an active ULA.
2. Instead of doing #1 (License Management)
which would cost even the largest companies
a fraction of a ULA. Some companies prefer to
keep spending millions with Oracle.
#1
#2
#3

Exercise
Who performs Oracle audits?
Answer A:
 KPMG, Deloitte
Answer B:
 Oracle LMS or JPE partners

Exercise
Can you decline a “partner audit” ?
Answer A:
 No, Oracle decides
Answer B:
 Yes you can, JPE partners earns money on
reselling licenses. (not objective audit)

Exercise
How often do Oracle audits its customers?
Answer A:
 Every 5 years
Answer B:
 Every 3 years

Exercise
Who selects at Oracle selects customers for audits?
Answer A:
 LMS only
Answer B:
 Officially it is LMS, but indirectly/unofficially it is
done together with sales.

Exercise
If I am audited with Oracle come to my data center?
Answer A:
 No, they ask you to run their tools.
Answer B:
 Yes, they will always come to my data centre

Exercise
Which of this events are likely to trigger an audit?
Answer A:
 I terminate my support agreement
or move it to third party support.
Answer B:
 I tell Oracle that we have no new projects where
there is a sales opportunity (license/cloud)

Exercise
Which of this events are likely to trigger an audit?
Answer A:
 You have old license metrics or user based
licensing.
Answer B:
 We have in the past year merged with another
large company

Exercise
I receive an email from Oracle saying I should fill in an OSW
Do I need to co-operate?
Answer A:
 Yes, you need to comply with Oracle email
Answer B:
 No, this sounds like a sales review. There is no
contract obligation to co-operate with Oracle.

Oracle Audit Data Measurement
tools

Scripts/Tooling
• Oracle provides their own scripts for audits
• Scripts are continuously being developed and made
better
• Currently: Oracle LMS Collection Tool
− Captures: DB, Middleware, EBS, …
− Limitations: some license metrics make tracking
by tools impossible (e.g. Employee user)
Why should you NOT run the
scripts?
• It will be used as proof if you
used unlicensed software
• LMS collection tool might
pick up software which is not
in scope and Oracle will look
at it (and ask questions)
ORACLE SCRIPTS1
TO RUN OR NOT TO RUN? THAT’S THE QUESTION.
• No mention of running scripts in the contract
• Does the client get a choice? Not really, Oracle LMS will require it.

Scripts/Tooling
• Oracle provides their own scripts for audits
• Scripts are continuously being developed and made
better
• Currently: Oracle LMS Collection Tool
− Captures: DB, Middleware, EBS, …
− Limitations: some license metrics make tracking
by tools impossible (e.g. Employee user)
Why should you RUN the
scripts?
• Oracle LMS might start to
threaten if you refuse
(although no contract obliges
the running of scripts)
• They might be more difficult
to deal with if eventually any
license deficits are found.
ORACLE SCRIPTS1
TO RUN OR NOT TO RUN? THAT’S THE QUESTION.
• No mention of running scripts in the contract
• Does the client get a choice? Not really, Oracle LMS will require it.
Argumentation
• Performance impact of the audit tools
proposed?
• Data collected:
- Why?
- Which data is gathered, understand the
detail?
- Where is the data collected from?
- How will it be used?
- Can this sort of data leave the premises?
- Where in the world is this data being
processed/stored? (Roumania)

Oracle LMS tools “LMSCollection”
COMBINATION
of server worksheet,
questionnaires and
scripting
S O M E E X A M P L E S
CPU queries Virtual infrastructure screenshots
ReviewLite OMT User reports
DDL queries FMW scripts
Extraction scripts Siebel

Scripts/Tooling
• A number of tooling providers are Oracle LMS Certified.
• What does this mean?
• Means the deployment output from the tool is accepted by Oracle LMS
during an audit.
ORACLE CERTIFIED TOOLS2
Some notes:
• Only the ‘Server Worksheet’ containing deployment information, not the baseline results. Oracle will still investigate and ask
additional questions.
• Certification applies only to DATABASE products, not for any other Oracle software.

