Oracle Audit Preparation Checklist: 50 Steps Before Auditors Arrive

Pull every signed Order Form, including renewals, amendments, and ULA documentation. Oracle's CSI numbers are your licence anchor points. Missing documents create gaps that Oracle will interpret in its own favour.

Each Oracle CSI (Customer Support Identifier) maps to a specific product licence. Confirm every active Oracle product deployment can be traced to a valid, current CSI with matching support entitlement.

Oracle offers multiple licence metrics — Processor, Named User Plus (NUP), Employee, Application User, and others. Confirm which metric applies to each product in your estate. Errors here can be extremely expensive in an audit.

If any products were acquired under an Unlimited Licence Agreement, confirm whether the ULA was formally certified, what products are covered, and whether the ULA term is still active. Uncertified ULAs create significant audit risk.

Enterprise Agreements restrict deployment to specific business units, geographies, or environments. Confirm your current deployments are within the EA's authorised scope — scope creep is a common audit finding.

Oracle licences are tied to the legal entity that purchased them. Licence transfers require Oracle's written consent. If your organisation has grown through acquisition, any Oracle licences held by acquired entities may not be valid without formal transfer documentation.

Some Oracle licence types — particularly promotional licences, trial licences, and early evaluation agreements — carry explicit expiry dates. Confirm no expired entitlements remain in active production use.

Oracle's audit rights are typically tied to active support contracts. Review your Oracle Support Schedule to confirm all deployed products are under current, paid Oracle Premier Support — and that the support quantity matches deployment quantity.

If any Oracle products have been moved to third-party support providers (e.g., Rimini Street, Spinnaker Support), confirm the transition was handled correctly and that Oracle's audit right was not triggered by the support change.

Create a current-state licence register listing every Oracle product, its metric, quantity, CSI, support status, and deployment location. This becomes the foundation of your entire audit defence. See our Oracle Licence Optimisation service for structured portfolio management support.

Document every Oracle Database instance across all environments: production, development, test, DR, and QA. Include version, edition (Enterprise, Standard Edition 2), and host details. LMS scripts will capture all of this.

Oracle Diagnostics Pack, Tuning Pack, Partitioning, Advanced Security, In-Memory, RAC, Data Guard, and GoldenGate are all separately licensed. Query the DBA_FEATURE_USAGE_STATISTICS and V$OPTION views to identify what is actually enabled — not what you believe is licensed. Diagnostics Pack is accidentally enabled in 40%+ of enterprise environments.

If the review in Step 12 identifies enabled but unlicensed options, disable them before Oracle runs LMS scripts. The Oracle Licence Management Services team measures the current state — not historical enablement. Work with DBAs to safely disable options without disrupting live operations.

Oracle Database SE2 is licensed per physical socket and is restricted to servers with a maximum of 2 populated sockets. Verify all SE2 deployments are on hardware compliant with this restriction — SE2 on a 4-socket server is an instant audit finding.

Oracle Real Application Clusters requires all nodes to be licensed. Confirm the processor count across all RAC cluster nodes matches the licence quantity held — including any passive standby nodes, depending on Data Guard configuration.

Oracle Processor licences are calculated using the Oracle Core Factor Table. Verify the correct factor is applied to each processor type in your estate. Errors in core factor calculation are a frequent audit dispute point.

Oracle NUP licences carry a minimum quantity per processor. Confirm your NUP deployments meet Oracle's minimum thresholds — undercounting is as problematic as over-counting. See our NUP vs Processor Metric guide for threshold calculations.

Oracle Autonomous Database on OCI uses a different licensing model — OCPU-based or BYOL. Confirm cloud database deployments are correctly counted under the applicable model and that any BYOL claims can be substantiated with on-premises licence documentation.

Oracle Exadata carries specific licensing requirements that differ from standard server deployments. If your environment includes Exadata systems, review our Exadata Licensing Deep Dive before the audit begins.

If databases have been decommissioned in the 12–18 months before the audit, document the decommission dates with system evidence. Oracle's LMS scripts may identify historical usage patterns — having evidence of formal decommission protects your position.

Run a complete software asset management scan for Java SE installations — servers, developer workstations, build infrastructure, test systems, and embedded Java in third-party applications. Oracle counts all of them. Use tools like Flexera, Snow, or Lansweeper to capture the full picture.

Oracle Java SE 8 Update 202 and later, and all Java SE 11+ versions, are subject to commercial licensing. OpenJDK, Eclipse Temurin, Amazon Corretto, and Azul Zulu are free alternatives. Map every Oracle Java SE version to confirm which releases require licensing.

Under Oracle's 2023 Java SE Universal Subscription, the licence quantity is the total number of employees at the legal entity (not just Java users). For large enterprises, this can cost 5–10x more than traditional per-user or per-device models. See our Java SE Employee Metric guide for the calculation methodology.

For many enterprise environments, migrating from Oracle Java SE to OpenJDK-based distributions eliminates Java licensing exposure entirely. Our Oracle Java Licensing service provides migration analysis and safe transition planning before an audit creates commercial pressure to act under Oracle's terms.

Oracle Java SE embedded in third-party applications — ISV software, middleware products, integration platforms — counts toward your licensing obligation. Review major vendor applications for bundled Java components. This is often missed in standard asset management scans.

Java SE commercial licences require Oracle support to be maintained. Confirm any purchased Java SE licences are under current, paid Oracle support — and that the support quantity matches deployment quantity.

