Understanding the Oracle Audit Process
Oracle's licence audit programme is conducted by its Global Licensing and Advisory Services (GLAS) team — formerly LMS (Licence Management Services). GLAS operates globally and audits thousands of Oracle customers every year. The programme is structured, disciplined, and designed to maximise Oracle's commercial outcome at each stage.
Understanding that the Oracle audit is a process — not a random event, not a penalty, and not a judgment — is fundamental to responding effectively. Every stage has defined roles, standard tactics, and established leverage points. The organisations that achieve the best outcomes are those that understand the process well enough to manage it rather than react to it.
The Oracle audit process has five principal stages: notification, scope definition, data collection, findings and challenge, and commercial resolution. Each stage presents specific opportunities to protect your position — and specific traps that can worsen it.
Stage 1: The Notification Letter
Oracle's audit notification arrives as a formal letter from GLAS, citing the audit clause in your Oracle Master Agreement (OMA) or Oracle License and Services Agreement (OLSA). It will typically state Oracle's intent to review your compliance with Oracle's licensing policies, list the contractual basis for the audit, and request acknowledgement. The letter may name specific products or describe a broad, organisation-wide scope.
Your obligations at this stage are minimal: you must acknowledge receipt within the timeframe specified in your contract (typically 45 days), and you must cooperate with the audit process as defined in the audit clause. You are not required to respond immediately, provide any data, or engage in any commercial discussions.
What to do: Log the receipt date, restrict the letter to a defined response team, retrieve your Oracle contracts, and engage an independent Oracle licensing adviser before taking any other action. Do not respond to Oracle, contact your Oracle account manager, or share any deployment information at this stage.
Read our dedicated guide on what to do in the first 48 hours after receiving an Oracle audit letter for a detailed action plan for the initial notification phase.
Stage 2: Scope Definition and Kickoff
Once you acknowledge Oracle's audit notification, Oracle will schedule a kickoff call. This call aims to confirm the audit scope — the business units, legal entities, geographic locations, and Oracle product families covered — and establish the timeline and data collection methodology.
The kickoff call is one of the most important moments in the entire audit. Organisations that accept Oracle's stated scope without challenge commit to defending a potentially unnecessary surface area. Organisations that challenge the scope, demand a written scope definition, and push back on elements outside the contractual audit clause immediately reduce their exposure.
What to do: Before the kickoff call, review your audit clause carefully. Identify which legal entities, geographies, and products Oracle is contractually entitled to audit. Demand a written scope document from Oracle before or during the kickoff. Challenge any scope elements not explicitly authorised by the contract. Request that Oracle confirm scope in writing before data collection begins.
Common scope challenges that succeed include: limiting the audit to the specific legal entities named in Oracle contracts; excluding recently acquired businesses whose Oracle licences have not yet been formally transferred; limiting the product scope to products listed in Order Documents; and excluding environments contractually designated as development or test where licence obligations differ.
Stage 3: Data Collection
Data collection is the technical core of the Oracle audit. Oracle's GLAS team will typically request that you complete an Oracle Server Worksheet (a spreadsheet documenting all servers running Oracle software) and run Oracle's GLAS data collection scripts — a modular toolkit that collects information about Oracle deployments, enabled database options and packs, user counts, and hardware configurations.
This stage is where the largest compliance gaps are identified — and where the most mistakes are made by organisations that are unprepared.
The Oracle Server Worksheet
The Server Worksheet requires you to list every server on which Oracle software is installed, including the hardware specifications, virtualisation configuration, and Oracle products deployed. Accuracy here is critical: an incomplete or inaccurate Server Worksheet becomes the basis for Oracle's compliance calculations. Errors in your favour that Oracle discovers later give Oracle leverage. Errors in Oracle's favour that you fail to catch inflate your compliance gap.
The GLAS Collection Scripts
Oracle's collection scripts gather technical data from your database and application servers. They detect which Oracle Database options and packs have been enabled — including options that may have been switched on inadvertently or historically without a current business need. They also detect processor counts, user counts, Java deployments, and middleware configurations.
Critical warning: Oracle's scripts are known to collect information beyond the agreed audit scope in virtualised environments. Scripts run on a host running VMware may report processor counts for the entire physical host — not just the processors allocated to Oracle VMs — if Oracle's preferred licensing interpretation of that environment is that no hard partitioning exists. Before running any scripts, your technical lead and independent adviser must understand exactly what each script collects and how the output will be interpreted.
