You have received a letter from Oracle's Global Licence Compliance team. It is formal, it cites specific contract clauses, and it requests access to your Oracle deployment data. What you do in the next 30 days will fundamentally shape the commercial outcome of an audit that — if not managed effectively — could result in a settlement demand in the tens of millions of dollars for a large enterprise Oracle estate.
This guide provides the exact response framework that experienced Oracle audit advisors use in the critical first month. It is written by former Oracle LMS practitioners who managed these processes from the vendor side and now advise exclusively for buyers. For the broader audit defence framework, see our Software Audit Defence Guide. For the specific Oracle measurement tactics you will face, see Oracle audit tactics explained.
The First 30 Days Principle: The parameters established in the first 30 days — scope, methodology, measurement date, data access — are extremely difficult to change later. Oracle's audit team is experienced at getting agreement on process terms that favour their outcome. Every concession you make on process in week one costs you in settlement value months later. Protect the parameters before anything else.
Immediate Actions: Days 1–7
The first seven days after receiving an Oracle audit notification are the most consequential. The temptation — especially for organisations that believe they are generally compliant — is to respond quickly and cooperatively, get the audit started, and resolve it efficiently. Resist this entirely. Speed of response benefits Oracle, not you.
1. Do not respond to Oracle yet. Read the notification carefully. Note the contract clause cited (this tells you which agreement Oracle is auditing under), the scope of products mentioned, the proposed timeline, and any data requests. Do not acknowledge receipt in writing until you have done steps 2–5.
2. Engage legal counsel immediately. Your response to Oracle should be issued through or reviewed by external counsel with Oracle licence experience. All internal communications about the audit should be copied to counsel to establish privilege. A casual internal email at this stage saying "we probably have issues with our Java deployment" can become discoverable if the audit escalates to litigation.
3. Notify your senior leadership. Oracle audits that reach the escalation phase will involve your CFO, CEO, and potentially your board. Senior leaders briefed from day one make better decisions than those ambushed by a $30M settlement demand six months later. Brief factually: an audit has commenced; the potential range of outcomes is wide; professional management is being engaged.
4. Freeze your Oracle environment changes. Any changes to Oracle deployment made after the audit notification date — deinstallations, configuration changes, user access modifications — will be scrutinised. Do not make changes that could look like destruction of audit evidence. If remediation is required, it should be done before the measurement date, which you have not yet agreed. Document everything.
5. Begin an internal assessment under legal privilege. Before Oracle sees anything, you need to understand your own position. Commission an internal assessment of your Oracle deployment under legal privilege — meaning it is conducted at the direction of counsel and is documented as privileged work product. This assessment should use the same methodology Oracle will use so you know what they will find before they find it.
Drafting Your Initial Response: Days 7–21
Your initial written response to Oracle sets the tone for the entire audit and establishes several critical parameters. It should be drafted with counsel and reviewed by your Oracle advisory team before sending.
Acknowledge Without Conceding
Your response should acknowledge receipt of the notification and confirm your understanding of the audit rights under the relevant agreement — without agreeing to Oracle's proposed scope, timeline, or methodology. A simple acknowledgement that you are reviewing the notification and will respond substantively within 30 days is both professional and protective.
Contest the Proposed Scope
Oracle's initial notification typically proposes a scope that is broader than the contract supports. Common overreach includes: proposing to audit products not covered by the relevant agreement; requesting data for a multi-year historical period beyond the contract's audit lookback provision; and proposing to audit affiliated entities not identified in your agreement schedule.
Your response should specify that you understand the audit to be scoped to the products and entities covered by your current agreement, and that you look forward to agreeing a mutually acceptable scope in writing before data collection commences. Do not agree to anything broader.
Propose a Methodology Discussion
Before any data is collected, you should request a methodology discussion — a meeting with Oracle's audit team to agree the specific approach for measuring Oracle deployment. The specific points to raise in the methodology discussion include: the virtualisation partitioning rules that will be applied; the Oracle scripts that will be run and whether you may review them in advance; the approach for handling Oracle options and packs that are in a default installation state; and the measurement date that will form the basis of the compliance calculation.
