Audit Defence Playbook

How to Fight an Oracle Audit Claim: 12 Common Audit Findings, the Contractual Weakness in Each, and the Counter-Move That Reduces Exposure by 30–60%

An Oracle audit is not a verdict. It is an opening position in a negotiation, presented as a technical finding to disguise its commercial intent. Every claim has weaknesses. This guide teaches you to find them.

30-60%: Typical Reduction After Independent Review
12: Common Claim Types Decoded
45 Days: Standard OLSA Audit Notice Period
$0: What You Owe Until You Agree
Part of the Oracle Knowledge Hub. For first-response actions, see Audit Letter: First 48 Hours Checklist. For understanding Oracle's targeting logic, read How Oracle Selects Audit Targets. For 2026 sales context, see Oracle Sales Tactics 2026.


By Fredrik Filipsson  ·  Updated February 2026  ·  20 min read  ·  Audience: CIO / IT Director / SAM Manager / General Counsel / Procurement

01 The First Principle: An Audit Finding Is Not a Debt

When Oracle's GLAS team delivers an audit report showing a $3M compliance shortfall, the instinct is to treat it as a bill. It is not. Oracle's audit report is a position paper. It is an assertion of what Oracle believes you owe, calculated using Oracle's most favourable interpretation of every licensing rule, every metric, and every deployment scenario. It is designed to establish the maximum possible claim, from which Oracle expects to negotiate downward in exchange for a commercial resolution.

In our experience across 200+ Oracle engagements, independent review of GLAS audit findings typically reduces the stated compliance gap by 30 to 60% through legitimate contractual arguments, corrected technical assumptions, and identified entitlements that GLAS missed or miscounted. The remaining gap is then resolved through commercial negotiation at deeply discounted rates, not at the list-price "resolution" Oracle initially proposes.

Expert Perspective. "Oracle's audit function is not an independent compliance review. It is a sales pipeline. GLAS findings are shared with Oracle's account team and used as commercial leverage. Treat the audit accordingly: prepare as you would for a negotiation, not an examination."

02 The First 48 Hours: What to Do When the Letter Arrives

Your response in the first 48 hours sets the trajectory for the entire audit. Most organisations make critical mistakes in this window.

1. Do Not Run GLAS Scripts Immediately (Critical)

Oracle's position: Oracle sends an audit notification requesting that you download and execute their data collection scripts within 45 days. The letter implies urgency and obligation.

The weakness: Your OLSA gives Oracle the right to audit, but it does not give them unlimited access to every server, every environment, or every data point they request. The scope must be reasonable and proportionate. GLAS routinely requests broader access than your contract requires.

Your counter-move: Acknowledge the audit in writing within 5 business days. Request a formal scope definition: which specific Oracle products and environments are covered? Review your OLSA's audit clause. Engage independent advisory before running any GLAS scripts. Conduct an internal self-assessment first. Only provide data within the contractually defined scope.

2. Separate the Audit from All Commercial Discussions (Critical)

Oracle's position: Within days of the audit notification, your Oracle AE contacts you with a "helpful" offer: "Let me talk to my team about wrapping the resolution into your upcoming renewal." The audit and the commercial conversation are merged.

The weakness: Oracle benefits from bundling audit resolution with commercial transactions because it creates urgency and fear. You benefit from separation because it allows you to challenge findings on their merits, negotiate any resulting licence purchase at competitive rates, and prevent the audit from being used as leverage in unrelated negotiations.

Your counter-move: Communicate formally: "We will address audit compliance through the audit process. All commercial matters will be handled separately and on a separate timeline." Designate a different internal lead for audit response (IT/SAM) and commercial negotiation (procurement).

03 Challenging GLAS Script Output

GLAS scripts collect raw deployment data. But the scripts measure technical presence, not licensing compliance. The gap between "what is installed" and "what requires a licence" is where most audit inflation occurs.

3. Installed Does Not Equal Used Does Not Equal Licensed (High Value)

Oracle's position: GLAS scripts detect every Oracle product installed, regardless of whether it is actively used. Oracle's audit report treats every installed product as deployed and requiring a licence.

The weakness: Oracle's licensing terms require licences for products that are "installed and/or running," but the definition of "running" is narrower than "installed." An option that is installed but never configured, never accessed, and generates no data is not "running." Many products are installed automatically as part of the default installation.

Your counter-move: For each product GLAS flags, demand evidence of actual usage, not just installation. Review DBA_FEATURE_USAGE_STATISTICS: if a feature shows zero usage, challenge the requirement. Document cases where products were installed by default and never intentionally activated. This argument alone typically removes 10 to 20% of GLAS findings.
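As an added illustration of the DBA_FEATURE_USAGE_STATISTICS review described above (example code, not from the article or from Redress Compliance): a Python helper that reads an export of the view and separates features that were installed but never used, used only in past samples, and currently in use. The CSV rows are constructed, and the mapping from feature names to the option each implies is an assumption for illustration; build the real mapping from your own Ordering Documents. The same DETECTED_USAGES counter is the evidence the Diagnostics Pack single-use argument in item 8 rests on.

```python
"""Triage an export of DBA_FEATURE_USAGE_STATISTICS for option-licence claims.

Hypothetical helper, not from the article. Column names match Oracle's view;
the rows and the feature-to-option mapping below are constructed for illustration.
The export is assumed to come from a query such as:

    SELECT name, detected_usages, total_samples, currently_used
      FROM dba_feature_usage_statistics;
"""
import csv
import io
from collections import defaultdict

# Constructed export (four rows) in the shape of the query above.
SAMPLE_EXPORT = """\
NAME,DETECTED_USAGES,TOTAL_SAMPLES,CURRENTLY_USED
Transparent Data Encryption,0,412,FALSE
Automatic Workload Repository,1,412,FALSE
Partitioning (user),300,412,TRUE
Oracle Java Virtual Machine (user),5,412,TRUE
"""

# Assumed mapping from a feature row to the separately priced option it implies.
OPTION_FOR_FEATURE = {
    "Transparent Data Encryption": "Advanced Security",
    "Automatic Workload Repository": "Diagnostics Pack",
    "Partitioning (user)": "Partitioning",
}


def classify(detected_usages, currently_used):
    """Separate 'installed' from 'running' using the view's own counters."""
    if detected_usages == 0:
        return "installed-never-used"   # installed by default, never activated
    if not currently_used:
        return "historic-only"          # past samples saw it; not running now
    return "in-use"


def review_export(csv_text):
    """Return {option: [(feature, classification, detected, samples), ...]}."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        option = OPTION_FOR_FEATURE.get(row["NAME"])
        if option is None:
            continue  # base-edition feature or unmapped: no option claim to test
        detected = int(row["DETECTED_USAGES"])
        samples = int(row["TOTAL_SAMPLES"])
        used_now = row["CURRENTLY_USED"].strip().upper() == "TRUE"
        findings[option].append((row["NAME"], classify(detected, used_now), detected, samples))
    return dict(findings)


def challengeable_options(findings):
    """Options for which no mapped feature is currently in use: contest these first."""
    return sorted(option for option, rows in findings.items()
                  if all(classification != "in-use" for _, classification, _, _ in rows))


if __name__ == "__main__":
    result = review_export(SAMPLE_EXPORT)
    for option, rows in sorted(result.items()):
        for feature, classification, detected, samples in rows:
            print(f"{option:18} {feature:32} {classification:22} {detected}/{samples} samples")
    print("Challenge first:", ", ".join(challengeable_options(result)))
```

In practice, keep the VERSION, FIRST_USAGE_DATE and LAST_USAGE_DATE columns in the export as well: they date the enablement for the TDE argument in item 7 and show how long ago a single AWR access happened.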

4. Non-Production Environments

Oracle's position: GLAS counts processors in development, testing, staging, QA, and disaster recovery environments alongside production, applying the same per-Processor licensing requirement. A 10-Processor production environment with a matching 10-Processor DR environment becomes a 20-Processor claim.

The weakness: Many Oracle contracts include provisions for development and testing use at reduced rates. Disaster recovery environments that are not actively processing data may qualify for reduced licensing under Oracle's "Failover" policies (10 days per year on-premise). Environments that are genuinely isolated may be eligible for separate terms.

Your counter-move: Categorise every environment in the GLAS report as production, development, testing, staging, or DR. For each non-production category, review your Ordering Documents and OLSA for reduced-cost or exempt provisions. Challenge any finding that applies full Processor pricing to genuinely non-production environments. This reduces findings by 15 to 25% in environments with substantial non-production infrastructure.

04 The Virtualisation Dispute: Your Biggest Battleground

Virtualisation licensing is the single largest source of audit exposure and the area where Oracle's position is most aggressively contested.

5. The VMware Full-Cluster Licensing Claim (Critical, High Value)

Oracle's position: Oracle asserts VMware vSphere does not constitute "hard partitioning." Licences must cover all physical processor cores on all hosts in the VMware cluster where Oracle could potentially run. A 6-host cluster with 120 total cores x 0.5 Core Factor = 60 Processor licences. At $47,500/Processor for Database EE, that is a $2.85M claim for what might be a single-VM deployment.

The weakness: Oracle's position is a licensing policy, not a contractual term. Your OLSA and Ordering Documents define your obligations. Oracle's partitioning policy is a unilateral document not part of the agreement you signed. Furthermore, technical controls (VMware DRS affinity rules, host affinity groups, resource pools) restrict VM mobility, creating an argument that Oracle cannot run on "any host" if controls prevent it.

Your counter-move: Review your Ordering Documents: do they reference Oracle's partitioning policy, or define licensing requirements independently? If your contract does not incorporate the partitioning policy by reference, Oracle's position has less contractual weight. Document VMware affinity rules and argue licensing should cover only pinned hosts. Evaluate migrating to Oracle-approved hard partitioning (Oracle VM, Oracle Linux KVM, Solaris Zones). See Partitioning Policy vs Contract.

6. Cloud Infrastructure (AWS/Azure) Licensing Claims

Oracle's position: For Oracle Database on AWS or Azure, Oracle's historical position required licensing based on vCPUs allocated, using authorised cloud environment rules (2 vCPUs = 1 Processor licence for most Intel instances). However, Oracle may also assert that shared tenancy instances do not qualify, requiring licensing of the underlying physical host.

The weakness: Oracle published an "Authorised Cloud Environment" policy that specifically addresses AWS, Azure, and Google Cloud, and most standard instances qualify. Oracle cannot override its own published cloud policy. If GLAS applies non-standard counting rules, challenge them against Oracle's own documentation.

Your counter-move: Document every Oracle instance running in AWS/Azure/GCP: instance type, vCPU count, tenancy model. Map each instance against Oracle's published Authorised Cloud Environment policy. If GLAS applies a different methodology, formally challenge with reference to Oracle's own policy. For BYOL deployments, verify that on-premise licences are not simultaneously counted in the on-premise audit.


05 Options, Packs, and Feature Enforcement

Database Options and Management Packs are the fastest-growing area of audit findings in 2025 to 2026. Oracle is actively scanning for feature usage that requires separately priced licences.

7. The TDE / Advanced Security Claim (Critical)

Oracle's position: If Transparent Data Encryption (TDE) is enabled on any tablespace, you require Advanced Security licences ($15,000/Processor) on every Processor running that database. GLAS scripts detect TDE encryption at the tablespace level.

The weakness: In Oracle 21c, Oracle announced TDE would be included with Enterprise Edition as a base feature, without an option licence. If your TDE usage is on 21c or later databases, the Advanced Security licence requirement may not apply. Additionally, if TDE was enabled inadvertently (by a DBA following a security hardening guide, or by an Oracle patch), accidental enablement without administrative intent should not create a licensing obligation.

Your counter-move: For each database flagged for TDE, document the Oracle version, when TDE was enabled, who enabled it, and whether it was intentional. For 21c+ databases, challenge the Advanced Security requirement directly. For 19c and earlier, if TDE was inadvertent, offer to disable it immediately and argue retrospective licensing is not appropriate. If the claim stands, negotiate at 30 to 50% off list.

8. The AWR / Diagnostics Pack Single-Use Trap

Oracle's position: Any access to Automatic Workload Repository (AWR) reports, even a single report generated by a DBA during troubleshooting, triggers a Diagnostics Pack licensing requirement ($7,500/Processor) across the entire database. GLAS detects AWR access through DBA_HIST_SNAPSHOT.

The weakness: Oracle's "any access = requires a licence" position is contractually aggressive. Your OLSA licences programmes that are "installed and/or running." A single historic AWR access is neither currently installed nor currently running. Oracle makes AWR trivially easy to access through Enterprise Manager without any licence-check gate, then penalises the access.

Your counter-move: Review AWR access logs. If usage was a single troubleshooting instance, argue that momentary access does not constitute "running" the Diagnostics Pack. Offer to disable AWR immediately. If Oracle insists, negotiate Diagnostics Pack licensing only for specific databases where AWR was accessed, not your entire estate. See Diagnostics & Tuning Pack Guide.

06 Metric Interpretation Disputes

Oracle's licensing metrics have specific definitions in your Ordering Documents. GLAS frequently applies the broadest possible interpretation.

9. The NUP Minimum Calculation Over-Count

Oracle's position: GLAS applies the NUP minimum requirement (25 NUP per Processor for EE) based on the total Processor count, including processors counted under Oracle's virtualisation interpretation. If GLAS counts your VMware cluster as 60 Processors, the NUP minimum becomes 1,500 NUP.

The weakness: The NUP minimum is calculated against the Processor count, so every inflated Processor claim cascades into an inflated NUP minimum. If you successfully challenge the Processor count, the NUP minimum reduces proportionally. This is why the virtualisation argument is so critical: it affects not just Processor licensing but every metric that derives from Processor counts.

Your counter-move: Challenge the Processor count first. The NUP minimum follows. If you reduce the claimed Processor count from 60 to 20 (by excluding non-Oracle VMware hosts), the NUP minimum drops from 1,500 to 500. Then verify actual named users against the reduced minimum. Reducing the Processor count often eliminates the NUP shortfall entirely.

10. Missing or Miscounted Entitlements (High Value)

Oracle's position: GLAS compares your deployed usage against the entitlements in Oracle's records. But Oracle's entitlement records are only as complete as the Ordering Documents they have on file, and Oracle frequently has incomplete records.

The weakness: GLAS does not proactively search for your full entitlement history. Many organisations have 15 to 20 years of Ordering Documents across multiple legal entities, CSI numbers, and purchasing channels. Licences purchased by acquired subsidiaries, bundled with hardware, and included in older agreements are routinely missing.

Your counter-move: Compile your complete Ordering Document history. Pay particular attention to OEM licences bundled with hardware, licences inherited through M&A, licences purchased through Oracle partners, and older agreements with product bundles. We regularly find $200K to $1M+ in uncounted entitlements during audit defence.

07 Fighting Java SE Audit Claims

Java SE claims are Oracle's fastest-growing audit revenue stream. The per-employee metric creates massive, organisation-wide exposure from even minimal Java usage.

11. Challenging the Java Usage Scope (Critical, High Value)

Oracle's position: Oracle detects Oracle JDK installations (via download records, update server connections, or binary fingerprinting) and asserts that any Oracle Java SE installation after January 2023 requires a Java SE Universal Subscription covering every employee. Oracle's initial claim: total employee count x $5.25/month x 12 months x number of years since January 2023.

The weakness: Multiple attack vectors exist. First, version: Java SE 8 Update 211 and later, Java 11+, 17+, and 21+ are subject to licensing, but earlier versions are not. Many installations may be pre-Update 211 Java 8, still under the older, free Binary Code Licence. Second, distribution: Amazon Corretto, Eclipse Temurin, Azul Zulu, and other OpenJDK distributions are functionally identical and licence-free. GLAS may incorrectly flag non-Oracle JDK installations. Third, scope: the per-employee metric only applies if you allowed the legacy licence to lapse.

Your counter-move: Inventory every Java installation: version, distribution (Oracle vs OpenJDK), installation date, and actual usage. Remove or replace every Oracle JDK with an OpenJDK alternative where possible, immediately reducing your compliance surface. Challenge the employee count: negotiate based on actual Java users, not total headcount. If a subscription is unavoidable, negotiate 40 to 60% off list with a credible migration-to-OpenJDK timeline. See Exiting Oracle Java SE.
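The inventory step above, as an added example that is not part of the article or any vendor's tooling: a Python classifier for captured `java -version` output that identifies the distribution (Oracle JDK versus a named OpenJDK build) and applies the version boundaries the article states (Oracle JDK 8u211 and later, and Oracle JDK 11+/17+/21+, in scope; earlier Java 8 updates under the older Binary Code Licence). The host names and outputs are constructed; the vendor markers are the strings well-known OpenJDK builds print on their second line.

```python
"""Classify `java -version` output by distribution and by the article's version thresholds.

Hypothetical helper, not from the article. Host names and outputs are constructed.
"""
import re

SAMPLE_OUTPUTS = {  # constructed captures of `java -version 2>&1` from five hosts
    "host-a": 'java version "1.8.0_202"\n'
              'Java(TM) SE Runtime Environment (build 1.8.0_202-b08)\n'
              'Java HotSpot(TM) 64-Bit Server VM (build 25.202-b08, mixed mode)',
    "host-b": 'java version "1.8.0_371"\n'
              'Java(TM) SE Runtime Environment (build 1.8.0_371-b11)\n'
              'Java HotSpot(TM) 64-Bit Server VM (build 25.371-b11, mixed mode)',
    "host-c": 'openjdk version "17.0.2" 2022-01-18\n'
              'OpenJDK Runtime Environment Temurin-17.0.2+8 (build 17.0.2+8)\n'
              'OpenJDK 64-Bit Server VM Temurin-17.0.2+8 (build 17.0.2+8, mixed mode, sharing)',
    "host-d": 'java version "17.0.1" 2021-10-19 LTS\n'
              'Java(TM) SE Runtime Environment (build 17.0.1+12-LTS-39)\n'
              'Java HotSpot(TM) 64-Bit Server VM (build 17.0.1+12-LTS-39, mixed mode, sharing)',
    "host-e": 'openjdk version "11.0.12" 2021-07-20\n'
              'OpenJDK Runtime Environment (build 11.0.12+7)\n'
              'OpenJDK 64-Bit Server VM (build 11.0.12+7, mixed mode)',
}

VERSION_RE = re.compile(r'^(?:java|openjdk) version "([^"]+)"', re.MULTILINE)
# Vendor strings printed on the second line by well-known OpenJDK builds.
OPENJDK_VENDOR_MARKERS = ("Temurin", "Corretto", "Zulu", "Red_Hat", "Microsoft",
                          "SapMachine", "Liberica", "Dragonwell")


def parse_version(text):
    """'1.8.0_202' -> (8, 202); '17.0.2' -> (17, 2). Returns (major, update)."""
    if text.startswith("1."):                       # legacy 1.x numbering (Java 8 and older)
        major = int(text.split(".")[1])
        update = int(re.match(r"\d+", text.split("_")[1]).group()) if "_" in text else 0
        return major, update
    parts = text.split(".")
    update = int(parts[2].split("+")[0]) if len(parts) > 2 else 0
    return int(parts[0]), update


def identify_distribution(output):
    if "Java(TM) SE Runtime Environment" in output:
        return "Oracle JDK"
    for marker in OPENJDK_VENDOR_MARKERS:
        if marker in output:
            return f"OpenJDK ({marker})"
    if "OpenJDK Runtime Environment" in output:
        return "OpenJDK (vendor not stated)"        # confirm where the binary came from
    return "unknown"


def classify(output):
    """Return distribution, version and a status per the article's stated rules."""
    match = VERSION_RE.search(output)
    if not match:
        return {"distribution": "unknown", "status": "unparseable"}
    major, update = parse_version(match.group(1))
    distribution = identify_distribution(output)
    if distribution == "Oracle JDK":
        in_scope = (major == 8 and update >= 211) or major >= 11
        status = "oracle-jdk-subscription-scope" if in_scope else "oracle-jdk-legacy-bcl"
    elif distribution == "OpenJDK (vendor not stated)":
        status = "verify-vendor"
    elif distribution.startswith("OpenJDK"):
        status = "openjdk-no-oracle-licence"
    else:
        status = "manual-review"
    return {"distribution": distribution, "major": major, "update": update, "status": status}


def inventory(outputs):
    return {host: classify(text) for host, text in outputs.items()}


def replacement_candidates(inv):
    """Hosts where an in-scope Oracle JDK is the first thing to replace with an OpenJDK build."""
    return sorted(h for h, r in inv.items() if r["status"] == "oracle-jdk-subscription-scope")


if __name__ == "__main__":
    for host, result in inventory(SAMPLE_OUTPUTS).items():
        print(host, result)
    print("Replace first:", replacement_candidates(inventory(SAMPLE_OUTPUTS)))
```

Pair the version output with the installation date and the process list on each host, since the article's challenge also turns on who actually runs Java, not just where a JDK sits on disk.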

08 The Resolution Negotiation: Turning Defence into Leverage

Once you have challenged GLAS findings and reduced the compliance gap, the resolution negotiation begins. This is where the audit shifts from a compliance exercise to a commercial transaction.

12. Never Accept Resolution at List Price (Critical)

Oracle's position: GLAS presents a "resolution proposal" pricing the gap at list or near-list. For a 40-Processor Database EE shortfall: 40 x $47,500 = $1.9M in new licences, plus $418K/year in support. Oracle frames this as compliance, not a purchase, implying you cannot negotiate.

The weakness: An audit resolution is a licence purchase, and licence purchases are always negotiable. Oracle's list price is a starting position that no customer pays. Furthermore, Oracle's preference for a commercial resolution (rather than legal action) means they have strong incentives to negotiate: litigation is expensive, uncertain, and damages the customer relationship.

Your counter-move: After reducing findings through technical challenges, negotiate the remaining gap as a standard licence purchase. Demand benchmark-appropriate discounts (30 to 55% off list for Database, 25 to 45% for Applications). Time the resolution to Oracle's Q4 (March to May) for maximum discount authority. Use the resolution as leverage for broader improvements: support uplift caps, true-down rights, cloud migration credits, or ULA/PULA terms. See Oracle Pricing Benchmarks.

09 The Audit Defence Timeline: 12 Weeks to Resolution

Week  | Activity                                                                                      | Owner                | Deliverable
1     | Receive audit notification; engage independent advisory                                       | IT/Legal             | Acknowledgement letter, advisory engagement
2-3   | Internal self-assessment: inventory all Oracle deployments, Ordering Documents, and entitlements | SAM/IT             | Deployment inventory, entitlement register
3-4   | Review OLSA audit clause; define and agree audit scope with Oracle                            | Legal/Advisory       | Agreed scope document
4-6   | Run GLAS scripts on agreed-scope environments only; collect data                              | IT/DBA               | Script output, environment documentation
6-8   | Receive GLAS preliminary findings; begin independent review                                   | Advisory             | Finding-by-finding challenge document
8-10  | Present counter-arguments to Oracle; negotiate reduced findings                               | Advisory/Procurement | Revised compliance position
10-12 | Negotiate commercial resolution at benchmark-appropriate discounts                            | Procurement/Advisory | Resolution agreement with broader commercial improvements

Composite Case Study: US Energy Company, $8.2M Claim Reduced to $1.4M

Initial GLAS finding: $8.2M shortfall across Oracle Database EE (VMware cluster claim), Advanced Security (TDE on 14 databases), Diagnostics Pack (AWR on 22 databases), and WebLogic Server (embedded in EBS deployment).

Defence actions: Challenged VMware full-cluster licensing (reduced from 120 to 34 Processors via documented DRS affinity rules). Demonstrated TDE was enabled inadvertently by a security patch on 9 of 14 databases, disabled immediately, narrowing claim to 5. AWR access challenged as single-event troubleshooting on 18 of 22 databases. WebLogic entitlement identified in original EBS Ordering Document that GLAS had not reviewed.

Result: Compliance gap reduced from $8.2M to $2.6M (68% reduction). Remaining $2.6M resolved at 46% discount = $1.4M in licence purchases. Resolution timed to Oracle Q4. Also secured: 0% support uplift for 3 years, 20% annual true-down rights, and advanced audit protections in a renegotiated OLSA. Total savings vs Oracle's initial claim: $6.8M.

Audit Defence Quick Reference

Before Scripts

Do not run GLAS scripts until you have engaged independent advisory and agreed on audit scope. Separate audit and commercial discussions with different internal leads and different timelines.

Challenge Everything

GLAS findings are reducible by 30 to 60%. Compile all Ordering Documents. Virtualisation is your biggest lever. Options exposure (TDE, AWR) is challengeable. Java claims require version and distribution analysis.

Resolve Commercially

Never pay list price. Demand 30 to 55% discount. Time to Oracle's Q4. Turn defence into offence: use the resolution to secure broader commercial improvements across your entire Oracle position.

Frequently Asked Questions

Can Oracle force me to buy licences as a result of an audit?

No. Oracle's audit right under your OLSA is a right to verify compliance, not a right to compel a purchase. If the audit reveals a genuine shortfall, Oracle can require you to become compliant, which typically means either purchasing the required licences, uninstalling the products, or reaching a commercial resolution. But you have the right to choose how you become compliant. Oracle cannot issue an invoice. They can only present a claim and negotiate toward resolution.

How long does an Oracle audit typically take?

From notification to resolution, a typical audit takes 3 to 6 months. The OLSA usually specifies a 45-day notice period, followed by 30 to 60 days for data collection, 30 to 60 days for GLAS analysis and preliminary findings, and 30 to 90 days for challenge, counter-argument, and resolution. Organisations that prepare proactively resolve faster and at lower cost.

Should I hire a lawyer for an Oracle audit?

In most cases, your primary need is Oracle licensing expertise, not legal counsel. Oracle audits are resolved commercially, not through litigation. Over 99% of audits never reach legal proceedings. An independent licensing advisory firm provides technical analysis, contractual challenge arguments, benchmark pricing data, and strategic guidance. Legal counsel becomes valuable if Oracle threatens legal action (rare), the audit involves complex M&A issues, or you need to renegotiate your OLSA's audit clause.

What if I have genuine non-compliance that I cannot challenge?

Even genuine non-compliance does not mean you pay list price. First, reduce the gap as much as possible through the challenge process. Second, negotiate the remaining gap as a standard licence purchase with benchmark-appropriate discounts (30 to 55% off list). Third, time the resolution to Oracle's Q4 for maximum discount authority. Fourth, use the resolution as leverage to secure broader commercial improvements. The worst approach is accepting GLAS findings at face value and paying at Oracle's proposed price.

Can I refuse an Oracle audit?

Your OLSA almost certainly includes an audit clause granting Oracle the right to verify compliance. Refusing to cooperate with a properly scoped audit is a contractual breach. However, you have significant rights within the process: you can require Oracle to define the scope, you can limit data collection to what is contractually required, you can insist on reasonable timelines, and you can challenge every finding on its merits. The goal is not to refuse the audit but to manage it professionally.

Is it worth engaging an independent advisor for an Oracle audit?

Almost always yes. Independent advisory fees for audit defence typically range from $50K to $150K. The savings achieved through reduced GLAS findings, benchmark-appropriate resolution pricing, and broader commercial improvements typically range from $500K to $10M+. The ROI is 5 to 50x the advisory fee. Moreover, Oracle's account team takes independently advised customers more seriously, which accelerates the negotiation and produces more reasonable initial positions.


Fredrik Filipsson

Co-Founder & Enterprise Software Advisory Lead, Redress Compliance

Fredrik has over 20 years of experience in enterprise software licensing, including tenures at IBM, SAP, and Oracle. He co-founded Redress Compliance to provide genuinely independent advisory services, with no vendor partnerships, referral fees, or commercial relationships. Redress Compliance has defended over 200 Oracle audit engagements worldwide, achieving average finding reductions of 40% and resolution discounts of 35 to 55%.
