Oracle ITAM · Audit Preparation · M&A Due Diligence

Oracle Licensing Due Diligence Checklist: Pre-Audit, M&A & Annual Review 2026

📅 March 2026 ⏱ 15 min read 🏷 ITAM · LMS Prep · M&A · Compliance

Oracle licensing due diligence is not a single event — it is a continuous process that enterprises must execute before Oracle LMS audits, during M&A transactions, and as part of annual ITAM reviews. The 75+ item checklist in this article reflects what Oracle's LMS team examines when they arrive. Completing it proactively is the difference between a routine compliance review and a multi-million-dollar back-license claim.

Get an Expert Review Compliance Review Service
75+Due diligence checks across Database, Java, ULA, Cloud & Support
3–5×Average Oracle audit back-license claim vs actual exposure
AnnualRecommended frequency for Oracle license compliance review

Table of Contents

  1. Why Oracle Licensing Due Diligence Is Different
  2. Oracle Database License Due Diligence
  3. Oracle Java SE Due Diligence
  4. Oracle ULA & Agreement Due Diligence
  5. Oracle Cloud & OCI Due Diligence
  6. Oracle Support & Contract Due Diligence
  7. M&A Specific Due Diligence
  8. After the Review: Remediation Priorities

Why Oracle Licensing Due Diligence Is Different

Oracle licensing due diligence is harder than most enterprise software compliance reviews because Oracle's license agreements are deliberately complex, Oracle's audit tools (LMS scripts, USMM, Review Lite) capture evidence at a technical level that most ITAM teams do not monitor proactively, and Oracle's commercial incentives mean that audit findings are almost always structured to maximize Oracle's revenue rather than to achieve an accurate compliance position.

The average Oracle LMS audit claim is 3–5 times what the enterprise actually owes after proper technical and commercial challenge. This is not because enterprises are systematically non-compliant by large margins — it is because Oracle's LMS scripts capture every possible scenario where a license obligation could theoretically exist and presents all of them as findings without applying the benefit-of-the-doubt analysis that a forensic review would apply. Oracle's LMS team is Oracle's sales and revenue enforcement team, not an independent auditor.

Effective due diligence means understanding exactly what Oracle's tools measure and ensuring that your compliance position is defensible against Oracle's most aggressive interpretation of the data. Our Oracle Compliance Review service executes this checklist for your estate and produces a position paper that documents your compliance status before Oracle arrives. The Oracle Audit Guide provides the broader context for how Oracle conducts LMS audit processes.

Oracle Database License Due Diligence

Oracle Database is the highest-value and most scrutinised product in Oracle's license portfolio. The following checks cover the core Database compliance risks that LMS scripts and USMM routinely capture.

Free Weekly Briefing

Oracle Licensing Intelligence — In Your Inbox

Audit alerts, contract renewal tactics, Java SE updates and negotiation intelligence from former Oracle insiders. Corporate email required.

2,000+ enterprise Oracle stakeholders. Unsubscribe anytime. No personal emails.

Database Core Compliance (Items 1–20)

