Oracle’s audit scripts gather increasingly wide swaths of data that are analyzed in their famously non-transparent process. This leaves Oracle customers in the position of proving a negative when Oracle makes a costly assertion and then refuses to disclose how they reached their conclusions. In every Oracle audit we challenge, our clients benefit from knowing what they are about to show Oracle and from holding Oracle accountable for the quality of their analysis.
Recently, I was working with a new client’s IT security group to negotiate our contract for services with their company. They were highly concerned about where their data was going, requiring very specific assurances in our contract. We were able to do this because analysis was being done by our US-based technical analysis team. During the negotiation, I mentioned, ‘You know Oracle is probably using an offshore team to analyze this data.’
You could have heard a pin drop.
“Impossible,” they said, “Oracle knows we do not want any data going offshore.”
And yet, here we are, I thought.
Turns out, not only was Oracle using an offshore team, one of our ‘independent’ competitors was offering a solution with a ‘white-labeled’ offshore analysis team from a third-party Oracle partner. Not so independent after all.
In recent years, Oracle shifted most of their audit analysis capability to their teams in Eastern Europe and other locations. This lets Oracle audit more customers for less money, and limits the ability of customers to challenge the audit methodology. Their audit process does not take into account agreements you might have in place for Oracle consulting services that limit offshore provision of service. This is because Oracle audits do not happen under a consulting agreement; they work off of a provision in your software license agreement.
All of this said, the specific data in script output is usually not highly sensitive from an IT security perspective. Even so, understanding where your data will go and how it will be used are key advantages of working with a transparent and reputable independent advisor.
As the market for third-party advisory services grows, the temptation is to hire offshore back-office groups to do data analysis because experienced on-shore staff are comparatively expensive. At Palisade, our analysis process is transparent, allowing clients to know who is accessing their data and why. This enables our clients to better control their Oracle relationship and their data!