Phase 1: Immediate Response (Day 1-3)
▼
STOP — Do not respond to Oracle directly yet
Any information shared with Oracle can be used against you. Pause all communication until you have a strategy.
Critical
Verify the audit letter is legitimate
Confirm the letter references your specific contract clause granting audit rights. Not all Oracle communications are formal audits.
Identify which contract clause Oracle is invoking
Oracle audit rights vary by agreement type (OMA, OLSA, CSA, cloud). The clause defines scope, process, and your obligations.
Important
Assemble your internal audit response team
Include: IT/DBA lead, procurement/contracts, legal, and executive sponsor. Define roles and communication protocol.
Engage independent Oracle audit defence advisory
Do NOT use your Oracle account team or Oracle-affiliated consultants. Independent advisors protect your interests.
Critical
Impose a communication blackout with Oracle
All Oracle communication should go through a single designated contact. No one else should discuss the audit with Oracle.
Important
Preserve all existing licence documentation
Gather and secure all Oracle purchase orders, licence agreements, ULAs, CSIs, and support renewal records immediately.
Phase 2: Rights & Scope Assessment (Day 3-10)
▼
Review your Oracle contract audit clause in detail
Understand exactly what Oracle can request, what tools they can use, and what access they require. Many clauses are narrower than Oracle claims.
Determine if Oracle has the contractual right to audit
Some agreements limit audit frequency, require advance notice, or restrict scope. Challenge any overreach.
Important
Challenge the audit scope if overly broad
Oracle often requests data beyond their contractual right. Push back on scope expansion.
Verify Oracle has provided required advance notice
Most contracts require 30-45 days written notice. Insufficient notice is grounds for delay.
Important
Confirm the audit covers only Oracle products
Oracle cannot audit non-Oracle products. Ensure scope is limited to Oracle-branded software only.
Identify products that are out of scope
Products under separate agreements, cloud subscriptions, or third-party products should be excluded.
Phase 3: Internal Discovery (Day 10-30)
▼
Run your OWN Oracle software discovery before Oracle does
Use independent tools (not Oracle LMS scripts) to understand your deployment first. Never let Oracle discover your environment blind.
Critical
Inventory all Oracle database installations (including dormant)
Include production, development, test, DR, and any forgotten installations. Unremoved installations are still countable.
Document Oracle options and packs in use
Oracle Database options (Partitioning, RAC, Advanced Security, Diagnostics, Tuning) are the #1 source of audit findings.
Important
Map all VMware, OVM, and cloud deployments running Oracle
Virtualisation licensing is the most complex and highest-value audit area. Every host in a VMware cluster may be in scope.
Critical
Identify all Java, middleware, and technology products
WebLogic, Java SE subscriptions, and middleware products are increasingly audited. Document every installation.
Check for Oracle products installed by third-party applications
Many third-party apps bundle Oracle databases. These installations may require separate Oracle licences.
Compile your complete entitlement position
Match every deployment against your licence entitlements. Identify gaps and over-deployments.
Important
Phase 4: Effective Licence Position (Day 30-45)
▼
Build your Effective Licence Position (ELP) document
The ELP is your primary audit deliverable. It must reconcile deployments against entitlements for every Oracle product.
Critical
Reconcile processor licence requirements using Oracle rules
Apply Oracle processor core factor table correctly. Ensure virtualisation soft partitioning rules are applied properly.
Validate Named User Plus (NUP) minimums are met
Oracle enforces minimums: 25 NUP per processor for EE, 5 for SE2. Many organisations are caught on minimums.
Important
Review Standard Edition 2 socket and user limits
SE2 is limited to 2 sockets and specific user counts. Exceeding limits triggers Enterprise Edition licensing.
Identify any legitimate compliance gaps
Where gaps exist, quantify them accurately. Do not over-report — but do not hide gaps that Oracle will find.
Prepare counter-arguments for grey areas
Many Oracle licensing rules are ambiguous. Document your interpretation with supporting evidence for any disputed areas.
Important
Phase 5: Oracle Engagement (Day 45-60)
▼
Submit your ELP to Oracle through your designated contact
Provide only the data you are contractually obligated to share. Do not volunteer additional information.
Important
Do NOT allow Oracle to run LMS scripts on your systems
Oracle LMS scripts collect far more data than needed and are interpreted in Oracle's favour. Use your own discovery data.
Critical
Challenge any Oracle findings that differ from your ELP
Oracle will likely claim higher usage. Require them to explain every discrepancy with specific evidence.
Do not accept Oracle preliminary findings as final
Oracle initial findings are negotiating positions, not facts. Every number is challengeable.
Important
Request Oracle provide their calculation methodology
Oracle must show how they calculated each licence requirement. Demand transparency.
Track all communications and maintain an audit log
Document every email, call, and meeting. This protects you if disputes escalate.
Phase 6: Negotiation & Settlement (Day 60-90+)
▼
Never accept the first Oracle compliance claim
Initial claims are typically inflated by 2-5x. Every element is negotiable.
Critical
Challenge Oracle pricing in any back-licence proposal
Oracle will propose list price for any gaps. Negotiate discounts equivalent to your existing agreement levels.
Evaluate whether a ULA or ELA resolves the compliance gap more cost-effectively
Sometimes an unlimited agreement costs less than back-licensing individual products. Model both options.
Important
Consider future needs when negotiating settlement
Any settlement should address both the compliance gap AND your forward-looking requirements.
Negotiate extended payment terms if needed
Oracle settlements can be structured over 1-3 years rather than immediate payment.
Get all settlement terms in writing before signing
Verbal commitments from Oracle have no value. Every term must be documented in the settlement agreement.
Important
Phase 7: Post-Audit Protection
▼
Implement ongoing Oracle licence monitoring
Deploy continuous compliance monitoring to prevent future gaps from accumulating.
Important
Document lessons learned from the audit
Record what went well, what was challenged, and what was missed for future reference.
Implement change controls for Oracle deployments
Require approval workflows for any new Oracle installations, options, or environment changes.
Calendar the next potential audit window
Oracle typically waits 2-3 years between audits. Plan accordingly.
Review and optimise your Oracle estate
Use the audit as a catalyst to right-size: remove unused options, consolidate databases, and reduce processor count.
Recommended
Negotiate audit frequency limits into your next contract
At your next renewal, negotiate a clause limiting Oracle audit rights (e.g., no more than once every 3 years).
Tip