Oracle says you must run their audit tools
What you should do:
1. Ask consultant to to analyze Oracle scripts on
your systems
2. Review results, remediate/optimize/purchase
3. IF you have risk: Don’t let Oracle run scripts
4. Claim that data cannot leave your on premises
RECOMMENDATION
MEDIUM
Oracle have developed their own in-house scripts (“LMSCollection”) – Your contract says nothing
about running Oracle scripts.

Audit Process by Oracle
PHASE 1
Notification
• Notification letter by Oracle, indicating
partner
• Acceptance required
• 45 days prior written notice
• Directed at CFO
Kick-off with customer
• Scoping (Infrastructure, Customer
definition)
• Timeline
• Agreement on License Inventory
Data gathering
• Measurement? (If applicable)
• Complete Oracle Server Worksheet
• Questionnaire
• 2 to 3 weeks standard timeframe
1

PHASE 2
Data analysis
• Review measurement tooling output
• Review questionnaire
• Clarifications
• 3 to 5 weeks timeframe
Reporting
• Draft report
• Review draft with client
• Final report with
non-compliance findings
2

PHASE 3
Solution
• Solve the findings within 30 days
• Negotiate
3

Audit Defense – Example how to build your own plan
PHASE 1:
Audit
preparation and
risk reduction
30-45 days
notification
As soon as
possible
Object delay
• Review
contracts
• Review real
usage
• Risk analysis
• Risk
reductions
• Optimizations
• Purchase
• Audit trends
Technical
activities
Audit
letter
Redress
Compliance
engaged
Audit
strategy
Incompliance
assessment
Optimisation
Guidance
Risk
Reduction
Project
PHASE 2:
Audit support
NDA
Negotiation
scope
Kick off Find errors!
• Review
contracts
• Review real
usage
• Risk analysis
• Risk
reductions
• Optimizations
• Purchase
• Audit trends
Before Start Audit Preliminary
report
Review and
counter-
strategy
Negotiation
support

Example: Oracle Audit Letter
Source: https://www.itassetmanagement.net/wp-content/uploads/2016/03/Oracle-
Review-Notice-.pdf

We have received the audit letter, practical steps to take
What you should do:
1. Review Audit letter to understand which
products Oracle wants to audit.
2. Try to gather all license entitlements, support
renewals
3. Contact an Oracle License expert, you need all
hands on deck.
4. Use Oracle scripts to analyze and perform your
“own” audit before Oracle starts its own.
RECOMMENDATION
N/A
Oracle have developed their own in-house scripts (“LMSCollection”) – Your contract says nothing
about running Oracle scripts.

Negotiation of the scope
• Limit the possibility of
unknowns
• Ask for Oracle ’s License
base (do we agree on
their scope and license
base)
Why?
• Depends on contract and
organisational setup
• Contract:
− In case of 1 contract or
central purchasing: Oracle
will likely include all
− In case of multiple contracts
through multiple entities…
easier to limit the scope.
How?
• Centralised IT: more
difficult to reduce scope
• Multiple IT Departments:
easier to limit scope – no
central management so
Oracle will need to
contact multiple
departments. Better to
reduce scope
Organisational setup:

Negotiation of the scope
• Lately not all Oracle LMS
Consultants share their view
on the client’s license
entitlements.
• It’s important to start any
audit with a clear license
base. What is Oracle looking
at and do we agree with this
view?
Product scope
• Different products can be managed by
different departments
• Application contracts are oftened
managed at a different level of the
company entirely (not always IT).
It will also make it possible to
scope the products.

Exercise
Which is the best way of avoiding a new license audit
from Oracle?
Answer A:
 Renew our ULA every 3 years
Answer B:
 Implement robust Oracle License Management
control.

Exercise
Why does Oracle want to start the audit so quick?
Answer A:
 They are helpful and efficient.
Answer B:
 Oracle don’t want you to be able to take any
remediation activities.

