If you read nothing else
An Oracle audit is a contractual license review Oracle opens with 45 days' written notice under your Oracle Master Agreement, and the day-by-day sequence of your response decides the bill. On Day 0, acknowledge the letter and name one contact — nothing more. Do not run Oracle's USMM or LMS scripts, do not return the Oracle Server Worksheet, and do not concede scope until an NDA and a defined scope are in writing. Oracle's opening claim is priced at list and runs 3–5× what you actually owe; settle from a rebuilt count, not from Oracle's number.
This Oracle audit field manual maps the first 90 days hour by hour and milestone by milestone: Day 0, the first 48 hours, the Week 1 kickoff call, the data request, the script decision, the findings, and the settlement that follows. Every pricing and policy figure carries a source and a date so you can act on it the morning the letter lands.
Key takeaways
- Day 0 is for acknowledgement, not data — the Oracle Master Agreement lets Oracle audit "upon 45 days written notice," and the same clause bars an audit that would "unreasonably interfere with Your normal business operations" (Oracle Master Agreement, 2026). Your first reply should name one contact and request an NDA — never script output.
- The kickoff call arrives in Week 1 and Oracle issues the Oracle Server Worksheet (OSW) — a spreadsheet asking for every Oracle deployment, server, core count, and user. The OSW is Oracle's broadest default scope; you negotiate it down to the named entities, products, and a defined lookback period before returning anything.
- Running Oracle's USMM and LMS scripts unreviewed is the single biggest day-by-day mistake — you have contractual discretion over the format and scope of the data you provide, and those scripts report option and management-pack usage you may never have knowingly enabled.
- Oracle opens enterprise audits at $2M–$40M priced at list, and the gap between the opening claim and the signed settlement averages 30–60% once the count is rebuilt; well-evidenced defenses compress claims 40–90% (industry audit-defense benchmarks, 2026). An audit runs three to nine months from letter to settlement.
- Across 600+ Oracle engagements, customers who put a single controlled response channel in place within the first 10 days settled materially lower than those who let data leak before Day 30 (Oracle Licensing Experts engagement data, 2026).
Recommendations by role
The audit letter lands on one desk and is fought across four. Here is each owner's day-by-day brief for the first 90 days.
CIO / Head of Infrastructure
- Day 0–2: freeze every contact with Oracle technical and account staff; route all requests through one named owner so nothing is volunteered informally.
- Days 8–30: do not run USMM or LMS scripts on production until your own team has reviewed exactly what they collect and report.
- Days 8–30: stand up an internal deployment baseline — processors, cores, options, and feature usage — before Oracle defines the count for you.
VP Procurement / Vendor Management
- Day 0–2: acknowledge the letter in writing, confirm the contractual audit clause invoked, and pin the 45-day window in your reply.
- Week 1: insist on an NDA before any data scoping and require Oracle to name the exact entities, products, territory, and lookback period in scope.
- Months 3–9: treat Oracle's first number as an opening position, never an invoice — settle on rebuilt evidence and realistic pricing.
SAM / ITAM Manager
- Days 8–30: reconcile installed Oracle programs against entitlement, flagging options — Diagnostics Pack, Tuning Pack, Partitioning — that may be on by default.
- Days 8–30: document the virtualization architecture; VMware and soft-partitioning positions are where Oracle inflates processor counts.
- Days 30–60: build the curated evidence pack that answers Oracle's in-scope questions on your terms, in your format, by your deadline.
CFO / General Counsel
- Week 1: hold the NDA and nondisclosure terms; audit findings are confidential and must not become a sales lever against you.
- Days 60–90: model the worst-case exposure — new licenses plus back support — so the settlement target is set by you, not Oracle.
- Months 3–9: treat the audit as a commercial negotiation with a legal spine, not an IT housekeeping task.
The Oracle audit field manual: the first 90 days, milestone by milestone
Each question below is one a CIO, GC, or procurement lead asks on a specific day of the audit. Lead with the answer; the move follows.
What should you do on Day 0, the day the Oracle audit letter arrives?
Almost nothing — on purpose. On Day 0 you acknowledge receipt in writing, confirm which contract clause Oracle is invoking, name a single point of contact, and request an NDA before any data moves. You do not answer questions, accept a kickoff date, or promise script output. An Oracle audit is a contractual compliance review, not a regulatory proceeding, and the 45-day notice is a window to prepare — not a deadline to surrender data.
The letter is usually addressed to a named C-suite executive and signed by an Oracle GLAS representative. GLAS (Global Licensing and Advisory Services) is Oracle's rebranded License Management Services function, and it sits inside the sales organization — its job is to find shortfalls that convert into license and support revenue. Read the letter as the opening of a negotiation, because that is what it is.