  1. Confirm physical server socket and core counts for every Oracle Database host. Document processor model and Core Factor Table value.
  2. Calculate current Processor license requirement per server: (sockets × cores per socket × Core Factor). Compare to owned Processor licenses.
  3. For Named User Plus (NUP) licenses: count all authorized users including administrators, batch users, and indirect access users. Apply the 25-NUP-per-Processor minimum.
  4. Run USMM feature usage query (select * from dba_feature_usage_statistics where last_usage_date is not null and currently_used='TRUE') on each database instance. Document all features showing current usage.
  5. Verify CONTROL_MANAGEMENT_PACK_ACCESS setting. If set to "DIAGNOSTIC+TUNING," confirm Diagnostics Pack and Tuning Pack licenses are held for all covered instances.
  6. Check for Partitioning Option usage (check v$option where parameter='Partitioning'). If TRUE, verify Partitioning Option licenses.
  7. Check for Real Application Clusters (RAC) usage. Verify RAC licenses for all clustered instances. RAC is a separate option — EE license does not include RAC.
  8. Check for Oracle Advanced Security usage (TDE, Data Redaction, Network Encryption). Verify Advanced Security Option license if any TDE tablespace encryption is in use.
  9. Check for Oracle In-Memory Database Option. Verify the INMEMORY_SIZE parameter and DBA_FEATURE_USAGE_STATISTICS for In-Memory usage. Verify In-Memory Option license.
  10. Check for Oracle GoldenGate deployment. Verify GoldenGate Processor licenses for all source and target GoldenGate instances.
  11. For VMware environments: determine whether Oracle's hard partitioning rules have been satisfied. If VMware soft partitioning is used, Oracle counts all physical CPUs in the VMware cluster, not just vCPUs assigned to Oracle VMs.
  12. For CDB/Multitenant architecture (19c+): count PDBs per CDB. Verify Multitenant Option licenses if any CDB contains more than the permitted number of PDBs without the option.
  13. Check for Oracle Standard Edition 2 (SE2) installations on servers exceeding the SE2 socket limit (maximum 2 sockets). SE2 on 4-socket servers creates an EE license requirement.
  14. Check for Data Guard usage. Verify whether Active Data Guard (real-time query on standby) is enabled — this requires an Active Data Guard Option license beyond the base EE entitlement.
  15. Review Oracle Label Security and Database Vault installation status. Verify licenses if either feature is active beyond basic installation.
  16. Check for Oracle Spatial and Graph usage beyond the freely permitted "database spatial metadata" tables. Commercial spatial analysis requires Spatial and Graph Option license.
  17. Run Review Lite or equivalent script on all Oracle Database instances and compare output against licensed products and quantities in your Oracle license agreement.
  18. Verify that all Oracle Database licenses are attached to valid CSI (Customer Support Identifier) numbers and that support is current. Licenses without active support cannot be used in production.
  19. For Oracle Database Free Edition (23ai): verify it is deployed only on approved hardware configurations and only for the use cases Oracle permits without a commercial license.
  20. Document all Oracle Database instances in DR, development, and test environments. Apply Oracle's DR license policy (one cold standby permitted per licenced production instance) and verify development/test environments meet NUP or Processor license requirements.

Oracle Java SE Due Diligence

Oracle Java SE licensing changed fundamentally in January 2023 when Oracle switched from a CPU-based metric to the Java SE Universal Subscription — an Employee metric that counts all employees in your organization, not just Java users. This creates compliance exposure for organizations still operating under pre-2023 Java licenses or misunderstanding the scope of the Employee metric.

Java SE Compliance Checks (Items 21–35)

  1. Inventory all Java SE installations across your estate using discovery tools (Flexera, Snow, or equivalent). Document version, installation host, and installation type (JDK vs JRE vs embedded).
  2. Identify all Oracle JDK 8 update 202 and later installations. These require a Java SE subscription license. OpenJDK, Eclipse Temurin, Azul Zulu, and Amazon Corretto do not require Oracle Java SE licenses.
  3. For organizations with Java SE subscriptions under the Employee Metric (January 2023+): verify your subscription quantity against your total employee count (full-time + part-time + fixed-term). Contractors and temporary staff definitions in Oracle's employee metric vary — review your contract language.
  4. Check for Oracle JDK installations on servers running non-Oracle applications (middleware, third-party applications that bundle Oracle JDK). These create Employee Metric license obligations.
  5. Review CI/CD pipeline tools (Jenkins, GitLab, GitHub Actions) for Oracle JDK installation as a build dependency. CI/CD server Oracle JDK deployments count toward Java SE license obligations.
  6. Check for Spring Boot or other framework deployments that bundle Oracle JDK. Even if the application is not an Oracle application, bundled Oracle JDK creates license obligations.
  7. Verify that development environments using Oracle JDK are licensed. Oracle's OTN license for development/personal use was restricted in 2019 — commercial development environments require a subscription.
  8. For subsidiaries and controlled entities: verify your Java SE subscription covers all entities in your Oracle-defined organization. Oracle uses the ultimate parent company definition for Employee Metric counting.
  9. Review Docker container images for embedded Oracle JDK. Container images derived from Oracle JDK base images count toward license obligations if deployed on servers accessible to end users.
  10. Check Java Management Service (JMS) data if deployed. JMS provides Oracle with visibility into your Java estate — ensure all JMS-discovered Oracle JDK installations are covered by your subscription.
  11. Verify that Oracle Java SE subscription invoices align with your contracted employee count, not an inflated count that Oracle may have calculated. Oracle has issued invoices based on incorrect employee counts in several enterprise deployments.
  12. For pre-2023 Java licenses under NUP metric: document each named user authorized to use Oracle JDK and verify the NUP count against your Oracle contract quantity.
  13. Review migration plans for Oracle JDK to alternative distributions (Azul, Temurin, Corretto). Document migration status and ensure any servers where migration is complete have Oracle JDK fully uninstalled.
  14. Verify Java SE license scope covers all geographic locations where Oracle JDK is deployed. Oracle's Employee Metric typically requires coverage of all employees worldwide unless explicitly restricted in your contract.
  15. Check for Oracle Java SE Extended Support requirements. Java 8 and Java 11 are past their Premier Support end dates — deployments on these versions require Extended Support licenses or migration.