Exercise
What is the name of Oracle main audit tool?
Answer A:
 Oracle uses certified LMS tools.
Answer B:
 LMSCollection

Exercise
Can I refuse to run Oracle provided tools?
Answer A:
 No, its in the contract that I must co-operate.
Answer B:
 Maybe, review your contract language and
understand how much you need to co-operate

Exercise
If I have an Oracle certified SAM tool what does it mean?
Answer A:
 It means nothing, except Oracle accepts
the high level deployment info (OSW).
Answer B:
 Oracle will almost always want you to also run
their data measurement tools

Exercise
Why is it a bad idea to hand over SAM tool data to Oracle?
Answer A:
 Because the SAM tool data may be incorrect
Answer B:
 If you tell Oracle you have such tools, then you
can provide Oracle data within days. No time to
review your licensing.

Where to begin? By reviewing your
Licensing Agreements

What is proof of license? - Contract documentation
• Contracts
• Ordering documents
• Maintenance renewal
• Amendments
• Termination letters
• Transfer letters (license
assignment)
Proof of license
constitutes of
• Oracle LMS does not accept
side-letters, emails, verbal
agreements in their audits.
• Any such type of agreements
can disappear due to a person
leaving either organisation.
• As such, these pose a risk
to Oracle customers
Special note:
Sideletters/emails/verba
l agreements

Contractual Terms and Conditions
Do we understand the
contractual T&C’s
correctly?
CUSTOMER DEFINITIONS
Majority owned subsidiaries
Limitation to entities
Other custumized “definitions”
Amendments

contractual T&C’s
correctly?
TERRITORY RIGHTS
Country?
Regional or worldwide?
Why limited Territory rights on contracts?

contractual T&C’s
correctly?
TERRITORY RIGHTS
LIMITED USE RIGHTS
Limited use for certain processes
Limited use for certain applications
Limited use for certain
environments (e.g. Test/Dev)

contractual T&C’s
correctly?
TERRITORY RIGHTS
LIMITED USE RIGHTS
LICENSE METRIC DEFINITIONS
Standard metric or contract
negotiated?
Change over time – multiple
contracts, same metric, multiple
definitions
Defines how to count the license
requirement?
Old metrics
High risk of non-compliance
High risk of audit selection

What if we cannot find all agreements?
What you should do:
1. Find as much as you can, and do a internal
review.
2. Before any audit begins, ask Oracle to supply all
license agreements/entitlements for your review.
3. Review contracts to understand your license
terms or any customizations
COMMONCHALLENGE
STRONG – N/A
Many companies are missing or are unsure if they have all license agreements.

4 main risk areas

1# VMWare impact on Oracle licensing
The use of vSphere has impacts that vary depending on the version that has been implemented, but which
are confirmed by the general Oracle guideline:
Any hardware which could be used theoretically by the software during a given runtime must be
licensed
Version Features Licensing Impact
Up to and including 5.0
Version 5.1 and version
5.5
Version 6.0
The virtual machines (VMs)
can only be migrated within
a cluster
Virtual machines (VMs) can
be migrated between
clusters (within one
vCenter)
Virtual machines (VMs) can
be migrated from one
vCenter to another
The whole vmware
cluster must be
licensed
All physical hosts in all
clusters in the whole
vCenter instance must
be licensed
All physical hosts in all
vCenters (in your
company)

If you have deployed Oracle Software on virtualized env?
What you should do:
1. Review which virtualization technology is in use.
2. Check if you have any special contract with
Oracle enabling reasonable licensing in virt env.
3. If no such contract exists, remove to bare metal
or cloud deployments.
4. Consider not sharing any virtualization info with
Oracle during audit
RECOMMENDATION
SMALL
Usually this is a red flag for any Oracle customer