If the letter, or a friendly Oracle account rep, asks you to "just run the script and send the output" or "fill in the worksheet by Friday," that is the costliest moment in the audit. Anything you send before review becomes Oracle's count — and you cannot un-send it.
What must you do in the first 48 hours after an Oracle audit notice?
Lock down the response channel. Within 48 hours, freeze all Oracle contact, designate one audit owner — usually procurement or vendor management — and route every technical and commercial request through that person. Convene IT, SAM/ITAM, legal, and procurement, and engage buyer-side advisory early, because the defense is most effective in the first 30 days. The single most expensive leak is an engineer answering a "quick question" or an account manager dropping by to "help."
This is also when you start the internal clock. Confirm the contract version Oracle is relying on, locate the exact audit clause, and check for any ordering document that extends notice to 90 days or adds restrictions. The buyer who controls the channel by Day 2 controls the audit; the buyer who lets four people talk to Oracle has already lost scope.
Across 600+ Oracle engagements, customers who established a single controlled response channel within the first 10 days of the letter settled materially lower than those who let data leak before Day 30 (Oracle Licensing Experts engagement data, 2026).
What happens in Week 1: the kickoff call and the Oracle Server Worksheet?
Oracle proposes a kickoff call, introduces the assigned LMS/GLAS audit manager, and issues the Oracle Server Worksheet (OSW) — a detailed spreadsheet asking for every Oracle deployment, server, core count, and user. The OSW represents Oracle's broadest default scope, and returning it as received hands Oracle a global map of your estate. Treat Week 1 as scope-setting, not data-collection.
Before the call, decide your scope position. The audit clause confines Oracle to verifying compliance with "the applicable order and the Master Agreement" it invokes — not your whole global estate, not affiliates on different contracts, not products you never licensed. Use the call to pin the legal entities, the program list, the territory, and the lookback period (Oracle typically reaches back three years) in writing, and to require an NDA so findings stay confidential.
"Please confirm the exact contractual clause authorizing this review, the precise legal entities, products, and geographies in scope, the audit period, and whether the review is run by GLAS directly or a third party." A vague answer means the scope is still negotiable — in your favour.
Days 1–30: how do you handle the data request without overreaching?
You provide reasonable assistance to verify compliance; you do not build Oracle's case for it. In the first 30 days, respond formally and promptly, but supply only what answers the specific, in-scope question — processor counts, named-user totals, deployment evidence — in your own format and on your timeline. The audit clause obliges cooperation and access to information "reasonably requested," not raw access to your environment or unrelated systems.
Decline, politely and in writing, anything beyond the stated scope: systems outside the named entities, products not under review, or speculative "while we're here" requests. Every data set leaves your hands through the single audit owner, logged, after review. A request to "also include your VMware clusters" or "the other subsidiaries while we have the data" is scope creep, and the clause does not require you to entertain it.
Returning the Oracle Server Worksheet in full, early, and unreviewed is scope creep you invited. Fill in only the in-scope rows, after your own reconciliation, and never volunteer environments the letter did not name.
Days 30–60: should you run Oracle's USMM or LMS scripts, and when?
Run them internally first — never blind on production for Oracle. Oracle requests permission to run USMM (its measurement utility) and LMS diagnostic scripts on in-scope systems; they report deployment, options usage, and feature access across your databases. You have contractual discretion over the format and scope of the data you provide, and the Oracle Master Agreement does not require you to run Oracle's specific tools blindly and forward the raw logs.
The danger is options and management packs that activate on use without a separate purchase — Diagnostics Pack, Tuning Pack, Advanced Compression, Partitioning, Real Application Testing. A DBA who once clicked into Enterprise Manager's performance pages can trigger a Diagnostics Pack finding. Run the scripts yourself, interpret the output with someone who knows how Oracle reads it, switch off and document anything inadvertently enabled, and only then decide what to present.
Treat USMM output as a draft you review and remediate against — not a report you forward. Self-assess first, present a clean, evidenced position, and let Oracle reconcile to your numbers rather than the other way around.
Days 60–90: how does Oracle present its findings — and why are they inflated?
Oracle's LMS/GLAS team analyses the script output and OSW, constructs a compliance position, and prices any shortfall at list. The draft report is large by design: it counts every detected option as a separate license, applies the Core Factor Table and processor metrics to maximize the count, often treats VMware estates as if every host runs Oracle, and adds back-support arrears on the alleged shortfall going back several years. None of that is a settled invoice — it is an opening position.
This is why the same audit can produce a $12M letter and a $0–$2M settlement. Oracle opens enterprise audits at $2M–$40M; the gap between opening claim and signed settlement averages 30–60% once the count is rebuilt, and aggressive, well-evidenced defenses compress claims 40–90% (industry audit-defense benchmarks, 2026). The reduction comes from rebuilding the count, correcting the licensing model, and stripping unjustified back-support — not from pleading.
