Oracle's LMS team runs their audit methodology on your estate. The question is whether you run the same methodology first — on your terms, with time to remediate — or whether Oracle's results become your negotiating position. An internal Oracle licence audit, conducted properly, identifies every compliance gap before Oracle does and transforms an adversarial measurement into a controlled remediation exercise. This is the step-by-step methodology our advisors use when preparing enterprises for Oracle engagement.
Oracle's approach to licensing is built on information asymmetry. Oracle's LMS team knows more about your Oracle deployment — in many cases — than your own IT organisation does, because Oracle's measurement methodology is designed to surface data that standard IT asset management processes miss. Unless you replicate that methodology internally, you arrive at Oracle's audit table with a compliance position you do not fully understand, against a counterparty who has already modelled your exposure.
An internal audit closes that gap. It does three things that no amount of reactive preparation can achieve. First, it establishes your actual compliance position — not what you licensed, not what you think you deployed, but what Oracle's own measurement tools would show. Second, it gives you time to remediate: decommission unused instances, disable unlicensed options, right-size metrics — all before Oracle begins its measurement. Third, it gives you a baseline position to challenge Oracle's findings where their methodology overstates your liability. Enterprises that enter Oracle audits with an independently validated licence position consistently achieve better settlements than those who enter unprepared.
The methodology below mirrors the approach Oracle's LMS teams use — structured to find the same gaps Oracle would find, before Oracle finds them. Our compliance review service delivers this analysis with the additional layer of contract expertise and Oracle-specific measurement knowledge that most internal ITAM teams lack.
Before you begin: An internal audit is a privileged exercise — the findings and analysis should be conducted under legal privilege where possible, so that the results are protected from disclosure in any subsequent Oracle negotiation. Engage your legal counsel before commencing the process.
The most common mistake in internal Oracle audits is starting with the technology — scanning servers before understanding what the contracts actually say. Your Oracle Master Agreement, Support Schedule, Order Forms, and any applicable amendments define the measurement methodology that Oracle is entitled to apply. Before any discovery work begins, these documents must be reviewed in full.
Collect every Oracle Master Agreement, Cloud Agreement, ULA, PULA, EA, and individual Order Form. Include any amendments, side letters, and written correspondence that modifies standard terms. Many enterprises discover they have multiple active agreements from different business units, acquisitions, or historical purchases — each with potentially different metric and measurement terms. The CSI (Customer Support Identifier) database on Oracle's support portal can help identify active agreements.
From each Order Form, extract the exact product names as Oracle identifies them (not the display names in your CMDB), the applicable metric (Processor, Named User Plus, Employee, Application User), the licensed quantity, and the support commencement date. This becomes your licence entitlement register — the authoritative reference against which deployment data will be measured. Pay particular attention to whether licences are perpetual or subscription-based, and whether any options or management packs are explicitly excluded.
Most Oracle Master Agreements grant Oracle the right to audit on reasonable notice, but the scope of that right varies. Some agreements limit audit frequency, specify the measurement tools Oracle may use, or include territory or entity scope limitations. Any limitations Oracle has agreed to contractually are enforceable — but you cannot invoke them if you have not read them. Also review whether your agreement includes any BYOL (Bring Your Own Licence) provisions relevant to cloud deployment.
Determine which legal entities, subsidiaries, and geographic territories are within scope of each Oracle agreement. Oracle's contracts are typically held at a named legal entity level — but Oracle may attempt to expand scope to include subsidiaries or acquired companies. Establishing the contractual entity boundary before any measurement begins is essential for determining which deployments create licence obligations and which do not. The Oracle Database Licensing Guide details entity scope considerations in full.
Oracle Master Agreements and Order Forms contain dozens of clauses that affect your licence position. Our compliance review service includes a full contract analysis — identifying every limitation, right, and obligation that affects your audit exposure.
With contracts reviewed and scope defined, the discovery phase replicates what Oracle's USMM scripts would find across your estate. The objective is to identify every installation of Oracle software — active, dormant, containerised, and virtualised — before Oracle's measurement tools do.
Oracle's USMM (Usage Monitoring and Measurement) scripts are publicly available and can be run against your own estate without Oracle's involvement. Running USMM internally produces the same output Oracle would obtain — giving you the data before they request it. Alternatively, commercial SAM platforms (Flexera, Snow, ServiceNow ITAM) include Oracle discovery modules. Ensure discovery covers physical servers, virtual machines, containers (Docker, Kubernetes), cloud instances (AWS, Azure, GCP, OCI), and any development or test environments that may carry production licence obligations.
