This course is focused on what providing a understanding of your rights during the audit, how do Oracle select customers for audits and how to prepare/steps to take before the official audit begins.
Oracle Audit - the audit process.
Who performs the audit
Partner audit or Oracle Audit? - Which audits can you decline.
Which products do Oracle want to audit and what tools are being used
What steps you should take when you receive the audit letter.
Negotiation of the audit scope.
Creating your internal audit team.
A checklist of steps to take before the audit begins
Questions and Answers
What you will learn:
Learn how to prepare your company for an Oracle License Audit.
Learn the steps you need to take before the audit begins.
Learn how to negotiate the scope and delivery of the audit.
Learn what to say to Oracle have a successful negotiation.
Who should attend the training:
License Manager
Software Asset Managers
Sourcing & Vendor Professionals.
IT Managers
Project Managers
5. Pagewww.redresscompliance.com 5
• It does not mention that
you need to run any Oracle
Audit Scripts and/or tools.
• It also says it shall not
“unreasonably” interfere
with your business
operations.
What is “unreasonably” ?
• 45 days written notice
before you need to reply.
6. Pagewww.redresscompliance.com
“Upon 45 days written notice, Oracle may audit your use of the programs. You agree to
cooperate with Oracle’s audit and provide reasonable assistance and access to information.
Any such audit shall not unreasonably interfere with your normal business operations.
Oracle shall provide you with a report of any such audit and you shall have the right
to provide a written response to such report to Oracle. All such audit reports and responses
to such audit reports shall be considered confidential and subject to the
non-disclosure obligations in this agreement.
You agree to pay within 30 days of the final audit report any fees applicable
to your use of the programs in excess of your license rights. If you do not pay, Oracle can
end your technical support, licenses and/or this agreement. You agree that Oracle shall not be
responsible for any of your costs incurred in cooperating with the audit.”
6
OLD - The Clause
Review of audit clause until 2019 (for all older agreements)
7. Pagewww.redresscompliance.com
Upon 45 days written notice, Oracle may audit Your use of the Programs to ensure Your use of the Programs is in compliance with
the terms of the applicable order and the Master Agreement. Any such audit shall not unreasonably interfere with Your normal
business operations. You agree to cooperate with Oracle’s audit and provide reasonable assistance and access to
information reasonably requested by Oracle. Such assistance shall include, but shall not be limited to, the running of
Oracle data measurement tools on Your servers and providing the resulting data to Oracle. The performance of the audit
and non-public data obtained during the audit (including findings or reports that result from the audit) shall be subject to
the provisions of section 8 (Nondisclosure) of the General Terms.
If the audit identifies non-compliance, You agree to remedy (which may include, without limitation, the payment of any fees for
additional licenses for Programs) such non-compliance within 30 days of written notification of that non-compliance.
If You do not remedy the non-compliance, Oracle can end (a) Program related Service Offerings (including technical support),
(b) Program licenses ordered under this Schedule P and related agreements and/or (c) the Master Agreement. You agree that
Oracle shall not be responsible for any of Your costs incurred in cooperating with the audit.
Source: https://www.oracle.com/a/ocom/docs/lic-online-toma-us-eng-v040119.pdf
7
NEW - The Clause
New audit clause (only if you sign a new OMA)
8. Pagewww.redresscompliance.com
4 Key takeaways from the Oracle audit clause change:
1. Oracle inserting contractual language that you must
run Oracle Audit Tools. (more leverage for Oracle)
2. However does the audit change only cover software
purchased under this OMA? It surely does not
retroactively replace all older purchases.
3. They mention that the audit is covered by the NDA,
this is a way for Oracle to say “we don’t need to sign
your NDA before the audit begins”
4. Recommendation: Try to renew your current OMA with
old terms and/or try to remove language about the
audit tools.
8
4
10. Pagewww.redresscompliance.com
Oracle License Audits – Who are performing them?
Outsource its audits – it’s done
in-house.(LMS org)
If it is a partner that partner is not paid
money by Oracle. But are compensated if
there a shortfall. SevenEights, Innoapps.
Usually these partners are not
professional consulting companies, but
more geared towards resellers. Not much
SAM experience or Oracle licensing
knowledge.
10
You can decline these “partner led” audits.
11. Pagewww.redresscompliance.com
Oracle LMS does not
Knock on your data centre and ask to be
let in.
