Oracle Java Audit: What You Can Expect at Every Stage

Phase 1 — The Informal Inquiry: Oracle's Opening Move

The vast majority of Oracle Java audits do not begin with an official letter. They begin with a carefully worded email or phone call from an Oracle Java compliance representative or sales account manager. The message will typically reference "recent changes to Oracle Java licensing" and offer to help you "review your current Java deployment" or "ensure you have the right coverage in place."

This communication is not casual. Oracle is gathering information. Every answer you provide — about how many systems run Java, which versions are deployed, whether you have a current subscription — feeds directly into Oracle's calculation of your potential liability and their decision on whether to escalate to a formal audit.

Your immediate response should be: acknowledge receipt in writing, advise Oracle that the matter will be handled through your legal and procurement channels, and do not answer any specific questions about your Java environment at this stage. Form an internal response team — IT, legal, and a specialist Oracle licensing advisor — before any further engagement.

Phase 2 — The Formal Oracle LMS Audit Letter

If Oracle does not achieve a commercial resolution through the informal channel, or if your organisation is already on their formal audit schedule, you will receive a written notice from Oracle's License Management Services (LMS) or Global License Advisory Services (GLAS). This is the formal trigger of the contractual audit process.

The audit letter typically includes the following elements:

• A reference to the audit clause in your Oracle Master Agreement or applicable contract
• The specific products in scope — usually Oracle Java SE Universal Subscription and potentially other Oracle products
• The period covered by the audit (often 2019 or 2023 to present)
• A response deadline, typically 30 to 45 days from the letter date
• Contact details for the assigned LMS or GLAS audit manager

Upon receipt, your first action is a legal review of the audit clause in your Oracle contract. The contract specifies Oracle's audit rights, including permissible frequency, notice requirements, and the scope of data they can request. Many organisations provide far more than Oracle is contractually entitled to because they have not reviewed these rights carefully. Engaging legal counsel at this stage is not optional — it is essential.

Phase 3 — Data Collection: What Oracle Will Ask For

Once your organisation has acknowledged the audit, Oracle will issue a data collection request. This typically includes Oracle's own discovery scripts — usually PowerShell or shell scripts — and a structured inventory spreadsheet. Oracle expects these to be run across your entire estate and the results returned within the agreed timeframe.

What the LMS Scripts Look For

Oracle's discovery scripts scan for installed Java runtimes and development kits across servers, virtual machines, and endpoints. They identify the Java vendor (Oracle vs. OpenJDK distributions), version number, installation path, and whether the installation is within a known Oracle or third-party application bundle. The scripts typically identify all Java installations, not just those requiring a licence — which means Oracle's raw output will include many installations that are not in scope.

Your Obligation Before Returning Data

Do not run Oracle's scripts and return the output without independent validation. Before providing any data to Oracle, you must:

• Run your own parallel discovery using your CMDB, software asset management tool, or endpoint management platform
• Reconcile the two inventories and challenge any discrepancies
• Remove from scope any OpenJDK installations (Temurin, Corretto, Azul Zulu) that Oracle's scripts may have flagged incorrectly
• Identify Java within third-party application bundles and confirm with the vendor whether their licence covers your use
• Exclude pre-commercial JDK versions (8u202 and below) and any installations covered by the Oracle No-Fee Terms and Conditions

Oracle's scripts routinely over-count by a factor of two or more. Every installation you successfully remove from scope before returning data is one fewer installation in Oracle's claimed shortfall — and directly reduces your potential liability.

Phase 4 — Oracle's Findings: Reading the Compliance Gap Notice

After reviewing the data you provide, Oracle will issue a Compliance Gap Notice — their formal statement of the licence shortfall they have identified and the financial exposure they are asserting. This document is Oracle's opening commercial position, and it is not a final settlement figure.

