How to Respond to an Oracle LMS Audit Letter: First 48 Hours

Oracle's audit notification letter is not the beginning of a compliance review — it is the opening move in a commercial campaign. The way your organisation responds in the first 48 hours sets the trajectory for the entire audit process. Former Oracle LMS consultants who managed hundreds of enterprise audits explain exactly what to do, what to avoid, and why the next two days matter more than anything that follows.

March 2026 · 18 min read · Former Oracle LMS consultants · Not affiliated with Oracle Corporation

1. What Oracle Already Knows When the Letter Arrives

By the time Oracle's audit notification letter reaches your desk, Oracle's LMS team has already built a preliminary model of your compliance position. Oracle's pre-audit intelligence gathering draws on multiple data sources that give LMS a detailed picture of your Oracle estate before a single audit script is run. Understanding what Oracle knows — and what they are looking for — fundamentally changes how you approach the first 48 hours.

Oracle's Pre-Audit Intelligence Sources

  • CSI (Customer Support Identifier) data: Every Oracle support request, patch download, and Oracle support portal interaction creates a data record tied to your CSI numbers. Oracle's LMS team can identify which Oracle products your organisation has support agreements for, which products have been actively patched, and whether there are products in use without active support — a common indicator of unlicensed use.
  • Oracle Installed Base: Oracle's internal systems maintain a record of all hardware and software Oracle products associated with your account. Discrepancies between your Oracle Installed Base and your declared licence entitlements are frequently the trigger for the audit.
  • Oracle sales intelligence: Your Oracle account executive maintains detailed records of your technology environment, your infrastructure growth, your virtualisation platform, and your planned technology investments. This sales intelligence is accessible to the LMS team and informs their preliminary compliance model.
  • Third-party data: Oracle purchases data from third-party technology intelligence providers that can identify Oracle software deployments across enterprise environments. Hardware configuration data, technology stack reports, and public infrastructure information all contribute to Oracle's pre-audit intelligence.
  • Previous audit history: If your organisation has been audited before, Oracle LMS maintains records of the previous audit findings, your declared compliance position at the time, and any settlement agreed. Divergence from the previous position is a direct focus area for the current audit.

Oracle's preliminary claim is built before you respond: LMS teams typically enter the first conversation with an internal claim estimate that has been built from pre-audit intelligence. Every piece of information you provide in the first 48 hours — whether in writing or in verbal conversation with Oracle — either validates or expands that estimate. You are not starting from zero. Oracle is starting from a model designed to be conservative enough to be defensible but large enough to create commercial pressure.

2. Hours 0–4: Immediate Actions

The four hours immediately following receipt of Oracle's audit notification letter are critical. These are the actions that protect your position before any response is sent or any conversation takes place.

01. Do not respond to Oracle immediately

Oracle's notification letter is designed to create urgency. Do not respond to the letter, acknowledge receipt in any detail, or call the named LMS account executive while your organisation is still in an uncoordinated state. Verbal statements made in the first call with Oracle's LMS team have been used to anchor the audit scope and preliminary claim. Silence for the first four hours is commercially protective.

02. Escalate immediately to General Counsel and CISO

Oracle's audit notification letter invokes contractual rights. This is a legal matter from the moment the letter arrives. General Counsel should review the specific audit clause in your Oracle master agreement to establish your actual obligations and rights before any response is formulated. CISO involvement ensures that data handling and system access implications of the audit process are identified immediately.

03. Preserve all Oracle-related documentation

Issue a document preservation notice covering all Oracle licence agreements, order forms, support contracts, correspondence with Oracle, licence entitlement records, and Oracle-related IT asset management data. This establishes your evidence base and prevents inadvertent deletion of material that may be critical for challenging Oracle's subsequent findings.

04. Engage independent Oracle licensing advisors

The single most impactful action in the first four hours is engaging independent Oracle licensing experts who are not your Oracle account team or your general IT legal counsel. Former Oracle LMS consultants bring specific knowledge of Oracle's audit methodology, Oracle's claim calculation approach, and the specific defence strategies that work at each stage. Our Oracle Audit Defence team is available for immediate engagement from the notification letter stage.