For each Oracle Database installation, capture: the edition (EE, SE2, SE), the version, the host configuration (physical or virtual, cores per socket, sockets), and — critically — which database options and management packs have been enabled or queried. Options like RAC, Partitioning, Advanced Security, In-Memory, and Data Guard each carry separate licence fees. Management packs including Diagnostics Pack, Tuning Pack, and Cloud Management Pack are detected by Oracle LMS through AWR usage flags — query the V$OPTION view and AWR usage data to identify which packs have been used.
For any Oracle software running in a virtualised environment, document the complete virtualisation topology: hypervisor type, cluster membership, host count, core count per host, and any affinity or pinning rules in effect. Oracle's soft partitioning policy means that every host in a VMware cluster that contains Oracle VMs may require licences — the topology documentation is essential for both calculating your liability and mounting any challenge to Oracle's cluster-wide counting methodology. See our Oracle Database on VMware guide for the specific measurements required.
Java SE deserves a separate discovery workstream. Run a dedicated Java discovery across your estate — servers, workstations, containers, application servers, and CI/CD pipelines — capturing every JDK and JRE installation by version, vendor string (Oracle JDK versus OpenJDK versus other distributions), and host. Version matters: Oracle's commercial licence obligation applies to Oracle JDK 8u211 onwards and all Oracle JDK 11+ releases. OpenJDK builds from other vendors (Adoptium, Amazon Corretto, Azul Zulu) do not require an Oracle Java SE subscription. Map each installation to a business unit and role-holder for the Employee Metric calculation.
Discovery tells you what is deployed. Metric calculation tells you what that deployment costs in Oracle licences — the number that Oracle's LMS team will ultimately present as your compliance liability.
For Oracle Database licensed by the Processor metric, multiply the number of physical cores per host by the Oracle Core Factor for that processor type. Intel Xeon processors carry a Core Factor of 0.5 — so a server with two 24-core Intel Xeon sockets requires 24 processor licences (48 cores × 0.5). AMD EPYC processors also carry a 0.5 Core Factor. Oracle SPARC and Sun processors use different factors. Document the processor type, core count, and Core Factor for every server hosting Oracle software.
Oracle Database SE2 is licensed by Named User Plus (NUP) rather than Processor for some deployment types. NUP requires a minimum of 5 users per Processor licence equivalent. For each SE2 deployment, calculate the total authorised users and verify whether the NUP metric or the Processor metric produces the higher number — Oracle requires the higher of the two. The NUP vs Processor guide covers the comparison methodology.
For each Oracle JDK installation, identify the legal entity whose employees have access to that installation — directly or indirectly through applications. Apply the Java SE Employee Metric: count every employee of that legal entity (full-time, part-time, and where Oracle claims, certain contractor categories). Verify the exact subscriber entity on your Oracle Java SE Order Form — the Employee Metric applies to the contracting entity, and Oracle's claim to extend it to parent companies, subsidiaries, or affiliates requires contractual support that is not always present.
For each product and metric, compare the licence requirement calculated in Phase 3 against the entitlement quantity from Phase 1. Where deployment exceeds entitlement, document the gap — the product, the metric, the under-licenced quantity, and the applicable list price. This is your initial compliance gap analysis. In most enterprise environments, some gaps are expected — the objective of the internal audit is to identify and quantify them before Oracle does, not to find a clean slate.
Not every gap Oracle identifies is a genuine compliance liability. Review each identified gap against three challenge criteria: (a) Is Oracle's measurement methodology contractually justified, or does it rely on an interpretation of the contract that is arguable? (b) Is the deployment genuinely within the scope of your Oracle agreement, or has Oracle included entities, territories, or environments that the contract does not cover? (c) Is Oracle's identification of "usage" technically accurate, or has the discovery process flagged artefacts, backup data, or automated queries that do not represent actual user deployment? Applying this filter reduces the compliance gap to a defensible liability — the number you would pay if Oracle's most aggressive claims were independently challenged.
Our complete guide to Oracle LMS and GLAS audits — measurement methodology, challenge frameworks, and negotiation tactics. Free for enterprise IT and procurement leaders from our white papers library.
The gap analysis produces a prioritised list of compliance exposures. The remediation phase resolves those exposures before Oracle's measurement begins — transforming a compliance liability into a managed cost.
