When an enterprise receives a communication from Oracle about licensing compliance, the first instinct is to treat “Oracle” as a monolithic entity. It is not. Oracle’s compliance and audit activities are conducted by at least four distinct organisational units, each with different reporting structures, different revenue models, different levels of technical sophistication, different legal authority, and — critically — different commercial objectives. The enterprise that understands which Oracle organisation it is dealing with can calibrate its response accordingly: how much data to provide, how aggressively to challenge findings, where the negotiation leverage lies, and what Oracle’s endgame is. The enterprise that treats every Oracle compliance communication identically — as a generic “audit” requiring generic “cooperation” — will overpay every time, because it is responding to a sales exercise with the posture appropriate for a legal proceeding, or vice versa. This guide maps Oracle’s audit landscape: every organisation, every mandate, every tactic, and every vulnerability. If Oracle is talking to you about compliance, this is the intelligence briefing you need before your next meeting.
Consider two enterprises, both receiving a communication from Oracle about Java compliance in the same week.
Enterprise A receives a formal audit notification letter, citing specific contractual audit clauses from its Oracle Master Agreement, requesting data collection within 45 days, and signed by Oracle’s Global Licensing and Advisory Services organisation. This is a contractual audit with legal authority. Enterprise A has specific obligations, specific rights, and a specific timeline governed by the contract.
Enterprise B receives a phone call from its Oracle sales representative, who mentions that Oracle has “identified potential Java installations” in Enterprise B’s environment and would like to schedule a “compliance review” to “help Enterprise B understand its licensing position.” No contract clause is cited. No formal letter is sent. No legal authority is invoked.
Both enterprises hear “Oracle wants to audit us.” Both enterprises feel the same anxiety. But the two situations are fundamentally different in terms of legal obligation, required response, available defences, and commercial exposure. Enterprise A is in a contractual proceeding with defined rules. Enterprise B is in a sales conversation with no rules at all. The enterprise that treats them identically makes a strategic error that costs real money — either by over-cooperating with a sales conversation (providing data that creates compliance exposure where none existed) or by under-responding to a contractual audit (triggering escalation that eliminates negotiation leverage).
Understanding Oracle’s audit organisations is not academic. It is the foundation of every effective audit response.
Oracle License Management Services (LMS) was Oracle’s dedicated licensing compliance organisation from the early 2000s through approximately 2019. LMS was the team that conducted formal software licence audits under the contractual audit clauses in Oracle Master Agreements and ordering documents. For nearly two decades, LMS was the name that made Oracle customers nervous — and with good reason. For more detail, see our Oracle license management services.
LMS was structured as a revenue-generating organisation within Oracle. The team’s performance was measured on the licensing revenue generated from audit findings: back-licence fees, new licence purchases to resolve compliance gaps, and support revenue from those new licences. LMS auditors were Oracle employees with deep technical knowledge of Oracle’s product portfolio, licensing metrics, counting methodologies, and — critically — the specific architectural patterns that create compliance exposure (virtualisation, database options, middleware sprawl).
LMS conducted formal audits under contract. The process was standardised and well-documented (from Oracle’s perspective): the audit notification letter citing contractual authority, the deployment of Oracle’s data collection scripts, the analysis of deployment data against entitlements, the preliminary findings report quantifying the compliance gap, and the commercial resolution (typically a new licence purchase, ULA, or support expansion). For the complete audit process, see our Oracle Audit Letter Playbook.
LMS built and maintained Oracle’s audit data collection scripts — the technology tools that enumerate Oracle product installations, detect enabled features and options, count users and processors, and catalogue the physical and virtual infrastructure. These scripts were (and remain) the technical foundation of Oracle’s audit capability. For guidance on what these scripts actually collect and how to interpret the output, see our guides on Oracle audit scripts and interpreting LMS database script output.
The LMS name has been formally retired, replaced by GLAS (see below). However, the people, the processes, the scripts, and the institutional knowledge of LMS did not disappear. They were absorbed into the successor organisation. Many current GLAS auditors are former LMS staff. The LMS scripts continue to be used (with updates for new product versions). And Oracle customers with long histories still refer to any Oracle audit as an “LMS audit,” regardless of the current organisational name.
The practical implication: if you see references to “LMS” in older Oracle correspondence, contract amendments, or internal documentation, understand that LMS is the predecessor of GLAS. The contractual audit rights, the data collection processes, and the commercial objectives are substantively the same. The rebranding changed the name. It did not change the game.
