Oracle GLAS Audit  |  Buyer Side Response White Paper

Hit With an Oracle Audit? The 90 Day Response Map

Across roughly 35 to 50 Oracle audit responses we handled in 2024 to 2025, verified deployment data cut opening claims by 30 to 60 percent. This map runs the response from the notice letter to a settled close inside 90 days.

Prepared by Redress Compliance  ·  June 2026  ·  Representative Oracle estate scenario (benchmark scenario, not a quote)

Executive Summary

An Oracle audit notice starts a clock, but it is Oracle's clock only if you let it be. Your contract gives you 45 days of written notice before the audit may begin. What you do in the first 5 days decides whether you spend that window preparing or reacting.

The audit is run by Oracle License Management Services, now operating as Global Licensing and Advisory Services (GLAS), or by an appointed partner. Its opening findings letter is a claim, not a bill. In our 2024 to 2025 engagement file, first findings overstated exposure by 30 to 60 percent against verified use.

This playbook delivers the five things that decide the outcome: the first 5 days response calendar, the contractual scope limits that contain the GLAS engagement, the evidence pack that deflates inflated findings, the settlement structures that reshape the close, and the BATNA that constrains Oracle's pricing posture.

In the representative scenario modeled below, a $6,341,200 findings letter settles at $904,752, roughly 86 percent below the opening claim, by following this map.

45 days: Contractual written notice before an Oracle audit may begin. Your preparation runway, not a waiting period.

Day 5: By day 5: receipt acknowledged, contracts pulled, one spokesperson named, internal inventory started.

30 to 60%: Typical overstatement of first GLAS findings against verified deployment in our 2024 to 2025 file.

3 to 9 mo: Typical span from notice letter to settlement. The 90 day map compresses the part you control.

The 90 Day Map at a Glance

The response splits into three phases. Days 0 to 5 are about control: who speaks, what is frozen, what the contract actually says. Days 6 to 30 are about evidence: building your own verified deployment baseline before Oracle measures anything. Days 31 to 90 are about negotiation: controlled data submission, contesting findings, and structuring the close.

Days 0 to 5: Take control. Acknowledge in writing, open a privileged workstream, name one spokesperson, freeze changes to the Oracle estate, and read the audit clause before answering anything.

Days 6 to 30: Build the evidence. Run your own inventory, separate installed from used, document virtualization boundaries, and agree the audit scope and tooling with GLAS in writing.

Days 31 to 90: Negotiate the close. Submit data on your terms, test every finding line against the evidence pack, contest back support, and pick the settlement structure before talking numbers.

[Figure: timeline from day 0 to day 90 showing three phases: Control (days 0 to 5), Evidence (days 6 to 30), Negotiate (days 31 to 90). Day 45 is marked as the end of the notice window.]

The three phase response map. The contractual 45 day notice window covers all of phase one and most of phase two.


The First 5 Days: The Response Calendar

The most expensive mistakes in an Oracle audit happen in week one, before anyone senior is even paying attention. Someone replies helpfully, volunteers data, or agrees a kickoff date inside the notice window. Each of those gifts away leverage the contract gave you.

Day | Action | Why it matters
Day 1 | Acknowledge receipt in writing, nothing more. Open a privileged workstream under legal. Freeze changes to the Oracle estate. | An early helpful reply becomes Oracle's anchor. New deployments made after notice become findings.
Day 2 | Pull every Oracle contract: master agreement, ordering documents, amendments. Locate the audit clause and the named legal entity. | The contract, not the GLAS letter, defines what you owe the process.
Day 3 | Name a single spokesperson. Instruct all staff, including DBAs, that nobody else communicates with Oracle. | GLAS routinely emails admins directly. Side channel answers become evidence.
Day 4 | Start the internal inventory: installations, options, packs, and the virtualization estate they sit on. | Your verified baseline must exist before Oracle proposes its measurement.
Day 5 | Respond formally: confirm cooperation per the contract, request the audit plan and tooling in writing, propose scope and timeline. | You set the cadence inside the 45 day window instead of accepting Oracle's.

Non obvious mechanic 1: the standard Oracle audit clause grants the audit on 45 days written notice and requires your reasonable cooperation. It does not require you to run Oracle's specific collection scripts. Tooling, script versions, and which outputs you hand over are agreed items, not obligations.

Contractual Scope Limits That Contain the Engagement

GLAS opens wide by default: all entities, all environments, all products, full script output. The audit clause is narrower. Containment means holding the engagement to what the contract actually grants, politely and in writing, before any data moves.

GLAS will ask for | The contract supports | The buyer side move
Data on all group companies | The legal entity named in the agreement under audit | Confirm the audited entity in writing; exclude affiliates not party to the contract.
Full estate script sweep | Verification of use of the licensed Programs | Agree tooling and scope first; exclude environments with no Oracle software.
Whole VMware cluster data | Nothing: partitioning rules live in a policy paper, not your contract | Provide host level facts and reserve position on the policy in writing.
An immediate kickoff call | An audit that begins after 45 days written notice | Use the full window. Scheduling is mutual, not dictated.
Years of back support on findings | No back support clause for never licensed use; fees follow a negotiated order | Treat back support as a negotiation line, not an invoice.

Non obvious mechanic 2: Oracle's soft versus hard partitioning rules come from a partitioning policy document that is not referenced in the standard master agreement. A VMware finding that counts your whole cluster rests on policy, not contract. You can comply commercially while contesting it contractually, and that distinction moves settlements.

The same applies to the audited products. The clause covers the Programs licensed under the agreement cited in the notice. A notice citing your database agreement is not an open invitation to review Java, middleware, and applications estates. Each extension of scope is a concession you can trade, not a courtesy you owe.


