How to Netflix Oracle’s blockbuster audit model

Terms and conditions apply. Lawyers need not

Opinion It's a good rule of nostril that if your litigation department is a source of revenue, your business model stinks. The law is there to discourage delinquent behavior when all else fails, not to amplify power for profit. If there's a better, fairer way to stop naughtiness, you should try that first.

Let's pick a random example of, oh, let's say, software audits. On their face, they fall into a well-established tradition between companies of checking the books for financial irregularities. Regulators can set rules demanding financial audits to keep things honest, and are happiest if they find nothing wrong. Software audits agreed by contract should be the same, just a way for suppliers to keep customers honest about licensing.

They're not like financial audits, of course. The supplier gets to set the licensing conditions and won't do business unless the contract is to their taste. There's no oversight; the market is supposed to keep the suppliers honest. If you don't like the slime, don't sign on the line. That may not work. If you're a supplier with ecosystem residency, you'll soon discover some tasty tricks. For example, you might make your licensing schemes opaque, or easier to break than keep. Then have an aggressive audit policy with aggressive post-hoc compliance if your customer errs. That can be a lucrative vein to mine, and nobody's going to stop you.

Which is of course not the reason Oracle, to pick a company at random, makes up to an estimated $3 billion – six percent of total revenue – from audits. Unusually sloppy or scofflaw customers, hey, they never learn. Nor can one ascribe aggressive avarice to the recent report of an overly broad audit that seemingly tried to apply 2019 terms and conditions to a contract signed in 1999. Oversight and over-enthusiastic interns, perhaps.

So, what can be done about that six percent surcharge on revenues due to big, serious companies' inability to cope with Oracle's big, serious licenses? Since the most charitable explanation for these highly profitable audits is human mistakes, let's go a la mode and automate compliance. Have the software audit its own usage and give the customer a warning if limits are about to be exceeded. If the customer goes ahead anyway, Oracle will know at once and there's no need to send the goon squad. There's no point in rolling the dice if you know you're going to lose, after all.

The beauty of this is that Oracle's database software is very good at auditing. Immaculate records are kept of transactions and the other stuff that corporates simply adore knowing about for all their compliance and best-practice needs. It's a technology that Oracle has mastered. It's known and trusted and will be acceptable to even the most risk-averse and security-sensitive of clients. And if you'd rather not, then you're no worse off than before.

Which, alas, would not be the case for Oracle. It could put up all fees by six percent, of course, but that would be harsh on the honest and scrupulous. We must reluctantly assume that Oracle acts in the name of shareholder value. Sad to report, software giants don't always do the right thing by their corporate base.

Let's mix things up. Don't look at that $3 billion as corporate fines for malfeasance, but as the size of the market in audit avoidance. That's much the same attitude Netflix took at its inception with its pre-streaming "No late fees, ever" policy – directly attacking the business model of companies such as Blockbuster, which in 2000 collected $800 million or ten percent of revenue in late fees from customers. That message resonated with them.

How do you auto-audit your software? You look at your licensing rules, and every time you spin something up, plug something in or run something useful that is mentioned in your Oracle contract, you check against inventory and raise a warning if the new state breaks the rules. Keep a good audit trail – as mentioned, Oracle may be a good choice here – and if you're feeling cheeky, send a daily report by email to Oracle's audit department.
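A sketch of the self-audit loop described above, added here as illustration rather than anything from the article or from any real licensing tool: it assumes a contract expressed as a per-product cap on "units" (a stand-in for whatever metric the contract counts), refuses a change that would breach the cap unless the customer explicitly overrides, and keeps a hash-chained trail so that a later dispute can check the record was not quietly edited.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # chain anchor for the first audit record


@dataclass
class SelfAudit:
    """Tracks units in use per product against an assumed contract of unit caps."""
    limits: dict                                  # product -> licensed units (assumed metric)
    inventory: dict = field(default_factory=dict)  # product -> units currently in use
    trail: list = field(default_factory=list)      # append-only, hash-chained records

    def _record(self, event):
        # Every record commits to the previous record's hash, so altering an
        # earlier entry breaks every hash after it.
        prev = self.trail[-1]["hash"] if self.trail else GENESIS
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.trail.append({"event": event, "prev": prev, "hash": digest})

    def request(self, product, delta, override=False):
        # Check the proposed state against the contract *before* applying it.
        # 'warning' means the change was refused; 'breach' means the customer
        # went ahead anyway and the trail now says so.
        proposed = self.inventory.get(product, 0) + delta
        if product not in self.limits:
            status = "unlicensed"
        elif proposed > self.limits[product]:
            status = "breach" if override else "warning"
        else:
            status = "ok"
        if status in ("ok", "breach"):
            self.inventory[product] = proposed
        self._record({"product": product, "delta": delta, "units": proposed,
                      "limit": self.limits.get(product), "status": status})
        return status

    def verify_trail(self):
        # Recompute the chain; False if any stored record was altered.
        prev = GENESIS
        for rec in self.trail:
            body = json.dumps(rec["event"], sort_keys=True)
            if rec["prev"] != prev or hashlib.sha256((prev + body).encode()).hexdigest() != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def daily_report(self):
        # Per-status counts: the kind of summary the article suggests mailing to the supplier.
        counts = {}
        for rec in self.trail:
            counts[rec["event"]["status"]] = counts.get(rec["event"]["status"], 0) + 1
        return counts
```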

It works best if everyone's using a common package, so make it open source to create a much bigger headache if Oracle decides to risk antitrust and go after auto-audits. For maximum fun, create a for-profit support and insurance outfit that can afford to indemnify users. That'll sharpen attention all round, but you've got a $3 billion market to play with. That's how much the industry will effectively earn for itself if it gets this right.

None of this will stop the auditors coming in, at least at first. Thing is, if the raiding parties keep returning to base empty-handed, that's just no fun any more. Plus, that FOSS software and business model? It'll extend nicely wherever audits do the work of darkness.

It's all so nicely capitalist, using market thinking to break down gatekeeper abuse, all entirely within the rules of the game and compatible with even the biggest enterprise. Bad business models stink because they're dying. It's time IT's own late fee model becomes late as in the late Arthur Dent. ®
