How Oracle Selects Audit Targets

Oracle's GLAS (Global License Advisory Services) team — the successor to LMS — does not allocate audit resources randomly. Audit target selection is driven by a structured prioritisation process that evaluates customer accounts against a set of known risk indicators: infrastructure changes, commercial signals, product-specific triggers, and governance gaps. Understanding which signals apply to your organisation is the foundation of effective Oracle risk management.

The 20 indicators below are scored as High Risk (strongly associated with near-term Oracle audit initiation), Medium Risk (associated with elevated audit probability within 24 months), or Low Risk (background risk factor that contributes to audit probability in combination with other signals). Any organisation scoring more than three High Risk indicators should treat an Oracle licensing assessment as urgent.

Use this assessment to score your Oracle audit probability. Each High Risk indicator scored adds materially to that probability. Three or more High Risk indicators: commission an independent assessment immediately. One to two High Risk indicators: schedule an assessment within six months. Zero High Risk indicators: conduct an annual compliance review.

01. Is Oracle Database running on VMware vSphere without hard partitioning isolating Oracle VMs from non-Oracle workloads? (High Risk)
Expert Note: VMware soft partitioning is the single most prevalent Oracle audit trigger Redress observes. Oracle's GLAS team actively targets enterprises running Oracle on shared VMware clusters, using partner intelligence, hardware refresh announcements, and cloud migration disclosures to identify targets. Any shared VMware cluster — where Oracle VMs can migrate via vMotion to non-Oracle hosts — requires all physical processors in the cluster to be licensed. In 2025, Oracle accelerated audit targeting of vSphere 7 and 8 environments, capitalising on customer uncertainty following the Broadcom acquisition of VMware.
02. Has the organisation completed a data centre refresh, server consolidation, or hypervisor platform change in the past 18 months without a concurrent Oracle licensing review? (High Risk)
Expert Note: Infrastructure changes alter Oracle licence requirements in ways that are rarely assessed at project time. A server refresh changes Core Factor Table applicability; a hypervisor change may alter cluster boundary definitions; a consolidation may create new co-residency of Oracle VMs with non-Oracle workloads. Oracle monitors procurement notices, data centre announcements, and hardware lease events. An organisation that has completed an infrastructure project without an Oracle licensing review in the subsequent 12 months is among Oracle's highest-priority audit targets.
03. Are Oracle workloads in a public cloud (AWS, Azure, GCP) without a formal BYOL entitlement assessment confirming on-premises licences cover cloud deployments? (High Risk)
Expert Note: Cloud migration without a BYOL assessment is a well-documented audit trigger. Oracle monitors cloud partner data and public migration announcements. An Oracle Database migration to AWS or Azure without confirmed BYOL entitlement creates dual exposure: unlicensed cloud deployment and potential misapplication of on-premises licences. Oracle's cloud audit focus in 2025 targeted AWS EC2 deployments where vCPU counts had not been mapped against Oracle processor licence requirements under BYOL rules.
04. Does the organisation use Nutanix AHV, KVM, or Microsoft Hyper-V for Oracle Database workloads without a formal Oracle partitioning status assessment? (Medium Risk)
Expert Note: Oracle classifies Nutanix AHV, KVM, and Hyper-V as soft partitioning technologies in most deployment configurations. Many organisations migrating from VMware to Nutanix assume that Nutanix's hard partition capabilities are Oracle-recognised — they are not, in the majority of deployment topologies. A formal partitioning status assessment for any non-VMware hypervisor running Oracle is essential before infrastructure migration or renewal negotiation.