Oracle does not use any
discovery tool, so they can only
find the software deployments
that you have.
Many Oracle Software products there is
no data measurement tool and Oracle
relies on you providing truthful
information.
11
Oracle LMS does
have
A in-house developed tool that
will identify active usage today
and what has been used in the
past for certain products.
12. Pagewww.redresscompliance.com
AUDIT
Different types of “audits”
12
• Oracle partner led license review
• Review letter is being send from
Oracle LMS
• Client needs to send an acceptance
to Oracle LMS
• Partner is managing the project
• Data is shared 1 on 1 with Oracle,
script outputs analysed by Oracle
• At end client receives an official
compliance statement
• IS NOT AN AUDIT
• Letter from sales
• Looks the same as an Oracle
license review, since same
documents are being used
(OSW,…)
• Playing on the client’s lack of
knowledge regarding the audit
processes of Oracle.
• Purpose: find sales leads
LMS
Partner led
Soft audit
Audit
License review
License advisory service
13. Pagewww.redresscompliance.com
Oracle sends you an audit notification, and proposing that
their “partner” is representing Oracle during the audit.
13
What you should do:
1. You can decline to have the partner do the audit.
2. If Oracle refuses, you can say that you will never
purchase any licenses from the audit partner.
3. If the audit partner does not earn any money
they do not want to spend time auditing you.
RECOMMENDATION
ORACLE WILL TO NEGOTIATE:
STRONG
Oracle are primarily for smaller Oracle customers using partners as “audit” – but these partners
ONLY make money on reselling licenses if you have a gap. They are not independent.
14. Pagewww.redresscompliance.com
Oracle selecting customers for audits
14
They are not
random, they are
selected based on
suspicion on
non-compliance.
Ultimately
it is the sales rep
who approves the
audit going
forward
or not. Sales reps
can nominate and
they can also
veto the audit.
16. Pagewww.redresscompliance.com
How can you avoid being audited?
MAKE ORACLE BELIEVE YOU IN FULL
CONTROL WITH YOUR ORACLE
LICENSING.
BE WELL-INFORMED when you are talking
to Oracle. If you Oracle notices that you are
not informed on licensing and contracts
higher risk of an Oracle audit.
16
17. Pagewww.redresscompliance.com
7. You have logged support tickets with
Oracle and in the ticket, you are
describing using technology features that
you don’t have a license for.
8. You decided to NOT to accept an Oracle
licensing or cloud solution.
9. You told Oracle that you are not interested
in meeting or have any new “projects” that
might involve buying more Oracle
Software.
10. You have a new sales rep; some sales
reps believe in auditing customers more
than others.
11. Declining to renew your Oracle ULA.
12. You were non-compliant in the last license
audit
13. While talking to your sales rep you
mention that you use a functionality that
your licenses does not cover.
12 Most common reasons for being audited by Oracle
17
?
1. You have Old License Metrics or NUP
licenses (Tech)
2. You have acquired a company or merged
with another company, by default you can
be non-compliant with the contract terms.
3. You have made a large hardware refresh,
which often changes licensing
requirements.
4. You have not been audited for more than
3 years.
5. You have Oracle EBS but don’t have full
use licensing for technology.
6. Oracle (often Sales) have heard that you
are using virtualization technologies.
(VMWare)
1
2
3
4
5
6
7
8
9
10
11
12
13
18. Pagewww.redresscompliance.com
3 strategies that can prevent your company from being selected for an Oracle License Audit
18
1# “Make Oracle believe you are
compliant” - Oracle don’t audit
customers who they believe are
compliant
1. Do a license review (use Oracle Audit
scripts, with an Oracle Expert firm. Its needs
to be reliable or it can backfire.
2. Consider sharing licensing info (high
level) with Oracle : If Oracle believes that
you have full control over your license
management. They will probably not audit
you.
If your last audit showed that you were
compliant, you are unlikely to be audited again
for many years.
#2 “Best friends strategy” Make Oracle sales your best friend
1. If you annually buy new Oracle Licenses and Cloud (not support) no audits.
2. If you don't buy new Oracle licenses/cloud you need to have excellent relationship
with your Oracle KAD. (Your KAD/AM can initiate and or stop the audit)
3. Advise always: Oracle believe that you are considering their solutions.
If you refuse to met Oracle and transparent open that you don’t buy anything
from Oracle - > Oracle have nothing to lose by auditing your company.
