Hit With an Oracle Audit? The 90 Day Response Map
Across roughly 35 to 50 Oracle audit responses we handled in 2024 to 2025, verified deployment data cut opening claims by 30 to 60 percent. This map runs the response from the notice letter to a settled close inside 90 days.
Prepared by Redress Compliance · June 2026 · Representative Oracle estate scenario (benchmark scenario, not a quote)
Executive Summary
An Oracle audit notice starts a clock, but it is Oracle's clock only if you let it be. Your contract gives you 45 days of written notice before the audit may begin. What you do in the first 5 days decides whether you spend that window preparing or reacting.
The audit is run by Oracle License Management Services, now operating as Global Licensing and Advisory Services (GLAS), or by an appointed partner. Its opening findings letter is a claim, not a bill. In our 2024 to 2025 engagement file, first findings overstated exposure by 30 to 60 percent against verified use.
This playbook delivers the five things that decide the outcome: the first 5 days response calendar, the contractual scope limits that contain the GLAS engagement, the evidence pack that deflates inflated findings, the settlement structures that reshape the close, and the BATNA that constrains Oracle's pricing posture.
In the representative scenario modeled below, a $6,341,200 findings letter settles at $904,752, roughly 86 percent below the opening claim, by following this map.
The 90 Day Map at a Glance
The response splits into three phases. Days 0 to 5 are about control: who speaks, what is frozen, what the contract actually says. Days 6 to 30 are about evidence: building your own verified deployment baseline before Oracle measures anything. Days 31 to 90 are about negotiation: controlled data submission, contesting findings, and structuring the close.
Take control
Acknowledge in writing, open a privileged workstream, name one spokesperson, freeze changes to the Oracle estate, and read the audit clause before answering anything.
Build the evidence
Run your own inventory, separate installed from used, document virtualization boundaries, and agree the audit scope and tooling with GLAS in writing.
Negotiate the close
Submit data on your terms, test every finding line against the evidence pack, contest back support, and pick the settlement structure before talking numbers.
The three phase response map. The contractual 45 day notice window covers all of phase one and most of phase two.
The First 5 Days: The Response Calendar
The most expensive mistakes in an Oracle audit happen in week one, before anyone senior is even paying attention. Someone replies helpfully, volunteers data, or agrees a kickoff date inside the notice window. Each of those gifts away leverage the contract gave you.
| Day | Action | Why it matters |
|---|---|---|
| Day 1 | Acknowledge receipt in writing, nothing more. Open a privileged workstream under legal. Freeze changes to the Oracle estate. | An early helpful reply becomes Oracle's anchor. New deployments made after notice become findings. |
| Day 2 | Pull every Oracle contract: master agreement, ordering documents, amendments. Locate the audit clause and the named legal entity. | The contract, not the GLAS letter, defines what you owe the process. |
| Day 3 | Name a single spokesperson. Instruct all staff, including DBAs, that nobody else communicates with Oracle. | GLAS routinely emails admins directly. Side channel answers become evidence. |
| Day 4 | Start the internal inventory: installations, options, packs, and the virtualization estate they sit on. | Your verified baseline must exist before Oracle proposes its measurement. |
| Day 5 | Respond formally: confirm cooperation per the contract, request the audit plan and tooling in writing, propose scope and timeline. | You set the cadence inside the 45 day window instead of accepting Oracle's. |
Contractual Scope Limits That Contain the Engagement
GLAS opens wide by default: all entities, all environments, all products, full script output. The audit clause is narrower. Containment means holding the engagement to what the contract actually grants, politely and in writing, before any data moves.
| GLAS will ask for | The contract supports | The buyer side move |
|---|---|---|
| Data on all group companies | The legal entity named in the agreement under audit | Confirm the audited entity in writing; exclude affiliates not party to the contract. |
| Full estate script sweep | Verification of use of the licensed Programs | Agree tooling and scope first; exclude environments with no Oracle software. |
| Whole VMware cluster data | Nothing: partitioning rules live in a policy paper, not your contract | Provide host level facts and reserve position on the policy in writing. |
| An immediate kickoff call | An audit that begins after 45 days written notice | Use the full window. Scheduling is mutual, not dictated. |
| Years of back support on findings | No back support clause for never licensed use; fees follow a negotiated order | Treat back support as a negotiation line, not an invoice. |
The same applies to the audited products. The clause covers the Programs licensed under the agreement cited in the notice. A notice citing your database agreement is not an open invitation to review Java, middleware, and applications estates. Each extension of scope is a concession you can trade, not a courtesy you owe.