The "shall not unreasonably interfere with Your normal business operations" language is a genuine lever. Use it to set the pace, batch data requests, and refuse open-ended live access — on your operational timeline, not Oracle's.
Beyond Day 90: when and how do you settle the Oracle audit?
You settle once you have rebuilt the count, corrected the licensing model, and stripped the unjustified back-support — not before. The strongest single target is back-support arrears, which Oracle seeks on the alleged shortfall on top of new licenses at 22% of net license value per year (Oracle Software Technical Support Policies, 8 May 2026); a compounding annual uplift turns a modest support line into a far larger number over a decade, and the arrears are frequently negotiable to zero.
Oracle's commercial preference is to convert the audit into forward spend — a cloud commitment, a ULA, or a larger renewal — rather than collect a one-time penalty. That preference is your opening: a clean, evidenced compliance position plus a forward conversation almost always beats paying the list-price claim. An Oracle audit usually runs three to nine months from letter to settlement, so the first 90 days are the foundation, not the finish line. Get written closure that confirms the scope is resolved.
"We acknowledge your notice dated [date] invoking the audit clause of [agreement]. Please provide an NDA and confirm the entities, programs, territory, and audit period in scope. We will provide reasonable, in-scope compliance data in our standard format within a mutually agreed schedule that does not unreasonably interfere with operations."
The Oracle audit day-by-day calendar, phase by phase
| Phase | Window | Oracle's move | Your move | Trap to avoid |
|---|---|---|---|---|
| Notice | Day 0 | Audit letter cites the clause, names scope, proposes a kickoff | Acknowledge in writing only; name one contact; request an NDA | Replying with data, dates, or admissions |
| Mobilize | Days 1–2 | Account team offers to "help" run scripts | Freeze Oracle contact; convene IT, SAM, legal, procurement; engage advisory | Letting engineers answer "quick questions" |
| Kickoff & scope | Week 1 (Days 3–7) | Kickoff call; LMS/GLAS manager assigned; OSW issued | Demand NDA; pin entities, products, territory, and period in writing | Accepting Oracle's broad default scope |
| Self-assessment | Days 8–30 | Awaits OSW and script output | Run scripts internally; reconcile entitlements; remediate options on by default | Forwarding raw USMM/LMS output |
| Controlled data exchange | Days 30–60 | Analyses data; asks follow-ups; expands scope | Provide curated, in-scope evidence in your format; log everything | Open-ended live access and scope creep |
| Findings | Days 60–90 | Draft report priced at list, plus back-support | Rebuild the count; correct the model; strip back-support | Treating the number as an invoice |
| Settlement | Months 3–9 | Pushes cloud, ULA, or renewal conversion | Settle from evidence; cap back-support to zero; get written closure | Conceding forward spend you don't need |
Decision matrix: where you are in the calendar when you take control
Figure 1 — Your play depends on how far into the audit calendar you are when you mobilize and how strong your evidenced compliance position is once you self-assess.
- Run the playbook: You control scope, the channel, and the count from Day 0. Self-assess, present clean evidence, and close the in-scope question fast.
- Remediate inside the window: Switch off inadvertently enabled options, true up quietly where cheap, and present a remediated estate before any data leaves your hands.
- Reopen the count: Even after data has gone, rebuild the deployment count and challenge the draft findings with evidence — the list-price claim is not the settlement.
- Contain and convert: Cap back-support toward zero, negotiate exposure into a discounted forward deal you actually need, and secure written closure.
In every quadrant the same rule holds: never let Oracle's opening number, priced at list, stand as the settlement figure.
Your four day-by-day response postures, compared
| Posture | What it means | Strength | Caution |
|---|---|---|---|
| Run scripts and return the OSW immediately | Execute USMM/LMS and send raw output plus a full worksheet | Looks cooperative; fast | Hands Oracle the count and any inadvertent option usage — the costliest path |
| Self-assess first, then respond | Run scripts internally, remediate, share a curated in-scope position | Controls the count, the scope, and the narrative | Needs Oracle-fluent interpretation of the output |
| Delay or stonewall | Ignore or slow-walk the letter and the kickoff | None worth having | Breaches the clause, escalates Oracle, forfeits goodwill leverage |
| Engage independent advisory from Day 1 | Buyer-side experts run the calendar, the defense, and the settlement | Rebuilds count, strips back-support, negotiates forward | Engage early — value is highest in the first 30 days |
Acronyms & key terms
- Audit clause: The audit clause is the Oracle Master Agreement term letting Oracle verify your use of the Programs on 45 days' written notice.
- LMS: License Management Services was Oracle's licence-review function, responsible for audits and now rebranded as GLAS.
- GLAS: Global Licensing and Advisory Services is Oracle's current licence-review function, the successor to LMS, sitting inside sales.
- USMM: USMM is Oracle's measurement utility whose scripts collect deployment and options-usage data during an audit.