Oracle ULA and Agreement Due Diligence

Oracle Unlimited License Agreements require specific due diligence steps that differ from standard per-unit license reviews. The most important due diligence for a ULA is tracking deployment counts accurately toward certification.

ULA Compliance Checks (Items 36–50)

  1. Confirm ULA certification date. Calculate time remaining. ULA certification exercises must be initiated and completed before the ULA expiry date.
  2. Verify which Oracle products are included in the ULA. ULAs are product-specific — deployment of Oracle products not listed in the ULA Schedule constitutes standard (per-license) commercial use.
  3. For each ULA-covered product, count deployments using Oracle's required counting methodology (Processor metric for Database, NUP for some applications, Employee for Java if included).
  4. Verify ULA territory coverage. Most ULAs specify deployment territories (e.g., "worldwide" or specific countries). Deployments outside the ULA territory require separate licenses.
  5. Check ULA entity coverage. ULAs typically cover specific named entities. Subsidiaries acquired after the ULA was signed may not be covered — verify the entity definition in your ULA contract.
  6. If the ULA includes Oracle Database, verify that Multitenant/CDB deployments are counted correctly toward certification. Document PDB counts per CDB.
  7. Verify that VMware deployments within the ULA period are counted using Oracle's VMware counting rules (all physical CPUs in the cluster), not just vCPUs assigned to Oracle VMs.
  8. If the ULA is approaching expiry, run a maximisation assessment: identify additional Oracle product deployments that can be legitimately added before certification to maximize the post-certification perpetual license quantity.
  9. Verify DR and non-production deployments are documented within ULA deployment counts. These count toward certification in most ULAs.
  10. For ULA certification preparation: prepare the certification report in Oracle's required format before the certification meeting. Do not allow Oracle to define your certification count — independently calculate and present your count.
  11. Review ULA renewal terms if approaching expiry. Oracle's standard ULA renewal involves price escalation — benchmark current renewal pricing against market rates and negotiate before expiry deadline pressure applies.
  12. Verify that Oracle support charges under the ULA are calculated correctly. ULA support is typically based on net license value at certification — ensure the support cost calculation is based on your certified deployment count, not a higher count that Oracle's team may propose.
  13. If the ULA is being terminated rather than renewed, ensure post-ULA perpetual license assignments are documented before Oracle removes ULA status from your CSI.
  14. For PULA (Perpetual ULA): verify PULA-specific terms around deployment territory, entity coverage, and Oracle Cloud deployment rights if applicable.
  15. Review Oracle's audit rights clauses within your ULA. Some ULAs restrict Oracle's audit rights during the ULA period — understand your rights before responding to any Oracle compliance inquiry.
Expert Oracle License Due Diligence

Our Oracle Compliance Review team executes this complete checklist for your estate and produces a defensible compliance position report — before Oracle's LMS team arrives.

