Sunteți pe pagina 1din 7

Guía para Auditoría Oracle How to Survive an Oracle Software Audit

http://www.gartner.com/technology/media-

products/newsletters/hp_sw/issue3/gartner.html

Oracle has always conducted software audits, but the number reported in the last Gartner ITAM survey increased significantly. Software asset managers must tighten processes to manage unique Oracle license terms and policies to avoid costly, unbudgeted noncompliance fees.

Key Challenges

Software asset managers are challenged to manage increasing vendor-imposed, revenue-motivated software audits to avoid the possibility of excessive unbudgeted licensing costs.

Software asset managers who do not carefully review Oracle's contracts, policies and license metric definitions may not understand and perform the required compliance and audit readiness activities to reduce noncompliance risk.

Software asset managers who fail to act now and create audit management plans will subject their organizations to costly, unbudgeted fees and possibly repeat audits in the future.

Recommendations

Software asset managers must:

Establish written procedures for handling any audit, and include any Oracle- specific procedures that must be followed.

Proactively prepare for Oracle audits by ensuring that their organization has all purchasing records and a complete inventory of purchased and installed software.

Set up regular meetings with IT procurement and technical personnel to discuss any changes in technology and any future Oracle purchases to determine how these will impact the tracking of Oracle licenses.

Ensure that technical personnel understand areas of common audit risk.

Refuse to settle audit results until the analysis is complete and they are certain the results accurately reflect their environment.

Introduction

The number of reported Oracle audits has increased over the past four years. Two Gartner surveys have reflected this increase:

A survey from the 2012 Gartner IT Financial, Procurement & Asset Management Summits in Orlando, Florida, and London reflected an increase from 16% of respondents reporting that they were audited by Oracle in 2009 to

38% in 2012.1 Given figures of 19% in 2010 and in 2011, this indicates a significant increase during 2012.

A small survey of clients in France, conducted in early 2013, showed that 50% of the respondents had been audited by Oracle in the past 12 months.2

Organizations that are not prepared and have not done their own audits may find that they owe Oracle huge additional fees to correctly license their existing Oracle installations. Even if an organization has experienced IT asset managers, the Oracle licensing issues will create situations in which a customer can be out of compliance without realizing it – for example, Oracle's virtualization and cloud policies are not included in Oracle's license agreement. Oracle customers must not only stay on top of all Oracle licensing rules and policies, but also constantly work with the technical staff to stay educated about the areas of risk.

Why Am I Being Audited?

Like the majority of software vendors, Oracle is performing global audits across its entire customer base. Software asset managers must be alert for situations that might increase the chance of their being audited; in addition, they must consistently communicate and train technical staff to educate them regarding the areas of risk. These include:

Where the customer is still using older license metrics and product names:

Oracle appears to use audits to move customers from older license metrics (such as Concurrent Users) to new ones (such as Named User Plus [NUP], Processor or Application User), as well as to the most recent Oracle product names (which may or may not include the same functionality as the original entitlements). These types of conversions usually result in an increase in the cost for the customer to license the same environment.

Where the customer has made changes to the technology environment (for example, server refreshes, adding high-availability capability or using virtualization technologies): Use of virtualization technologies, such as VMware, is an area of very high, unexpected costs for Oracle customers.

Where Oracle "Configuration Manager" software is installed, and is possibly downloading and reporting installation data direct to Oracle (see Note 1): This may indicate potential compliance issues.

When a new Oracle account executive is assigned to the customer: Gartner discussions with clients have suggested that a change in the account team at a time when no new business is planned, or when plans are unclear, can easily spark an exploration into the customer's current licensing and potential noncompliance.

It is important to note that an Oracle Insight study is not an audit. It is an optional activity in which Oracle reviews the customer's use of Oracle products and suggests ways to optimized use. However, in the analysis carried out by Oracle during an Insight engagement, it is possible that compliance issues may be discovered.

Analysis

Check Your Contracts to Determine Audit Rights

Before responding to any audit request letter, it is important to understand what the letter is asking. If the request is for a formal audit that is in line with the terms and conditions of your contract (see Note 2), then you must comply with the request, whether it is for a self-assessment or an on-site audit. Organizations may also be approached by Oracle's License Management Services (LMS) to carry out a license optimization exercise to help the client to improve its license position.

Organizations that are approached with an offer of a license review must clarify from the outset whether it is an optional exercise or a formal invocation of the rights set out in the audit clause. Software asset managers must be aware that, while license optimization may be presented as the reason to engage the Oracle LMS, in fact, the LMS is Oracle's audit organization, so any proactive review or optimization work might result in a conflict of interest if the data could be used to justify a formal audit.