3# “Enter an Oracle ULA or
Perpetual ULA”
If you sign a ULA/PULA you won't be
audited unless you want to exit the
agreement.
1. It is unheard of that Oracle has audited any
company that has an active ULA.
2. Instead of doing #1 (License Management)
which would cost even the largest companies
a fraction of a ULA. Some companies prefer to
keep spending millions with Oracle.
#1
#2
#3
19. Pagewww.redresscompliance.com
How you are selected for an audit.
19
Sales rep
nominated customer
for LMS
LMS approves
LMS sends out
notification letter.
PROCESS 1
Oracle LMS has
a list of
companies they
want to audit
List put
together based
on
LMS shared list
with Sales to
get agreement
on who to audit.
Sales discuss
with LMS
(results in last
audit? Details on
selection criteria
Sales gives
blessing to
audit
LMS sends out
letter
PROCESS 2
Old license metrics
Named user plus
licensing
Merger and acquisitions
3yrs+ since last audit.
Audit
Audit
23. Pagewww.redresscompliance.com 23
Exercise
Who at Oracle selects customers for audits?
Answer A:
✔ LMS only.
Answer B:
✔ Officially it is LMS, but indirectly/unofficially it is
done together with sales.
25. Pagewww.redresscompliance.com 25
Exercise
Which of these events are likely to trigger an
audit?
Answer A:
✔ I terminate my support agreement
or move it to third party support.
Answer B:
✔ I tell Oracle we have no new projects where there
is a sales opportunity (license/cloud).
26. Pagewww.redresscompliance.com 26
Exercise
Which of these events are likely to trigger an
audit?
Answer A:
✔ You have old license metrics or user based
licensing.
Answer B:
✔ We have in the past year merged with another
large company.
27. Pagewww.redresscompliance.com 27
Exercise
I received an email from Oracle saying I should fill in an
OSW.Do I need to cooperate?
Answer A:
✔ Yes, you need to comply with Oracle email.
Answer B:
✔ No, this sounds like a sales review. There is no
contractual obligation to cooperate with Oracle.
29. Pagewww.redresscompliance.com
Scripts/Tooling
29
• Oracle provides their own scripts for audits
• Scripts are continuously being developed and made
better
• Currently: Oracle LMS Collection Tool
− Captures: DB, Middleware, EBS, …
− Limitations: some license metrics make tracking
by tools impossible (e.g. Employee user)
Why should you NOT run the
scripts?
• It will be used as proof if you
used unlicensed software
• LMS collection tool might
pick up software which is not
in scope and Oracle will look
at it (and ask questions)
ORACLE SCRIPTS1
TO RUN OR NOT TO RUN? THAT’S THE QUESTION.
• No mention of running scripts in the contract
• Does the client get a choice? Not really, Oracle LMS will require it.
30. Pagewww.redresscompliance.com
Scripts/Tooling
30
• Oracle provides their own scripts for audits
• Scripts are continuously being developed and made
better
• Currently: Oracle LMS Collection Tool
− Captures: DB, Middleware, EBS, …
− Limitations: some license metrics make tracking
by tools impossible (e.g. Employee user)
Why should you RUN the
scripts?
• Oracle LMS might start to
threaten if you refuse
(although no contract obliges
the running of scripts)
• They might be more difficult
to deal with if eventually any
license deficits are found.
ORACLE SCRIPTS1
TO RUN OR NOT TO RUN? THAT’S THE QUESTION.
• No mention of running scripts in the contract
• Does the client get a choice? Not really, Oracle LMS will require it.
Argumentation
• Performance impact of the audit tools
proposed?
• Data collected:
- Why?
- Which data is gathered, understand the
detail?
- Where is the data collected from?
- How will it be used?
- Can this sort of data leave the premises?
- Where in the world is this data being
processed/stored? (Roumania)
31. Pagewww.redresscompliance.com
Oracle LMS tools “LMSCollection”
31
COMBINATION
of server worksheet,
questionnaires and
scripting
SOME EXAMPLES
CPU queries Virtual infrastructure screenshots
ReviewLite OMT User reports
DDL queries FMW scripts
Extraction scripts Siebel
32. Pagewww.redresscompliance.com
Scripts/Tooling
32
• A number of tooling providers are Oracle LMS Certified.
• What does this mean?
