The art of surviving Oracle and SAP software licence audits
Don't fear the audit, writes Support Revolution's Mark Smith, prepare for it
Filing tax returns with inconsistencies, errors, or other red flags can result in your organisation being faced with a tax audit or investigation.
This has the potential to be highly stressful, time-consuming and expensive. But on the plus side, HMRC will let you know if it's looking for something in particular or whether it's just routine, and there are clear rules that will guide the auditors in any decision about your tax affairs.
That's not the case when it comes to Oracle and SAP licensing audits.
These are just as stressful but their motives can seem somewhat less clear. Anecdotal evidence suggests that Oracle, in particular, uses these audits to drive business, with small print designed to confuse rather than make an organisation's position clear. In fact, aggressive auditing tactics have led to accusations of sharp practice, such as double billing and acting beyond the scope of a reasonable audit.
With the potential fines levied by Oracle large enough to destroy a business's profits, it's natural to be worried about these vendors demanding a look under the hood. So how can organisations prepare?
Preparing for an audit
One of the best ways to prepare for an audit is to do your own audit.
Rather than wait for Oracle or SAP to come knocking, any organisation that uses licensed software should take the time to check that it is not using that software in ways that would incur a penalty.
Getting it wrong is surprisingly easy to do. We're used to consumer-grade software warning us that we can only install it a set number of times or demanding that we de-authorise devices before proceeding. Many of us will have had Spotify unexpectedly shut down when a member of our family uses it elsewhere.
But enterprise software is different - it can be installed multiple times and used in ways that current licensing will not allow, only for an audit to uncover this. Oracle and SAP licensing works in a similar way to a hotel mini bar. It's all too easy to grab and consume whatever you want without a thought for the huge bill that will be waiting when you check out.
Database licensing is one of the easiest things to go awry when businesses are restructured or there are staff changes. It's important that licensing is the responsibility of a single person or group of people. An organisation should ideally be able to tell at any time how it is licensed and what software it is running. Administrative privileges should be regularly reviewed so that only the right people have the ability to enable functionality that may be unlicensed.
Outside help can be invaluable in making sure you are appropriately licensed ahead of audit, but it's important to understand that not every third-party licensing specialist will have your organisation's interests at heart.
Oracle, in particular, views its partner organisations as a part of its sales team, and it's in the partner's interest to sell licences you may not actually need.
Surviving the audit
Notification of an audit, sometimes euphemistically referred to as a "review", will arrive in the form of a letter or an email, with 30-45 days' notice of the audit process taking place. The audit is often performed remotely, using scripts provided by the vendor. All you have to do is install and run them to hand over the information required for the audit.
The notice period ahead of an audit should be used by those who are unclear about their licensing to get their house in order, and quickly.
If unused instances are running, they can be taken offline. If packages that are unlicensed have been activated, they can be deactivated. If no preparatory work has been done, it may be impossible to fully prepare and check if an organisation is properly licensed during the notice period - however, anything that can be done may help reduce the fine the vendor levies following the audit.
It's also vital to review exactly what licences your organisation has against what Oracle and SAP think you have. The vendor will provide you with a list that must be checked - discrepancies have in the past led to organisations appearing to be under-licensed when they are not.
The vendor won't be any more lenient on those that are accidentally using software without a licence than on those that are doing so knowingly. These audits are designed to maximise revenue - "sorry" won't help.
However, the end of the audit is not the end of the process. The fine, calculated by the vendor, is often used as a starting point for negotiations, and agreeing to purchase certain licences and additional software may bring this cost down.
Common pitfalls
Even when following best practice, there are still plenty of banana skins for those facing an audit:
- Virtualisation
If you have an Oracle database running on a VMware virtual machine, then Oracle may not see this as a single installation to be licensed. It may instead demand that your entire server estate be licensed, as you have the potential to run Oracle on all of these servers. While this may not seem to follow common sense, Oracle has used these licence terms to pursue fees of hundreds of thousands of dollars.
- Mergers & acquisitions
When one business that uses Oracle or SAP buys or merges with another, the licensing can become very complicated. Depending on the application, licensing may be done per user, per core, or using another metric.
A business that wants to bring all of this together into a coherent whole may find this tricky if it wants to meet its licensing obligations. It's also very possible in acquisitions for responsibilities to become muddled, licences to end up being owned by the wrong entity, and even whole parts of an IT estate to be overlooked, leading to trouble when it comes to an audit.
- Invoices
Amalgamating invoices may make life simpler for the finance team, but can mean headaches for licensing. The vendor may not allow an organisation to cancel a single licence if it is part of a larger invoice, as it may have been part of a bigger negotiated deal. So, it's better to have several invoices for flexibility. This does, however, make the task of internally auditing licensing tricky.
- Once it's over, it's over
Once the audit is done, all negotiations taken care of, and any additional fees paid, it's easy to get complacent. Aren't you, after all, now fully compliant with licensing requirements?
Not so fast. The vendor does not actually guarantee full compliance upon paying a fine. If more issues are found in a subsequent audit, the organisation will still be liable. An organisation that has, through an audit, revealed itself as a potential source of revenue for a vendor needs to do all it can to make sure that it is not caught out if targeted again. Audits may take place every three or four years on average, but some organisations have been audited more regularly.
The fees from audits have the potential to run into millions of pounds - tens of millions in some cases. This isn't just about saving some cash. It's about the difference between profit and loss, or even the difference between solvency and insolvency.
All organisations need to be aware of the software they use and the risk they are exposed to if they get the terms of their agreement wrong, especially if these terms are deliberately woolly and open to misunderstanding.
Mark Smith is CEO of Support Revolution, a consultancy offering lower-cost support for organisations running Oracle and SAP enterprise resource planning systems