3. Hours 4–24: Internal Assessment

The period between your initial internal escalation and the preparation of your formal response to Oracle should be used for a rapid internal assessment. This assessment has two objectives: establishing your contractual rights and establishing your initial read on the compliance risk.

Contractual Rights Assessment

Your legal team — ideally supported by independent Oracle licensing advisors — should review your Oracle master agreement to establish the specific answers to the following questions. The answers determine your response posture.

  • What is the audit notice period specified in your Oracle agreement? Is Oracle's letter compliant with the required notice period?
  • What is the defined scope of Oracle's audit rights? Does your agreement limit audit rights to specific products, territories, or legal entities?
  • What assistance are you specifically required to provide? What does "reasonable assistance" mean in the context of your specific agreement?
  • Does your agreement contain any dispute resolution mechanism that applies to audit findings?
  • Are there any limitations on the frequency with which Oracle can conduct audits? Has Oracle audited you recently in a way that might limit their current rights?

The Oracle Audit Defence Guide provides a detailed analysis of standard Oracle contract audit clauses and the rights they confer on enterprise buyers.

Rapid Compliance Risk Assessment

Your IT asset management team should conduct an immediate high-level review of the most common Oracle compliance risk areas — not to produce an audit-ready inventory, but to give your leadership team a directional read on the risk before Oracle's first conversation. Focus on: Oracle Database EE deployments on VMware, Hyper-V, or other soft partitioning platforms; Java SE deployment size relative to current employee count; Oracle Database options that may be enabled by default (Diagnostics Pack, Tuning Pack); and any Oracle software in use without current support agreements. Our Compliance Review service provides a rapid independent assessment of your exposure.

4. Hours 24–48: Formal Response Preparation

Your formal response to Oracle's audit notification letter should be prepared by your legal team in consultation with your independent Oracle licensing advisors. The objectives of the formal response are: to acknowledge Oracle's notification and confirm your intention to engage constructively; to reserve your rights regarding audit scope, timing, and process; and to avoid providing any substantive information about your Oracle environment that could be used to build or expand Oracle's preliminary claim model.

Oracle's standard audit process gives you 30 days to respond to their notification. Your initial formal response does not need to constitute full engagement with Oracle's audit request — it needs to acknowledge receipt, express willingness to engage, and request the opportunity to review Oracle's proposed audit scope and methodology before agreeing to data collection. This response buys your organisation time to conduct a proper assessment and engage appropriate expertise.

Do not agree in the initial response to Oracle's proposed timeline, Oracle's proposed scope, or Oracle's proposed data collection methodology. These are all negotiable. Agreeing to them in the initial response without challenge forgoes significant defensive leverage that exists only at this early stage of the audit process.

5. What to Do vs. What to Avoid in the First 48 Hours

✓ Do

  • Escalate immediately to General Counsel and CISO
  • Engage independent Oracle licensing advisors before responding
  • Issue a document preservation notice covering all Oracle records
  • Review your Oracle master agreement audit clause in detail
  • Conduct a rapid internal read on your primary compliance risk areas
  • Respond formally within Oracle's notice period — but on your terms
  • Reserve all rights to challenge scope, timeline, and methodology

✗ Do Not

  • Call Oracle's named LMS contact immediately without preparation
  • Forward the letter to your Oracle account executive and ask for help
  • Agree verbally to Oracle's proposed timeline or scope in any initial call
  • Share any data about your Oracle environment before independent review
  • Assume your IT or procurement team can manage this without LMS expertise
  • Agree to let Oracle run scripts before reviewing what those scripts collect
  • Treat the audit as purely a compliance exercise — it is a commercial campaign

The account executive trap: Many organisations' first instinct when receiving an Oracle audit letter is to call their Oracle account executive. The account executive's incentives are aligned with Oracle, not with you. Information shared with your account executive in this context — the size of your Oracle footprint, your virtualisation platform, your planned technology changes — feeds directly into the LMS preliminary claim model. Your account executive and your LMS auditor communicate. Treat your Oracle commercial relationship as a separate channel from your audit defence process.