Global Licensing and Advisory Services (GLAS) is Oracle’s current dedicated licensing compliance organisation. GLAS replaced LMS as Oracle’s formal audit function and inherited LMS’s mandate, tools, and much of its personnel. GLAS is the organisation that sends formal audit notification letters, conducts contractual audits, analyses deployment data, and produces compliance findings.
The rebranding from LMS to GLAS was not merely cosmetic — it reflected a strategic repositioning. The “Advisory Services” in the name signals Oracle’s attempt to reposition the audit function as a “helpful” service that assists customers in understanding their licensing position, rather than an enforcement arm that finds non-compliance and extracts revenue. The positioning is aspirational. The economic incentives are unchanged. GLAS auditors are still measured on the commercial outcomes of their engagements.
GLAS conducts two types of engagements:
Formal contractual audits: Invoked under the audit clause in the Oracle Master Agreement. These are legally binding proceedings in which the customer has a contractual obligation to cooperate. The audit notification letter will cite the specific contract clause, identify the scope (products, entities, time period), and specify the response timeline (typically 45 days). The customer must respond. Failure to cooperate is a contract breach.
“Advisory” reviews: Positioned as voluntary engagements where GLAS offers to help the customer understand its licensing position. These reviews are technically not audits — they are not invoked under the contract’s audit clause, and the customer has no contractual obligation to participate. However, GLAS presents them in language that blurs the distinction, and many customers treat advisory reviews as mandatory when they are not.
The critical distinction: a formal audit invoked under the contract audit clause creates legal obligations. An advisory review does not. The customer’s response strategy should differ accordingly. For the formal audit, cooperate within the contractual requirements while controlling the scope and data flow. For the advisory review, evaluate whether participation serves the customer’s interests — and decline if it does not.
Based on Redress Compliance’s experience defending hundreds of Oracle audits, GLAS engagements follow predictable patterns:
Enterprises in a GLAS audit have specific rights that many do not exercise:
Oracle’s Software Investment Advisory (SIA) programme is a compliance engagement positioned as a collaborative, non-punitive review designed to help customers “optimise their Oracle investment.” SIA reviews are presented as customer-friendly exercises where Oracle analyses the customer’s deployment, identifies optimisation opportunities, recommends right-sizing, and provides a compliance roadmap — all without the adversarial posture of a formal audit.
The framing is appealing. The reality requires careful evaluation. For the critical perspective on SIA, see our dedicated analysis.
SIA reviews differ from GLAS audits in several important ways:
SIA’s danger lies in the gap between its positioning and its commercial function:
Data volunteered in an SIA review can be used in a future audit. The SIA programme does not include a “safe harbour” guarantee that data collected during the SIA review cannot be used in a subsequent formal GLAS audit. An enterprise that cooperates fully with an SIA review, providing comprehensive deployment data in the spirit of “collaborative optimisation,” has effectively pre-populated Oracle’s audit database. If a formal GLAS audit follows, Oracle already has the data.
SIA “recommendations” become audit leverage. When SIA identifies a compliance gap (framed as an optimisation opportunity) and the customer does not act on it, that identified gap becomes a documented non-compliance finding that GLAS can reference in a subsequent audit. The customer was “informed” of the issue during SIA and chose not to resolve it — which strengthens Oracle’s position in any subsequent compliance dispute.
SIA findings feed Oracle’s sales pipeline. SIA reports are shared with Oracle’s sales organisation. Every “optimisation opportunity” identified by SIA becomes a sales lead. The customer receives a call from Oracle sales within weeks of the SIA report, proposing licence purchases, cloud migrations, and ULAs that address the SIA findings. The “advisory” service has functioned as a sales qualification tool.
If Oracle proposes an SIA review, evaluate it with the same strategic discipline you would apply to a formal audit. Key questions: What specific data will SIA collect? Can you limit the scope to specific product families? Does the SIA engagement letter include a safe harbour clause that prevents SIA findings from being used in a subsequent formal audit? Will SIA findings be shared with Oracle’s sales organisation? If Oracle cannot provide satisfactory answers to these questions, decline the SIA review and conduct your own internal assessment using independent advisory support instead.
Redress Compliance provides independent Oracle licensing advisory services — fixed-fee, no vendor affiliations. Our specialists have helped enterprises save millions through strategic license optimization, audit defense, and contract negotiation.
