What Percentage of Revenues do SAP and Oracle Get from Audits?

Executive Summary

  • Audits are big business for both SAP and Oracle; however, they hide the percentage from customers and Wall Street.
  • In this article, we discuss the percentage of revenues obtained from these audits.


Neither SAP nor Oracle can achieve their revenue objectives using normal means — and this is where the software audit comes in. With Oracle it takes the form of a highly extractive software audit. SAP has created a false licensing principle called indirect access, a concept that should be tried in a US court, but apparently so far has not. Both of these mechanisms are used to extract significantly more from customers than customers expected to pay.

The Percentage of Revenues from Each Vendor's Audits

The percentage of revenues that each vendor extracts from customers is a closely guarded secret, and both Oracle and SAP seek to minimize the figure in the popular imagination. One reason is that they want to surprise customers with audits and want the incidence of audits unreported. For example, if we look at the SAP user group ASUG (which is controlled by SAP) and Diginomica (which is paid by SAP) we can identify the media outlets through which SAP gets its word out:

The Drastic Difference from How SAP and Oracle Present Themselves to Wall Street Versus Reality

When it comes to Wall Street, both SAP and Oracle sell themselves as dynamic companies that have customers that are very interested in their new products, and in the fact that they are becoming increasingly cloud (which they are not). Therefore, the fact that a significant percentage of their revenues is coerced out of customers is not something SAP or Oracle wants Wall Street to know.

This leads to the question of what the percentage is. The following quote generally matches what we have heard about it.

An interesting statistic that Oracle gets 94% margins on support. I read an article some time back that the big ones, i.e. including SAP, get ~20% of their revenue from audits and going after their customers.. wonder how much they really make selling their products. Ask anyone who has been around the IT space for a long period of time and I believe you would have a hard time finding many say something positive about the big ERP vendors.., only that they are stuck with them. – Danny Borndal

Where is the Margin for Oracle and SAP?

There is not that much margin in the sale of the items, which is mind-boggling because Oracle and SAP software is extremely overpriced. Oracle’s database, its best product, is so overpriced compared to every other competing database (except HANA) it is a marvel how they don’t make that much money on the actual license. 

“It’s Time for Your Audit Sir”

Oracle is the best-known user of audits in enterprise software. And while Oracle proposes legitimate reasons for audits, in reality, Oracle uses audits in the most dishonest way imaginable. Oracle uses audits to control customers and drive them to things that Oracle would like them to purchase. Oracle’s attempts to legitimize their audits are undermined by the fact that no other software vendor uses audits in such an extreme fashion as Oracle. No other vendor places triggers in their software that are deliberately designed to be exploited during an audit. Oracle resources endorsing Oracle’s audits illustrate the fundamental corruption of the person attempting to defend such manipulative and abusive practices. An obvious question becomes apparent. If virtually all other vendors that charge far more reasonable prices for their software do not need to perform such audits, why does Oracle claim the right to do so?

So how do Oracle audits work in reality?

Booby Trapping the Installation

One strategy they use is to booby-trap the installation. A typical audit scenario we have seen is that Oracle delivers software with essentially all functionality enabled by default. The actual bill of material is not relevant. They put the onus on the customer to deactivate the functionality to tie out to the bill. However, few customers do this. Also, few Oracle consulting firms advise their customers to do this. As with the SAP consulting partners market, this is one of the many things that leads us to question how much the Oracle consulting partner market looks out for their customers versus looking out for themselves (and for Oracle).

This is covered in the lawsuit against Oracle by Union Asset Management Holdings AG.

Oracle would audit on-premises customers and upon finding violations, would threaten large penalties…unless the customer purchased cloud. Typically, the violation would be organisations caught out by Oracle’s tactic of enabling add-ons by default, and thus being found “using” software they hadn’t purchased.

It is alleged that LMS and the sales teams worked in tandem to identify large accounts and that, in some cases, the sales teams would write letters that the LMS team then sent to customers. Once customers had bought the cloud, LMS would close the file – without even a follow up to review the licensing position. – ITAM

Oracle knows when to audit the customer, as they placed the trap in the installation in the first place. When the audit hits the customer, Oracle will tell the customer something along the lines of the following.

“Look here this is what you procured yet you have transportation turned on, have you used this module?”

The customer often has no idea. Then the audit starts!

Oracle’s audits attack the entire stack, from apps and middleware to the database. Oracle then comes up with a number which conveniently matches or exceeds a sales rep's cloud quota. Then the horse trading starts, and they state something along the following lines.

“Your cost is 500k for all this illegal use of software. We’re also going to have to charge you interest based on time of use and this is going to get ugly.”

So a deal is cut.

“Buy 500k Oracle Cloud ANYTHING and we’ll make this problem go away.”