Read a Case Study: $15M Oracle Java Claim Reduced to Zero

Our telecom Java audit case study documents how early independent engagement — from the notification letter stage — fundamentally changed the audit outcome. The initial Oracle Java SE claim of $15M was eliminated through forensic challenge of Oracle's Employee Metric calculation.

6. Oracle's Opening Playbook — What to Expect After Your Response

Once you have sent your formal acknowledgment, Oracle will typically follow a structured playbook that is designed to maximise their information gathering at each subsequent stage while creating a sense of momentum and urgency. Understanding this playbook in advance allows your team to engage at each stage from a position of knowledge rather than reaction.

The Kick-Off Meeting Request

Oracle will request a kick-off meeting — typically within two to three weeks of your acknowledgment — to define the audit scope and agree on the methodology. This meeting serves multiple purposes for Oracle: it gathers intelligence about your environment, it establishes the scope that Oracle will use for the audit, and it creates a sense of agreed process that makes it harder to challenge Oracle's methodology later. Attend this meeting with your independent Oracle licensing advisors present. Do not attend without them.

The USMM Script Request

Following the kick-off, Oracle will request permission to run their USMM (Usage Monitoring and Measurement) and Review Lite scripts on your infrastructure. Your advisors should review the specific scripts proposed before you grant permission. You are entitled to understand what data will be collected, to restrict collection to what is genuinely within the agreed audit scope, and to receive the complete raw output before Oracle analyses it. See our detailed guide to Oracle LMS audit scripts for what USMM collects and how to manage the data collection phase.

The Informal Conversations

Oracle's LMS team will frequently attempt to gather information through informal conversations — phone calls, emails, and meeting side-conversations — that seem innocuous but are designed to build the preliminary claim model. Questions about your server count, your virtualisation plans, your employee numbers, and your planned Oracle technology investments all have direct implications for Oracle's audit methodology. Brief your internal team to route all Oracle audit-related communications through your legal team and independent advisors.

7. Structuring Your Formal Response Letter

A well-structured formal response letter establishes your position without conceding any rights. The letter should achieve five objectives: acknowledge Oracle's notification; confirm your intent to engage constructively; request the specific documents Oracle relies on for audit authority; reserve your rights to review and negotiate scope, timing, and methodology; and request additional time to engage legal counsel and independent advisors before committing to Oracle's proposed process.

The tone should be professional and cooperative — not adversarial. An aggressive or dismissive response creates unnecessary friction and can be used by Oracle to portray your organisation as non-cooperative. The objective is to slow Oracle's momentum, preserve your rights, and buy time to conduct a proper assessment — while giving Oracle no grounds to claim that you are refusing to engage.

Specific elements your legal team should include in the response letter: a request for the specific Oracle agreement clause Oracle is relying upon for audit authority; a request for Oracle's proposed audit methodology document before any data collection takes place; a statement that your organisation will cooperate fully with its contractual obligations once those obligations have been confirmed by independent legal review; and a request for a 30-day extension before agreeing to the kick-off meeting, to allow for independent legal and advisory engagement. Our Audit Defence team prepares and reviews response letters as standard practice on every engagement — it is the most important document in the entire audit process.

Key Takeaways

  • Oracle's audit notification letter triggers a commercial process, not a compliance review. Every decision you make in the first 48 hours has lasting consequences for the audit trajectory.
  • Oracle already has a preliminary claim model before the letter arrives. Do not provide any information that validates or expands that model before you have independent expert representation.
  • The most important action in the first four hours is engaging independent Oracle licensing advisors — not responding to Oracle, not calling your Oracle account executive, not tasking your IT team with an inventory.
  • Your formal response should acknowledge Oracle's notification, reserve all rights, and buy time for proper assessment. It should not concede scope, timeline, or methodology.
  • Oracle's account executive is not a neutral resource in an audit situation. Communications between your account executive and the LMS team are routine. Treat your Oracle commercial relationship and your audit defence process as separate channels.
  • Download the Oracle Audit Defence Manual for complete response templates and audit stage guides used by former Oracle LMS consultants.

Oracle Licensing Experts Team — Former Oracle License Management Services consultants with direct experience managing enterprise audits across every major Oracle product line. 25+ years Oracle licensing expertise, now 100% buyer-side.