The Compliance Gap Notice will typically include:

• Oracle's calculated employee count for your organisation
• The number of employees Oracle claims require a Java SE licence
• Oracle's applicable subscription price tier
• Back-support fees calculated at 8% per year, retroactive to the date Oracle alleges unlicensed use began
• A total financial demand that incorporates both the ongoing subscription cost and the retroactive back-support amount

In the majority of cases we have advised on, Oracle's initial findings overstate the client's true liability. Common errors in Oracle's findings include: use of inflated employee counts drawn from public filings rather than actual headcount; inclusion of installations that belong to third-party vendors; failure to apply contracted entitlements from other Oracle products; and incorrect calculation of the back-support start date.

Do not accept Oracle's findings without a detailed written challenge.

Phase 5 — Negotiation and Settlement

Once Oracle has issued its Compliance Gap Notice, the audit moves into a commercial negotiation phase. Oracle's goal throughout the audit has been a subscription contract — not litigation. This gives you leverage, provided you use it correctly.

Key Settlement Levers

The strongest lever you have is the accuracy of Oracle's data. A well-prepared defence that reduces Oracle's employee count, removes out-of-scope installations, and applies all available entitlements reduces the base figure Oracle is working from — and therefore the starting point for any back-fee calculation.

The second lever is timing. Oracle's fiscal year ends on 31 May, and its Q4 window — March to May — is when Oracle Sales and LMS teams face the greatest pressure to close commercial agreements. Settlements reached in this window consistently include larger back-fee waivers and better subscription terms than those reached outside it. If you can time your negotiation to coincide with Oracle's Q4 pressure, your commercial outcome will improve materially.

The third lever is migration credibility. If your organisation can demonstrate — with evidence — that you are actively migrating from Oracle JDK to an OpenJDK alternative such as Temurin, Corretto, or Azul Zulu, Oracle's leverage diminishes significantly. Oracle's commercial interest is a multi-year subscription contract; if migration is credible, Oracle must offer attractive terms to retain the business.

What a Good Settlement Looks Like

An effective settlement achieves four things: an agreed employee count that reflects your actual contractual obligation rather than Oracle's inflated estimate; a full or partial waiver of back-support fees; an annual subscription rate below Oracle's published list price, ideally with a contractual cap on annual increases below the standard 8% per year uplift; and a written release from further audit liability covering the period addressed by the settlement.

Never sign a settlement that does not include an explicit audit release clause. Without it, Oracle retains the right to re-audit the same period and potentially raise the same claims again.

The Most Important Rules to Follow During an Oracle Java Audit

Drawing on hundreds of Oracle audit engagements, these are the non-negotiable principles that separate favourable outcomes from costly ones:

• Never provide data verbally or informally. All data submissions should be formal, documented, and reviewed by counsel before submission.
• Never rush. Oracle creates urgency to limit your preparation time. Push back on deadlines where contractually permissible. Every day of preparation time is valuable.
• Never accept Oracle's employee count without scrutiny. Oracle's count is their opening position, not a verified fact. Your actual contractually-relevant employee population is frequently lower.
• Never ignore third-party application Java. Always verify with each application vendor whether their Oracle licence covers your Java usage within their product.
• Always insist on an audit release in any settlement. This is non-negotiable. A settlement without a release is an incomplete deal.

After the Audit: Proactive Steps to Prevent Recurrence

Once an Oracle Java audit is resolved, the smartest organisations immediately take steps to prevent the next one. The first priority is a definitive Java inventory — knowing exactly which Oracle JDK installations remain, which have been migrated to OpenJDK, and what your ongoing subscription obligation actually is. The second is formalising your Java governance policy: clear rules about which Java distributions are approved for use in your environment, with technical controls to prevent unapproved Oracle JDK installations.

For organisations with significant Oracle Java deployments, considering a phased migration to a supported OpenJDK distribution is the most powerful long-term risk reduction. Removing Oracle JDK from your estate eliminates Oracle's leverage entirely. This does not need to happen overnight — a twelve to eighteen month phased migration that prioritises high-volume, lower-risk workloads can reduce Oracle's commercial hold while maintaining continuity for your most critical applications.

Contact Redress Compliance for a post-audit remediation plan tailored to your Oracle Java environment.