Navigating Oracle Audits
By Pam Fulmer of Fulmer Ware LLP and Dave Welch of House of Brick Technologies
Fulmer Ware LLP and House of Brick work together frequently to defend customers when they are facing software audits from Oracle Corporation. We have learned much about the process, and while we cannot share confidential information, we do feel that it would be a benefit to publicly discuss some of the things that we think you should consider when preparing for, and defending yourself against an Oracle audit.
Because most of our work with customers starts with a conversation, we thought it would be best to present this information in the form of a Q&A.
Q: What is the most important thing that customers can do before an audit, or when they get an audit notice?
Pam: I think that it is important for the client to have a strong knowledge of their Oracle documents. This could include the license agreement(s), ordering documents and any emails or other correspondence that they may have had with Oracle employees. These are key documents and should be kept in one central repository, with your legal counsel able to access them easily. At Fulmer Ware, we also recommend that if you have actually gone through an Oracle audit previously, that you keep those prior audit records. They may come in handy in the future.
Dave: House of Brick consultants are not attorneys, and while we have success partnering with law firms such as Fulmer Ware, we think it is important for customers to seek legal counsel early. Even if a client has inside counsel, we also recommend that audit customers consider retaining qualified outside legal counsel who have had experience with advising clients in navigating these Oracle audits. This is not because Oracle audits frequently turn litigious. Quite the contrary, Oracle rarely proceeds to legal action to resolve an audit. Having experienced legal advisors will simply help you avoid risky pitfalls that every Oracle audit customer seems to encounter.
Q: Is it better for IT Management to engage in numerous calls and meetings with Oracle to avoid miscommunication in an audit?
Pam: No, not in my experience. Some Oracle customers might think that documenting communications in email or other writings sends a signal to Oracle that you do not trust them and that is not the way to act towards a valued business partner. Oracle customers should remember that audits have legal consequences, and that discussions may turn adversarial over the course of the audit process. It has been my experience in advising Oracle audit clients that it is important to make and keep a written record of the things you are doing in the audit. If you happen to be in a meeting or call with Oracle, you want to take careful and thorough notes. In reliance on these client-taken notes, I have been able to go back to Oracle and say on such and such a date, you made this commitment to my client, and Oracle has indeed agreed to honor that commitment. Keep copies of any voice mail messages either Oracle Sales or LMS leave as these might be important as well. Oftentimes by the time I am retained, the client has had a difficult experience with the audit process, so they want some help in handling further communications. When we work with House of Brick, we are able to develop an effective technical and legal communication strategy that includes providing draft correspondence that the client can review and provide to Oracle.
Q: Is there an advantage to having multiple points of contact with Oracle during an audit?
Dave: No, not typically. During an audit, we have seen that it is usually best to limit the number of people on your team interacting with Oracle. This can help avoid a scenario where a team member inadvertently provides information to Oracle that is outside of what is contractually required, and which then might be used to allege inaccurate compliance gaps.
Q: How does making a written record actually help a customer who is undergoing an Oracle audit? Could this backfire?
Pam: What we have found in our experience with many clients is that often while trying to be collaborative and helpful, these clients might fall into the trap of making statements that may seem apologetic or worse, even agreeing with an allegation that they did something wrong without first investigating the facts. Customers should not be discouraged from keeping a written record of your actions. It could be very important to you down the road, if Oracle makes accusations that your company might not be complying with the audit provision of the license agreement.
Q: Will maximum cooperation with Oracle actually help us get out of the audit with a better deal?
Dave: Not necessarily. During these audits, Oracle may ask for a lot of information, only some of which they are likely entitled to receive according to the contract. When considering these requests, you should ask yourself, “Is the requested information actually related to my use of the Oracle programs?” Again, an experienced, qualified third party can help you understand what is and what is not appropriate to share.
Oracle is entitled to know where you are using its software. But that does not entitle Oracle to probe into other areas of your IT environment where Oracle software is not in use. We have seen that oversharing of information with Oracle may lead to inflated claims of non-compliance. It may also lead to additional unnecessary efforts to eliminate those claims.
Along these lines, we recommend that customers that are considering certifying off of an Unlimited License Agreement (ULA) also get qualified help to determine what the limits of Oracle’s ULA Certification involvement are and what information you are required to share.