And then…

“Sign this non-disclosure and everything is fine.”

The Sequence of Events of an Audit

Let us review the sequence of events.

  1. Set the Audit Land Mine: The problem, in this case, is a landmine that is preset by Oracle to go off when the audit is conducted.
  2. Complicit Oracle Consulting Partners: Oracle consulting partners are complicit by not informing the customer as to the preset landmine. Any Oracle consulting partner that would advise their customer about the landmines in the implementation would put their partnership with Oracle on tenuous ground. This is why companies that have a history of helping customers with these types of issues, like House of Brick, are not Oracle partners.
  3. The Audit: Oracle then audits the account, knowing precisely what they will find as they set the landmine.
  4. The Determination of the Audit Bill: The Oracle sales rep works backward from their quota to determine the audit charge.

The solution is then for the customer to buy more software. The customer ends up paying exorbitant compensation to Oracle. The IT department is then motivated to somehow use the software they “purchased” to cover up for what happened.

However, when the sale of the item is reported to Wall Street, it is reported as if it is voluntary. Oracle does not set aside a part of its quarterly analyst calls to state that “40% of our cloud sales were coerced through audits of other products.” There is a lawsuit filed against Oracle for misrepresenting audit-led cloud purchases as a consequence of authentic demand at customers, which will be covered in more detail later in the book.

How Big of a Deal are Oracle Audits?

One should consider the seriousness of an Oracle audit concerning what it means for the work effort on the part of the customer. Oracle’s strategy is to drown the customer in paperwork to overwhelm their ability to respond to the audit. When Mars sued Oracle over their audit, Mars claimed that they were required to provide over 233,089 documents over a year period to Oracle.

Mars asserted that Oracle lied about the reasons it requested information.

“Oracle demanded information to which it is not contractually entitled regarding servers that do not run Oracle software and Mars personnel who do not use Oracle software,” Mars’ complaint read. “Oracle made these demands under false pretenses under false premises that non-use of software nonetheless somehow constitutes licensable use of software for which Mars owes Oracle.”

As is usually the case, this information is only available because it came out in a lawsuit. Non-litigated audits (which are nearly all of them) stay private. However, why would so many documents be requested by Oracle?

Oracle and VMware

According to Dave Welsh of House of Brick Technologies, this case in 2015 was the first litigation of Oracle on VMware. Oracle did not like this case to be discussed because it shed light on something they would prefer to do in the shadows which is Oracle’s pricing with respect to virtual machines. Dave Welsh proposes that Oracle settled out of court so quickly with Mars because Oracle did not want its claims around Oracle on VMware tested in court. This is because they want to continue to bring these same audits with the same set of assertions against other customers, as his following quote attests.

“I’m sorry that it appears Oracle opted not to appear in court. I’m also not the least bit surprised. In my opinion, Oracle appears interested in trying to see if it can get any more money out of any of its Oracle on VMware customers. It also appears to want to do that without a court’s evaluation.”

And Arthur Beeman, who was the lead counsel for Mars made the following statement regarding the outcome of the case.

“That filing…represented such a threat to Oracle’s practices as it related to the licensing that there was an agreement to immediately stay the matter… and then eventually there was a settlement and it was dismissed with prejudice less than two months after the filing.”

These are not uncommon experiences. AutoDeploy has experienced the audit scenario above with every one of their customers. It’s a feature of their sales process, not a bug.

The Lawsuit by the City of Sunrise Firefighter Fund

This is corroborated by the lawsuit brought by the City of Sunrise Florida Firefighter Fund that was brought up earlier in the book. The Firefighter Fund is suing Oracle for not disclosing that a portion of its cloud revenue reported as voluntary was anything but. This was, as asserted by the Firefighter Fund, because Oracle has been using audits to coerce customers into buying cloud products, and not telling investors. All while Oracle has made it appear as if the cloud business has been customers coming to Oracle asking to purchase cloud offerings.

Oracle also misleads customers in its documentation as to what the rules are about auditing, which is covered in the following quotation.

“Another area that causes confusion with many Oracle customers is the policy documents that Oracle publishes. Most of these documents (Partitioning Policy, Licensing Oracle Software in the Cloud Computing Environment, Licensing Data Recovery Guide, etc.) are not referenced by the agreement and are thus not binding in your contract with Oracle. The Partitioning Policy document is frequently cited by Oracle to customers running on VMware. Just remember that this document does not contain binding policy. There are some non-contractual documents, however, such as the Licensing Oracle Software in the Cloud Computing Environment (Cloud Environment) policy from Oracle, that are fundamentally different. In this particular document, Oracle is granting additional privileges beyond the contract, rather than restricting them. (emphasis added)”

SAP and Oracle must have been separated at birth!