Oracle May Use Third Parties to Audit Customers

Historically, Oracle has performed its own audit activity via the LMS team. However, Gartner clients are starting to report audits involving third parties. These third parties are generally reported to be Oracle business partners, resellers or distributors with which the client has no existing relationship.

It is important for a strong nondisclosure agreement to be signed with any third party acting on Oracle's behalf in an audit, and for processes to be reviewed to ensure that data is managed confidentially. Any nondisclosure agreement must be drafted with the help of your in-house legal team, and should require a three-way agreement between your organization, Oracle and the auditor, since data will be shared three ways.

Use Your Established Audit Governance and Processes

Like many vendors, Oracle sets out its audit processes and time scales in the initial letter or during the initial scoping meeting. These time scales are negotiable. The contract requires the following:

"Upon 45 days written notice, Oracle may audit Your use of the Operating System, Integrated Software and Integrated Software Options. You agree to cooperate with Oracle's audit and provide reasonable assistance and access to information. Any such audit shall not unreasonably interfere with your normal business operations."3

This allows for discussion and negotiation, so clients must ensure that they refer to their own audit governance and processes, and that they work with Oracle to scope and schedule the audit to fit with these. The following considerations must be addressed upfront:

The transfer and retention of data

Nondisclosure agreements

Resource requirements and availability

Agreement on scope

An understanding of the methodologies used to conduct the audit

Reconciliation of entitlement and audit data

Cooperation and collaboration can help minimize the operational impact of audits, as well as the internal cost. For some high-level information on how Oracle expects to proceed with audits, see Oracle License Management Services.

Check Your Entitlement Records

Few organizations are confident that their licensing and contracting records are complete. In many cases, master contracts may be available, but details of individual orders or licenses have been lost. Other organizations only keep the current contract and archive older versions, resulting in incomplete information and references to inaccessible agreements. Many organizations rely on the software vendor to provide them with details of their entitlements when paying support and maintenance bills, when renewing contracts, or even during audits.

However, vendor entitlement data may also be incorrect, and unlike some other vendors, Oracle does not have an online licensing portal through which customers can view the information they hold, so it is often only in the event of an audit that issues with the data are uncovered. Errors in the data may be due to a number of factors:

Purchases have been made under legal entities that Oracle does not associate with the company that holds your main contract.

Purchases have been made using brands or variations of company names that do not match your legal entity names.

Purchases have been made by companies that have been acquired, merged or divested, and Oracle has not been informed or asked to update its records.

Purchases have been made through service providers, resellers or application vendors, and are linked to a specific application instance, but not registered with Oracle.

Errors have been introduced into the supply chain process, from requisition through delivery, such as miskeyed part codes or assignment to the wrong account code.

Entitlement Misunderstandings Cause Confusion

For many organizations, confusion over entitlement arises due to misunderstandings around the order or precedence of the various contract documents – for example, individual Oracle Ordering Documents, Addendums and Executable Quotes (which may not be individually negotiated once an organization believes that a master agreement is in place) take precedence over the terms in the Oracle License and Services Agreement (OLSA), or the newer Oracle Master Agreement (OMA).3 Oracle, like many other vendors, also makes use of online policies to supplement the license terms and conditions that are referenced in contracts and license documentation, and that are subject to change without notice. These policies are often updated in response to technology changes, and it can be difficult for software asset managers and system administrators to relate the old terms and conditions to new technologies.4 It is, therefore, unsurprising that many organizations have an inaccurate view of their entitlements.

For customers with older contracts, there may be further complexity, because Oracle's older concurrent license stated that measurement must be done at the multiplexing front

end; however, generally, there was no minimum number of concurrent users required per processor. The older Named User license also stated that counting must be measured at the multiplexing front end, but there was only a requirement of 10 Named User licenses per processor. Licenses purchased under NUP before March 2009 had set definitions in the contract as to how to "count" based on the processor type. For licenses purchased after March 2009, see the Oracle Processor Core Factor Table,5 which must be referenced when changing hardware platforms. All these will require a different analysis of how to "count" needed licenses.

Take These Actions to Manage and Prove Compliance

Gartner clients reported particular issues in a number of areas, including but not limited to:

Accurate inventory: Many organizations have older OLSAs containing license metric definitions; due to the order of precedence, each order form must be "matched" with the licenses to ensure that you have the correct definition for each metric.

Action Item: Oracle should provide copies of any missing ordering documents, and it is essential that you obtain these as soon as possible. For products licensed under older names, ask Oracle to provide the current product name, as well as details of the product functionality to which you are this entitled.

Virtualization: Proving compliance with the virtualization policy is difficult; unless you can prove hardware partitioning (not software partitioning), you must pay for all processors and cores accessible to the software.

