This is the final post of a 3-part series on Oracle’s LMS Audit of the City of Denver.
In Part 1 we looked in detail at the Oracle LMS audit of the City of Denver. In Part 2 we examined some of the specific tactics Oracle LMS used against Denver so you can be prepared should Oracle LMS use those tactics against you. In this final Part 3, we do a little deconstruction of the Denver response and define what Denver could have done differently to completely avoid, or at the very least dramatically reduce, the Oracle LMS audit penalty.
The first thing Denver should have done was get help from the right people. I know this is a little self-serving from me, a guy who provides help to companies and public sector agencies being audited by Oracle. That being said, getting help makes all the difference in the world. Had Denver reached out to Palisade, you can be sure that Oracle would have adhered to the contractual notice period, as well as the “everything in email” requirements. There are other things that would have been done differently, but as you can see, the entire audit would have started with the client in a position of strength and control.
Make sure you get help from the right team. Don’t ask an Oracle reseller, tool vendor, or Oracle itself to help you with your audit. That kind of help is a disaster waiting to happen.
Have a Plan
It appears from the materials reviewed that Denver did not have a tight audit response plan when Oracle knocked on the door. If they did have a plan, it really was not effective. I say this because Oracle LMS crashed through every objection we saw and really ran the audit according to Oracle’s standard playbook.
If Denver had a plan, they could have imposed that on the process. Oracle contracts don’t really specify how an audit will be conducted. If it’s not in the contract then it’s up for negotiation. We didn’t read any emails where Denver told Oracle they have a software audit plan/playbook, and Oracle had to follow it. Big mistake.
When Oracle Escalates, Escalate Higher
Oracle LMS brought their attorney into this audit after Denver requested the audit be documented in email. That legal escalation threat appears to have worked as Denver quickly agreed to Oracle’s “demand”. In cases like this Denver could have gone way up the Oracle food chain and escalated to very senior executives and attorneys. I don’t know the laws in Denver, but if there really was an open records obligation, Denver should have pushed it. Make Oracle put everything in writing for all to see. I’ve seen Oracle’s customers escalate all the way to the CEO. Oracle LMS has no problems writing your C-Level Executives; you should have no problems doing the same thing. The key is knowing who to escalate to, when to escalate, and what to say. With our years of experience, those are all things Palisade could have helped Denver with.
Know the Answer Before Oracle
Oracle’s audit process is designed for you to give them all this information, in a format you can’t decipher (script output), and then put it in their black box until they tell you what they found. And Oracle will keep looking until they find something. Anyone who is audited by Oracle, including the City of Denver, should know their compliance position before Oracle knows it. That’s only common sense. You want to put your company in the best possible situation. In fact, you can even tell Oracle what the results are and have Oracle try and argue with your facts. Don’t let Oracle create their own set of facts.
Follow the Contract
If it’s not in the contract, it doesn’t exist. That’s a good rule to follow with an Oracle audit. I could be wrong, but given the size of the numbers being thrown around in the Denver audit, I can only assume the issues were around virtualization. It’s pretty safe to say that Denver’s Oracle contract probably didn’t say anything around virtualization. So why did Oracle get to pick and choose this policy to insert into this audit? The answer is simple: because Denver let them do it. Had Denver forced Oracle to stick to the contract this issue would have been resolved totally differently. I can assure you of that. Again, however, this is where there is an art to an Oracle audit response. You need to know when to force the contract, and when to let it go.
Using information available in the public domain and exposing what Oracle LMS and sales do in an audit situation should be both comforting and alarming for every Oracle customer. On the one side, as explained in this article, there are things that Oracle customers can do to better manage an audit and severely reduce or eliminate any non-compliance finding. Obviously, Palisade Compliance can assist any customer at any stage of an audit (from beginning to end).
On the other hand, Oracle has over 400 people in their audit department who do nothing but target and audit their customers. Day in and day out. In addition to Oracle, there are a slew of Oracle resellers, tool vendors, jack-of-all-trades firms, and individuals who claim they can help you in an Oracle LMS audit. Buyer beware when using one of those firms. They just can’t provide the support that a Palisade can.
I hope this series on the City of Denver was helpful and you learned some things about Oracle LMS and how to respond to their audits. Watch this space as we will be investigating additional audits and making information available whenever we can.