Oracle will push back on methodology discussions — they prefer to collect data first and discuss methodology later. Your contractual position — that you are entitled to know how compliance will be measured before providing data — is defensible and should be maintained.
Do in the First 30 Days
- Engage external legal counsel immediately
- Brief senior leadership factually
- Conduct internal assessment under privilege
- Freeze Oracle environment changes
- Contest scope in writing before agreeing anything
- Request methodology discussion before data collection
- Engage specialist Oracle audit advisory support
- Identify your contract audit rights limitations
Do Not in the First 30 Days
- Respond immediately without legal review
- Agree to Oracle's proposed scope in writing
- Run Oracle's measurement scripts without review
- Share deployment data before scope is agreed
- Deinstall Oracle software post-notification
- Allow Oracle account team to frame the response
- Treat the notification as a compliance exercise
- Assume Oracle's methodology is contractually required
The Scope Negotiation: Days 21–45
Scope negotiation is the most important single phase of Oracle audit management. The product list, the measurement date, the audit period, and the entities in scope collectively determine the maximum exposure Oracle can claim. Getting scope agreement in writing before data collection begins is the professional standard for any well-managed Oracle audit.
Product Scope
Oracle will propose to audit every Oracle product you have installed. Your target scope is the specific products covered by your current active licence agreements. Products purchased under expired ULAs, products covered by OEM agreements with hardware vendors, and products deployed by subsidiaries with separate agreements should each be addressed explicitly.
For organisations with Oracle Unlimited Licence Agreements, the ULA scope question is particularly important. The products included in the ULA (typically a named list in the ULA schedule) should be audited under the ULA terms, not general Oracle licence terms. Products not included in the ULA that are deployed in the ULA period are subject to separate licence requirements — and Oracle will attempt to include these in the audit scope.
Measurement Date
Oracle typically proposes to measure compliance "as of" a recent date — creating a target for the remediation efforts you began in week one. Your objective is to negotiate a measurement date that allows sufficient time for technical remediation of genuine shortfalls identified in your internal assessment. A measurement date 60–90 days from the scope agreement date is a reasonable enterprise position, particularly for large, complex Oracle environments.
Agreeing Methodology in Writing
Before Oracle runs any scripts or collects any data, you should have written agreement on the measurement methodology — specifically the virtualisation partitioning rules that will be applied. If Oracle is auditing an environment that includes VMware, the written agreement on how VMware clusters will be counted (full cluster vs actual host occupancy) is the single most commercially significant document in the audit. Do not allow data collection to proceed without this agreement.
When to Engage Professional Advisory Support
The question is not whether to engage professional advisory support for an Oracle audit — it is when to engage it. For significant Oracle estates (over $1M in Oracle support annually), professional advisory support from day one consistently produces better outcomes than engaging it later in the process.
Advisory firms with Oracle audit expertise bring three things that internal teams and legal counsel cannot fully replicate: specific knowledge of Oracle's internal measurement methodology and where it can be challenged; knowledge of the settlement patterns and targets that Oracle's commercial team uses; and the commercial negotiation skill to use renewal timing, competitive evaluation, and commercial package structure to influence settlement value.
Redress Compliance is the leading independent Oracle audit advisory firm, with former Oracle LMS practitioners on the team who have managed hundreds of Oracle audits from both sides of the process. The firm's Oracle practice covers all Oracle product families including Database, Java, Middleware, Applications, and Cloud. Our Vendor Audit Defence service includes Oracle audit management as a core practice area. Our Oracle Audit Defence white paper provides the detailed methodology for organisations managing Oracle audits independently or with advisory support.
For Oracle Database licensing fundamentals that inform the audit position, see our Oracle Database licensing guide. For the broader Oracle commercial landscape, our Oracle advisory practice page covers all Oracle product families and negotiation contexts.