#2 Oracle Applications
• Employee count: all employees irrelevant of actual use
• Application User: all users of application
• Customised bundling of software: e.g. Professional user,
External professional user,…Correct counting requires:
• Analysis of contractual license metric definitions
• In case of bundling: in depth analysis required of:
a. User names
b. Allocated responsibilities (review of customised responsibilities)
c. Mapping responsibilities to components
d. Mapping components to products
e. Mapping products to bundles

Application licensing with Oracle is high cost and exotic to
manage.
What you should do:
1. Check support renewal and license agreement
for users.
2. Engage with expert who can use Oracle audit
scripts to analyze output
3. Will provide results in which you can take
appropriate actions before audit begins.
4. Remediation/Optimisation/Purchase
RECOMMENDATION
VERY SMALL
No SAM tool can manage this, if auditing we recommend engaging licensing expert.

#3 Using features that you do not have a license for (database options)
Partitioning
Multitenant
Real Application Clusters
Active Data Guard
Real Application Testing
Advanced Compression
Advanced Security
Label Security
Database Vault
OLAP
Spatial
Advanced Analytics
Database in Memory
Diagnostics Pack
Tuning Pack
Database Lifecycle Management Pack
Data Masking and Subsetting Pack
Cloud Management Pack for Oracle Database
Partitioning found on 1 server with 2 processors and 4 cores per
processor Intel.
= 2*4 = 8 core factor 0.5 = 4 CPU licensable cost = $11,500 per cpu,
plus support and back support total cost could be a minimum of $56,120
for one server alone, without the back support costs.
What if it was on a VM Cluster/ vCenter, risks of unlicensed option
usage and financial risks are very high.
Example

Database options usage is one of the most common
compliance issues
What you should do:
1. Deploy Oracle LMS Scripts.
2. Engage with expert who can use Oracle audit
scripts to analyze output
3. Expert will provide output to you and tell you
exactly what will Oracle find.
RECOMMENDATION
VERY SMALL
SAM tools can be part of the solution, but its not the whole solution.

#4 Misunderstanding Oracle Licensing
• Are all environments being
licensed correctly?
• Difference between standby,
failover, remote mirroring?
• Are correct rules being
applied?
Disaster Recovery
Test & Development
• All environments need to be
licensed
• Test/Dev per user? Can you
prove user count?
Hardware
• Counted correctly?
• Correct core factor
• Hardware partitioning

Oracle Licensing Policies are notoriously difficult to
understand and it is easy to misunderstand.
What you should do:
1. Review: https://www.oracle.com/assets/data-
recovery-licensing-070587.pdf
2. Consult with licensing expert to confirm findings.
RECOMMENDATION
VERY SMALL
Review Oracle Policy documents to understand if your DR licensing is correct.

Step:
Description: Oracle License Experts have
developed almost identical tools
as Oracle LMS
Recommendations: Always use to avoid making
costly mistakes
How important do I
think this is?
Benefits:
Find out exactly what Oracle LMS
will find when they audit you
What actions should you
take:
Find someone who can analyse
Oracle Audit scripts
Use Data Measurement tools

We have a SAM Tool and in-house SAM staff, is that enough?
What you should do:
1. NO SAM tool is able to measure non DB
products such as Middleware and Applications.
2. You want to replicate Oracle LMS methodology
as much as possible.
3. The choice is simple - either you pay money to
Oracle in a license audit or you use expert
consultant.
4. Even if you have great in-house expertise, its
always useful to get a “second set of eyes” on
your data.
RECOMMENDATION
N/A
The reason why companies struggle is that SAM Tools are not able to measure Oracle and that
Oracle licensing is very much about the “details”

You use Oracle scripts – AND identify a license gap that you
need to resolve by purchasing licenses
What you should do:
1. Contact Oracle Sales and say you “maybe”
have a new license need for a for a future
project
2. Ask if they can cancel audit if you make
purchase.
3. If the they don’t cancel, purchase anyway
4. Discounts are generally 30% higher purchased
pre-audit
RECOMMENDATION
STRONG
Many companies wonder if they should buy before audit begins or after, we recommend before.

