Field Report: How To Survive An Oracle Audit

Palisade’s Insight Into How To Survive An Oracle Audit

At this point, Oracle’s reputation precedes it when it comes to aggressive auditing of its customers. As I’ve written about in several other pieces, a large part of Oracle’s current business model is to use the bargaining power that comes from finding compliance violations in the audit process to increase revenue from customers, often by pushing new services. This is known as the audit, bargain, close model.

Oracle can do this because they have leverage and power, and because they purposefully don’t put restrictions on the use of their software. Unlike almost every other software vendor, Oracle allows its customers to download and use any software they choose. If you don’t use this power with discipline, you might end up using too much and finding yourself in a weak position in an audit. Oracle understands their contracting policies better than businesses do and audits can be sprung on companies out of the blue — no matter how big or small the business may be.

An ecosystem is developing to assist Oracle customers who are facing an audit. These outside experts seek to show customers how to increase their power and create a balanced playing field when confronted with an Oracle audit. Just as a skilled realtor can get a better deal on our dream home or an accountant can ensure we file the most advantageous tax returns, the best way to go through an Oracle audit is with a partner company that prioritizes the company’s best interest. I’ve profiled Palisade Compliance before, which offers these types of services, but in this piece, I spoke to two of their clients (both of whom I’m keeping anonymous in the interest of avoiding further scrutiny from Oracle) about how using an expert can help in the run-up to an audit and during the actual process itself.

Partnering Before An Audit

I spoke with the COO of a small tech firm that had received notice that Oracle was planning to audit them. What’s interesting about this company’s case is that Oracle sent notification of the audit to the COO personally via an email that was so much like spam that the COO deleted it. It was only after receiving a certified letter in the mail that the company realized the audit was real.

The company had not purchased a license from Oracle since 2006. The COO told me that he never imagined Oracle would want to audit the business.

The letter contained direct threats of legal consequences if the company did not comply with the audit. It stated the company needed to complete a questionnaire within the next two weeks. Fortunately, after speaking with the company’s Oracle rep, the COO began to search online about Oracle audits and quickly realized the way in which Oracle uses audits to generate revenue. He realized that if he filled out the questionnaire blindly, he could back himself and the business into a corner — even if they were currently 100% in compliance. At that point, he called a couple of colleagues at other businesses, one of whom recommended bringing in Palisade.

The relationship proved fruitful for creating a plan prior to embarking on the audit process, and the steps followed could benefit other companies undergoing an audit. “Palisade initially told me to stop and not answer any questions. So I did. And the most assuring portion of this was that, even though Oracle is telling you that you have two weeks to respond and we are going to go to the next level and get our attorneys involved, you’re absolutely not required to operate on their time schedule. You are required to provide responses within a reasonable timeframe, and if their timeframe is not reasonable for you and does not accommodate your current job responsibilities, then you are not required to do that within two weeks. So that by itself really assured me that the Oracle attorneys were not going to be sending letters. Which really is how I felt at the time, either one, I was going to respond and potentially entrap myself or, two, not respond and live under fear that Oracle was going to knock on the door.”

The company’s Palisade consultant helped guide the business through the questionnaire. Once completed, they then had to run scripts on their networks. The result of the audit? 100% compliance.

“I am absolutely sure that if I were to have completed the questionnaire without calling Palisade, there’s no doubt I would have responded differently to some of the questions and trapped myself into something that I would have had to battle Oracle over, just because I didn’t know how to word the response. I wouldn’t have understood the intent,” said the COO. “And that’s where I realized that this audit is owned by the sales team.  It’s all a sales pitch and they’re attempting to squeeze you into a purchase.”

“There’s no doubt that they’re a bully.  I’ve dealt with a bunch of different companies and I’ve never seen a company that was so threatening and really tried to come after you.  Other companies we’ve dealt with, even large companies, are all about getting you in compliance and making sure that you have a relationship.  Oracle doesn’t care about that. It was all about seeing what stones they could turn over and what they could squeeze us for,” said the COO.

Partnering Once An Audit Has Begun

Teaming up with an audit compliance company once the audit is already underway can also prove beneficial. I spoke with the Director of IT at a small engineering company who randomly found out about Palisade after searching the internet following receipt of the notification of an Oracle audit. Like the story I outlined above, this company received a threatening letter demanding they comply and was given scripts to run on their network to ensure everything was in compliance.

“When I first got the audit letter, I was confident that there was nothing wrong, that we were in compliance,” said the IT Director. “Little did I know that we were not. There was some information that we misinterpreted, that we didn’t understand, and so when the audit results came out, the numbers were staggering. It wasn’t what we expected.”

That’s when Palisade jumped in, helping the company to negotiate a much fairer settlement than Oracle was offering. “If I go through it again, I would work with Palisade again because they gave us information that we didn’t know.  They guided us through navigating the whole process,” he said. “Every time an email came in from Oracle and before we sent a response, I would run it by our consultant and make sure that she was aware of what was being asked of us.  Then she would give us advice to say this, but don’t say that. Make sure you look at this and make sure you look at that. It was a very collaborative experience.”

The small company was at the same disadvantage many businesses find themselves in: Oracle understands the contract better than its customers do. The company thought they had a concurrent user model, but instead were on a per user model. Based on this, Oracle demanded the company pay nearly a million dollars to get into compliance. The company found this number absurd. “When I talked to my CFO, we both agreed that if we can come out of this between $200–250,000 dollars, that would be a win. Because, you know, we did use the licenses. We were out of compliance. It’s not like we were trying to walk away from it. We just wanted a more reasonable number from Oracle, given our track record and given that we’re a longtime customer. We weren’t willing to pay the $900,000 dollar initial assessment.”

Palisade helped them negotiate down to $225,000. But the IT Director stressed that they wouldn’t have been able to get there on their own. “I think the most important thing is knowing what the contract states. You cannot assume anything.  You need to understand what your licensing contract includes. You have to read it, understand it and know what it covers,” he said.

“Oracle is good at exploiting technology and making that work in their favor. This whole experience is kind of like buying a car. You talk to a salesman and then you tell the salesman, well, what about this? ‘Well, let me talk to my finance manager.’ And then the finance manager says, ‘Well, let me talk to this guy…’ Well, why don’t I just talk to the finance manager and get rid of the people in the middle, right? That was what the experience was like to me,” he said.

Having a partner to navigate the process, regardless of where the business is in an Oracle audit, can reduce costs and ensure companies don’t end up going along with Oracle just because of fear.