
Introduction to Oracle Audits

SLC
March 17, 2021


Transcript

  1. Oracle Audit Course · What an Oracle Audit is and is not · Oracle’s Audit Language explained · How Oracle communicates to their clients if an audit is pending · What rights does Oracle have during an audit and what are your rights? · Whom Oracle assigns to be your LMS Auditor (or audit proxy) · Who needs to be involved in an audit from your side? · What information you should be prepared to collect for your review and why
  2. What is an Oracle Audit? · A contractual right Oracle has embedded in all their contracts giving them rights to audit you after giving you official notice · Oracle’s only contractual method of forcing a client to give them information regarding Oracle license deployments · A significant part of Oracle’s revenue stream, even if license or cloud purchases are being made · A process that should not significantly impact your ability to do business or put an onerous amount of pressure on your staff
  3. An Oracle audit is NOT the following: · A contractual right for Oracle to get any information they want in any form they want by simply asking for it. Oracle’s audit rights require that notice be given, so if no official written notice is received, then no audit! · It is not an open-ended fishing expedition where Oracle can ask for things outside of their contractual rights – If it is not listed in the contract, it is not part of the audit · Oracle cannot dictate timelines nor responses unilaterally; they are not in control – You are!
  4. IN THIS EXAMPLE BELOW, WE ARE SHOWING ORACLE’S MOST RECENT CONTRACT LANGUAGE TAKEN FROM THE ORACLE MASTER AGREEMENT, SCHEDULE P – PROGRAMS WHICH IS FOR ON-PREMISE LICENSING:
  5. Oracle's Audit Language: WHAT TO LOOK FOR · If there is a notice period – In this case, the client has 45 days · That it requires “reasonable assistance and information access” but that is also modified by giving Oracle rights to run their measurement tools! · What does it say about your audit data collected and is it subject to the confidentiality section of your contract – in this case, it may limit the client’s ability to get help analyzing the data or sharing it for review · How Oracle can treat non-compliance – in this case, the client must pay within 30 days, or Oracle could cancel the agreement or shut off support!

     In most cases, it is better to use OLDER audit language which does not include some of the restrictive rights that Oracle has placed upon their clients with this version.
  6. How will you know when you are being officially audited? Oracle’s process is to send an official AUDIT NOTICE to a C-Level or VP level person in your company from the License Management Service (LMS) or Global Licensing and Auditing Service (GLAS). See the next slide for an example of a typical email. · Clients can negotiate the scope and/or timing of the audit due to many factors · That they do not have to respond to the auditor during the notification period · That the auditor seeking to contact them within the notification period is acceptable · That the client has no voice in who is conducting the audit
  7. Oracle auditors or their proxies are not your friends. Treat auditors as the outside entities that they are and beware of falling into the trap that they are only here to help you.
  8. Disadvantages of who is auditing you and why: There are disadvantages to being audited by all these options and clients should carefully review who they are being audited by and their intrinsic motivations.

     ORACLE AUDIT STAFF: They take their cues directly from Oracle Sales, and in fact, often can be found alongside Sales in other activities such as ULA certifications or technical discussions. This can lead to directed settlements that benefit the sales team rather than the right outcome for the client. It is an illusion that they are completely independent of sales, as they often consult with them on the back end and have no power to settle the audit themselves.

     ORACLE PARTNERS: Oracle Partners often have a vested interest in ensuring that you settle for a larger amount, as their fees for conducting the audits are based on the amount they settle with the client! This leads to a healthy conflict of interest and they are not a disinterested third party.

     THIRD PARTY AUDITORS: Often larger consulting houses have separate lines of business that do not overlap with accounting and Sarbanes-Oxley auditing; however, they still are measured on what they identify with their clients. This means they have less incentive than Oracle’s LMS or Partners, but they still are results-driven to find larger pools of usage.

     In the US, most audits take place virtually without ever coming on-site to your location, so your auditor’s phone number and email will be important. You will want to archive this to ensure that you can monitor who this person contacts and limit their involvement with your team.
  9. Assembling Your Team (Continued): The team should have one single point of contact (SPOC) to Oracle, with the remaining key subject matter experts behind the scenes feeding the information to the SPOC, who in turn will be able to forward it to Oracle. At no time should Oracle be allowed to meet with the larger team to ask questions, and who these people are should not be exposed to Oracle or the auditing party. Of special note is legal counsel: in 99% of all audits conducted by SLC, legal counsel representation is not required, and insertion into the discussions with Oracle will automatically escalate the conversation to include counsel on the Oracle side. This is not recommended and often is a hindrance to effective settlement or management of the audit.
  10. Next Steps: Your team should now be prepared to gather and review the following information as the starting point of undertaking an audit defense:
  11. · Support Contract Information: This can be downloaded from the Oracle Support Portal and may require that multiple owners log in and provide requested details to you. These are the licenses you own and should be tracking your deployment against. · Oracle Contracts: These are the master agreement(s), amendments, and original ordering documents that your company has in place for Oracle Licensing. You may already have some of this information, as the audit clause is found in the master agreement; however, most clients miss the ordering documents, as they also could contain specific information on the products purchased and contract terms. · Oracle Deployment information: This information typically is the information required to complete an Oracle Server Worksheet (OSW), which details the hardware Oracle Products are installed against. Oracle may want this collection to show details on products not being audited (auditing database, but asking for details on EBS for example), as they may attempt to broaden the scope of the audit. You will need to know where the licenses are deployed and how the license metrics interact with that deployment.