Not all compliance gaps are equally urgent. Rank remediations by the combination of financial exposure (gap quantity × list price) and likelihood that Oracle will identify the gap in any near-term audit. Virtualisation topology gaps, enabled Diagnostics Pack on production databases, and unsubscribed Java SE on high-headcount entities are the highest-priority remediations — they are visible to Oracle's scripts, carry high financial exposure, and are technically straightforward to address.
Many compliance gaps can be closed through technical changes rather than licence purchases. Disabling unused Oracle Database options reduces Diagnostics Pack and Tuning Pack exposure. Decommissioning dormant database instances reduces Processor licence requirements. Migrating Oracle Database from VMware to Oracle VM or dedicated physical hardware eliminates soft-partitioning exposure entirely. Each technical remediation should be documented with before-and-after evidence — the documentation becomes your defence record if Oracle attempts to claim historical usage.
For gaps that cannot be closed through technical remediation, plan a targeted licence purchase at negotiated — not list — pricing. Any licence purchase within six months of an Oracle audit should be treated as a negotiation event: Oracle will be aware of your compliance gap and will use that knowledge to resist discounting. Our contract negotiation service benchmarks Oracle licence pricing and negotiates on the basis of comparable market transactions, not Oracle's published list prices.
A successful internal Oracle audit depends on discovery tooling that covers the full deployment scope — including environments that standard CMDB processes miss. The most effective approaches combine Oracle's own USMM scripts (which Oracle cannot challenge as inaccurate, since it wrote them) with a commercial SAM platform for ongoing inventory management.
Oracle USMM is available from Oracle's support portal and produces a standardised output file that Oracle's LMS teams use directly. Running USMM internally ensures your measurement is conducted with Oracle's exact methodology — any discrepancy between your results and Oracle's later scan will be based on timing differences or scope disputes rather than tool differences. USMM requires database access and should be run during a defined measurement window, not as a continuous monitor, to avoid generating ongoing Diagnostics Pack usage records through its own queries.
Commercial SAM platforms provide broader discovery — Flexera's Oracle Discovery module and Snow's Oracle Publisher are the most widely deployed — but none replicate Oracle's AWR usage detection as accurately as USMM itself. For options and pack detection, the most reliable internal approach is direct AWR queries against each Oracle Database instance, specifically the DBA_FEATURE_USAGE_STATISTICS view, which records every database feature that has been used and the date of last use. The licence optimisation service includes a full options detection methodology as part of every engagement.
An internal Oracle audit conducted by a competent ITAM team addresses the technical discovery and metric calculation components effectively. The gaps that most internal teams cannot bridge independently are contract interpretation, Oracle-specific challenge methodology, and negotiation benchmarking — the three areas where Oracle's information advantage is most acute.
Contract interpretation matters because Oracle's licensing policies and contract language have been refined over twenty-five years to protect Oracle's measurement rights in ambiguous scenarios. Understanding where that language is genuinely Oracle-favourable versus where it overstates Oracle's rights requires direct experience with how Oracle's LMS teams have applied — and have failed to apply — the same clauses in prior engagements. An external advisor with Oracle-side experience brings that library of precedent.
Challenge methodology matters because the forensic analysis that reduces a $30M Oracle claim to $4M is not improvised — it is a structured process of identifying Oracle's measurement overreach, producing counter-evidence, and presenting that evidence in a way that Oracle's LMS team recognises and respects. Most internal teams attempt this process by instinct; advisors who have conducted it hundreds of times do it systematically. Our guide to hiring an Oracle audit advisor covers the selection criteria in detail.
Negotiation benchmarking matters because Oracle's settlement proposals are not market-calibrated — they are Oracle's preferred commercial outcome dressed as a compliance resolution. Knowing what comparable organisations have paid in similar Oracle negotiations, and having the independence to walk away from Oracle's proposal if it does not meet market benchmarks, is the single most effective lever in any Oracle compliance negotiation. The Oracle Licensing Benchmarks 2026 white paper provides current market reference data.
The complete technical and commercial guide to Oracle Database licence metrics, options, virtualisation rules, and compliance methodology. Free download for enterprise technical and procurement teams.
Download Free →Weekly Oracle licensing methodology updates, audit intelligence, and negotiation tactics — delivered to enterprise IT and procurement leaders.
Former Oracle LMS auditors, licensing executives, and contract managers — now working exclusively for enterprise buyers. Not affiliated with Oracle Corporation. Learn about our team →