This is the second in our series on Oracle Best Practice. To view part 1, please click here.
This part of our Oracle Best Practice series is all about Oracle audits, and what to do if you are unfortunate enough to be audited by Oracle or Oracle LMS.
Do not ignore Oracle!
If you receive a letter from Oracle requesting an audit or ‘license review’, do not ignore it! Do not think they are going away, because Oracle have every right to audit a customer’s estate, and every single organisation that has Oracle products has agreed to comply with their request for an audit. You have already agreed to give them access to your environment and systems to see what Oracle software is installed and in use. Ignoring an audit request or ‘license review’ could result in the organisation facing further and stricter repercussions. Most Oracle contracts include the right to audit at 45 days’ notice unless otherwise agreed by the customer.
The audit process
Firstly, Oracle will send out an audit letter, or request for a ‘License Review’. A license review is, in essence, an audit, so respond to it and treat it in the same way you would an audit letter. Oracle will provide an organisation with 45 days’ notice before coming in to audit. However, Oracle LMS (License Management Services) will attempt to contact the organisation (and come into the organisation) before those 45 days. It was explained to delegates that they have no obligation to allow Oracle in during that 45-day period.
Once the organisation is aware of the audit, what exactly is being audited should be discussed with Oracle. Do they want to do a full sweep of the environment, or is it an audit for a particular piece of Oracle software? Either way, find out the parameters for the audit before the audit actually commences, and provide the bare minimum amount of information. We’re not saying hide anything, we’re just saying don’t give Oracle any more information than what they have requested.
It is also important to remember that Oracle tends to audit organisations at a specific point in time. If there have been breaches of compliance at another stage that isn’t audited by Oracle, it is recommended that you do not mention this fact to Oracle. Oracle does not really seem to care too much about non-compliance or helping the organisation. It’s a revenue stream for them. Our speakers suggested that organisations use the information and data they have for the point in time that Oracle wants to audit, and go with that without mentioning any other discrepancies that the organisation may have had in the past.
Finally, as part of an Oracle contract agreement all organisations have agreed to be audited at any time (with prior notice) and agree to provide their full co-operation with Oracle during the audit. Whilst audits are not nice, they can be a good learning experience, so try and make the best out of a bad situation.
Be prepared, have a good audit strategy
Some organisations go through a number of audits each year for different vendors. It pays to have a good audit strategy. This factor was discussed at length at the seminar, and it was widely agreed that an audit strategy is unique to each business. The strategy needs to fit around the organisation’s environment, tools, resources and general capabilities.
Organisations have different goals for an audit strategy too, as we saw from the seminar. Some want to merely get through the audit as quickly as possible with as little disruption and bad press as possible (some didn’t seem to be too concerned with large fines, so long as the organisation’s reputation wasn’t harmed in any way), whereas others want a strategy that allows them time to learn from mistakes and make changes. How big a role the audit strategy plays within an organisation is up to them, but Oracle experts agreed, and so did the delegates, that having an audit strategy is something that will help should an audit request come through.
WHAT DOES ‘AUDIT READY’ LOOK LIKE?
Firstly, it’s not about being 100% compliant. Being audit ready is about having the knowledge and process in place to ensure that, if an audit were to happen, the appropriate actions will take place with as little impact on the organisation as possible. Achieving 100% compliancy isn’t a realistic target; there will always be discrepancies or installs that the license team are not aware of (however brief), but being audit ready will help towards achieving a realistic level of compliancy.
Being audit ready also means that the organisation knows where all of its Oracle documentation is, what processes are in place should an audit take place and what resources will be used, and that it has an ELP (effective license position) for all of the Oracle software installed within the environment. Some form of Oracle solution can help with being audit ready, but simply implementing a tool does not mean an organisation is fully aware of its compliancy or is fully audit ready.
Audit readiness requires the following:
- All Oracle documentation and PoE (Proof of entitlement) for all Oracle applications installed
- Processes in place that highlight what happens in the event of an audit
- Roles and responsibilities allocated to individuals or teams
- Strong, reliable Oracle data stats, including installation, users, usage etc.
- ELP known (this includes a rough financial estimate on how much it would cost to rectify any non-compliance. This information is for internal use only).
Why do Oracle audit organisations?
In short, the answer is money. Whilst the remit of LMS is to protect Oracle IP, it was clear from our Oracle seminar delegates and speakers that “Oracle audit customers to generate extra revenue”. The common consensus is that Oracle does not care too much about helping customers optimize their licenses; they audit to generate extra revenue from their customers through audit penalties.
ORACLE AUDIT SUMMARY
In summary, these were the top tips to remember about Oracle audits:
- ‘License Reviews’ are in essence an audit!
- There are 2 factors to manage and consider with Oracle audits: environment and deployment
- 45 days’ notice, then they review the estate. LMS will try and start sooner than 45 days!
- Are you aware of what features your contract allows you to use before an audit?
- Audits will increase Oracle’s revenue. That’s why they audit
- Be ‘audit ready’
- Don’t ignore audit messages from Oracle
- Have a good Oracle audit strategy. This may be a different strategy to other vendors
- Having a tool isn’t the only thing required to manage Oracle licenses
- LMS are limited by the number of resources they have. Have them specify what they are auditing beforehand
- It is not uncommon for local entities to be audited within global organisations
- Oracle will provide tools to audit your estate. You have agreed to let them do so when signing your contract
- Remember, entitlements are not just order forms! There are a number of documents required to show entitlement/compliancy
- Understand entitlements and deployment
- Remember, you have agreed to co-operate and provide relevant information in your contract.
In part 3 we will look at how you can build up your organisation’s defense against Oracle. For more information about Oracle, or to find our previous articles about Oracle, please click here.