Explore Oracle Advisory Services →The most common Oracle compliance engagement is not conducted by LMS, GLAS, or SIA. It is conducted by Oracle’s sales team. A sales representative or account manager contacts the customer, mentions “compliance concerns,” “licensing gaps,” or “installations we’ve identified,” and proposes a “quick review” to “help the customer get compliant.”
Sales-led compliance reviews are not audits. They have no contractual authority. The customer has no obligation to participate, provide data, or respond. They are sales conversations disguised as compliance proceedings, and they are extraordinarily effective because most enterprises do not recognise the distinction.
The typical pattern:
Sales-led reviews are the most commercially dangerous Oracle compliance engagement — not because of the legal authority behind them (there is none), but because of the information asymmetry they exploit.
The customer provides data voluntarily. In a formal GLAS audit, the customer’s data disclosure obligations are governed by the contract. In a sales-led review, the customer has no obligation to provide any data at all — but often does, because the conversation feels like an audit and the customer does not want to appear uncooperative. Every piece of data voluntarily provided becomes ammunition for Oracle’s commercial proposal.
The “finding” is unverified. GLAS audit findings, while often inflated, are at least based on systematic data collection using standardised scripts. Sales-led “findings” may be based on incomplete intelligence, assumptions, or speculation. The customer may be accused of non-compliance that does not actually exist — but without an independent assessment, cannot verify the claim.
The commercial resolution is pre-determined. In a GLAS audit, the compliance finding is produced first and the commercial resolution is negotiated second. In a sales-led review, the commercial resolution (a specific licence purchase, a specific ULA, a specific cloud commitment) is often determined before the compliance “finding” is produced. The finding is reverse-engineered to justify the predetermined sale. The enterprise buys what Oracle wanted to sell, not what the compliance gap (if any) actually requires.
The single most important question. If Oracle cites a specific contractual audit clause and sends a formal notification letter, it is a GLAS audit with contractual obligations. If Oracle does not cite an audit clause, it is a sales conversation. Respond accordingly.
In a sales-led review, you have no obligation to provide deployment data, run scripts, or disclose any information about your Oracle environment. Politely decline the data request. If Oracle wants to conduct a formal audit, it can invoke the contractual audit clause — which triggers your rights (scope limits, script review, data review) alongside your obligations.
If Oracle’s sales-led outreach raises genuine concerns about your compliance position, conduct an internal assessment using independent advisory support — not with Oracle’s help. An independent assessment identifies your actual compliance position without exposing data to Oracle and without creating the information asymmetry that a sales-led review exploits.
If the sales-led review results in a commercial proposal from Oracle (licence purchase, ULA, cloud commitment), evaluate it on its own commercial merits, not as a compliance remediation. Use independent pricing benchmarks to validate Oracle’s proposed rates. The compliance concern may be legitimate, inflated, or entirely fabricated — but the commercial proposal should be evaluated regardless of the compliance context.
Received an Oracle audit notification? Our free audit risk assessment evaluates your compliance position and identifies whether you're facing a formal GLAS audit or an advisory review.
Take the Free Assessment →| Dimension | GLAS (Formal Audit) | GLAS (Advisory Review) | SIA | Sales-Led Review |
|---|---|---|---|---|
| Legal authority | Contract audit clause | None (voluntary) | None (voluntary) | None (sales conversation) |
| Obligation to cooperate | Yes (contractual) | No | No | No |
| Notification method | Formal letter citing contract | Letter or email, no clause cited | Proposal for “collaborative review” | Phone call or email from sales rep |
| Data collection | Standardised scripts | Same scripts | Same scripts | Informal questions, partial data |
| Finding quality | Systematic but inflated | Systematic but inflated | Framed as “optimisation” | May be speculative |
| Commercial objective | Back-licence + new sale | New sale | Sales pipeline qualification | Pre-determined sale |
| Typical finding inflation | 50–90% | 50–90% | Disguised as advice | Unknown (unverified) |
| Your best response | Controlled cooperation + challenge | Evaluate participation, may decline | Decline unless safe harbour guaranteed | Decline data, assess independently |
| Escalation path for Oracle | Legal proceedings (rare) | Convert to formal audit | Convert to formal audit | Invoke formal audit clause |
| Your escalation leverage | Contract rights, dispute resolution | Right to decline entirely | Right to decline entirely | Right to decline entirely |
Oracle sometimes engages third-party audit firms (historically Deloitte, KPMG, PwC, and others) to conduct audits on its behalf. Third-party auditors add a layer of complexity to the engagement:
They have the same contractual authority as GLAS when engaged under the audit clause. The contract permits Oracle to use “agents” for compliance verification. A third-party firm acting on Oracle’s behalf has the same audit rights (and is subject to the same limitations) as Oracle’s internal team.