• Means the deployment output from the tool is accepted by Oracle LMS
during an audit.
ORACLE CERTIFIED TOOLS2
Some notes:
• Only the ‘Server Worksheet’ containing deployment information, not the baseline results. Oracle will still investigate and ask
additional questions.
• Certification applies only to DATABASE products, not for any other Oracle software.
33. Pagewww.redresscompliance.com
Oracle says you must run their audit tools
33
What you should do:
1. Ask consultant to to analyze Oracle scripts on
your systems
2. Review results, remediate/optimize/purchase
3. IF you have risk: Don’t let Oracle run scripts
4. Claim that data cannot leave your on premises
RECOMMENDATION
ORACLE WILL TO NEGOTIATE:
MEDIUM
Oracle have developed their own in-house scripts (“LMSCollection”) – Your contract says nothing
about running Oracle scripts.
34. Pagewww.redresscompliance.com
Audit Process by Oracle
34
PHASE 1
Notification
• Notification letter by Oracle, indicating
partner
• Acceptance required
• 45 days prior written notice
• Directed at CFO
Kick-off with customer
• Scoping (Infrastructure, Customer
definition)
• Timeline
• Agreement on License Inventory
Data gathering
• Measurement? (If applicable)
• Complete Oracle Server Worksheet
• Questionnaire
• 2 to 3 weeks standard timeframe
1
35. Pagewww.redresscompliance.com
Audit Process by Oracle
35
PHASE 2
Data analysis
• Review measurement tooling output
• Review questionnaire
• Clarifications
• 3 to 5 weeks time frame
Reporting
• Draft report
• Review draft with client
• Final report with
non-compliance findings
2
37. Pagewww.redresscompliance.com
Audit Defense – Example how to build your own plan
37
PHASE 1:
Audit
preparation and
risk reduction
30-45 days
notification
As soon as
possible
Object delay
•Review
contracts
•Review real
usage
•Risk analysis
•Risk
reductions
•Optimizations
•Purchase
•Audit trends
Technical
activities
Audit
letter
Redress
Compliance
engaged
Audit
strategy
Compliance
assessment
Optimisation
Guidance
Risk
Reduction
Project
PHASE 2:
Audit support
NDA
Negotiation
scope
Kick off Find errors!
•Review
contracts
•Review real
usage
•Risk analysis
•Risk
reductions
•Optimizations
•Purchase
•Audit trends
Before Start Audit Preliminary
report
Review and
counter-strate
gy
Negotiation
support
38. Pagewww.redresscompliance.com
We have received the audit letter, practical steps to take
38
What you should do:
1. Review Audit letter to understand which
products Oracle wants to audit.
2. Try to gather all license entitlements, support
renewals
3. Contact an Oracle License expert, you need all
hands on deck.
4. Use Oracle scripts to analyze and perform your
“own” audit before Oracle starts its own.
RECOMMENDATION
ORACLE WILL TO NEGOTIATE:
N/A
Oracle have developed their own in-house scripts (“LMSCollection”) – Your contract says nothing
about running Oracle scripts.
40. Pagewww.redresscompliance.com
Negotiation of the scope
40
• Limit the possibility of
unknowns
• Ask for Oracle ’s License
base (do we agree on
their scope and license
base)
Why?
• Depends on contract and
organisational setup
• Contract:
− In case of 1 contract or
central purchasing: Oracle
will likely include all
− In case of multiple contracts
through multiple entities…
easier to limit the scope.
How?
• Centralised IT: more
difficult to reduce scope
• Multiple IT Departments:
easier to limit scope – no
central management so
Oracle will need to
contact multiple
departments. Better to
reduce scope
Organisational setup?
41. Pagewww.redresscompliance.com
Negotiation of the scope
41
• Lately not all Oracle LMS
Consultants share their view
on the client’s license
entitlements.
• It’s important to start any
audit with a clear license
base. What is Oracle looking
at and do we agree with this
view?
Product scope
• Different products can be managed by
different departments
• Application contracts are often managed
at a different level of the company
entirely (not always IT).
It will also make it possible to
scope the products.
42. Pagewww.redresscompliance.com 42
Exercise
Which is the best way to avoid a new license audit
from Oracle?
Answer A:
✔ Renew our ULA every 3 years.
Answer B:
✔ Implement robust Oracle License Management
control.