Q: How might we be caught off guard?
Dave: Oracle license agreements are complex, and Oracle can take advantage of that complexity as a tactic to extract maximum concessions from the customer. That is why it is critically important to understand the contract, and stand confidently on your contractual rights. If Oracle reports a compliance figure that is shockingly high, we recommend that customers take the time to assess their findings for accuracy. House of Brick and Fulmer Ware regularly assist companies with dissecting Oracle’s compliance assertions and understanding what, if any, is the true compliance gap.
Pam: One of the things we have observed is that Oracle early in the audit will demand information from the customer very quickly. People that are not used to these audits and these tactics unfortunately find themselves saying, “Oh, I apologize for the delay.” Most Oracle contracts that we review state that Oracle must give a 45-day written notice before the audit even starts. We recommend that you take every bit of that time to prepare your company for the actual audit. As we have discussed, you want to be careful in your communications with Oracle to not admit or imply that you have done something wrong when in fact you have not.
Q: Are there key take-aways from the Mars case that Oracle customers should be aware of?
Pam: Mars is the well-known candy company, which several years ago was undergoing an Oracle audit. From the public filings in the lawsuit we know that Oracle demanded a massive amount of information, much of which Mars contended Oracle was not entitled to receive. Oracle threatened Mars with a license termination, and to protect itself Mars filed a lawsuit in San Francisco Superior Court for declaratory and injunctive relief. It is clear from the public court filings that Mars did an excellent job of making its record as it responded to the audit, which helped it immensely in setting forth a strong legal position in its lawsuit. When you read the court filings you can see for yourself where Oracle Legal started trying to discourage Mars from making their record by saying in effect, “Let’s not write these lengthy letters back and forth,” and “Let’s not waste time setting up these legal positions.” You do not have to give into that kind of pressure. In the unlikely event that litigation is ever filed, the back and forth between Oracle and you the customer will be key in the Court’s eventual ruling. Setting yourself up to win by carefully making your record is critically important in dealing successfully with Oracle.
Q: Is it better to give Oracle everything that they ask for with the audit sooner rather than later?
Dave: You should really accept that these audits are a marathon, and not a sprint. While it is natural to want to be done with the audit quickly, that may actually set you up for sharing too much information, and ultimately paying too much and giving up your contractual rights. Do not be intimidated by a Power Point or a nice slide from Oracle that has dates on it and interaction obligations that may appear professional and reasonable to you. If you convey that you are growing weary of the audit, and just want it to end, that gives Oracle leverage to just press harder. Take your time and be deliberate. Think through each move like you would a game of chess, while validating your actions against your contractual obligations.
Pam: I agree with Dave. Clients sometimes ask me when the audit will be over. I caution them that this is a long game. If you try to rush the audit Oracle may sense that and hang tough on their assertions. You want to show that you can hang tough as well. If you have based your usage and audit responses on your contract, then good things come to those with the patience to wait.
Q: Is it better to deal with anyone at Oracle rather than the attorneys in the Oracle Legal Department?
Pam: I often see Oracle LMS threatening customers with escalation to Oracle Legal if the customer does not agree to Oracle’s non-contractual demands. The insinuation is that escalation to Oracle Legal is something that should be intimidating, and that the customer should avoid at all costs. If you are confident of your contractual position, then I would urge companies that are undergoing Oracle audits to not be afraid of this escalation to Oracle Legal. Escalation may even be the fastest way to an audit resolution. If you have made your record, by the time it gets escalated to Oracle Legal, you have actually documented that you have cooperated and that you believe that there have been certain inaccuracies and perhaps overreaches made by the Oracle audit team. So, it has been my experience that escalating to Oracle Legal may actually be the best strategy to get you on that path to resolution. If you are prepared, then there is no need to be afraid of that, but actually embrace it.
Q: What law applies to most Oracle license agreements in the U.S.? In the event of litigation, where would a lawsuit be filed?
Pam: Most Oracle agreements in the U.S. specify that California law applies and that in the event of litigation, the lawsuit is to be filed in certain venues in the San Francisco Bay Area. Fulmer Ware lawyers have been practicing California contract and copyright law in the Bay Area for years, and we are very familiar with the law and with state and federal courts in the area.