They are technically competent but commercially misaligned. Third-party auditors are skilled at data collection and technical analysis, but their commercial incentives may differ from Oracle’s. The third-party firm is paid by Oracle to produce thorough findings. Thoroughness, in this context, means finding every possible compliance gap — regardless of whether the gap is commercially material, contractually defensible, or technically accurate.
They can be more procedurally rigid. Third-party auditors follow standardised methodologies that may be less flexible than Oracle’s internal team when presented with nuanced technical or contractual arguments. Challenging findings with a third-party auditor may require more formal documentation and evidence than the same challenge would require with GLAS directly.
They provide a perception of independence that does not exist. Oracle engages and pays the third-party firm. The firm reports to Oracle. The firm’s findings serve Oracle’s commercial interests. The presence of a recognisable third-party name (Deloitte, KPMG) lends a veneer of neutrality to findings that are produced under the same commercial incentives as an internal GLAS audit. Do not mistake the third-party brand for independent assessment. True independence comes from the customer’s own independent advisory engagement, not from Oracle’s chosen auditor.
Oracle’s Java compliance engagements deserve special mention because they frequently bypass the formal GLAS process entirely. Most Java compliance “audits” are actually sales-led or “soft” audits conducted by Oracle’s Java-focused sales team rather than GLAS.
The pattern: Oracle identifies Oracle JDK installations (through network scanning, download records, telemetry data, or third-party intelligence), contacts the customer through the sales channel, presents a retroactive licensing claim, and proposes a forward Java SE subscription as the resolution. The entire engagement — from initial contact to commercial proposal — is conducted by Oracle’s sales organisation, not GLAS.
The implication: Java compliance engagements are almost always sales conversations, not contractual audits. The enterprise has no obligation to provide data, accept the retroactive claim, or sign a subscription. The appropriate response is to assess the Java compliance position independently (using independent Java advisory services), migrate to OpenJDK where possible, and negotiate any required subscription at market rates with full pricing benchmarks. For the complete Java audit defence strategy, see our Java Audit Guide and case studies showing how enterprises have resolved Java claims from $500K to $20M at zero cost.
Oracle’s Verified SAM (Software Asset Management) programme deserves mention as a fifth Oracle compliance touchpoint. The programme engages with SAM tool vendors and customers to “validate” the customer’s Oracle deployment data through Oracle-approved tools and processes.
The programme is positioned as helping customers maintain compliance. The commercial reality: Oracle Verified SAM provides Oracle with continuous visibility into the customer’s deployment landscape. This visibility informs targeting decisions for future audits and sales-led compliance reviews. An enterprise participating in Oracle Verified SAM is effectively providing Oracle with real-time intelligence about its deployment that Oracle can use to time audit engagements for maximum commercial impact (e.g., initiating an audit when the data shows the customer has expanded Oracle usage significantly without purchasing additional licences). For the detailed evaluation, see our Oracle Verified SAM pros and cons analysis.
The optimal response to an Oracle compliance engagement depends entirely on which organisation you are dealing with. Here is the framework:
Before any substantive response, determine exactly who within Oracle is initiating the engagement. Read the communication carefully. Is it a formal letter citing a contractual audit clause (GLAS formal audit)? An email proposing a “licensing review” without contractual reference (GLAS advisory or SIA)? A phone call from your Oracle sales representative (sales-led review)? The answer determines your obligations, your rights, and your strategy.
Only a formal GLAS audit invoked under the contract audit clause creates a legal obligation to cooperate. All other engagement types are voluntary. Do not voluntarily cooperate with a non-mandatory engagement unless you have determined that participation serves your commercial interests. It almost never does.
Regardless of which organisation you are dealing with, the fundamental principle is the same: every piece of data you provide to Oracle will be used to maximise Oracle’s commercial position. Provide only what the contract requires (in a formal audit) or nothing at all (in a voluntary engagement). Review all data before submission. Redact out-of-scope information. Document all communications in writing.
Regardless of the engagement type, engaging independent Oracle licensing advisory support within the first week of any Oracle compliance communication provides the strategic framework, technical expertise, and negotiation leverage that the internal team typically lacks. The advisory engagement cost is a fraction of the commercial exposure reduction it enables — whether the engagement is a $50M formal audit or a $500K sales-led Java review.