43. Pagewww.redresscompliance.com 43
Exercise
Why does Oracle want to start the audit so quick?
Answer A:
✔ They are helpful and efficient.
Answer B:
✔ Oracle don’t want you to be able to take any
remediation activities.
45. Pagewww.redresscompliance.com 45
Exercise
Can I refuse to run Oracle provided tools?
Answer A:
✔ No, it’s in the contract that I must cooperate.
Answer B:
✔ Maybe, review your contract language and
understand how much you need to cooperate.
46. Pagewww.redresscompliance.com 46
Exercise
If I have an Oracle certified SAM tool, what does it
mean?
Answer A:
✔ It means nothing, except Oracle accepts
the high level deployment info (OSW).
Answer B:
✔ Oracle will almost always want you to also run
their data measurement tools.
47. Pagewww.redresscompliance.com 47
Exercise
Why is it a bad idea to hand over SAM tool data to Oracle?
Answer A:
✔ Because the SAM tool data may be incorrect.
Answer B:
✔ If you tell Oracle you have such tools, then you
can provide Oracle data within days. No time to
review your licensing.
49. Pagewww.redresscompliance.com
What is proof of license? - Contract documentation
49
• Contracts.
• Ordering documents.
• Maintenance renewal.
• Amendments.
• Termination letters.
• Transfer letters (license
assignment).
Proof of license
constitutes of
• Oracle LMS does not accept
side-letters, emails, verbal
agreements in their audits.
• Any such type of agreements
can disappear due to a person
leaving either organisation.
• As such, these pose a risk
to Oracle customers.
Special note:
Sideletters/emails/verba
l agreements
50. Pagewww.redresscompliance.com
Contractual Terms and Conditions
50
Do we understand the
contractual T&C’s
correctly?
CUSTOMER DEFINITIONS
Majority owned subsidiaries
Limitation to entities
Other customized “definitions”
Amendments
51. Pagewww.redresscompliance.com
Contractual Terms and Conditions
51
Do we understand the
contractual T&C’s
correctly?
CUSTOMER DEFINITIONS
TERRITORY RIGHTS
Country?
Regional or worldwide?
Why limited Territory rights on contracts?
52. Pagewww.redresscompliance.com
Contractual Terms and Conditions
52
Do we understand the
contractual T&C’s
correctly?
CUSTOMER DEFINITIONS
TERRITORY RIGHTS
LIMITED USE RIGHTS
Limited use for certain processes
Limited use for certain applications
Limited use for certain
environments (e.g. Test/Dev)
53. Pagewww.redresscompliance.com
Contractual Terms and Conditions
53
Do we understand the
contractual T&C’s
correctly?
CUSTOMER DEFINITIONS
TERRITORY RIGHTS
LIMITED USE RIGHTS
LICENSE METRIC
DEFINITIONS
Standard metric or contract
negotiated?
Change over time – multiple
contracts, same metric, multiple
definitions
Defines how to count the license
requirement?
Old metrics
High risk of non-compliance
High risk of audit selection
54. Pagewww.redresscompliance.com
What if we cannot find all agreements?
54
What you should do:
1. Find as much as you can, and do a internal
review.
2. Before any audit begins, ask Oracle to supply all
license agreements/entitlements for your review.
3. Review contracts to understand your license
terms or any customizations.
COMMONCHALLENGE
ORACLE WILL TO NEGOTIATE:
STRONG – N/A
Many companies are missing or are unsure if they have all license agreements.
56. Pagewww.redresscompliance.com
1# VMware impact on Oracle licensing
The use of vSphere has impacts that vary depending on the version that has been implemented, but which
are confirmed by the general Oracle guideline:
Any hardware which could be used theoretically by the software during a given runtime must be
licensed
56
Version Features Licensing Impact
Up to and including 5.0
Version 5.1 and version
5.5
Version 6.0
The virtual machines (VMs)
can only be migrated within
a cluster
Virtual machines (VMs) can
be migrated between
clusters (within one
vCenter)
Virtual machines (VMs) can
be migrated from one
vCenter to another
The whole vmware
cluster must be
licensed
All physical hosts in all
clusters in the whole
vCenter instance must
be licensed
All physical hosts in all
vCenters (in your
company)
57. Pagewww.redresscompliance.com
If you have deployed Oracle Software on virtualized env?