The Evidence Pack Against Finding Inflation
Findings inflate in three predictable ways: options counted as used wherever installed, virtualized hosts counted as whole clusters, and usage assumed to stretch back years for back support. The evidence pack is the set of artifacts that beats each inflation at the line level.
Build it in days 6 to 30, before any submission. The pack that wins contains: feature usage reports per database, AWR and pack access logs, virtualization topology with host CPU inventories, deployment dates from change records, and the entitlement map from your ordering documents.
The representative scenario below is a manufacturing estate audited on its database agreement. List prices follow Oracle's technology price list: Database Enterprise Edition at $47,500 per processor, RAC at $23,000, Partitioning at $11,500, Diagnostics Pack at $7,500, and Tuning Pack at $5,000 per processor.
| Finding line | GLAS findings letter | Verified position |
|---|---|---|
| Database EE on VMware cluster | 40 processors · $1,900,000 | 24 processors · $1,140,000 |
| Real Application Clusters | 20 processors · $460,000 | 12 processors · $276,000 |
| Partitioning option | 40 processors · $460,000 | 12 processors · $138,000 |
| Diagnostics Pack | 80 processors · $600,000 | 40 processors · $300,000 |
| Tuning Pack | 80 processors · $400,000 | 0 processors · $0 |
| License subtotal | $3,820,000 | $1,854,000 |
| Back support claim | 3 years · $2,521,200 | 1 year forward · $407,880 |
| Total exposure | $6,341,200 | $2,261,880 |
Benchmark scenario, not a quote. Benchmark ranges: Redress Compliance advisory engagement file, 2024 to 2025.
License findings by line, letter versus verified. Values match the scenario table; back support shown separately.
The verified position of $2,261,880 sits 64 percent below the $6,341,200 opening claim, before any discount is negotiated.
Across our 2024 to 2025 audit response file, first findings overstated exposure by 30 to 60 percent against verified use.
Settlement Structures That Reshape the Close
Oracle audits do not end with a check for the findings letter. They end with a commercial structure, and the structure you choose moves the number more than the discount percentage does. Four paths cover almost every close.
| Settlement path | Structure | Scenario cost |
|---|---|---|
| Pay the findings letter | Claim at list plus 3 years back support. Nobody should land here. | $6,341,200 |
| Verified position at list | Evidence pack applied, back support reduced to 1 year forward dated support. | $2,261,880 |
| ULA as settlement vehicle | 3 year unlimited agreement absorbing the gap: $1,200,000 license plus $264,000 first year support. Defers, not resolves, the count. | $1,464,000 |
| Negotiated net new order | 60 percent discount on the verified $1,854,000 list gap: $741,600 license plus $163,152 first year support at 22 percent. | $904,752 |
Benchmark scenario, not a quote. Benchmark ranges: Redress Compliance advisory engagement file, 2024 to 2025.
The four settlement paths in the benchmark scenario. The structure, not the discount, does most of the work.
Two cautions on structure. A ULA closes the audit but converts a finding into a multi year relationship with its own certification fight at exit; size it only if growth genuinely justifies it. And a cloud commitment offered as settlement trades compliance paper for consumption you may not need. Both are fine instruments and poor reflexes.
The BATNA That Constrains Oracle's Pricing
GLAS pricing posture tracks one variable: whether you have a credible alternative to writing the check. A buyer with a documented walk away path gets a different discount band than a buyer who needs the audit closed by quarter end.
The credible alternatives that moved our 2024 to 2025 closes: migrating contested workloads to PostgreSQL or to hyperscaler managed databases, moving lapsed support estates to third party support, decommissioning the installed not used options the findings priced, and simple time, because a buyer who controls the timeline can let Oracle's quarter end arrive first.
None of these need to be executed to work. They need to be documented, costed, and visibly board ready. The point of a BATNA is that Oracle prices against it instead of against your fear.
Anchor your position in the primary sources before the first call: the audit basis on the Oracle License Management Services page, your contract documents on the Oracle contracts page, and current list pricing on Oracle's published price lists.
Our Recommendation
Run the map, not the reflex: take the full 45 day window, build the verified baseline before any data leaves the building, and negotiate the structure before the number.
- If the notice has landed: execute the day 1 to day 5 calendar this week, and bring a buyer side advisor in before any data or kickoff date is agreed. The first baseline you give Oracle anchors the whole audit.
- If it has not landed yet: build the evidence pack now as a standing asset. An estate that can prove real deployment in 30 days has already removed the 30 to 60 percent inflation the findings letter relies on.
Redress Compliance is 100 percent buyer side: 500+ enterprise clients, $2B+ under advisory, and audit responses run against Oracle every month. Contact us before you answer the notice. We are glad to tie a meaningful part of the fee to delivered value.