The Evidence Pack Against Finding Inflation

Findings inflate in three predictable ways: options counted as used wherever installed, virtualized hosts counted as whole clusters, and usage assumed to stretch back years for back support. The evidence pack is the set of artifacts that beats each inflation at the line level.

Build it in days 6 to 30, before any submission. The pack that wins contains: feature usage reports per database, AWR and pack access logs, virtualization topology with host CPU inventories, deployment dates from change records, and the entitlement map from your ordering documents.

The representative scenario below is a manufacturing estate audited on its database agreement. List prices follow Oracle's technology price list: Database Enterprise Edition at $47,500 per processor, RAC at $23,000, Partitioning at $11,500, Diagnostics Pack at $7,500, and Tuning Pack at $5,000 per processor.

Finding line | GLAS findings letter | Verified position
Database EE on VMware cluster | 40 processors · $1,900,000 | 24 processors · $1,140,000
Real Application Clusters | 20 processors · $460,000 | 12 processors · $276,000
Partitioning option | 40 processors · $460,000 | 12 processors · $138,000
Diagnostics Pack | 80 processors · $600,000 | 40 processors · $300,000
Tuning Pack | 80 processors · $400,000 | 0 processors · $0
License subtotal | $3,820,000 | $1,854,000
Back support claim | 3 years · $2,521,200 | 1 year forward · $407,880
Total exposure | $6,341,200 | $2,261,880

Benchmark scenario, not a quote. Benchmark ranges: Redress Compliance advisory engagement file, 2024 to 2025.

[Figure: bar chart comparing the findings letter with the verified position for Database EE, RAC, Partitioning, Diagnostics Pack, and Tuning Pack. Tuning Pack verifies at $0: usage evidence showed the pack was never accessed.]

License findings by line, letter versus verified. Values match the scenario table; back support shown separately.

64% below the findings letter: The verified position of $2,261,880 sits 64 percent below the $6,341,200 opening claim, before any discount is negotiated.

30 to 60% typical first finding inflation: Across our 2024 to 2025 audit response file, first findings overstated exposure by 30 to 60 percent against verified use.

Where the common advice is wrong: the standard advice, including from many resellers, is to cooperate fully, run Oracle's scripts immediately, and close fast. We disagree. Running the scripts blind hands GLAS an inflated baseline that your own verified data would have cut sharply. Control the data you submit, prove real deployment, and contest every installed not used line before any number is agreed.

Settlement Structures That Reshape the Close

Oracle audits do not end with a check for the findings letter. They end with a commercial structure, and the structure you choose moves the number more than the discount percentage does. Four paths cover almost every close.

Settlement path | Structure | Scenario cost
Pay the findings letter | Claim at list plus 3 years back support. Nobody should land here. | $6,341,200
Verified position at list | Evidence pack applied, back support reduced to 1 year forward dated support. | $2,261,880
ULA as settlement vehicle | 3 year unlimited agreement absorbing the gap: $1,200,000 license plus $264,000 first year support. Defers, not resolves, the count. | $1,464,000
Negotiated net new order | 60 percent discount on the verified $1,854,000 list gap: $741,600 license plus $163,152 first year support at 22 percent. | $904,752

Benchmark scenario, not a quote. Benchmark ranges: Redress Compliance advisory engagement file, 2024 to 2025.

[Figure: bar chart of the four settlement paths: findings letter $6.34M, verified at list $2.26M, ULA vehicle $1.46M, net new order $0.90M (86% below the letter).]

The four settlement paths in the benchmark scenario. The structure, not the discount, does most of the work.

Two cautions on structure. A ULA closes the audit but converts a finding into a multi year relationship with its own certification fight at exit; size it only if growth genuinely justifies it. And a cloud commitment offered as settlement trades compliance paper for consumption you may not need. Both are fine instruments and poor reflexes.

Non obvious mechanic 3: back support for software that was never licensed has no contractual price until you agree one, and Oracle's support reinstatement pricing applies to lapsed support, not new findings. In most of our closes, back support claims collapsed into forward dated support on the negotiated order. Treat the line as fully negotiable, because it is.

The BATNA That Constrains Oracle's Pricing

GLAS pricing posture tracks one variable: whether you have a credible alternative to writing the check. A buyer with a documented walk away path gets a different discount band than a buyer who needs the audit closed by quarter end.

The credible alternatives that moved our 2024 to 2025 closes: migrating contested workloads to PostgreSQL or to hyperscaler managed databases, moving lapsed support estates to third party support, decommissioning the installed not used options the findings priced, and simple time, because a buyer who controls the timeline can let Oracle's quarter end arrive first.

None of these need to be executed to work. They need to be documented, costed, and visibly board ready. The point of a BATNA is that Oracle prices against it instead of against your fear.

Anchor your position in the primary sources before the first call: the audit basis on the Oracle License Management Services page, your contract documents on the Oracle contracts page, and current list pricing on Oracle's published price lists.


Our Recommendation

Run the map, not the reflex: take the full 45 day window, build the verified baseline before any data leaves the building, and negotiate the structure before the number.

  • If the notice has landed: execute the day 1 to day 5 calendar this week, and bring a buyer side advisor in before any data or kickoff date is agreed. The first baseline you give Oracle anchors the whole audit.
  • If it has not landed yet: build the evidence pack now as a standing asset. An estate that can prove real deployment in 30 days has already removed the 30 to 60 percent inflation the findings letter relies on.

Redress Compliance is 100 percent buyer side: 500+ enterprise clients, $2B+ under advisory, and audit responses run against Oracle every month. Contact us before you answer the notice. We are glad to tie a meaningful part of the fee to delivered value.