57
What you should do:
1. Review which virtualization technology is in use.
2. Check if you have any special contract with
Oracle enabling reasonable licensing in virt env.
3. If no such contract exists, remove to bare metal
or cloud deployments.
4. Consider not sharing any virtualization info with
Oracle during audit.
RECOMMENDATION
ORACLE WILL TO NEGOTIATE:
SMALL
Usually this is a red flag for any Oracle customer
58. Pagewww.redresscompliance.com
#2 Oracle Applications
58
• Employee count: all employees irrelevant of actual use
• Application User: all users of application
• Customised bundling of software: e.g. Professional user,
External professional user,…Correct counting requires:
• Analysis of contractual license metric definitions
• In case of bundling: in depth analysis required of:
a. User names
b. Allocated responsibilities (review of customised responsibilities)
c. Mapping responsibilities to components
d. Mapping components to products
e. Mapping products to bundles
59. Pagewww.redresscompliance.com
Application licensing with Oracle is high cost and exotic to
manage.
59
What you should do:
1. Check support renewal and license agreement
for users.
2. Engage with expert who can use Oracle audit
scripts to analyze output.
3. Will provide results in which you can take
appropriate actions before audit begins.
4. Remediation/Optimisation/Purchase.
RECOMMENDATION
ORACLE WILL TO NEGOTIATE:
VERY SMALL
No SAM tool can manage this. If you are auditing, we recommend engaging licensing expert.
60. Pagewww.redresscompliance.com
#3 Using features that you do not have a license for database options
60
Partitioning
Multitenant
Real Application Clusters
Active Data Guard
Real Application Testing
Advanced Compression
Advanced Security
Label Security
Database Vault
OLAP
Spatial
Advanced Analytics
Database in Memory
Diagnostics Pack
Tuning Pack
Database Lifecycle Management Pack
Data Masking and Subsetting Pack
Cloud Management Pack for Oracle Database
Partitioning found on 1 server with 2 processors and 4 cores per
processor Intel.
= 2*4 = 8 core factor 0.5 = 4 CPU licensable cost = $11,500 per cpu,
plus support and back support total cost could be a minimum of $56,120
for one server alone, without the back support costs.
What if it was on a VM Cluster/ vCenter, risks of unlicensed option
usage and financial risks are very high.
Example
61. Pagewww.redresscompliance.com
Database options usage is one of the most common
compliance issues
61
What you should do:
1. Deploy Oracle LMS Scripts.
2. Engage with expert who can use Oracle audit
scripts to analyze output.
3. Expert will provide output to you and tell you
exactly what will Oracle find.
4. Remediation/Optimisation/Purchase.
RECOMMENDATION
ORACLE WILL TO NEGOTIATE:
VERY SMALL
SAM tools can be part of the solution, but it’s not the whole solution.
62. Pagewww.redresscompliance.com
#4 Misunderstanding Oracle Licensing
62
• Are all environments being
licensed correctly?
• Difference between standby,
failover, remote mirroring?
• Are correct rules being
applied?
Disaster Recovery
Test & Development
• All environments need to be
licensed
• Test/Dev per user? Can you
prove user count?
Hardware
• Counted correctly?
• Correct core factor
• Hardware partitioning
63. Pagewww.redresscompliance.com
Oracle Licensing Policies are notoriously difficult to
understand and it is easy to misunderstand.
63
What you should do:
1. Review:
https://www.oracle.com/assets/data-recovery-lic
ensing-070587.pdf
2. Consult with licensing expert to confirm findings.
3. Remediation/Optimisation/Purchase.
RECOMMENDATION
ORACLE WILL TO NEGOTIATE:
VERY SMALL
Review Oracle Policy documents to understand if your DR licensing is correct.
64. Pagewww.redresscompliance.com
Step:
Description: Oracle License Experts have
developed almost identical tools
as Oracle LMS
Recommendations: Always use to avoid making
costly mistakes
How important do I
think this is?
Benefits:
Find out exactly what Oracle LMS
will find when they audit you
What actions should you
take:
Find someone who can analyse
Oracle Audit scripts
www.redresscompliance.com
Use Data Measurement tools
65. Pagewww.redresscompliance.com
We have a SAM Tool and in-house SAM staff. Is that enough?
65
What you should do:
1. NO SAM tool is able to measure non-DB
products such as Middleware and Applications.
2. You want to replicate Oracle LMS methodology
as much as possible.
