What Happens When Oracle Sends an Audit Letter

Oracle's audit notification is a formal legal communication, typically signed by a representative of Oracle's Global Licensing and Advisory Services (GLAS) team. It will cite the audit clause in your Oracle Master Agreement (OMA) or Oracle License and Services Agreement (OLSA), declare Oracle's intent to review your licence compliance, and request your acknowledgement. The letter may name specific products, or it may describe a sweeping scope covering "all Oracle software deployed across your organisation."

The letter is not an accusation of wrongdoing. It is the opening move in a structured process that Oracle uses across thousands of customers every year. Understanding that it is a process — with defined rights on both sides — is the most important mental reframe you can make in the first 48 hours.

What the letter is not: an emergency requiring immediate action. It is not a demand for payment. It is not a finding of non-compliance. And it is not a reason to panic, cancel IT projects, or begin any conversations with Oracle until you are properly prepared.

The Biggest Mistakes Organisations Make in the First 48 Hours

Before detailing what you should do, it is worth understanding the most damaging mistakes we see organisations make when an Oracle audit letter arrives. These errors are almost universal among first-time audit recipients, and they consistently result in worse outcomes:

  • Calling Oracle back the same day. There is no benefit to responding immediately, and significant risk. You have not yet reviewed your contracts, assembled a team, or assessed your position. Any conversation you have with Oracle before you are prepared can provide information Oracle uses to build its case.
  • Forwarding the letter to an Oracle account manager. Your account manager works for Oracle. Their objective is to close a commercial deal, not to protect your interests. Involving them early signals that you are not prepared and that a commercial resolution may be achievable quickly — which disadvantages you.
  • Sharing licence data before completing an internal assessment. Oracle will almost always ask you to confirm the scope of your Oracle deployments early in the process. Providing this before you have independently verified your entitlements and deployment position hands Oracle information it will use to build compliance gaps.
  • Accepting a broad audit scope without challenge. If Oracle's letter describes a sweeping scope — all business units, all environments, all Oracle products — that scope is negotiable. Many organisations accept it without questioning, then find themselves defending an unnecessarily large surface area.
  • Running Oracle's LMS scripts immediately. Oracle will typically request that you run its GLAS data collection scripts as part of the audit. Running these without first reviewing what they collect, and without checking the output before submission, routinely produces data that overstates your compliance gap.

"The organisations that achieve the best Oracle audit outcomes are those that slow down, get prepared, and challenge Oracle's process at every stage — starting with the first letter." — Morten Andersen, Co-Founder, Redress Compliance

Hour 0–4: Contain the Letter

The moment you receive an Oracle audit letter, your first task is containment — ensuring that the right people know about it and that the wrong people do not take uncoordinated action.

Do not forward it widely.

The audit letter should go to a defined set of stakeholders: your IT Asset Management lead, the relevant IT executive (typically the CIO or VP of IT Infrastructure), a senior procurement or vendor management manager, and your legal counsel or General Counsel. It should not be forwarded to the DBA team with a note to "sort it out", shared with your Oracle account manager, or discussed informally in Slack channels where uncoordinated responses might emerge.

Log the receipt date.

Document the exact date the letter was received. Your 45-day acknowledgement window starts from this date. This window is your most important asset in the first 48 hours — treat it with care.

Do not acknowledge receipt to Oracle yet.

Unless your contract requires a specific acknowledgement timeline shorter than 45 days (check your OMA or OLSA immediately), do not respond to Oracle until you are ready. The 45-day window is yours. Use it.

Hour 4–24: Assemble Your Response Team

Within 24 hours, you need a cross-functional response team in place with clear ownership. The team composition that works best in our experience:

  • Audit Lead: Typically the IT Asset Manager or Software Asset Manager. Owns all internal coordination, data gathering, and communications with Oracle. A single point of contact for Oracle is essential — multiple people communicating with Oracle is a major source of inconsistent information and unintended admissions.
  • Technical Lead: A senior DBA or infrastructure architect who understands how Oracle software is deployed across your environment — virtualisation platforms, database options in use, Java deployments, and middleware. This person will validate the technical accuracy of any data provided to Oracle.
  • Procurement / Vendor Management: Responsible for retrieving all Oracle contracts, Order Documents (ODs), and Customer Support Identifiers (CSIs). These documents define your entitlements and the audit clause that governs Oracle's rights.
  • Legal Counsel: Reviews the audit clause, confirms Oracle's rights and limitations, and advises on formal communication with Oracle. For complex audits, external legal counsel with software licensing expertise may be required.
  • Executive Sponsor: A CIO, CFO, or equivalent senior executive who can make commercial decisions if the audit progresses to settlement discussions. Their involvement signals to Oracle that this is a serious, managed process.

If your organisation does not have internal Oracle licensing expertise — and most do not — this is also the moment to engage an independent Oracle licensing adviser. Experienced advisers know Oracle's GLAS process inside out, understand the most common areas of compliance gap, and can challenge Oracle's scope and findings in ways that internal teams typically cannot. Redress Compliance's Oracle audit advisory team is available from the moment you receive the letter.

