A vendor license audit by any other name… is still an audit


February 12, 2021

As experts in enterprise license optimisation, we are all too familiar with the intricacies of license audits and the behaviours displayed by vendors. Audits are notoriously tricky and can be stressful for staff running scripts and liaising with the vendor whilst wondering if they’ve caused potential problems. We have numerous blogs and resources on the topic (listed at the end of this blog) to help prepare businesses for a license audit or support them during the various phases.

You might be forgiven for assuming that an audit is an audit; however, this is not always true. There are several different types of audit, and understanding the various approaches and their objectives is important. This post presents the view our license experts have gained over many years of working with Tier 1 software vendors and their customers in license audit scenarios.

Oracle Audit Approaches

Oracle has a number of approaches, including ‘audits’, ‘reviews’, ‘can you provide some information on …’ and ‘license health checks’. They vary only in the initial formality and in how they obtain the data. However, they can all end in a formal dispute and a formal claim of non-compliance.

If you were to submit to a license health check or license review, innocently thinking that there is some sort of goodwill and help from the vendor, only for them to find non-compliance, they would then switch into a formal mode, often issuing a formal report and proceeding down a dispute route for you to resolve the license issue commercially.

This rapid escalation into a position of non-compliance, after you have revealed information to the vendor in good faith, will be maintained until you have come to an agreement with Oracle. They won’t say ‘We have found this issue. Do you want to go and fix it and then we’ll come back and audit you later?’ They will act on that information there and then, with no chance for remediation. This is critical: you will more than likely pay over the odds, often for something you don’t need.

So, our advice would be to stay alert when Oracle approaches you about licensing, whether it’s directly or via one of their partners. Some partners do outsourced auditing for Oracle: these outsourced partners, part of the Joint Partner Engagement (JPE) programme, do not get paid by Oracle. The only thing they get by way of compensation is the resale of licenses for discovered non-compliance. So, it’s in their interest to find non-compliance and to generate a large number, so that they get paid for the effort that they have put in.

This clearly does not put the customer first and should lead customers to question where the priorities of any partner in the JPE programme lie.

Microsoft Audit Approaches

Microsoft are not as programmatic as Oracle in terms of running through every customer and trying to do some form of audit. However, organisations still need to prepare for an audit and defend against it if it takes place.

Typically, there are 3 types of motions when it comes to Microsoft auditing:

The LCC — License and Contracts Compliance audit. Initiated off the back of the terms and conditions within your EA, MPSA or Select Plus Agreement. Microsoft will pay one of the Big 4 accounting firms to audit your organisation. This tends to be targeted at the larger sized client. These types of audit still take place and can occur for any reason.

SAM baseline — retired in the last 2 years and replaced with the Microsoft Solution Assessment Program. This doesn’t focus on the delivery of an effective license position; it focuses on the delivery of a ‘value added’ engagement to help customers plan for and right-size their potential move to the cloud for Office 365, Microsoft 365 or Azure. Microsoft would say that this is not a compliance engagement and that there is no license position output. However, we would exercise caution in relation to the information that you give to Microsoft if your organisation has a concern around its license position. For example, Microsoft running an assessment on a datacentre to understand how much it’s going to cost on Azure might throw up some awkward questions if you haven’t bought Windows Datacentre licenses.

Self-verification — a phone-based individual calls the organisation and asks you to fill out a questionnaire. Depending on how you fill it out, you could either be asked more questions, which could lead to a potential license exposure, or there is no further action. This can be quite a laborious exercise and takes quite a lot of effort from the customer to answer the questions in the right way. We have probably seen a drop-off in that activity in the developed world; however, it is definitely taking place in some of the emerging markets, where there is probably not the same concentration of cloud.

Microsoft are probably one of the fairer vendors to deal with as part of an audit in terms of the risks and where they are identified. Microsoft will try to look forward with the customer and understand how to fix the problem, as opposed to looking at it retrospectively. They will want to understand what you are planning and how they can close the gap with new software whilst addressing some of your future requirements.

The risk associated with this is that you will have to front-end investment in potential cloud services that you haven’t completed the necessary planning for. As a consequence, you may end up creating shelf-ware or jumping in with both feet into a particular product set that might not actually be the best fit for your business needs. This can create cost overruns, waste, and redundancy.

So even though the concessions that Microsoft are offering (as part of an audit-type activity) tend to be a lot more co-operative, it’s always good to understand this, so that you are not creating waste and redundancy further down the line.

