Oracle Audit Defence

Oracle Audit Response Playbook

Step-by-step checklist from receiving an Oracle audit letter through to resolution. 40+ action items across 7 phases.

Key figures: 40+ action items, 7 phases, $1M+ average Oracle claim.

Phase 1: Immediate Response (Day 1-3)

STOP — Do not respond to Oracle directly yet [Critical]
Any information shared with Oracle can be used against you. Pause all communication until you have a strategy.

Verify the audit letter is legitimate
Confirm the letter references your specific contract clause granting audit rights. Not all Oracle communications are formal audits.

Identify which contract clause Oracle is invoking [Important]
Oracle audit rights vary by agreement type (OMA, OLSA, CSA, cloud). The clause defines scope, process, and your obligations.

Assemble your internal audit response team
Include: IT/DBA lead, procurement/contracts, legal, and executive sponsor. Define roles and communication protocol.

Engage independent Oracle audit defence advisory [Critical]
Do NOT use your Oracle account team or Oracle-affiliated consultants. Independent advisors protect your interests.

Impose a communication blackout with Oracle [Important]
All Oracle communication should go through a single designated contact. No one else should discuss the audit with Oracle.

Preserve all existing licence documentation
Gather and secure all Oracle purchase orders, licence agreements, ULAs, CSIs, and support renewal records immediately.

Phase 2: Rights & Scope Assessment (Day 3-10)

Review your Oracle contract audit clause in detail [Important]
Understand exactly what Oracle can request, what tools they can use, and what access they require. Many clauses are narrower than Oracle claims.

Determine if Oracle has the contractual right to audit
Some agreements limit audit frequency, require advance notice, or restrict scope. Challenge any overreach.

Challenge the audit scope if overly broad [Important]
Oracle often requests data beyond their contractual right. Push back on scope expansion.

Verify Oracle has provided required advance notice
Most contracts require 30-45 days' written notice. Insufficient notice is grounds for delay.

Confirm the audit covers only Oracle products
Oracle cannot audit non-Oracle products. Ensure scope is limited to Oracle-branded software only.

Identify products that are out of scope
Products under separate agreements, cloud subscriptions, or third-party products should be excluded.

Phase 3: Internal Discovery (Day 10-30)

Run your OWN Oracle software discovery before Oracle does [Critical]
Use independent tools (not Oracle LMS scripts) to understand your deployment first. Never let Oracle discover your environment blind.

Inventory all Oracle database installations (including dormant)
Include production, development, test, DR, and any forgotten installations. Unremoved installations are still countable.

Document Oracle options and packs in use [Important]
Oracle Database options (Partitioning, RAC, Advanced Security, Diagnostics, Tuning) are the #1 source of audit findings.

Map all VMware, OVM, and cloud deployments running Oracle [Critical]
Virtualisation licensing is the most complex and highest-value audit area. Every host in a VMware cluster may be in scope.

Identify all Java, middleware, and technology products
WebLogic, Java SE subscriptions, and middleware products are increasingly audited. Document every installation.

Check for Oracle products installed by third-party applications
Many third-party apps bundle Oracle databases. These installations may require separate Oracle licences.

Compile your complete entitlement position [Important]
Match every deployment against your licence entitlements. Identify gaps and over-deployments.

Phase 4: Effective Licence Position (Day 30-45)

Build your Effective Licence Position (ELP) document [Critical]
The ELP is your primary audit deliverable. It must reconcile deployments against entitlements for every Oracle product.

Reconcile processor licence requirements using Oracle rules
Apply the Oracle processor core factor table correctly. Ensure virtualisation soft partitioning rules are applied properly.

Validate Named User Plus (NUP) minimums are met [Important]
Oracle enforces minimums: 25 NUP per processor for EE, 5 for SE2. Many organisations are caught on minimums.

Review Standard Edition 2 socket and user limits
SE2 is limited to 2 sockets and specific user counts. Exceeding limits triggers Enterprise Edition licensing.

Identify any legitimate compliance gaps
Where gaps exist, quantify them accurately. Do not over-report — but do not hide gaps that Oracle will find.

Prepare counter-arguments for grey areas [Important]
Many Oracle licensing rules are ambiguous. Document your interpretation with supporting evidence for any disputed areas.

Phase 5: Oracle Engagement (Day 45-60)

Submit your ELP to Oracle through your designated contact [Important]
Provide only the data you are contractually obligated to share. Do not volunteer additional information.

Do NOT allow Oracle to run LMS scripts on your systems [Critical]
Oracle LMS scripts collect far more data than needed and are interpreted in Oracle's favour. Use your own discovery data.

Challenge any Oracle findings that differ from your ELP
Oracle will likely claim higher usage. Require them to explain every discrepancy with specific evidence.

Do not accept Oracle's preliminary findings as final [Important]
Oracle's initial findings are negotiating positions, not facts. Every number is challengeable.

Request that Oracle provide their calculation methodology
Oracle must show how they calculated each licence requirement. Demand transparency.

Track all communications and maintain an audit log
Document every email, call, and meeting. This protects you if disputes escalate.

Phase 6: Negotiation & Settlement (Day 60-90+)

Never accept the first Oracle compliance claim [Critical]
Initial claims are typically inflated by 2-5x. Every element is negotiable.

Challenge Oracle pricing in any back-licence proposal
Oracle will propose list price for any gaps. Negotiate discounts equivalent to your existing agreement levels.

Evaluate whether a ULA or ELA resolves the compliance gap more cost-effectively [Important]
Sometimes an unlimited agreement costs less than back-licensing individual products. Model both options.

Consider future needs when negotiating settlement
Any settlement should address both the compliance gap AND your forward-looking requirements.

Negotiate extended payment terms if needed
Oracle settlements can be structured over 1-3 years rather than immediate payment.

Get all settlement terms in writing before signing [Important]
Verbal commitments from Oracle have no value. Every term must be documented in the settlement agreement.

Phase 7: Post-Audit Protection

Implement ongoing Oracle licence monitoring [Important]
Deploy continuous compliance monitoring to prevent future gaps from accumulating.

Document lessons learned from the audit
Record what went well, what was challenged, and what was missed for future reference.

Implement change controls for Oracle deployments
Require approval workflows for any new Oracle installations, options, or environment changes.

Calendar the next potential audit window
Oracle typically waits 2-3 years between audits. Plan accordingly.

Review and optimise your Oracle estate
Use the audit as a catalyst to right-size: remove unused options, consolidate databases, and reduce processor count.

Negotiate audit frequency limits into your next contract [Tip]
At your next renewal, negotiate a clause limiting Oracle audit rights (e.g., no more than once every 3 years).

Need Expert Oracle Audit Defence?

Redress Compliance has defended hundreds of Oracle audits. Our audit defence advisory typically reduces Oracle claims by 50-90%. Do not engage Oracle without independent support.