Action Item: It is important to work with your technical staff to ensure that they are aware of Oracle's virtualization policy, and to ensure that processes are in place to check that your server is correctly reporting its configuration.6

Non-human-operated devices: These must be licensed via the NUP license model, and must be counted at the multiplexing front end. Non-human-operated devices are any devices that do not require a person to operate them, but that access Oracle software to function – for example, sensors, smart electrical meters, medical devices, vending machines and inventory devices. In the Oracle Software Investment Guide (SIG), Oracle provides examples of non-human-operated devices and how they must be counted;7 however, these might not match your exact situation.

Action Item: Review Oracle's SIG. While it is not considered part of the Oracle license agreement, and is subject to change, it can assist customers in understanding more about Oracle's license models. It is currently a 62-page resource created for the customer's education, and serves as a guide to Oracle's policies. It provides an important starting point in understanding Oracle's vast array of licensing configurations and detailed information.

Batch processing: Compliance with Oracle's policies regarding the "batching" of data into or out of a database may also need to be substantiated during an audit. In the Oracle SIG, the process is defined as follows:

"Batching is an activity that allows a group of tasks occurring at different times to be processed all at the same time, while requiring little or no interaction from the user. For most environments, batching is performed to transport data from computer to computer where the database is running."7

Oracle permits two common ways for batching data into or out of a database:

Automatic batch data feeds require no human interaction because prewritten scripts automatically upload data.

Manual batch data feeds require human interaction because an individual must execute the scripts to upload the data. With the manual method, "users" performing the batch data feeds must be licensed.

Oracle authorizes Processor and NUP metrics to license environments with batch processing. For a batched environment licensed by Processor, all processors in which the database is installed and/or running must be licensed.

Action Item: Ensure that your software asset management (SAM) database captures the requirement that, for a batched environment licensed by NUP, batching data to/from computers in which the databases are installed and/or running is the only automated process permitted.

Are You Aware of Oracle Configuration Manager?

Oracle Configuration Manager (OCM) was provided to Oracle customers from mid- 2008 onward. It collects and transmits customer configuration data to Oracle over the Internet, and may be installed and activated without notifying the client organization that it is occurring. Although Oracle allows its customers to turn off OCM reporting, by default it is installed and activated. The information from the tool is sent direct to Oracle, and there are no reports accessible to customers that could help them with their license compliance.

Software asset managers must verify whether OCM is installed and activated. If it is, then they must engage with stakeholders to discuss whether to switch it off, since this action might trigger an audit. As part of the audit process, software asset managers should confirm whether Oracle will be using this data, and ask for a copy of the report to ensure that the data is relevant and accurate.

Once the audit is completed, software asset managers and information security must consider whether this continuous monitoring is appropriate, and decide whether to continue allowing it.

How Bad Can It Get When Resolving Compliance Infringements?

Gartner clients often want to know the "worst case" scenario for their audit outcomes so they can prepare themselves and stakeholders in advance. It also helps when justifying the dedication of resources to ensuring that the audit is carried out effectively, or putting together a SAM business case. Oracle reserves the right to pursue all available remedies to resolve license violations – including, but not limited to:

Charging full list price for additional software licenses required to correct the license violation

Charging technical support fees for the period of unlicensed software use

Charging interest on all amounts due for additional licenses and technical support

Suspending technical support service and software updates, where applicable

Terminating the license agreement and associated licenses

What to Expect When Resolving Compliance Issues

For short-term compliance issues, Oracle offers term-based leases – that is, one- to five- year term licenses – which can be a sensible option for licenses that are no longer needed or will not be needed for much longer. If you purchase perpetual licenses, then it may be difficult to get reductions in maintenance and support if you want to remove part of an order from support. All licenses purchased to settle the audit will be on a single ordering document.

Although Oracle will push for customers to pay for the licenses within 30 days of the audit results – you should not do this if you do not agree with the results. Rather, ensure that you understand and agree on the entitlement details, installations and associated metrics, and reconciliation methodology before discussing the settlement payment.

You do not have to give up older license models (for example, concurrent), but you may have to move them to environments where there are limited users. Older Oracle license agreements did not require a minimum number of licenses per processor for concurrent models.

As soon as both parties have agreed on the audit results, you should still be able to negotiate down the settlement figure, especially if the compliance issue is due to a policy that is not part of the Oracle contract (such as the virtualization policy), when there is some vagueness in Oracle's definitions, or when there is substantial money on the table for a new deal. Remember to review current maintenance and support invoices for any shelfware or overpayments, because you might be able to use these as negotiating leverage to obtain higher discounts.