Hour 24–48: Review Your Contracts and Assess Your Position

With your team assembled, you can begin the two most important preparatory tasks of the first 48 hours: contract review and initial deployment assessment.

Contract Review

Pull every Oracle contract document in your possession. This includes your Oracle Master Agreement or OLSA, all Order Documents and Schedule of Purchases that define your licensed products and metrics, your current Unlimited Licence Agreement (ULA) or Perpetual Unlimited Licence Agreement (PULA) documentation if applicable, all Customer Support Identifier records, and any prior audit closure letters.

From these documents, identify and record: the specific audit clause and what it permits Oracle to do; the look-back period Oracle is contractually entitled to audit; any scope limitations (e.g., specific legal entities, geographies, or product families covered); and your current licensed product list and the metrics under which each product is licensed (processor, named user plus, employee, etc.).

If you have a prior audit closure letter, review it carefully. It should state the date as of which Oracle confirmed you were compliant. Oracle's ability to revisit findings before that date is typically contractually limited — a fact that many organisations do not know to assert.

Initial Deployment Assessment

Do not attempt a full technical assessment in 48 hours — that is not realistic and is not necessary at this stage. What you need is a high-level view of your Oracle deployment landscape: which Oracle products are deployed, on how many servers, under what virtualisation environments, and with which options or packs enabled.

This initial assessment serves two purposes. First, it helps your team identify the areas of highest compliance risk — the areas where you may have gaps that Oracle is likely to target. Second, it gives you a factual basis for pushing back on an overly broad audit scope when you engage with Oracle.

Common high-risk areas to flag in your initial assessment include: Oracle Database deployments on VMware or other non-Oracle-approved hypervisors; enabled Database Options (Partitioning, Advanced Security, RAC, Diagnostic Pack, Tuning Pack) without corresponding licences; Java SE deployments using Oracle JDK after January 2023; and Oracle middleware (WebLogic) on uncapped virtual environments.

What to Do About the Audit Scope

When you do acknowledge Oracle's audit letter, one of your most valuable moves is to challenge — or at minimum, clarify — the audit scope in writing. Oracle's initial letter often describes the broadest possible scope it can claim. Your contract's audit clause limits what Oracle can actually audit, and it is entirely legitimate to hold Oracle to those limits.

In your written acknowledgement (which should come from your Audit Lead or legal counsel, not from a DBA), state clearly that you are reviewing Oracle's request, confirm the date of receipt, and request that Oracle provide a written scope definition specifying the business units, legal entities, environments, and Oracle product families included in the review. Ask Oracle to confirm the contractual basis for the stated scope.

This single step — requesting written scope confirmation — frequently results in Oracle narrowing its stated scope, which reduces the surface area of the audit and limits the potential findings Oracle can pursue.

Communications Protocol for the First 48 Hours

All communication with Oracle during the audit must be managed carefully. The following protocol applies from the moment the letter is received:

  • All external communications with Oracle go through the designated Audit Lead only.
  • No technical staff should communicate with Oracle GLAS directly — all data requests must be routed through the Audit Lead.
  • All communications are in writing. Verbal conversations with Oracle should always be followed up with a written summary of what was discussed and agreed. If Oracle says it verbally, it does not exist.
  • No data is shared with Oracle until the internal assessment is complete and an independent reviewer has confirmed the data is accurate and does not include information outside the agreed scope.
  • No Oracle account managers, sales representatives, or cloud advisers are to be briefed on the audit until the technical findings phase is complete. Commercial discussions come after technical findings — not before.

Your 48-Hour Checklist

To summarise the key actions from the first 48 hours:

  1. Log the receipt date and calculate your 45-day acknowledgement deadline.
  2. Contain distribution — alert defined stakeholders only.
  3. Do not respond to Oracle or acknowledge receipt yet.
  4. Assemble your response team (Audit Lead, Technical Lead, Procurement, Legal, Executive Sponsor).
  5. Retrieve all Oracle contract documents.
  6. Identify your audit clause and contractual rights.
  7. Conduct an initial high-level deployment assessment to identify risk areas.
  8. Engage an independent Oracle licensing adviser.
  9. Draft a written scope challenge/clarification letter for when you are ready to acknowledge.
  10. Establish the single-point-of-contact communications protocol.

The organisations that navigate Oracle audits most effectively are those that treat the first 48 hours as a preparation phase, not a response phase. The time you invest now — in assembling the right team, retrieving the right documents, and understanding your contractual position — directly determines the quality of the outcome you will achieve months later when Oracle presents its findings.

A note on financial stakes: Oracle's annual support fee is 22% of net licence value and increases at 8% per year — compounded. Back-dated support fees calculated over a multi-year look-back at this rate can be substantial. Understanding this rate is important when evaluating any settlement that includes retroactive support charges.

If you have received an Oracle audit letter and need immediate guidance, contact Redress Compliance's Oracle audit advisory team. We are available from the moment the letter arrives.