05. Is Oracle Java SE 8u211 or later deployed anywhere in the enterprise without a current Oracle Java SE Universal Subscription? (High Risk)
Expert Note: Oracle Java SE is the most active Oracle audit vector in 2025. Oracle identifies Java exposure through JDK download telemetry, vulnerability scanner reports listing Java versions, and partner intelligence from resellers. Gartner forecasts one in five enterprises running Oracle Java without a subscription will receive an audit notice by 2026. Under the employee-based Universal Subscription model, a single unlicensed Java deployment triggers a subscription demand covering every employee and contractor globally — creating demands routinely exceeding £500,000 for mid-market enterprises.
06. Has Oracle E-Business Suite module usage been internally audited in the past 24 months, including modules activated by system integrators or upgrades without explicit licence requests? (High Risk)
Expert Note: Oracle EBS is a high-priority audit target because module licensing drift is structurally inevitable over time. Oracle's GLAS team specifically targets EBS deployments approaching support renewal, using audit findings to create commercial leverage. Organisations in the 12 months before an EBS support renewal are at elevated audit risk. An internal EBS module review conducted 18 months before renewal provides both remediation time and negotiation leverage.
07. Have Oracle Database Options — Diagnostics Pack, Tuning Pack, Partitioning, Advanced Compression — been assessed on all production instances using DBA_FEATURE_USAGE_STATISTICS? (High Risk)
Expert Note: DBA_FEATURE_USAGE_STATISTICS is permanent evidence of Oracle Options usage. The most common trigger is CONTROL_MANAGEMENT_PACK_ACCESS at its default DIAGNOSTIC+TUNING value, causing AWR data collection from database creation. Oracle LMS uses this view as its primary evidence source. Query this view on every Oracle Database EE instance — the result tells you exactly what Oracle's audit team will find, enabling proactive remediation before the audit begins.
08. Does the organisation use Oracle Middleware — WebLogic Server, SOA Suite — and has the deployment topology been validated against current licence requirements? (Medium Risk)
Expert Note: Oracle Middleware licensing is among the most complex in the Oracle portfolio. WebLogic Server requires careful analysis of managed server topology, Oracle-branded product access triggers, and Suite versus Server entitlement. Oracle GLAS has specific WebLogic assessment expertise and targets large WebLogic estates. A middleware licensing review is recommended for any organisation with more than five WebLogic managed servers in production.
09. Has the organisation reduced its Oracle support spend — through support termination, third-party support, or licence reductions — in the past 24 months? (High Risk)
Expert Note: Oracle treats support spend reduction as a commercial threat signal that frequently triggers audit initiation. An organisation that terminates Oracle support on a significant product line, moves to third-party support, or reduces its footprint substantially at renewal is statistically more likely to receive an Oracle audit within 18 months. This does not mean support optimisation should be avoided — it means that support changes must be preceded by a compliance assessment so the position is defensible when Oracle responds.
10. Has the organisation been involved in a merger, acquisition, or corporate restructuring in the past 36 months that brought new Oracle deployments within the corporate perimeter? (High Risk)
Expert Note: Mergers and acquisitions are one of Oracle's highest-confidence audit triggers. Oracle's account intelligence team monitors M&A activity through regulatory filings, press announcements, and reseller partner reports. Oracle frequently times formal audit initiation to coincide with post-acquisition integration of the acquired entity's Oracle estate into the parent, maximising the scope of any exposure finding. An immediate Oracle licence position review for any acquired entity should be a standard post-acquisition workstream.
11. Is the organisation in the final 18 months of an Oracle ULA, or has it recently completed a ULA term without an independent pre-certification assessment? (Medium Risk)
Expert Note: ULA certification is a structured compliance risk. In the final 18 months of a ULA term, Oracle's account team monitors for deployment growth that can justify a ULA renewal demand rather than certification to perpetual licences. An independent pre-certification assessment — covering all Oracle product deployments, cloud environment exclusions, and acquired entity treatment — is the standard risk mitigation step. Inaccurate ULA certifications create post-certification audit exposure that Oracle pursues aggressively.
12. Does the Oracle Master Agreement include audit provisions with shorter than 45 days notice, or clauses that give Oracle unlimited scope to review any Oracle product in the estate? (Medium Risk)
Expert Note: Oracle's standard agreement includes audit rights with 45 days notice. Agreements signed in specific markets or during specific periods may contain shorter notice provisions or broader scope clauses. Reviewing the specific audit clause — notice period, evidence Oracle can request, scope of acquired business reviews — is foundational to audit risk management. Organisations with narrow scope provisions can more effectively limit Oracle's information requests during a formal review.
13. Does the organisation lack a current Oracle licence position — a reconciliation of entitlement against deployment — documented and signed off within the past 12 months? (High Risk)
