As part of Insight’s Oracle LCS Projects, our Oracle LCS consultants review client’s contracts carefully, either as part of a usage verification or as part of their contract negotiations. Throughout a recent project, it was noticed that Oracle had made an important change in their contractual audit clause.
This change took place in the same way Oracle makes all its changes, without any communication whatsoever. This was simply through publishing a new version of the contract document in April 2019.
Upon reviewing this new clause, we immediately understood the importance of these changes and the need for clients to be aware of them.
Oracle’s previous audit clause stated the following:
“Upon 45 days written notice, Oracle may audit your use of the programs. You agree to cooperate with Oracle’s audit and provide reasonable assistance and access to information. You agree to pay within 30 days of written notification any fees applicable to your use of the programs in excess of your license rights. If you do not pay, Oracle can end your technical support, licenses and/or this agreement. You agree that Oracle shall not be responsible for any of your costs incurred in cooperating with this audit.”
This has now changed to:
“Upon 45 days written notice, Oracle may audit your use of the Programs to ensure Your use of the Programs is in compliance with the terms of the applicable order and the Master Agreement. Any such audit shall not unreasonably interfere with Your normal business operations.
You agree to cooperate with Oracle’s audit and provide reasonable assistance and access to information reasonably requested by Oracle. Such assistance shall include, but shall not be limited to, the running of Oracle data measurement tools on Your servers and providing the resulting data to Oracle.
The performance of the audit and non-public data obtained during the audit (including findings or reports that result from the audit) shall be subject to the provisions of section 8 (Nondisclosure) of the General Terms.
If the audit identifies non-compliance, You agree to remedy (which may include, without limitation, the payment of any fees for additional licenses for Programs) such non-compliance within 30 days of written notification of that non-compliance. If You do not remedy the non-compliance, Oracle can end (a) Program-related Service Offerings (including technical support), (b) Program licenses ordered under this Schedule P and related agreements and/or (c) the Master Agreement. You agree that Oracle shall not be responsible for any of Your costs incurred in cooperating with the audit.”
The changes in the clause which have an important impact, either positive or negative, are threefold:
One of the most important changes is that Oracle now states that the client will need to provide reasonable assistance, which includes but is not limited to “the running of Oracle data measurement tools on Your servers and providing the resulting data to Oracle”.
This stipulation had not been included before and dramatically changes the rules of the audit. Previously, customers had the possibility to refuse running the Oracle scripts while still providing the information Oracle required to perform an audit in line with their contractual obligations. This new audit clause makes it impossible to refuse this request from the Oracle auditing team. Clients become contractually obliged to run the scripts and provide the outputs to Oracle.
One piece of advice we would share on this would be to negotiate an addition to the audit clause, stipulating that these measurement tools will only be run upon review and approval by the client’s security department. From a security point of view, it is never advised to run ‘foreign’ tools in an environment without such an approval process having taken place. However, there is no guarantee that this addition will be accepted. Based on our experience it is very unlikely that a client will be able to negotiate a removal of this measurement-tools clause altogether.
One commonly used approach for slowing down an audit is to sign a Non-Disclosure Agreement as the first step in an audit, as the previous contracts did not include terminology which sufficiently protected client data in this context.
By referencing the Non-Disclosure clause in the General Terms of the agreement, Oracle aims to simplify this process for clients, but mainly for themselves, as this NDA signature often takes a long period of time to complete.
Another interesting change is the fact that the Audit clause in Schedule P (Programs) now states that customers have 30 days to “remedy” the compliance situation. The previous clause stated that customers had 30 days to PAY any fees related to customers using the programs in excess of their license rights.
This adjustment can be interpreted to mean that clients now have a 30-day period in which they are able to change their Oracle deployment setup to align with Oracle’s licensing rules. When this results in a compliant situation, no financial indemnification should be required to finalise the audit.
For example, a client that had deployed database management packs without actually using them has the possibility of uninstalling the software within 30 days without having to pay Oracle the associated fees for the finding.
It is important to note, however, the words between brackets after “remedy”, namely “which may include, without limitation, the payment of any fees for additional licenses for Programs”. In other words, Oracle will continue to ask for payment. We assume that it will be up to the client to push for “remedy” as a solution to the audit findings.
The audit clause has clearly changed in a material way, which impacts the alternatives clients have in dealing with Oracle’s audit practices.
Previously, clients could use their contractual audit clause as a means to buffer the audit process and where possible gain time and reduce risk. Oracle has now aimed to counter this practice. On the other hand, the changes are not all negative. The mention of remediation of compliance in this new clause seems to indicate that Oracle might be softening their very hard auditing strategy towards clients. Or is this just an impression and nothing effectively changed?
For more information on the impact this change will have on your organisation or the remaining alternative options, please contact our consultants on LCS.Oracle@insight.com