3. The choice is simple - either you pay money to
Oracle in a license audit or you use expert
consultant.
4. Even if you have great in-house expertise, it’s
always useful to get a “second set of eyes” on
your data.
RECOMMENDATION
ORACLE WILL TO NEGOTIATE:
N/A
The reason why companies struggle is that SAM Tools are not able to measure Oracle and that
Oracle licensing is very much about the “details”
66. Pagewww.redresscompliance.com
You use Oracle scripts – AND identify a license gap that you
need to resolve by purchasing licenses
66
What you should do:
1. Contact Oracle Sales and say you “maybe” have
a new license need for a for a future project.
2. Ask if they can cancel audit if you make
purchase.
3. If the they don’t cancel, purchase anyway.
4. Discounts are generally 30% higher purchased
pre-audit.
RECOMMENDATION
ORACLE WILL TO NEGOTIATE:
STRONG
Many companies wonder if they should buy before audit begins or after, we recommend before.
68. Pagewww.redresscompliance.com
Best Practices
68
BEFORE AFTER
AUDIT
321BE READY
ADVANTAGES
Create audit response team Gain experience and quick reaction times
Define audit policy, process steps and
allocate responsibilities
Know what to expect and who to turn to.
Create your own audit process, with
timelines
Be ready to control the audit and auditor
Prepare document templates
Specific NDA for audit, co-op with legal
department
Centralise all purchasing and licensing
documentation
Easy access to the information
Make regular internal verifications Control and reduce risk, cost avoidance
69. Pagewww.redresscompliance.com
Delay Tactics
69
BEFORE AFTER
AUDIT
321 If not ready, DELAY
ACTIONS WHICH CAN POSE
DELAY BEFORE AUDIT STARTS…
TO BE TAKEN
INTO ACCOUNT
We are in the middle of an IT roll-out. Officially, client should have 45 days
written notice. This can be interpreted as 45
days between audit notification (letter) and the
initial kick-off meeting.
Oracle might ask for a meeting before that
time is past. There are multiple ways to delay
this meeting (some indicated in previous
column).
No actual risk in delaying.
Advantage in not delaying: “We are in control
of our Oracle licenses”
We’ll need to wait for legal department
feedback
This is the 3rd/4th audit this quarter…
Before meeting, we would like our NDA
to be signed
Person responsible is not available due
to…
70. Pagewww.redresscompliance.com
Best Practices
70
BEFORE AFTER
AUDIT
321 Understand your rights
NOTES
Audit clause in the contract? Audit clause part of the License agreement
Full license entitlement
Licenses,customer definition,territory in Oracle
ordering document
Customized clauses in the contracts?
Knowing usage limitations, licensing
deviations negotiated. Auditor might take
standards as base for audit
45 days written notice In principle you have 45 days…
The audit will not unreasonably interfere Any interference?
71. Pagewww.redresscompliance.com
Best Practices
71
BEFORE AFTER
AUDIT
321NDA
SCOPE TOPICS NOTES
You can negotiate the scope Limiting geographical, products
Clearly describe the scope at the start
So Oracle cannot state later… ‘we found
another product’
Product scope
Get a license entitlement list from the auditor,
verify against internal data and the agreed
limitations
Agree on audit approach
• Which steps?
• Which data? How is this collected? By
whom?
• How much effort required from your side?
Start of the audit
SCOPE
73. Pagewww.redresscompliance.com
TOP 3 most common errors companies make during audits
73
1 2 3
No negotiation
on audit scope
“We’ll do everything
Oracle asks to
keep them happy”
No need to
review report,
we’ll negotiate
Having a clear view on what
is being looked at, improves
controllability
of the audit
Get a list of the licenses in
scope. Is Oracle looking at
all purchases for these
products? Anything
missing?
Some data you might not
wish to share regarding e.g.
applications, …
Oracle’s scripts will capture
a lot of information, even
products not in scope.
Finding mistakes improves
negotiation position
Reducing the findings will
decrease the start price
Contact Experts Read articles/blogs – Boost your knowledge
74. Pagewww.redresscompliance.com
4 strategies for how companies manage Oracle license
audits
You reply to Oracle audit letter notification
directly.
You don’t take any action to review your
licensing.
You don’t work with any external Oracle
license expert.
You run Oracle audit tools and hand over
the data.