What to do: Never run Oracle's collection scripts without first conducting your own internal assessment using the same or equivalent tools. Compare your internal results with Oracle's script output before submitting anything to GLAS. Review all script output with your independent adviser. If the output contains data outside the agreed scope, challenge its inclusion before submission. You are entitled to review everything Oracle receives before it becomes part of the audit record.
Stage 4: Findings, Challenge, and Analysis
After data collection, Oracle's GLAS team produces a preliminary compliance report. This report states Oracle's view of your licence position — the products and quantities you are alleged to have deployed without adequate licence coverage — and calculates the shortfall in licences required, expressed at Oracle's current list prices. Back-dated support fees (at 22% of licence value per year, increasing at 8% per year) are typically added to amplify the headline figure.
The preliminary findings report is not final. It is Oracle's opening position — and in almost every case, it contains errors, overstated claims, and interpretations that are not supported by the contractual terms that govern your Oracle licences.
How to Challenge Oracle's Findings
Every finding in Oracle's report should be reviewed against four questions: Is the technical data accurate? Is Oracle's interpretation of the data correct under your contractual licensing metrics? Does the finding reflect Oracle's current licensing policy or an older policy that was not in effect during the relevant period? Is the finding within the agreed audit scope?
Technical data errors are common. Oracle's scripts miscount processors in VMware environments. They detect enabled Database options that may have been enabled by default or by Oracle-managed processes without customer knowledge. They misidentify Java SE versions. Each of these errors can be challenged with documented counter-evidence.
Interpretation disputes are also frequent. Oracle's preferred interpretation of processor licensing in virtualised environments is more aggressive than what many contracts actually require. Named User Plus calculations based on user counts may be disputed if the count methodology used does not match the contractual definition. Java SE employee counts can be challenged if Oracle's count includes categories of worker not covered under the subscription model.
What to do: Do not respond to Oracle's preliminary findings immediately. Conduct a thorough internal review of every finding with your technical team and independent adviser. Prepare a written response for each finding you dispute, citing the specific data error, policy misinterpretation, or contractual basis for the challenge. Request a formal meeting with Oracle's GLAS team to present your counter-analysis. Never accept findings verbally or without a written record of what has been agreed.
Stage 5: Commercial Resolution and Settlement Closure
Once the technical findings have been finalised — either through agreement or exhaustion of challenges — Oracle typically hands the audit from GLAS to its commercial sales team. The sales team will present settlement options, which generally involve purchasing new licences, converting to a ULA or subscription, or accepting a cloud commitment on OCI.
This is the negotiation phase, and it is where your commercial leverage is greatest — if you have played the technical phase correctly. An organisation that has successfully reduced Oracle's initial findings through documented challenges enters the commercial phase with a smaller liability, better knowledge of the actual compliance position, and clearer understanding of what Oracle can and cannot prove. All of these improve negotiating outcomes.
Oracle's support fees increase by 8% per year — this rate is important to understand when evaluating settlement proposals that include back-dated support charges. Oracle will frequently offer to reduce or waive retroactive charges as part of a forward-looking commercial agreement. Accepting Oracle's first settlement proposal almost always means overpaying. The settlement is negotiable.
Oracle's fiscal year ends on 31 May. The Q4 window from March to May creates meaningful internal pressure within Oracle to close outstanding audits. Timing your settlement engagement to coincide with this period can improve discounts and commercial flexibility.
After settlement, insist on a written closure letter confirming that as of the settlement date, Oracle considers you compliant in respect of the products and periods covered by the audit. Without this letter, a future Oracle GLAS team could revisit the same period. The closure letter is your legal protection against double-jeopardy auditing.
What a Good Oracle Audit Response Looks Like: Summary
Across hundreds of Oracle audit engagements, the pattern of what produces the best outcomes is consistent:
- Slow the process down from the moment the letter arrives. Use the full 45-day acknowledgement window.
- Engage independent advisory support before responding to Oracle at any stage.
- Challenge the scope in writing at the kickoff, and hold Oracle to a documented scope throughout.
- Never submit data to Oracle without first reviewing it independently.
- Challenge every finding with specific, contractual counter-evidence.
- Separate technical and commercial discussions — do not let Oracle's sales team engage until findings are finalised.
- Use Oracle's Q4 (March to May) to drive better settlement terms.
- Demand a written closure letter before considering the audit resolved.
An Oracle audit is a serious commercial event, but it is manageable. Organisations that approach it with preparation, expert support, and a clear strategy consistently achieve outcomes that are dramatically better than those that respond reactively. If you have received an Oracle audit letter and want immediate expert guidance, contact Redress Compliance.