Mars v. Oracle & the Aggressive Audit
By: Arthur S. Beeman and Joel T. Muchmore
(the lead counsel for Mars in the Mars v. Oracle matter)
In the long wake of the Mars v. Oracle matter—to date, the only publicly filed complaint by a licensee challenging Oracle for its aggressive auditing techniques—Oracle has earned a singular reputation for its unfriendly and aggressive auditing tactics. What Oracle ultimately intends to accomplish through its unpopular auditing and licensing tactics is a matter of some speculation, but one thing is certain: Oracle’s routinized auditing strategy ensures that your business's Oracle audit is either underway or is quickly approaching on the horizon. If your company uses enterprise software, your software vendor almost certainly has the contractual right to audit your company’s use of the licensed software.
Though it does have one of the most pronounced reputations, Oracle is not the only software vendor that is increasingly leveraging aggressive software licensing audits. As patent litigation continues its downward trajectory, we are seeing software licensing disputes rise to fill that void. As such, while some of our recommendations are tailored for certain predictabilities found in Oracle audits, the following suggestions are useful for any software audit.
While there is no substitute for tailored legal advice, every software licensee—Oracle or otherwise—should at least consider the following ten tips: five for pre-audit preparation (which your company should consider well in advance of the audit) and five for handling the audit itself.
BEFORE THE SOFTWARE AUDIT
- Assemble your agreements and ordering documents. The license to use Oracle software generally consists of a master framework agreement (typically the "Oracle License and Services Agreement" or "Oracle Master Agreement") and successive ordering documents specifying the software licensed, the license count, and the price for the licenses and accompanying technical support. All too often these controlling documents are not centrally located, which forces licensees to waste time scrambling to collect relevant materials during the audit. This is especially true as software audits increasingly involve legacy licensee/licensor agreements that were executed by predecessor entities.
- Assemble all licensor communications surrounding the execution of your licensing agreements. Often the sales team of a software vendor engages in extensive pre-licensing communication that involves an evaluation of system architecture and affirmative statements that certain license purchases will ensure compliance. Having any such communications ready can be useful if your vendor later disclaims any statements made by its sales department. (While any licensor can have an overzealous sales team, this is a pattern we have repeatedly seen with regard to Oracle licensing.)
- Determine whether your company is inadvertently using unlicensed software or features. Though unlicensed usage can occur regardless of vendor, many Oracle licensees report that certain products were pre-installed and were either activated automatically or were inadvertently used by employees who were unaware that the software was unlicensed. Typically, it is preferable to catch and correct for such instances before an audit, rather than be surprised by audit findings.
- Evaluate the configuration of your company’s virtualized environment. For years Oracle has surprised licensees by asserting millions of dollars in underlicensing fees and costs based on little more than the licensee’s use of virtualization software (e.g., VMware). In a nutshell, most enterprise software is licensed on a “processor” metric, which Oracle agreements define as all processors on which Oracle software is “installed and/or running.” During an audit, Oracle defines “installed” as “available for use” and asserts that the capacity for live migration (the process of moving a running virtual machine or application between different physical machines) means that the programs are installed (a.k.a. “available for use”) on all processors across a virtual environment. Though we do not believe Oracle’s reasoning is legally sound (and have counseled many licensees to that end), it is prudent to understand how your company’s virtual environment is configured in relation to Oracle software and to consider preventative measures (such as deactivating live migration or otherwise isolating machines running Oracle programs from your virtualized environment).
- Ascertain whether there have been any changes in your system architecture (addition of servers, etc.) that could allegedly increase your company’s processor count. It is not unusual for a company to change its system architecture without considering the downstream impact on its licensing obligations. This is increasingly true as many companies move many of their workloads to the cloud, which Oracle, in particular, asserts are subject to specific licensing obligations. If you believe that your company is underlicensed, you may wish to work with your vendor to renegotiate your agreements outside the potentially coercive context of an audit.
DURING THE SOFTWARE AUDIT
- Obtain counsel experienced with software license audits. At its inception, an Oracle audit is structured to appear reasonable, even friendly. However, be wary that Oracle auditors are trained and experienced in convincing licensees to voluntarily provide information that Oracle is not entitled to, leveraging that information for increased scrutiny and, eventually, for the purchase of additional licenses. Retention of an experienced attorney can help ensure that the audit is appropriately circumscribed to the licensee’s contractual obligations, speed up the audit resolution process, and send a strong signal to Oracle.
- Carefully control communications with your licensor. Oracle is particularly notorious for reaching out to multiple employees of a licensee under audit and probing them for otherwise undisclosed information, which it then feeds back to the Oracle auditing team. You may wish to take proactive efforts to streamline communications with Oracle. Routing all communications through counsel can be an effective measure of ensuring that Oracle respects your company’s demand that it not seek information outside the typical audit channels.
- Be thoughtful regarding all information provided as part of an audit. At the heart of any audit is the voluntary production of information regarding use of the licensed products. Be careful to evaluate the extent to which your license requires you to disclose any information that is requested. For example, Oracle is notorious for requesting information regarding servers, virtual or otherwise, that do not run Oracle software. In an Oracle audit, also be on the lookout for its reliance on publicly available policy statements as support for its informational requests. (For example, see “Oracle Partitioning Policy” and “Licensing Oracle Software in the Cloud Computing Environment.”) These extra-contractual statements are likely not integrated into your Oracle agreement or otherwise binding on the licensee.
- Carefully review all scripts before running them. Make sure the scripts you are asked to run are not designed to collect information that you are not contractually obligated to provide and may not wish to submit to your vendor. Also make sure the scripts are not built to automatically transmit the results back to the licensor (something that many Oracle licensees have complained of). If possible, scrutinize the functionality of the scripts and consider performing a careful test run in a sandbox environment.
- Pay special attention to replacement license agreements and other audit close documents. Some vendors are satisfied concluding audits with a reconciliation of the number of licenses needed. In such instances, a licensee must pay particular attention to release and other closing documents to be sure all future rights are protected. Other vendors aggressively push replacement agreements as the best method to resolve alleged license shortfalls. For example, Oracle licensees can expect to receive a hard pitch for an Unlimited License Agreement or a switch to Oracle’s cloud as an instant fix for auditing problems. Switching agreements at the close of an audit can provide short-term relief from the immediate pressure of an audit, but such agreements may also constrict the licensee and leave them more vulnerable in future audits or upon certain triggering events. Experienced counsel can most easily detect licensing pitfalls and ensure that the legalese is sufficient to prevent Oracle, or any other vendor, from later revisiting audit findings.
We believe all audits—Oracle or otherwise—can be contained and controlled. While there is no one-size-fits-all approach, the above tips are, at minimum, a good starting point for controlling your software audit. Careful preparation and close attention will help ensure that your company concludes any software audit uncompromised and with minimal disruption.
Arthur S. Beeman and Joel T. Muchmore were the lead counsel for Mars in the Mars v. Oracle matter.
Published on 5/31/2020