- OSW: The Oracle Server Worksheet is the spreadsheet Oracle issues at kickoff asking for every deployment, server, core count, and user.
- OMA: An Oracle Master Agreement is the umbrella contract whose schedule contains the standard 45-day audit clause.
- Lookback period: The lookback period is the time window an audit examines, typically the last three years of deployment.
- NUP: Named User Plus is Oracle's per-user license metric, carrying per-processor minimums that audits often enforce.
- Processor metric: The Processor metric licenses by core count multiplied by the Core Factor, the basis Oracle uses to size most claims.
- Core Factor: The Core Factor Table is Oracle's multiplier converting physical cores into required processor licenses.
- Management Pack: A Management Pack (Diagnostics, Tuning) is a separately licensed Database option that can activate on use and trigger findings.
- Back-support: Back-support is support arrears Oracle seeks on an alleged shortfall, often spanning several years, on top of new licenses.
Frequently asked questions
What should you do the day an Oracle audit letter arrives?
On Day 0, acknowledge receipt in writing, confirm the contract clause Oracle is invoking, name one point of contact, and request an NDA before any data moves. Do not answer questions, accept a kickoff date, or promise script output. The 45-day notice is a window to prepare, not a deadline to surrender data, so the only Day 0 deliverable is a controlled acknowledgement.
How many days do you have to respond to an Oracle audit?
The Oracle Master Agreement gives Oracle the right to audit "upon 45 days written notice" (Oracle Master Agreement, 2026), and Oracle commonly requests an acknowledgement within about 30 days. Some ordering documents extend notice to 90 days. Treat the window as planning time: confirm the clause, demand an NDA, and pin the scope in writing before any data or worksheet leaves your hands.
What is the Oracle Server Worksheet (OSW)?
The Oracle Server Worksheet is a detailed spreadsheet Oracle issues around the Week 1 kickoff, asking for every Oracle deployment, server, core count, and user across your estate. It represents Oracle's broadest default scope. Do not return it in full or early. Complete only the in-scope rows, after your own reconciliation, and never volunteer entities, environments, or products the audit letter did not name.
When in the audit should you run USMM or LMS scripts?
Run them internally first, typically in the Days 8–30 self-assessment phase, and never blind on production for Oracle. You have contractual discretion over the format and scope of the data you provide. Running Oracle's scripts and forwarding raw output unreviewed is the single biggest day-by-day mistake, because it can surface options usage you never knowingly enabled. Remediate, then decide what to present.
How long does an Oracle audit take, day by day?
An Oracle audit usually runs three to nine months from the formal letter to settlement. The first 90 days set the trajectory: Day 0 acknowledgement, a 48-hour lockdown, a Week 1 kickoff and scope fight, Days 8–30 self-assessment, Days 30–60 controlled data exchange, and Days 60–90 findings. Concede data and scope in week one and the audit drags while the claim grows.
When is the right time to settle an Oracle audit?
Settle once you have rebuilt the count, corrected the licensing model, and stripped the unjustified back-support — not before. Oracle's findings are an opening position priced at list; the gap to the signed settlement averages 30–60% once the count is rebuilt. Back-support arrears, charged on top of new licenses at 22% per year, are the strongest target and are frequently negotiable toward zero.
Can you still negotiate the scope after the kickoff call?
Yes. The audit clause confines Oracle to verifying compliance with the specific order and Master Agreement it invokes, and bars unreasonable interference with operations. That limits the review to the named entities, products, territory, and period regardless of when you assert it. Get scope fixed in writing, require an NDA, and refuse "while we're here" requests for other subsidiaries, VMware clusters, or unlicensed products at any stage.
Methodology & sources
This field manual combines current Oracle contract, pricing, and policy documents with Oracle Licensing Experts engagement data drawn from 600+ buyer-side Oracle engagements and $1.8B in Oracle spend advised. Benchmarks labelled "Oracle Licensing Experts" reflect anonymised outcomes across our audit-defense work and are not attributable to any single client. Pricing and policy figures are Oracle's published rates and terms as of mid-2026 and exclude negotiated concessions. Exposure and settlement ranges reflect Oracle's standard opening positions and observed audit-defense outcomes, not guaranteed results.
Primary and authoritative sources cited:
- Oracle Software Technical Support Policies (oracle.com, 8 May 2026) — the 22% support rate, reinstatement, and annual uplift terms.
- Oracle Master Agreement (oracle.com) — the standard 45-day audit clause and nondisclosure terms.
- Rimini Street: Oracle License Audit (GLAS) — GLAS audit process, scripts, and data-collection mechanics.
- Scott & Scott LLP: Oracle Software Audits — audit-clause obligations, notice periods, and cooperation scope.
- Mondaq: 2026 — The Year Oracle's Java Audits Get Real — current GLAS audit behaviour and 2026 targeting.