The audit begins

Best Practices
BEFORE AFTER
AUDIT
BE READY
ADVANTAGES
Create audit response team Gain experience and quick reaction times
Define audit policy, process steps and
allocate responsibilities
Know what to expect and who to turn to.
Create your own audit process, with
timelines
Be ready to control the audit and auditor
Prepare document templates
Specific NDA for audit, co-op with legal
department
Centralise all purchasing and licensing
documentation
Easy access to the information
Make regular internal verifications Control and reduce risk, cost avoidance

Delay Tactics
BEFORE AFTER
AUDIT
If not ready, DELAY
ACTIONS WHICH CAN POSE
DELAY BEFORE AUDIT STARTS…
TO BE TAKEN
INTO ACCOUNT
We are in the middle of an IT roll-out. Officially, client should have 45 days
written notice. This can be interpreted as 45
days between audit notification (letter) and the
initial kick-off meeting.
Oracle might ask for a meeting before that
time is past. There are multiple ways to delay
this meeting (some indicated in previous
column).
No actual risk in delaying.
Advantage in not delaying: “We are in control
of our Oracle licenses”
We’ll need to wait for legal department
feedback
This is the 3rd/4th audit this quarter…
Before meeting, we would like our NDA
to be signed
Person responsible is not available due
to…

Best Practices
BEFORE AFTER
AUDIT
Understand your rights
NOTES
Audit clause in the contract? Audit clause part of the License agreement
Full license entitlement
Licenses,customer definition,territory in
Oracle ordering document
Customized clauses in the contracts?
Knowing usage limitations, licensing
deviations negotiated. Auditor might take
standards as base for audit
45 days written notice In principle you have 45 days…
The audit will not unreasonably
interfere
Any interference?

Best Practices
BEFORE AFTER
AUDIT
NDA
SCOPE TOPICS NOTES
You can negotiate the scope Limiting geographical, products
Clearly describe the scope at the start
So Oracle cannot state later… ‘we found
another product’
Product scope
Get a license entitlement list from the auditor,
verify against internal data and the agreed
limitations
Agree on audit approach
• Which steps?
• Which data? How is this collected? By
whom?
• How much effort required from your side?
Start of the audit
SCOPE

Best Practices
BEFORE AFTER
AUDIT
ACTION NOTE
Appoint a Single Point of Contact
Spokesperson towards Oracle from that point
on.
Absolutely NO other communication
Nobody else speaks to Oracle (exception
urgent support calls)
SPOC
Start of the audit

TOP 3 most common errors companies make during audits
1 2 3
No negotiation
on audit scope
“We’ll do everything
Oracle asks to
keep them happy”
No need to
review report,
we’ll negotiate
Having a clear view on what
is being looked at, improves
controlability
of the audit
Get a list of the licenses in
scope. Is Oracle looking at
all purchases for these
products? Anything
missing?
Some data you might not
wish to share regarding e.g.
applications, …
Oracle’s scripts will capture
a lot of information, even
products not in scope.
Finding mistakes improves
negotiation position
Reducing the findings will
decrease the start price
Contact Experts Read articles/blogs – Boost your knowledge