Q: What about companies that have resolved audits, either by purchasing something they did not want such as cloud credits, or by amending their contracts in an unfavorable way?
Dave: We frequently see Oracle propose audit close amendment language that would establish restrictive technical or architectural boundaries. The problem is that if those boundaries are ever crossed, the new architecture may become subject to new licensing obligations that were not in the customer’s original license agreement with Oracle. This situation is something House of Brick routinely helps customers avoid.
Pam: If you have been audited by Oracle and have purchased additional software, paid money, or amended your contract based upon Oracle’s assertions around VMware or other issues, you may have legal options to recoup some of those costs and/or reverse the amendment language.
Q: When do you think Oracle audit customers are most at risk?
Pam: I think they are most at risk when they wait for the audit report to be issued before actually considering their contractual rights, and even retaining counsel to validate their position. Many times, this is because they have not had adequate controls over the flow of information, and did not fully understand their contractual rights and the limits of the audit.
Q: I have a good relationship with my Oracle Sales rep. I would rather deal with that person than an auditor.
Dave: Based on what we have seen with regard to Oracle’s behavior during audits, it is our opinion that Oracle LMS and Sales may actually be collaborating with the intent to generate product or cloud services sales opportunities . We believe that Oracle’s typical practice of claiming an outsized compliance gap in the audit is intended to intimidate customers into looking for any opportunity to reduce that number. The LMS team then refers the customer to the sales team who encourages the customer to make an additional purchase to conclude the audit. In our experience, in most instances these purchases are unnecessary or overstated for establishing actual license compliance. Customers should be confident in encouraging Oracle to complete the audit based on actual contract terms. Do not allow Oracle to scare you with a number that may be inaccurate, and agree to a purchase simply to conclude the audit.
Dave: House of Brick has encountered organizations that attempt to spend their way into audit avoidance. While audit avoidance may be achieved in this manner, if you manage your licenses appropriately, audits are not something to be feared. I believe that concluding an audit while standing on strong contractual footing can be a badge of honor. It may be an indication that Oracle believes they are not getting enough revenue from you. The objective during an audit is to minimize customer effort, consulting expense, and outside legal fees. Your objective should not be to attempt to abbreviate the calendar time required to stand firm on your positions.
Pam: The key to successfully exiting an Oracle audit without overpaying is understanding your Oracle license agreement(s) and the scope of your contractual rights. I have assisted multiple clients to successfully navigate their Oracle audit. You do not need to be afraid of an Oracle audit, but do be prepared. Oracle customers receiving an audit notice letter should not try to wing it, or to go it alone. Instead, it pays to seek out experienced legal and technical advice.
Pam Fulmer is a partner and co-founder at Fulmer Ware LLP, an IP and commercial litigation boutique located in San Francisco, California. Pam is admitted to practice law in California and has over 27 years of experience litigating all types of intellectual property and commercial disputes in California and across the United States. In addition to her litigation practice, Pam has a great deal of experience defending audits by software companies including Oracle Corporation, and has dealt with various issues involving Oracle software such as VMware virtualization, ULA Certifications, as well as hosting and related alleged areas of under-licensing. She has worked with her clients to develop strategies to mitigate these positions and to push back successfully on the audit findings.
Dave Welch is House of Brick Technologies’ CTO, Chief Evangelist and a co-founder. He is one of the Oracle license leads within House of Brick Technologies. Dave has participated in the optimization of hundreds of millions of dollars of hardware and software, especially related to Oracle licenses. His background is that of Oracle database administrator. Dave delivered the world’s first VMware session on an Oracle topic in 2007 and has spoken annually at VMworld ever since. Dave has a Business Management Bachelor of Science degree from Brigham Young University with a finance emphasis and minors in accounting and economics.
8/6/2018 07:08:16 pm
I used to work at Oracle in compliance and this is one of the most useful articles I’ve read on *any* IP compliance subject. Bravo!
Your comment will be posted after it is approved.
Leave a Reply.
Pam Fulmer and Dee Ware are attorneys at Fulmer Ware LLP, an IP and Litigation boutique located in San Francisco, California.