Supplier software license audits have become more frequent. Are you ready?

With the first anniversary of the COVID-19 shutdown right behind us, there has been a lot of dialogue about what different industries have been through over the past year. Recognizing this questionable anniversary, we sat down to collect our thoughts and share some tips regarding our little corner of the legal and tech industry.

In a word? In our observation, over the past year, software license audits (and Oracle audits in particular) have: (1) increased in frequency; (2) become more prone to thorny interim conflicts; yet (3) become more conducive to hasty resolution. While the first two have been frustrating for our clients and colleagues, the third potentially presents an opportunity for a refined approach to audit resolution.

Luckily, our friends from ITAM recently published their poll results on the past year of software license audits, focusing mainly on the volume, frequency and impact of audits during COVID-19. In this article, we take the time to compare our anecdotal results with the results of the larger ITAM survey.

Oracle audits / requests are more and more frequent

Nowadays, few licensees are surprised to learn that many vendors view software license audits as a pretext to generate revenue. As has been alleged in the Oracle securities litigation, Oracle whistleblowers said employees were pressured to adhere to the “ABC” method of “audit, negotiate, close”, with a general understanding that Oracle License Management Services (“LMS”) was little more than a tool at the disposal of the Sales Department. So, as times become more uncertain economically due to the COVID-19 lockdown, it’s no revelation that software vendors have fallen back on what they know best: auditing as a sales tactic.

For our customers, software license audits seem to be more and more frequent, with Oracle leading the pack but by no means the only vendor involved. It is important to note that a licensee can no longer rely on the 3-year audit cycle as insulation from Oracle, with some of our customers fending off Oracle requests in a quasi-serial fashion.

And the distinction between audits and investigations is crucial. Oracle has weaponized the threat of audits, starting with seemingly innocuous investigations that carry the implicit threat of a formal audit or other behind-the-scenes verification procedures to follow. Adding to the implicit threat, some investigations are conducted by Oracle's internal counsel rather than LMS or sales.

Our experiences are largely corroborated by the recent ITAM survey, reported in The Register:

“In the ITAM Forum study, 46% of organizations said they experienced an increase in supplier audit requests during the pandemic. Meanwhile, 50% of those polled said they believed audit risk was increasing, while 12% said they expected risk to increase.”

The Register article also noted that “ITAM Forum founder Martin Thompson, a longtime software licensing activist who helped organize the survey, added, ‘I’ve heard that software companies are stepping up recruiting into their licensing and audit teams for 2021. As the impact of the pandemic slowly spreads through the economy and therefore into publishers’ sales numbers and stock prices, everyone should expect more desperate behavior from some publishers.’”

Oracle audits are increasingly prone to interim litigation and obstruction tactics

While harder to quantify, we’ve observed over the past year that Oracle is increasingly reluctant (if not totally opposed) to making modest concessions that it has historically made without noticeable resistance. For example, most Oracle audit provisions contain a commitment that an Oracle audit “must not unreasonably interfere with your normal business operations.”

In the past, a licensee who received an audit notice could reasonably expect to postpone the audit process for a month or two by stating in good faith that the planned audit schedule “interfered with the normal business operations” (e.g., a change in IT environment, end-of-quarter financial statements).

But in recent months we’ve seen Oracle bristle at such requests and insist that the audit be carried out rigidly according to the schedule unilaterally proposed by Oracle.

In addition, the typical Oracle audit clause contains a license holder commitment to “remedy (which may include, without limitation, payment of any fees for additional licenses for the programs)” any “non-compliance within 30 days of written notification”. Historically, this so-called 30-day window came and went with little to no fanfare. In fact, in our view, any adherence to a built-in countdown was contrary to Oracle’s “shock and fear” tactic of strategically inflating license shortfalls that were then painstakingly reduced over months of negotiations. In recent months, however, we’ve started to see Oracle focus on the 30-day window in order to push for an early resolution.

As should come as no surprise to anyone, Oracle was ranked by IT asset managers who participated in the ITAM survey as the second least useful software company. According to ITAM, “Oracle is at number two, dropping from number one in 2016. I think they’ll be quite disappointed to be at number two, because Oracle’s business model is built on hostility.”

While encountering hostility during an Oracle audit is nothing new, an increasingly short-sighted focus on short-term gain is a bit of a change. Regarding the less useful software publishers, ITAM said they are focused on short-term income and don’t care about the customer relationship. They are motivated to extract some income from you at all costs so that they can reach their number.

If handled correctly, Oracle audits can increasingly achieve rapid resolution

It should be noted that the above examples focus on resolving an audit quickly, which in itself represents a measurable change from the long strategy game that most Oracle licensees have become accustomed to. And we have the distinct impression that Oracle has been willing to quickly put in place audit resolution packages that require fewer out-of-pocket payments than comparable situations in the past.

Again, our results match some of the ITAM results. Respondents to the ITAM survey reported that “a little bit of income” was enough for some vendors who are just looking to “put something on the books”. A survey respondent said, “They are more desperate salespeople, happy to take on any type of commercial product proposition, as long as some form of income is realized.”

The key takeaways

Our takeaways and recommendations are relatively straightforward. Although Oracle audits were never fully routine, the licensee could rely on certain largely predictable elements. However, over the past year it has become clear that the rules are changing, and while much of the audit process remains familiar, less and less is fully predictable.

This emerging mix of the familiar and the unpredictable is yet another reason for the Oracle licensee to have an experienced guide through the audit process.