4 strategies for how companies manage Oracle license
audits
You reply to Oracle audit letter notification
directly.
You don’t take any action to review your
licensing.
You don’t work with any external Oracle
license expert.
You run Oracle audit tools and hand over
the data.
You trust Oracle LMS fully.
WORST – 50% BAD – 35% RECOMMENDED – 10% BEST – 5%
“I manage the audit alone,
with no help and I trust
Oracle completely”
“We have a SAM tool that is
certified by Oracle. Now I am
ready for the Oracle License
Audit”
“I realize that Oracle licensing
can be very difficult and we
will contact an expert firm to
help us”.
“I want to stop being audited
and be pro-active when
managing Oracle?”
Company
strategy
Actions
taken
End result You will be forced to pay for software
that you are not using but simply
because you have misinterpreted
Oracle licensing policies or rules.
Oracle will at the end send you a
“audit report” saying you need to pay
for the license gaps and hint that
“Oracle reserves the right to
terminate your licenses and programs
if you don’t resolve it within 30 days”
You reply to Oracle audit letter notification
directly.
You decide to work use your Oracle LMS certified tool.
You use your existing Software Asset Management
Tool to give Oracle output. (OSW)
You don’t work with any external Oracle license
expert.
You are left to the mercy of Oracle LMS.
The tool might save you 10-20% of any license gap,
but that is little worth when the license gap is €
8,000 000 due to you have used Oracle Software in
ways that the tool is not able to detect.
Oracle will at the end send you a “audit report”
saying you need to pay for the license gaps and
hint that Oracle reserves the right to terminate your
licenses and programs if you don’t resolve it within
30 days.
Companies taking this approach usually pays the
same to Oracle as the customers who did not have
any tool. With a good negotiation team you might
be able to “settle” the license audit at € 4,000 000 or
be tricked into signing an Oracle ULA.
You hire an Oracle License expert.
You don’t reply to Oracle LMS letter.
You and partner perform a license review using
scripts to measure your license position.
You ignore your SAM tool or simply use it as a
data source to understand where Oracle software
is installed.
You only start “Oracle audit” after remediation
Together with the Oracle license expert you
make a independent audit of your Oracle
Software investment. You discover a € 8,000
000 license gap.
Almost always 95% of that is due to not over-
usage but simply that you misunderstood how
to license Oracle Software.
You are then left with a real over-usage of €
400 000 and you can decide if you want to wait
until the audit is complete or if you want to
purchase Oracle Software.
You still have to purchase Oracle Software, but
the key result here is that you ONLY pay for
what you use.
Benefit: 95% savings
Find Oracle licensing expert to partner with
for 2 years. = knowledge transfer
Use your SAM tool to the best of their ability,
start thinking of it as A TOOL AND NOT A
SOLUTION)
Make annual license reviews of your
compliance position.
Start optimizing on licensing (often up to 30%
of Oracle licensing can be optimized)
BY GAINING FULL CONTROL over your
Oracle Licenses you can prevent audits
from happening.
Benefit: By showing Oracle you have full
control the likelihood that you will be
audited in the future is EXTREMELY LOW
Benefit: You will not waste time working on
license audits.
Benefit: Your SAM and Procurement team
will focus on optimization and cost savings

Exercise
Can you negotiate the scope of an audit?
Answer A:
 Yes, only products
Answer B:
 Yes, both products and entities covered

Exercise
When you get Oracle LMS “preliminary report” – what should
you do?
Answer A:
 Contact IT sourcing to buy the licenses covering
any gap
Answer B:
 Review report for errors and wrong assumptions

Exercise
If you have an OMA from 2018, does it include any contract
language to run Oracle audit scripts?
Answer A:
 Yes it does
Answer B:
 No it does not

Exercise
When should you let Oracle start the audit?
Answer A:
 As soon as they want to kick off the audit
Answer B:
 Wait until you have done a review of licensing
and possible remediation

Exercise
What should you primarily look at in your contracts?
Answer A:
 Only products, metrics, quantities
Answer B:
 Product, metrics, quantities, customer definition,
territory, or other “limited use” clauses.

Exercise
You have an email from an sales rep saying its ok to
License with SE, but LMS says you are non-compliant.
Is the “side letter” a get out of jail free card?
Answer A:
 Yes, I don’t need to buy licenses
Answer B:
 No, an email has no contractual value. But it can
be used as negotiation leverage to avoid paying
full price.

Exercise
Which products “can a SAM” tool manage?
Answer A:
 Oracle Database, Middleware and EBS.
Answer B:
 Oracle Database (partly) but often is wrong.

Oracle license management license audit defense

Recommended

Recommended

More Related Content

What's hot

What's hot (14)

Similar to Oracle license management license audit defense

Similar to Oracle license management license audit defense (20)

Recently uploaded

Recently uploaded (20)

Oracle license management license audit defense