If your environment uses OpenJDK, Eclipse Temurin, or other free distributions, document this clearly — including version, source, and deployment locations. This evidence directly challenges any Oracle claim that all Java in your environment is Oracle-licensed Java SE.

Oracle's LMS Review Lite script collects Java deployment data across the estate. Before permitting Oracle to run scripts, understand what Java data the scripts will capture and ensure your environment accurately reflects your true deployment state. See the LMS Scripts guide for detail.

Document where each Oracle database and application runs: bare metal, VMware vSphere, Hyper-V, KVM, OCI, AWS, Azure, or GCP. The licensing rules differ substantially by platform. See our Oracle on VMware guide for the detailed analysis.

If Oracle runs in a VMware environment, map the complete vSphere cluster — every host and every physical processor. Oracle's LMS scripts collect this data. Knowing your cluster scope before Oracle does allows you to prepare a defensible counter-position.

Oracle recognises certain hard partitioning technologies (Oracle VM, LPAR on IBM Power, Solaris Containers) as valid boundaries for processor licence counts. If Oracle workloads can be migrated to hard-partitioned environments before audit, this can substantially reduce your licence exposure.

Oracle Database on AWS follows specific counting rules: on dedicated hosts, the licence count is tied to vCPUs (with core factor applied); on shared infrastructure, different rules apply. Our Oracle on AWS guide covers the complete methodology.

Oracle Cloud Infrastructure deployments may be covered by OCI Universal Credits, BYOL arrangements, or separate licence agreements. Confirm the applicable model for each OCI deployment and that licence quantities align. Review our Oracle Cloud Advisory service for full OCI licence analysis.

BYOL arrangements require specific documentation and licence quantities. Confirm that every cloud deployment making a BYOL claim is backed by on-premises licence entitlements that are not simultaneously used on premises. Double-dipping creates immediate audit exposure.

Oracle's licence requirements for DR environments depend on whether the standby is "hot" (ready to take over immediately) or "cold" (requiring manual start). Hot standby typically requires full licensing. Review your DR architecture against Oracle's policy before the audit.

If your environment uses Oracle VM Server for x86, Oracle VM Server for SPARC, or IBM LPAR with appropriate configuration, maintain documentation proving these are properly configured as hard partitioning boundaries. This evidence directly limits Oracle's processor count claim.

Oracle WebLogic Server is one of the most heavily audited middleware products. Confirm every WebLogic installation is covered by a current licence — paying particular attention to whether deployments are Standard, Enterprise, or Suite editions, as pricing varies significantly.

Oracle SOA Suite components — Service Bus, B2B, BAM, MFT — are separately licensed. Confirm which SOA Suite edition you hold and whether all deployed components are covered. Oracle's LMS scripts identify SOA Suite components with precision.

Oracle application products (EBS, PeopleSoft, JD Edwards, Siebel) are typically licensed by application user or employee count. Confirm that your current user count — including any system accounts or integration accounts — matches the licence quantity held.

Oracle Fusion Cloud (ERP, HCM, SCM, CX) deployments are subscription-based. Review your Fusion Cloud contracts to confirm module scope, user counts, and any expansion modules being used that may not be in the current subscription.

Oracle GoldenGate carries separate processor-based licensing. If GoldenGate is running in any environment — including for cloud migration purposes or as a replication tool — confirm the deployment is covered by a valid licence.

Oracle's licence terms do not automatically exempt development or test environments from commercial licensing requirements. Unless your licence explicitly permits non-production use without additional licences, all Oracle installations require coverage — including in CI/CD pipelines and automated testing frameworks.

All communication with Oracle's LMS team should flow through a single designated point of contact — ideally supported by legal counsel and an independent Oracle licensing adviser. Uncoordinated communication across IT, procurement, and legal creates inconsistencies that Oracle will exploit.

Oracle's right to audit is defined in your Master Agreement. Review the specific audit clause — particularly notice period, frequency limitations, scope restrictions, and dispute resolution provisions. Not all Oracle audits are contractually valid as served. See our Oracle Audit Rights guide.

Your initial response to Oracle's audit notification letter should be factual and neutral. Confirm receipt, confirm you will cooperate, and request the scheduling of an initial scoping call. Do not make any statements about your compliance position — these statements become part of the audit record.

Oracle's LMS scripts are publicly documented. Run equivalent measurement scripts against your environment before Oracle's visit — ideally with specialist support. Your own measurement gives you an independent baseline against which to challenge Oracle's findings. See our LMS scripts guide for detail on what Oracle measures.

An Oracle audit is a contractual and commercial dispute, not merely a technical exercise. Engaging independent legal counsel — experienced in Oracle licensing disputes — early in the process ensures your communications and any agreements are reviewed by someone whose interests are aligned with yours, not Oracle's.

Oracle's LMS team and Oracle's account team are separate commercial functions. While the LMS team runs the audit, your account team has an interest in the commercial outcome — Oracle wants the audit to result in additional product purchases, not litigation. Engaging your account team early can create commercial pathways that pure LMS negotiation cannot.

If your internal assessment identifies genuine compliance gaps, develop a remediation plan — covering decommission of unlicensed deployments, purchase of additional licences, or migration to alternative products — with realistic timelines tied to Oracle's audit schedule. Documented intent to remediate strengthens your negotiating position.

Oracle's compliance report is a starting point for negotiation, not a final bill. Understanding in advance how to challenge Oracle's methodology, push back on disputed positions, and convert any genuine shortfall into a commercial discussion rather than a penalty settlement is the foundation of effective Oracle contract negotiation. Read our Oracle Audit Defence Playbook for the full negotiation framework.