This is because we found this exact issue with SAP when they released what was supposedly an announcement to ameliorate the concerns of their customers regarding something called indirect access. In a nearly identical pattern to that displayed by Oracle regarding audits, SAP pretended in their announcement to soften their position on indirect access, but the announcement instead served to claim more restrictive indirect access rules on customers. Brightwork Research & Analysis covered this topic in detail in the article SAP’s Recycled Indirect Access Damage Control for 2018.

How SAP Uses Indirect Access to Coerce Purchases

As a brief interlude, SAP has perhaps unsurprisingly been using indirect access to force cloud purchases as is covered in the following quotation from the book SAP Nation 2.0.

“Other customers report “gun to the head” behavior. In a spin-off situation, SAP demanded a hefty assignment fee, but offered an alternate multiyear contract on its cloud products, which the customer did not need. In another such situation, SAP threatened to invoke its “indirect access” clause (a tactic many customers report)-again, the customer was offered a cloud subscription as an alternative.”

Oracle also declares that they may change their license agreements at any time.

“Reliance on such documents may be risky, however, as Oracle expressly points out in the Licensing Oracle Software in the Cloud Computing Environment policy that it is non-binding and subject to change at any time. However, to the extent that Oracle is knowingly publishing extra-contractual documents on which its customers rely by making large investments, an argument can be made that Oracle should be estopped or prevented from changing course down the road, especially if such a change would cause injury to Oracle customers. Whether a court would accept this argument, or find that the customer proceeded at their own risk, is an open question.” – Pamela Fulmer

Audit Software Vendors that are Also SAP Partners?

Unfortunately, in order for a software company to build audit software for SAP, it must be an SAP partner. This means that it has restrictions by SAP on what it can say and what it can publish. I am in constant contact with many software vendors, and the complaints about SAP interference in what they can say and what they can do are unremitting. In fact, I am surprised that SAP would allow software vendors to offer an audit product, given what the promotional video from one of the software vendors states clearly about their product:

It ensures that you know more about your SAP system than anyone else, giving you the upper hand in any negotiation or audit.

Why would SAP want that? SAP clearly wants the upper hand. Snow Software states that they can

..save 20 to 30% savings on their SAP costs typically within weeks alone.

But again, this is money coming out of SAP’s pockets, and they have the right to decertify Snow or any other software vendor at any time. So if the audit vendors' statements are true, how are they still certified partners of SAP? What this means is that SAP has a say as to how the software vendor’s software actually works. SAP can and will threaten the software vendor with a removal of their SAP Certification, which would impact that software vendor’s ability to exist.

If I compare how the SAP partnership agreement is used with other vendors, SAP will use it to neuter the marketing of the vendor so that everything the third party vendor releases is consistent with the needs of SAP.

How the Total Costs are Hidden from SAP & Oracle Customers

A big part of the on-premises software model is that costs are hidden. It is a curiosity to participate in sales support and to see executives spend so much time focusing on the initial purchase cost when the initial purchase cost is such a small percentage of the overall TCO of any on-premises application or database.

With SAP and Oracle, costs are always hidden to the degree possible.

As with other on-premises purchases, the costs are absorbed as part of the overall IT budget. Costs don’t ever seem to decrease with SAP or Oracle. SAP and Oracle customers typically have their IT budgets overconsumed by SAP and Oracle, and this leaves areas unaddressed because SAP and Oracle don’t offer everything necessary to run a company, or at the very least to run it well.


Both SAP and Oracle have a strategy set up around auditing or applying indirect access to their customers. Furthermore, both vendors have what amounts to fake purchases, because the way that auditing fees and indirect access fees are paid is through purchasing software — often software that is unwanted and ends up unused. That is, neither SAP nor Oracle has a line item on its income statement that says “audit income” or “indirect access income.”

Both companies are very happy to have Wall Street think that every single dollar that is paid to these companies is voluntary on the part of their customers.

The Necessity of Fact Checking

We ask a question that anyone working in enterprise software should ask.

Should decisions be made based on sales information from 100% financially biased parties like consulting firms, IT analysts, and vendors to companies that do not specialize in fact-checking?

If the answer is “No,” then perhaps there should be a change to the present approach to IT decision making.

In a market where inaccurate information is commonplace, our conclusion from our research is that software project problems and failures correlate to a lack of fact checking of the claims made by vendors and consulting firms. If you are worried that you don’t have the real story from your current sources, we offer the solution.

Financial Bias Disclosure

Neither this article nor any other article on the Brightwork website is paid for by a software vendor, including Oracle, SAP or their competitors. As part of our commitment to publishing independent, unbiased research; no paid media placements, commissions or incentives of any nature are allowed.

