Java licensing

Java Audit – What You Can Expect in the Audit

Oracle conducts Java audits in two forms:

  1. Formal Audit follows the same procedure as traditional Oracle audits, including Oracle audit organization.
  2. Soft Audit: Oracle starts a compliance conversation with your IT department in this type of audit. If issues are not resolved, they can lead to subtle threats regarding intellectual property protection, potentially involving your C-level executives and legal team.

But do not let the names fool you; the Soft Audit is far worse than a formal audit.

If you ignore Oracle e-mails, they may contact your CEO, CIO, or CFO. We put together a 7-step plan for you to execute.

Read our prediction for what to expect for Oracle Java Licensing in 2024.

Are you considering expert Help? Please read about our Java Audit Defense Service.

Oracle Java Audit Formal Audit

oracle java audit

Since 2023, Oracle has intensified its efforts in conducting formal audits on its customers’ use of Java.

These audits are not arbitrary but result from deliberate selection by the Oracle account team, which nominates customers for annual license audits.

Far from being random, the selection process targets specific entities, and these audits are a critical component of Oracle’s revenue strategy.

These license audits are estimated to generate around 70% of Oracle’s software license revenue, underlining their significance to the company’s financial health.

Key Aspects of the Oracle Java Audit Process:

  • Engagement by Official Audit Team: Oracle’s official audit team, the Global License Advisory Services (GLAS), conducts formal audits. This team is renowned for its meticulous and comprehensive audit procedures, making these audits among the most rigorous and potentially risky for customers.
  • Comprehensive Review: Oracle’s approach to auditing involves thoroughly examining every Java deployment and usage within an organization. This includes reviewing all patches and versions and utilizing a combination of tooling and manual declarations to ensure a comprehensive audit scope.
  • Detailed Information Sharing: Organizations under audit must share in-depth details about their Java deployments and historical usage. This process demands transparency and a considerable amount of documentation, including records of downloads, installations, and updates of Java software.

The formal Java audit process by Oracle underscores the importance of maintaining accurate records and compliance with licensing agreements.

Given the potential implications of these audits, including significant financial liabilities for non-compliance, organizations are advised to proactively manage their Java software licenses and prepare for the possibility of an audit.

Oracle Java Audit Defense Plan

java audit

When facing an Oracle Java audit, it’s crucial to have a defense plan in place.

This plan should be based on a thorough understanding of the Oracle license audit process.

Here is theJava Audit process, tailored specifically for Java audits:

  1. Oracle Audit Notification: Oracle will send a notification letter to your CFO/CIO or both, notifying you of their intention to perform an audit of your Oracle Java licenses.
  2. Audit Kick-off Meeting: During this meeting, Oracle will want to agree on a timeline for you to share all the necessary data.
  3. Data Sharing Oracle will provide access to a web-based license audit portal where you will be asked to answer a questionnaire about your Oracle Java usage. Alternatively, they ask you to complete a Java Server Worksheet (JSW) and run their PowerCLI tool to capture information about your virtual environments.
  4. Third-party tool Oracle will ask if you have a third-party software asset management tool, as Oracle has verified most of them to act as their audit tool. We recommend you consider your response. If you have one such tool, you have made it easier for Oracle to audit you.
  5. Oracle Audit Report: After the audit, Oracle will present a report outlining the worst-case scenario with the highest fees to be paid to Oracle.
  6. Review and Response: You will have 45 days to review your Oracle licensing and develop an Oracle audit defense plan. It’s crucial not to agree with the findings until you have had an Oracle licensing expert provide a second review of the license audit findings.

What is a Soft Java Audit?

What is a Soft Java Audit

A “soft Java audit” is initiated by Oracle’s Java account teams, who are supported by the business practices team at Oracle HQ.

The process usually involves:

  • Contacting Organizations: The teams reach out via email to discuss Java licensing.
  • Evidence of Licensing Requirements: They often possess proof of downloads for security patches and versions of Java that require a license, using this information to gauge compliance with Oracle’s licensing policies.

How Redress Compliance Can Assist with Oracle “Soft Audits”

  1. Receiving Soft Audit Emails from Oracle:
    • If you’re getting emails from Oracle about a soft audit and haven’t responded, Redress Compliance can guide you. We can clarify licensing requirements and help craft responses to Oracle, potentially averting a formal audit. We’ve successfully assisted over 20 organizations in similar situations.
  2. After Responding to Oracle:
    • If you’ve already sent Oracle information about your software use, it’s not too late. Redress Compliance offers advisory services, including a 40-hour consultation, aimed at minimizing or eliminating any claims by Oracle.
  3. Facing Claims for Back Dated Usage:
    • When Oracle’s claims involve backdated usage based on your provided information, we can support you with our 40-hour advisory service to reduce such claims. Additionally, we offer a “no cure, no pay” option, where our fee is a percentage of any savings we secure for you.

