How Oracle Conducts Audits
- Audits are conducted by Oracle’s internal teams or by resellers.
- Resellers under the Joint Partner Engagement (JPE) program act as auditors.
- Resellers are financially incentivized to find license gaps.
- Oracle uses tools like the LMSCollection Tool to collect data.
- Data collection focuses on compliance and license shortfalls.
Oracle license audits are an essential part of the company’s business model. While framed as compliance checks, these audits are primarily commercial tools designed to uncover unlicensed usage and generate additional revenue through license sales.
Oracle approaches audits in two ways: through its internal audit teams or via resellers acting under its Joint Partner Engagement (JPE) program.
Understanding how these audits work, who conducts them, and the potential risks involved is crucial for any organization using Oracle products.
Who Conducts Oracle Audits?
- Direct Audits by Oracle’s Internal Teams
Oracle has dedicated audit teams known as Global License Advisory Services (GLAS), formerly called License Management Services (LMS). These teams execute Oracle license audits across a wide range of customers globally. Oracle GLAS handles all aspects of the audit process, from sending the initial audit letter to analyzing the data and issuing the final report. Oracle auditors are incentivized to find unlicensed usage, often leading to increased revenue through new license sales and backdated support fees.
- Partner-Led Audits Under the JPE Program
Oracle also outsources audits to resellers under its Joint Partner Engagement (JPE) program. These partners, typically Oracle resellers, are not independent auditors. Their primary goal is to identify license shortfalls, which they can cover by reselling Oracle licenses to the audited company. Unlike Oracle’s internal teams, these resellers are financially motivated to find non-compliance, as they are compensated based on the license sales they generate, not on the quality of the audit itself.
The Conflict of Interest in Partner-Led Audits
Reseller-led audits under the JPE program present a clear conflict of interest. Since these resellers only make money by selling licenses to address shortfalls, they want to identify as many compliance gaps as possible.
In practice, they may apply more aggressive interpretations of Oracle’s licensing policies, potentially inflating the compliance gap to benefit their bottom line.
For example, a reseller might interpret Oracle’s licensing rules for virtualized environments in the strictest possible way, even if there’s room for negotiation or leniency.
This could lead to significantly higher license requirements than necessary under a more balanced or customer-friendly interpretation of the rules. For this reason, partner-led audits can be especially risky, as the reseller’s goals may not align with your organization’s best interests.
Who Doesn’t Conduct Oracle Audits?
In many industries, large organizations rely on third-party firms like KPMG, Deloitte, or PwC to conduct audits. These firms are known for their independence and objectivity.
However, Oracle does not use these firms for its audits. Instead, Oracle relies exclusively on its internal audit teams or resellers under the JPE program to conduct these reviews.
The lack of independent oversight makes it even more important for organizations to approach Oracle audits cautiously and prepare thoroughly.
How Does the Oracle Audit Process Work?
The Oracle audit process typically begins with an audit notification letter informing your organization that Oracle will be conducting a formal review of your software usage.
This letter may come directly from Oracle or a reseller partner. From this point, Oracle will expect your cooperation in providing data and documentation related to your Oracle software deployments and licensing.
Key Steps in an Oracle Audit:
- Kick-Off Meeting
After receiving the audit notification, a kick-off meeting is usually scheduled. This meeting helps define the scope of the audit and what specific products and legal entities will be reviewed. It is important to clearly understand which Oracle products are being audited and where Oracle focuses its attention.
- Data Collection Using Oracle LMS Tools
Oracle uses its proprietary LMSCollection Tool to gather data from your servers and systems. This tool must be run on all servers where Oracle software is installed, and Oracle’s audit team analyzes the output. It’s important to note that Oracle does not come on-site to collect this data. You are responsible for running the scripts and sharing the results with Oracle.
- Analysis and Report
Once the data is collected, Oracle or its reseller partner will analyze the findings and issue a preliminary report. This report will detail licensing shortfalls, unlicensed features, or other compliance issues. It’s important to carefully review this report and challenge any discrepancies or aggressive interpretations of licensing rules.
- Resolution and Negotiation
After reviewing the preliminary report, you will have the opportunity to respond to Oracle’s findings. This is where negotiations take place. Understanding Oracle’s licensing rules and how to push back on findings that may be incorrect or inflated is essential. In many cases, having expert assistance from an independent licensing consultant can significantly reduce the cost of resolving audit findings.
Potential Costs of an Oracle License Audit
Oracle license audits can be incredibly costly, especially if non-compliance is found. The financial risks stem from the cost of purchasing new licenses and the requirement to pay backdated support fees for the period the software was used without proper licensing.
For example, consider a scenario where your organization has a server with 32 cores, which translates to 16 Oracle processors (due to Oracle’s core factor calculations).