You trust Oracle LMS fully.
www.redresscompliance.com
WORST – 50% BAD – 35% RECOMMENDED – 10% BEST – 5%
“I manage the audit alone,
with no help and I trust
Oracle completely”
“We have a SAM tool that is
certified by Oracle. Now I am
ready for the Oracle License
Audit”
“I realize that Oracle licensing
can be very difficult and we
will contact an expert firm to
help us”.
“I want to stop being audited
and be proactive when
managing Oracle?”
Company
strategy
Actions
taken
End result You will be forced to pay for software
that you are not using but simply
because you have misinterpreted
Oracle licensing policies or rules.
Oracle will at the end send you a
“audit report” saying you need to pay
for the license gaps and hint that
“Oracle reserves the right to
terminate your licenses and programs
if you don’t resolve it within 30 days”
You reply to Oracle audit letter notification
directly.
You decide to work use your Oracle LMS certified tool.
You use your existing Software Asset Management
Tool to give Oracle output. (OSW)
You don’t work with any external Oracle license
expert.
You are left to the mercy of Oracle LMS.
The tool might save you 10-20% of any license gap,
but that is little worth when the license gap is €
8,000 000 due to you have used Oracle Software in
ways that the tool is not able to detect.
Oracle will at the end send you a “audit report”
saying you need to pay for the license gaps and
hint that Oracle reserves the right to terminate your
licenses and programs if you don’t resolve it within
30 days.
Companies taking this approach usually pays the
same to Oracle as the customers who did not have
any tool. With a good negotiation team you might be
able to “settle” the license audit at € 4,000 000 or be
tricked into signing an Oracle ULA.
You hire an Oracle License expert.
You don’t reply to Oracle LMS letter.
You and partner perform a license review using
scripts to measure your license position.
You ignore your SAM tool or simply use it as a
data source to understand where Oracle software
is installed.
You only start “Oracle audit” after remediation
Together with the Oracle license expert you
make a independent audit of your Oracle
Software investment. You discover a € 8,000
000 license gap.
Almost always 95% of that is due to not
over-usage but simply that you misunderstood
how to license Oracle Software.
You are then left with a real over-usage of € 400
000 and you can decide if you want to wait until
the audit is complete or if you want to
purchase Oracle Software.
You still have to purchase Oracle Software, but
the key result here is that you ONLY pay for
what you use.
Benefit: 95% savings
Find Oracle licensing expert to partner with
for 2 years. = knowledge transfer
Use your SAM tool to the best of their ability,
start thinking of it as A TOOL AND NOT A
SOLUTION)
Make annual license reviews of your
compliance position.
Start optimizing on licensing (often up to 30%
of Oracle licensing can be optimized)
BY GAINING FULL CONTROL over your
Oracle Licenses you can prevent audits
from happening.
Benefit: By showing Oracle you have full
control the likelihood that you will be
audited in the future is EXTREMELY LOW
Benefit: You will not waste time working on
license audits.
Benefit: Your SAM and Procurement team
will focus on optimization and cost savings
76. Pagewww.redresscompliance.com 76
Exercise
When you get Oracle LMS “preliminary report” – what should
you do?
Answer A:
✔ Contact IT sourcing to buy the licenses covering
any gap.
Answer B:
✔ Review report for errors and wrong assumptions.
77. Pagewww.redresscompliance.com 77
Exercise
If you have an OMA from 2018, does it include any contract
language to run Oracle audit scripts?
Answer A:
✔ Yes, it does.
Answer B:
✔ No, it does not.
78. Pagewww.redresscompliance.com 78
Exercise
When should you let Oracle start the audit?
Answer A:
✔ As soon as they want to kick off the audit.
Answer B:
✔ Wait until you have done a review of licensing
and possible remediation.
79. Pagewww.redresscompliance.com 79
Exercise
What should you primarily look at in your contracts?
Answer A:
✔ Only products, metrics, quantities.
Answer B:
✔ Product, metrics, quantities, customer definition,
territory, or other “limited use” clauses.
80. Pagewww.redresscompliance.com 80
Exercise
You have an email from an sales rep saying it’s ok to
License with SE, but LMS says you are non-compliant.
Is the “side letter” a get out of jail free card?
Answer A:
✔ Yes, I don’t need to buy licenses.
Answer B:
✔ No, an email has no contractual value. But it can
be used as negotiation leverage to avoid paying
full price.