Book a Review

Oracle Cloud and OCI Due Diligence

OCI and Cloud Checks (Items 51–62)

  1. Inventory all Oracle Cloud subscriptions: OCI Universal Credits, Oracle Fusion Cloud (ERP, HCM, SCM, CX), Oracle SaaS applications, and any legacy Oracle Cloud classic subscriptions.
  2. For OCI BYOL deployments: verify that BYOL Oracle Database instances on OCI have explicit license assignments from your on-premise Oracle license pool. Document the assignment mapping.
  3. Verify OCPU-to-Processor license equivalence calculations for OCI BYOL. Each OCPU = 0.5 physical cores for Core Factor calculation purposes.
  4. Check OCI Universal Credit balance utilization. Unused committed credits are typically forfeited at contract end — ensure your cloud usage matches your committed credit quantities.
  5. For Oracle Fusion Cloud applications: verify Business User and Employee Metric user counts against contracted subscription quantities. Identify inactive accounts that inflate user counts.
  6. Review Oracle Fusion Cloud annual true-up provisions. Understand the pricing basis for over-usage users (contracted rate vs list price).
  7. Verify Oracle Support Rewards accrual if running Oracle Database on OCI. Support Rewards earn credits against Oracle annual support costs — verify the credit accrual is being applied to your support invoice.
  8. For OCI FastConnect: verify that BYOL Oracle Database instances on OCI are connected via FastConnect for LMS-defensible private connectivity.
  9. Check Oracle Cloud at Customer (ExaCC, DB@Customer) deployments for Processor license compliance. Cloud at Customer uses the same Core Factor rules as on-premise deployments.
  10. Review Oracle Cloud license portability terms in your Master Agreement. Some on-premise licenses cannot be ported to OCI BYOL under older Master Agreement terms — verify portability before migrating.
  11. For Oracle Autonomous Database on OCI: verify that usage beyond the Oracle Autonomous Database Free Tier triggers a license/subscription obligation. Confirm your OCI subscription covers Autonomous Database OCPU consumption.
  12. Verify Oracle Integration Cloud (OIC) and Oracle Analytics Cloud (OAC) subscription quantities against actual usage. These separately-licensed OCI services are commonly over-provisioned or under-licensed in multi-module Oracle Cloud deployments.

Oracle Support and Contract Due Diligence

Support and Contract Checks (Items 63–72)

  1. Verify annual support invoice amounts against the contracted support rate (typically 22% of net license value). Check for Oracle adding new licenses to the support schedule without authorization.
  2. Confirm that all CSI numbers associated with your Oracle licenses are active and correctly assigned. Inactive CSIs result in loss of patch entitlement.
  3. Review Oracle Master Agreement (OMA) terms for applicable restrictions on deployment territories, permitted use, and audit rights provisions.
  4. Check Order Forms for any product-specific deployment restrictions or metric definitions that differ from Oracle's standard policy documents.
  5. Verify that the Support Schedule accurately reflects your current license entitlements — not Oracle's desired support base. Oracle has historically added discontinued products to support schedules to prevent license termination notifications.
  6. For third-party support (Rimini Street, Spinnaker): review Oracle's reactivation fee policies before cancelling Oracle support. Understand the reinstatement cost if you need to return to Oracle support within 2–3 years.
  7. Check Oracle's Back Support provision in your contract. If you are behind on support payments, Oracle may charge back-support fees (reinstatement fees) that compound the cost of support non-compliance.
  8. Verify that software license keys and entitlement documentation are stored securely and accessible for audit response. Oracle requires production of license documentation within audit response timelines.
  9. Review Oracle master agreement or CSI-level discounts. Ensure these discounts are applied correctly in Oracle's support billing system.
  10. For contract renewals within 12 months: initiate renewal negotiations now. Oracle's renewal leverage increases significantly within 90 days of expiry. Our Contract Negotiation service recommends starting 12 months before renewal.

M&A Specific Due Diligence

Oracle license obligations in M&A transactions require specific due diligence steps beyond standard license compliance review. Acquirers frequently discover Oracle license gaps in target companies only after closing — when Oracle's LMS team initiates an audit triggered by the public announcement of the acquisition.