If this server runs Oracle Database Enterprise Edition, the cost per processor is $47,500. Now, imagine your company is running 20 servers with this configuration but is missing licenses for just one server:
- License cost: 16 processors x $47,500 = $760,000.
- Backdated support fees (22% of the yearly license cost): $167,200.
In this example, the total cost for non-compliance on just one server would be $927,200. And this is for just one server—if multiple servers or environments are out of compliance, the financial implications can quickly escalate into the millions.
Common Oracle License Compliance Issues
Organizations face several common compliance issues during Oracle audits. Understanding these pitfalls can help you prepare for and avoid potential problems:
- Over-deployment of Oracle Databases: Many organizations deploy more instances of Oracle databases than they are licensed for, often due to poor deployment tracking.
- Misuse of Oracle Database Options: Oracle offers a variety of database options (such as Partitioning, RAC, or Tuning Pack), each requiring separate licensing. It’s common for companies to enable these features without realizing they need additional licenses.
- Incorrect Licensing in Virtualized Environments: Oracle has strict rules regarding virtualization, particularly in soft partitioning environments like VMware. Misunderstanding these rules can lead to significant licensing shortfalls.
- Failing to Track Named User Plus (NUP) Licenses: Organizations often struggle to accurately track the number of users who require licenses, especially when indirect access is involved.
- Unlicensed Middleware or Applications: Legacy Oracle products, like E-Business Suite (EBS) or Siebel, can create compliance issues if access is not properly managed.
How to Prepare for an Oracle Audit
Given the potential financial impact of an Oracle audit, it’s crucial to prepare thoroughly before the review begins.
A key part of this preparation is conducting an internal audit of your Oracle software usage.
You should:
- Run Oracle LMS scripts: Before Oracle asks for them, run them yourself and analyze the results with an expert. This lets you clean up any compliance issues before the official audit starts.
- Review your contracts: Understanding your Oracle agreements is critical. Know which products you are licensed for, your entitlements, and any potential compliance risks.
- End-date users and clean up legacy environments: Ensure all user access is correctly documented, and any legacy systems are properly decommissioned or licensed.
FAQ on How Oracle Conducts Audits
Who conducts Oracle audits?
Oracle audits are conducted either by Oracle’s internal audit teams (GLAS) or by resellers under the Joint Partner Engagement (JPE) program.
What is the Joint Partner Engagement (JPE) program?
The JPE program involves Oracle resellers conducting audits. These resellers are compensated by selling licenses to cover any compliance gaps they find, creating a conflict of interest.
Are Oracle resellers independent auditors?
No, resellers are not independent. They make money by identifying license shortfalls and reselling licenses to fill those gaps, which may lead to aggressive findings.
Does Oracle use big accounting firms for audits?
Oracle does not use third-party firms like KPMG or Deloitte for audits. Instead, it relies on its own audit teams and reseller partners.
What triggers an Oracle audit?
Common triggers include hardware changes, expired ULAs, mergers and acquisitions, or changes in Oracle software spending patterns.
How does Oracle collect data during an audit?
Oracle gathers data from your systems using its LMSCollection Tool. These scripts must be run on your servers, and Oracle analyzes the output.
Does Oracle come onsite during the audit?
No, Oracle does not come to your data center. You are responsible for running Oracle’s audit scripts and providing them with the data.
What should I do before an Oracle audit?
Before the audit, conduct an internal review of your Oracle deployments, run LMS scripts, and consult an independent licensing expert to identify and resolve compliance issues.
What are the main risks in an Oracle audit?
Risks include unlicensed usage, legacy deployments, misuse of database access, and incorrect virtualized environment licensing. Non-compliance can lead to significant financial penalties.
Can I negotiate the findings of an Oracle audit?
Yes, you can negotiate Oracle’s audit findings. Understanding Oracle’s licensing rules and challenging errors in the report can help reduce the financial impact.
What role does GLAS play in an audit?
Oracle’s Global License Advisory Services (GLAS) conducts official audits and handles data collection, analysis, and reporting.
What’s the difference between an Oracle audit and a JPE audit?
Oracle’s internal audit teams (GLAS) conduct more formal audits, while JPE audits are conducted by resellers who aim to sell licenses to address compliance gaps.
Why are JPE audits risky?
JPE audits can be risky because resellers are financially motivated to find compliance issues. Their main goal is to sell licenses, which can lead to inflated findings.
What happens if I am found non-compliant?
If Oracle finds non-compliance, you may be required to purchase additional licenses, pay backdated support fees, and possibly face penalties.
How can I prepare for an Oracle audit?
Prepare by reviewing your Oracle contracts, running Oracle’s LMS scripts, and working with a licensing expert to address compliance risks before the audit begins.