Case Study: Navigating Oracle Compliance with Redress Compliance

Case Study Navigating Oracle Compliance with Redress Compliance java audit

Background

A prominent organization in the Western United States found themselves in a daunting situation when faced with Oracle’s claims for hundreds of thousands of dollars in retroactive fees related to Java deployments.

With potential financial repercussions at stake, the organization turned to Redress Compliance for expert assistance in navigating the complexities of Oracle licensing and audit processes.

Challenge

The organization was confronted with Oracle’s demands for retroactive licensing fees exceeding $400,000 based on an audit that identified alleged non-compliance in their Java software deployments.

The stakes were high, and a strategic response was critical to avoid a substantial financial burden.

Approach

Redress Compliance undertook a multi-faceted approach to address the challenge:

  • Comprehensive Review: The first step involved thoroughly analyzing all communications between Oracle and the client, providing Redress Compliance with a clear understanding of the claims and Oracle’s stance.
  • Deployment Assessment: Redress Compliance conducted an in-depth review of the Java deployments. This examination was crucial for verifying compliance and identifying any possible misunderstandings or inaccuracies in Oracle’s audit findings.
  • Strategic Communication: Armed with insights from the reviews, Redress Compliance developed a targeted communication strategy to counter Oracle’s claims. This strategy was grounded in factual evidence and clearly articulated the organization’s compliance posture.
  • Negotiation: Redress Compliance engaged in months of negotiation with Oracle, leveraging their deep understanding of Oracle’s licensing policies and audit practices to advocate on behalf of the client.

Outcome

The negotiations led by Redress Compliance culminated in a settlement where the organization was required to pay only $5,000—a fraction of the initial demand exceeding $400,000.

This resolution represented a significant financial relief for the client and underscored the effectiveness of a well-informed and strategically executed response to software licensing audits.

FAQs

Does Oracle have any scripts to audit Java?

No, they do not; they rely on any third-party SAM tool (verified by Oracle), and you share declaration data in Excel.

What is Oracle focusing on in the audit?

Application name, Virtual deployments, VDI, Install paths, security patches, downloads of security updates or versions for the past 10 years.

What is a common mistake in the audit?

Oracle will ask when Java was installed; they do this to claim retroactive fees. We recommend you leave that field out or dispute those claims.

Are all Oracle Java audits the same?

No, we see that different auditors are using different methods and tools. Some auditors also ask for Java Commercial Features, while others do not.

Should we ignore Oracle e-mails about wanting to discuss licensing?

At first, yes, unless you already have a complete picture of your Java Licensing and an audit defense strategy. But Oracle will eventually escalate to your C-level management.

Oracle have logs of security and downloads of Java, how to respond?

There is no easy answer: Oracle has records of your organization downloading licensable Java. We recommend you review your licensing and design an audit defense strategy.

Oracle is sending us e-mails about wanting to discuss Java Licensing, what should we do?

Review which deployments require a license, optimize, and then negotiate and communicate with Oracle depending on your result. Oracle has all the information advantages; if you want to save money and reach a successful outcome, consider our Java Audit Defense Service.

Do we have to purchase the employee metric if we have licensable Java installed?

No, there are other purchasing options; however, to successfully negotiate such a purchase, you must have a full picture of your deployments and know how to negotiate with Oracle.

We purchased Java SE on the old license metrics, Oracle is not willing to renew on the old metrics, what should we do?

Oracle can calculate the cost of an employee license metric. If you want to save money and avoid purchasing the employee metric, consider getting expert help.

How can Redress Compliance Java Audit Defense Service Help?

This service is structured in two distinct phases:

1 – Java Licensing Assessment & Optimization: A thorough evaluation and enhancement of your Java licensing structure.
2 – Java Audit Defense Strategy & Advisory: Providing strategic advice and support for audit defense, including communication and negotiation with Oracle.

Organizations can engage in one or both phases based on their specific needs.

Which are the most common triggers for an Java audit?

Oracle audits are not random; they act on different kinds of information. A few joint audit triggers exist, such as downloads of downloadable Java for the past 5-10 years.

Redress Compliance Java Audit Defense Service

Redress Compliance offers a comprehensive Java Audit Defense Service to help organizations navigate the complexities of Oracle Java licensing audits.

We have a 100% success rate where organizations are not paying for retroactive usage and are only purchasing the licenses they need at favorable terms.

Contact us to learn more.

Please enable JavaScript in your browser to complete this form.

Author

  • Fredrik Filipsson

    Fredrik Filipsson brings two decades of Oracle license management experience, including a nine-year tenure at Oracle and 11 years in Oracle license consulting. His expertise extends across leading IT corporations like IBM, enriching his profile with a broad spectrum of software and cloud projects. Filipsson's proficiency encompasses IBM, SAP, Microsoft, and Salesforce platforms, alongside significant involvement in Microsoft Copilot and AI initiatives, enhancing organizational efficiency.