by Jeff Lazarto

SAP and Oracle audits – US constitutional principles do not apply

Oct 10, 2018

While businesses are not required to have separate committees to draft, enforce and adjudicate company policy, we expect some form of these principles to apply, even in the private sector.

The US Constitution is the foundational document establishing the laws of the land and the creation of the federal government. One of the key concepts in the US government system is the separation of power between the legislative branch (creates laws), the executive branch (enforces laws), and the judicial branch (applies laws to the facts in cases alleging legal violations). For most US citizens these principles form the basis for how we view the fair and equitable creation, execution, and adjudication of laws.

However, the US Constitution only applies to government action, not private action. This is why businesses are not required to have separate committees to draft, enforce, and adjudicate company policy. Look no further than the recent enforcement of NFL policies for proof. Yet our underlying sense of fairness is formed by Constitutional principles and we expect some form of these principles to apply in the private sector.

The challenge with software audits is that these Constitutional principles are sorely lacking.

Legislative branch

SAP and Oracle are the legislative branch by and large. They create their licensing policies, rules, and procedures, and retain the ability to modify them as they may unilaterally determine. After all, it is their intellectual property and they have the right to determine the rules under which they license their intellectual property. Their attitude is, if you do not like how we license our products, then you do not have to purchase them. Fair enough. But many companies have concerns that the rules are not clearly defined, are overly vague, and are open to much interpretation. Therefore, confidence in compliance is tenuous.

Executive branch

SAP and Oracle also play the role of the executive branch in enforcing their licensing rules, thereby crossing the separation of powers boundary. This can be unsettling to many when coupled with SAP and Oracle reserving the unilateral right to modify their licensing rules. Nonetheless, many still believe that fairness can prevail, until they realize who effectively controls the third branch.

Judicial branch

SAP and Oracle also effectively play the role of adjudicating their own policies. When you look at an audit, SAP and Oracle are the ones making the unilateral determination that an organization has violated their licensing rules, based on rules drafted and interpreted by SAP and Oracle. Ultimately an organization can dispute SAP’s and Oracle’s findings in a court of law, but that represents a secondary adjudication that in many cases is not a viable option because SAP and Oracle can exercise their self-help remedy to terminate the licenses in the event the fees are not paid. Companies can still pursue formal legal action, but after paying the fees to keep the licenses and the business running, and the internal political capital fallout associated with bringing a lawsuit, this is a path very seldom taken.

In effect, SAP and Oracle play the role of all three branches as it relates to software license audits.

This ability of SAP and Oracle to unilaterally determine how to draft, enforce, and interpret their licensing rules offends our typical notions of fairness and justice, and is the root cause of the strong emotional feelings evoked for many individuals responding to an audit. Of course, SAP and Oracle are well aware that they largely control these three branches and are not afraid to be bold in using these powers to help incentivize/persuade/coerce their customers to settle audit claims through additional license fees.

So how can SAP and Oracle restore our sense of fairness and justice to their licensing rules and audit process? 

Here are a few suggestions:

Have all licensing rules expressly stated directly in the licensing agreement

These rules would not be subject to unilateral modification in a separate licensing policy incorporated by reference into the agreement and would allow you and your company to fully understand the licensing rules you are accepting by signing the agreement.

Draft clear and concise license rules by removing as much vagueness and ambiguity as possible

For example, SAP’s interpretation regarding what constitutes “use” is extremely challenging; so much so that SAP won’t even provide guidelines when asked to do so. Any action that invokes the processing capabilities of the SAP software may constitute “use.” Unfortunately, the determination of “use” is often what SAP says it is in that particular case.

All clients want to be in compliance, but many unwittingly fall out of compliance because they do not understand the licensing rules, the rules have subsequently changed since licensing the software, or enforcement of the rules has changed. You may have experienced feeling extremely frustrated because you do not know or understand the rules and therefore maintaining compliance feels like a futile task. Much of this can be easily avoided if SAP and Oracle choose to draft clear and concise licensing rules in their agreements.

Create an independent software licensing judicial body that adjudicates audit disputes

As mentioned above, many people still believe fairness and justice can prevail with SAP and Oracle controlling the legislative and enforcement branches, provided there is a truly independent judicial branch that is a viable option. Creating an independent software licensing judicial body would allow you to raise your interpretations of the licensing rules, explain how you are using the software, and why you do not believe your company violated the licensing rules.

A big part of the challenge is that many feel they are not afforded a real opportunity to be heard, because under the current system you must tell your side of the story and try to persuade a judicial audit board made up of the same people who are prosecuting you. It resembles SAP and Oracle playing the three-headed role of judge (interpreting the law), jury (deciding the facts), and executioner (carrying out the punishment).

With the establishment of a truly impartial and independent third-party adjudicator, you will have the opportunity to be heard and are more likely to respect the findings and learn how to change your internal policies to better comply in the future. The findings of this independent judicial body do not even have to be binding, but having an independent judicial body that specializes in software licensing audits would greatly improve the perceived fairness of the audit process, expedite findings, and alleviate the strong negative emotions that linger long after the audit is completed and hurt both parties.

So why haven’t SAP and Oracle proactively implemented the above suggestions, and what is the impact on clients?

The first part is simple – money! Licensing policies that are vague, ambiguous, and subject to unilateral change afford SAP and Oracle greater flexibility to alter the rules or their interpretations of the rules to extract more licensing fees downstream. This flexibility can be applied to new technology that provides clients with greater value from their prior software licenses (e.g., VMware used with Oracle technology products), to previously unanticipated software usage (e.g., utilizing SAP software through interfaced third-party systems), or used as a lever to extract additional license fees to offset a slow sales pipeline.

Additionally, SAP and Oracle want visibility into clients’ IT strategic roadmaps and new project initiatives to generate new sales opportunities. Complex licensing rules incentivize clients to ask for permission and approval before making decisions, thereby providing SAP and Oracle with an opportunity to present their solutions to address client requirements. Then the threat of an audit encourages clients to select SAP’s and Oracle’s solutions over third-party solutions.

For clients, the impact of vague licensing rules is exposure to unplanned and unbudgeted additional license fees. Further, clients want to maintain their autonomy in running their businesses, and not have to seek permission and consult SAP and Oracle for every business decision. Boards and executive teams expect their IT and procurement teams to be able to manage license compliance without assistance from SAP and Oracle. So, when audits go awry, and millions of dollars are owed, someone must take the blame, which can result in people getting fired. This leads to further distrust and negative emotions towards SAP and Oracle, resulting in an unwillingness to expand their SAP and Oracle footprints.

The bottom line is – both sides lose – and the root cause is the short-sighted approach of SAP and Oracle. If SAP and Oracle follow the suggestions above and take an approach of helping clients remain compliant with clear and concise licensing rules instead of trying to set up land mines for clients to fail, clients would view them much more favorably as long-term partners with a vested interest in helping them succeed. Removing the fear, uncertainty, and doubt with respect to licensing rules and audits would encourage clients to be more open and work collaboratively with SAP and Oracle, resulting in more sales opportunities and a greater desire by clients to expand their SAP and Oracle footprints. In this case, both sides would win!