Expert Note: Organisations without a current Oracle licence position are unable to defend an audit effectively. An Oracle licence position requires three components: a complete entitlement inventory (all signed agreements, order forms, and amendments), a current deployment inventory (from SAM platform or equivalent), and a reconciliation analysis. The absence of any component means Oracle's audit team sets the terms of the finding. Organisations that can present a current validated position within days of receiving an audit notice consistently achieve better commercial outcomes.
14. Has the organisation accepted a 'friendly licence review' or 'health check' offer from Oracle's account team or LMS without independent counsel involvement? (High Risk)
Expert Note: Oracle's friendly health check is among the most consequential risks in Oracle account management. LMS frames these as customer benefits — they are evidence-gathering exercises. Data provided, access granted, and statements made during a health check become Oracle's evidence base for a subsequent formal audit or commercial demand. No Oracle health check should be accepted without independent counsel involvement and a clear scope limitation agreement agreed in advance.
15. Are the original Oracle licence certificates and order confirmations for all products inaccessible, incomplete, or not reconciled to SAM platform entitlement records? (Medium Risk)
Expert Note: Oracle entitlement disputes arise when licence certificates cannot be located for products acquired through resellers, inherited through acquisitions, or purchased more than five years ago. Oracle GLAS may assert that products without accessible certificates are unlicensed. A proactive entitlement reconciliation — contacting Oracle's licence certificate team to obtain digital copies of all entitlements and reconciling against SAM records — eliminates this risk. Oracle is obligated to provide certificate copies to current support customers.
16. Are DBA teams, infrastructure engineers, and developers untrained on Oracle licensing implications of operational decisions — Options activation, VM migration, Java version changes? (Medium Risk)
Expert Note: The majority of Oracle licensing exposures are created by technical teams acting without awareness of licensing implications. A DBA enabling Diagnostics Pack for performance investigation, an engineer adding a host to a VMware cluster running Oracle VMs, a developer installing Oracle Java SE — each creates exposure without knowing it. A one-hour annual Oracle licensing awareness training for DBA, infrastructure, and application development teams prevents more Oracle risk than any SAM tool configuration change.
17. Has the organisation received any Oracle communication — account review requests, certified letters, or compliance correspondence — that may be a precursor to formal LMS engagement? (High Risk)
Expert Note: Oracle's formal audit process is typically preceded by lower-level contact — an account manager requesting a licence position meeting, a letter from GLAS requesting deployment information, or a compliance team email. Organisations that respond without independent counsel involvement frequently concede commercial ground before the formal audit begins. Any Oracle communication referencing 'licence position', 'deployment review', 'compliance', or 'LMS/GLAS' should be reviewed by an Oracle licensing specialist before any response.
18. Is Oracle support spend growing significantly year-over-year in a way that may indicate unlicensed deployment growth alongside the licensed growth? (Medium Risk)
Expert Note: Rapid Oracle support spend growth indicates Oracle deployment expansion, which may include unlicensed deployment of products, features, or users not covered by existing entitlement. Oracle account teams monitor support growth rates as a deployment expansion indicator. An internal Oracle deployment review should accompany any period of significant support spend growth — validating that the support liability reflects only licensed deployments.
19. Is Oracle Analytics, Oracle AI Services, or any Oracle product introduced or expanded in the past 24 months fully licensed with user and processor metrics correctly applied? (Medium Risk)
Expert Note: New Oracle product categories carry their own licensing metrics that frequently differ from existing Oracle product models. Oracle Analytics Cloud uses a named user or professional user metric that differs from the Oracle Database NUP metric in scope and minimum requirements. Organisations deploying new Oracle products frequently apply the wrong metric by analogy with existing products. A licensing review for any new Oracle product deployed in the past 24 months should precede the next Oracle support renewal discussion.
20. Has an independent Oracle audit risk assessment — not relying on Oracle's tools or account team — been conducted in the past 18 months? (Low Risk)
Expert Note: The most reliable audit risk reduction measure is an independent Oracle audit risk assessment before Oracle engages. This establishes which risk indicators apply, scores severity, and produces a prioritised remediation plan. Organisations with an independent baseline assessment consistently achieve two outcomes: they identify and remediate the highest-probability exposures before Oracle finds them, and when Oracle does engage, they present a documented compliance programme that shifts the commercial discussion from punitive to collaborative.

What Your Score Means

If your organisation scores four or more High Risk indicators, Oracle audit initiation is a question of timing rather than probability. An independent Oracle licensing assessment — conducted by advisers using independent tools, not Oracle's own scripts — should be commissioned immediately. The assessment produces a validated licence position, a prioritised remediation plan, and an audit defence framework ready to deploy from the moment Oracle makes contact.