Every Oracle compliance engagement — regardless of which organisation conducts it — has the same endgame: a commercial transaction that generates new Oracle revenue. A licence purchase. A ULA. A cloud commitment. A support expansion. The compliance finding is the means; the transaction is the end. Every decision you make during the engagement should be evaluated against this reality: does this action move the enterprise toward a fair commercial outcome, or does it increase Oracle’s leverage to extract a premium commercial outcome?
“Oracle does not have an audit organisation. Oracle has a revenue organisation that uses compliance as its sales methodology. LMS, GLAS, SIA, and sales-led reviews are four different delivery mechanisms for the same commercial objective. The enterprise that understands this — that sees the compliance communication as a commercial opening move rather than a legal proceeding — responds with commercial discipline: controlled data disclosure, independent assessment, methodical challenge of findings, and negotiation based on the enterprise’s actual position, not Oracle’s inflated calculation. The enterprise that does not understand this provides everything Oracle asks for, accepts Oracle’s interpretation of everything it finds, and signs whatever commercial proposal Oracle presents as the ‘resolution.’ The difference between the two responses is typically 50–90% of the financial outcome — millions of dollars determined by whether the enterprise understood who it was dealing with.” — Fredrik Filipsson, Co-Founder, Redress Compliance
LMS (License Management Services) was Oracle’s original audit organisation, active from the early 2000s through approximately 2019. GLAS (Global Licensing and Advisory Services) replaced LMS as Oracle’s formal audit function, inheriting its mandate, personnel, tools, and processes. The rebranding added “Advisory Services” to position the function as collaborative rather than adversarial, but the economic incentives, data collection methodology, and commercial objectives remain substantively the same. GLAS auditors include many former LMS staff, and the audit scripts are the same (updated for new product versions).
No. Only a formal GLAS audit invoked under the contractual audit clause in your Oracle Master Agreement creates a legal obligation to cooperate. GLAS “advisory” reviews, SIA reviews, and sales-led compliance reviews are voluntary engagements — you have no contractual obligation to participate, provide data, or respond. Before cooperating with any Oracle compliance communication, determine whether it is a formal contractual audit (with specific clause citation) or a voluntary engagement. Your response strategy should differ fundamentally.
Oracle’s Software Investment Advisory (SIA) is a compliance review positioned as a collaborative, non-punitive “optimisation” exercise. Participation is voluntary. However, data collected during SIA may be used in a subsequent formal audit, SIA findings are shared with Oracle’s sales team, and “optimisation recommendations” that are not acted upon become documented non-compliance in future audits. Before agreeing, ask whether the SIA engagement letter includes a safe harbour clause preventing future use of SIA data. If not, consider conducting an independent assessment instead.
Sales-led compliance reviews typically come as phone calls or informal emails from your Oracle sales representative or account manager, referencing “compliance concerns” or “installations we’ve identified,” without citing a contractual audit clause or sending a formal notification letter. If no contract clause is cited and no formal letter is received, it is a sales conversation, not an audit. You have no obligation to provide data. The appropriate response is to decline data requests and conduct an independent internal assessment if the compliance concern seems legitimate.
Yes. Oracle’s standard audit clauses permit Oracle to use “agents” for compliance verification. Third-party firms (historically Deloitte, KPMG, PwC) acting on Oracle’s behalf have the same audit rights and limitations as Oracle’s internal team. However, the third-party firm is engaged and paid by Oracle, reports to Oracle, and produces findings that serve Oracle’s commercial interests. The third-party brand provides a perception of independence that does not reflect the actual engagement dynamics.
Before any substantive response: (1) Identify which Oracle organisation is contacting you (GLAS formal audit, GLAS advisory, SIA, or sales-led). (2) Determine whether a contractual audit clause is cited — this is the only trigger for mandatory cooperation. (3) Do not provide any data until the engagement type is confirmed and your response strategy is defined. (4) Engage independent advisory support within the first week. (5) Establish a single point of contact for all Oracle communications. The first 48 hours set the trajectory for the entire engagement.
Before your next conversation with Oracle, understand who you are dealing with and what your obligations are. Redress Compliance provides independent audit defence, SIA evaluation, and compliance strategy for enterprises navigating Oracle’s audit organisations.
Book a free consultation with our licensing specialists. No obligations, no vendor ties — just independent advice tailored to your situation.
Book Your Free Consultation →