Vendor Software License Audits Have Become More Frequent. Are You Prepared?

With the 1-year anniversary of the COVID-19 shutdown just behind us, there has been a lot of dialogue regarding what different industries have experienced over the past year. Acknowledging this dubious anniversary, we sat down to collect our thoughts and share a few advisements with respect to our small corner of the legal and tech industry.

In a nutshell? In our observation, over the past year software license audits (and Oracle audits in particular) have been: (1) increasing in frequency; (2) more prone to prickly interim conflict; yet (3) have been more amenable to hurried resolution. While the first two have been frustrating to our clients and colleagues, the third potentially presents an opportunity for a refined approach to audit resolution.

Fortuitously, our friends at ITAM recently published their survey results regarding the year in software auditing and licensing, primarily focusing on audit volume, frequency and impact during COVID-19. In this post, we take some time to compare our anecdotal findings with the broader survey results of ITAM. 

Oracle Audits/Inquiries Are Increasing in Frequency

These days, few licensees are surprised to learn that many vendors treat software license audits as a pretext for revenue generation. As was alleged in the Oracle Securities Litigation, Oracle whistleblowers stated that employees were pressed to adhere to the “ABC” method of “audit, bargain, close,” with a general understanding that Oracle’s License Management Services (“LMS”) was little more than a tool at the disposal of the sales department. So, as times become more economically uncertain through the COVID-19 lockdown, it is hardly a revelation that software vendors fell back on what they know best: auditing as a sales tactic.

For our clients, software license audits appear to be increasing in frequency, with Oracle leading the pack but by no means the only contender. Importantly, no longer can a licensee count on the 3-year audit cycle as insulating them from Oracle, with some of our clients fending off Oracle inquiries in near-seriatim fashion.

And the distinction between audits and inquiries is crucial. Oracle has been weaponizing the threat of audits, beginning with seemingly innocuous inquiries with the implied threat of a formal audit or other verification proceedings waiting in the wings. Adding an implied menace, some inquiries are led by Oracle in-house counsel rather than LMS or sales.

Our experiences are largely matched by the recent ITAM poll, reported in The Register:

“In the ITAM Forum study, 46 per cent of organisations said they had experienced an increase in audit requests from vendors during the pandemic. Meanwhile, 50 per cent of respondents said they thought the risk of audits was getting higher, while 12 per cent said they expected the risk to increase.”

The Register article also noted that “ITAM Forum founder Martin Thompson, a long-time software license campaigner who helped organize the survey, added‘I hear anecdotally that software publishers are stepping up recruitment into their licence management and audit teams for 2021. As the repercussions of the pandemic slowly filter through the economy and therefore to publisher sales numbers and share price, everyone should anticipate more desperate behaviour from certain publishers.’"

Oracle Audits are Increasingly Prone to Interim Disputes and Obstructionist Tactics

Though harder to quantify, we have observed over the last year that Oracle is increasingly reluctant (if not entirely opposed) to making modest concessions that it has historically granted without notable resistance. For example, most Oracle audit provisions contain a covenant that an Oracle audit “shall not unreasonably interfere with Your normal business operations.” 

In the past, a licensee that received an audit notice could reasonably expect to postpone audit proceedings for a month or two based on a good faith assertion that the scheduled timing of the audit improperly “interfered with normal business operations” (e.g., a change in IT environment, quarter-end financials).

But over the last several months, we have seen Oracle bristle at such requests and insist that the audit rigidly go forward pursuant to Oracle’s unilaterally proposed schedule.

Further, the typical Oracle audit provision contains a licensee covenant to “remedy (which may include, without limitation, the payment of any fees for additional licenses for Programs)” any “non-compliance within 30 days of written notification.” Historically, this purported 30-day window came and went with little-to-no fanfare. In fact, in our estimation, any adherence to a built-in countdown was antithetical to Oracle’s “shock and awe” tactic of strategically inflating license shortfalls that were painstakingly whittled down through months of negotiations. In recent months, however, we have begun to see Oracle emphasize the 30-day window in order to bring pressure for quick resolution.

As should be a surprise to no one, Oracle was rated by the IT asset managers who participated in the ITAM survey as the second least helpful software company. According to ITAM, “Oracle is at number two, falling from number one back in 2016. I think they will be quite disappointed to be at number two, because Oracle’s business model is founded on hostility.”

While running into hostility in the course of an Oracle audit is nothing new, an increasingly myopic focus on short term gain is a bit of a shift. Regarding the least helpful software publishers, ITAM said they are focussed on short term revenue and don’t care about the customer relationship. They are motivated to squeeze a bit of revenue out of you at any cost so they can hit their number.”

If Handled Properly, Oracle Audits can Increasingly Reach Quick Resolution

It should be noted that the above examples stress quick resolution of an audit, which itself represents a measurable change from the strategic long game that most Oracle licensees have grown accustomed to. And it has been our distinct impression that Oracle has been willing to expeditiously put together audit resolution packages that require less in the way of out-of-pocket payments than comparable situations in the past.  

Once again, our findings match certain findings of ITAM. Respondents to ITAM’s survey reported that “a little bit of revenue” was enough for some vendors that are simply looking to “put something on the books.” One survey respondent was quoted as saying, “They are more desperate vendors, happy to accept any kind of commercial product proposal, as long as some form of revenue is achieved.”

The Key Takeaway

Our takeaway and recommendations are relatively straightforward. While Oracle audits were never entirely routinized, the licensee could count on certain elements being largely predictable. However, over the last year, it has become clear that the rules are changing and, while much of the audit process remains familiar, fewer and fewer elements are entirely predictable.

This emerging mixture of the familiar and the unpredictable is all the more reason for the Oracle licensee to have an experienced guide through the audit process.