M&A Oracle License Checks (Items 73–80)

  1. Request a complete Oracle license inventory from the target company: all CSIs, Order Forms, ULAs, Master Agreements, and Support Schedules.
  2. Verify target's Oracle Database deployments against license entitlements. Focus on VMware environments (Core Factor × all cluster CPUs) and any CDB deployments with multiple PDBs.
  3. Check whether the target's Oracle ULA (if applicable) covers the acquiring entity post-close. ULAs typically do not automatically extend to the acquirer — a separate Oracle agreement is required.
  4. Assess Oracle Java SE exposure in the target. Java licensing changed in 2023 — many mid-market targets still operate under old perpetual Java licenses that are technically in non-compliance under Oracle's current terms.
  5. Review Oracle's change-of-control clauses in the target's Master Agreement. Some Master Agreements include provisions that trigger Oracle's right to renegotiate terms upon change of control.
  6. Quantify the Oracle license remediation cost as part of the acquisition price negotiation. Oracle license gaps in target companies are M&A risk items that should reduce acquisition price or be covered by representations and warranties insurance.
  7. Assess the risk of Oracle LMS audit post-acquisition announcement. Public M&A announcements are a primary trigger for Oracle LMS targeting. Prepare an audit response strategy before the acquisition closes.
  8. Review Oracle support contract consolidation requirements post-close. Combining the acquirer's and target's Oracle support agreements into a unified Master Agreement structure requires Oracle's agreement and can be an opportunity to negotiate improved terms — or a risk if Oracle uses the consolidation process to reset pricing upward.

The Oracle audit M&A trigger guide and the Oracle ULA for M&A guide on this site provide detailed analysis of the specific Oracle licensing risks that M&A transactions create. The private equity portfolio Oracle optimization case study illustrates how a structured due diligence and remediation program delivered a 30% reduction in Oracle costs across a multi-company acquisition portfolio.

After the Review: Remediation Priorities

Completing this due diligence checklist will identify compliance gaps. The remediation priority order should be: first, technical remediation (disable unused features, uninstall unauthorised Oracle Java, correct virtualisation configurations) to eliminate exposure at zero cost; second, commercial negotiation (address remaining license gaps in a negotiated commercial package rather than under LMS audit pressure); third, documentation improvement (improve license assignment records, USMM monitoring, and compliance evidence storage to make the next review faster and more defensible).

Never disclose identified compliance gaps to Oracle's account team before the remediation and negotiation strategy is complete. Oracle's sales team and Oracle's LMS team share information — a candid conversation with your account executive about "some Database options compliance gaps we found" can initiate an LMS audit at the worst possible time. Complete your remediation plan and engage Oracle commercially only when you are ready to negotiate from a position of knowledge. Our Audit Defense team supports organizations through both the remediation process and any subsequent Oracle commercial negotiations.

Key Takeaways

Audit Preparation

Oracle Audit Preparation Checklist: 50 Steps Before Auditors Arrive

The complete pre-audit preparation process — technical, contractual, and commercial readiness steps.

 M&A

Oracle Licensing in M&A: Complete Due Diligence Checklist

Acquisition-specific Oracle license due diligence — ULA, change of control, and audit risk.

 Compliance

Oracle License True-Up: Annual Compliance Reviews & How to Prepare

Oracle's annual compliance review mechanics and how to manage the process proactively.
White Paper

Oracle Audit Defense Manual

Complete playbook for Oracle LMS audit defense — from first letter to final resolution. Includes evidence management, challenge frameworks, and negotiation tactics. Free download.

Download Free Guide
FF

Fredrik Filipsson

Former Oracle sales and licensing professional with 25+ years of experience. Founder of Oracle Licensing Experts. 100% buyer-side advisory — never works for Oracle. LinkedIn ↗

Newsletter

Oracle Licensing Intelligence

Weekly updates on Oracle audit trends, due diligence best practices, Java licensing changes, and Oracle compliance intelligence from former Oracle insiders.

OLE

Oracle Licensing Experts Team

Former Oracle insiders with 25+ years of experience in Oracle LMS audits, ITAM program design, M&A Oracle due diligence, and compliance remediation. Independent, buyer-side advisory. About us →

Independent Oracle License Due Diligence

Not affiliated with Oracle Corporation

We execute this complete Oracle licensing due diligence checklist for your estate — Database, Java, ULA, Cloud, and Support — and deliver a forensic compliance position report with prioritized remediation recommendations.

Schedule a Confidential Review