What should you do first when an Oracle audit letter arrives?
When an Oracle audit letter arrives, the first action is to acknowledge receipt in writing, route every audit communication through one named owner, and run no Oracle scripts until you have read the audit clause in your contract. An Oracle audit is a negotiation dressed up as an inspection, and the preliminary finding will arrive inflated at list price. The first 48 hours set the conditions under which the whole negotiation plays out, so the goal is control, not speed.
The audit notice usually comes from Oracle Global Licensing and Advisory Services, formerly the License Management Services team, under the audit clause in your Oracle Master Agreement. It typically opens a response window of 30 to 45 days. That window is your preparation time, and the worst mistake is to treat the letter as a demand that must be satisfied at once.
Acknowledge in writing, name one owner, read your contract, and run nothing. A calm 48 hours protects the 60 to 80 percent reduction that a line-by-line review of the eventual finding typically achieves.
Do you have to respond to the letter immediately?
No, you do not have to respond in substance immediately, and you should not. A short, professional acknowledgement confirming that you have received the notice is enough on day one. It tells Oracle you are engaging, while committing you to nothing about scope, data, or timing. Resist the instinct to demonstrate good faith by volunteering information, because anything sent in the first hours leaves before anyone has reviewed it against the contract.
The single most valuable structural decision in these first hours is to establish one channel in and one channel out. Every request from Oracle, and every answer back, should pass through a single named owner. This prevents the scattered, casual admissions that arise when several people answer independently. The discipline is set out in the single point of contact rule, and deciding who fills that role is covered in "who should be in your audit response team".
Should you run Oracle's audit scripts straight away?
No, you should not run Oracle's collection scripts in the first 48 hours, because running them is a decision, not an obligation. Oracle's scripts can overcount across virtualization layers, returning output that reads as far more usage than the contract actually obliges you to license. If that raw output leaves your organisation before review, you have handed Oracle the very ground a defense needs to recover.
Remember that the policy document is not the contract. Many of the largest findings, including cluster-wide virtualization claims and accidental options usage, rest on Oracle policy papers that are often weaker than your signed agreement. Contract language beats policy. So the first 48 hours are for reading your own agreement and understanding your own deployment, not for generating data that Oracle will interpret. The mechanics of what those scripts actually capture are explained in the Oracle audit defense guide.
The clock is yours to manage
The 30 to 45 day response window is often treated as a deadline imposed on you. In practice the timeline is itself negotiable, and a measured opening response can confirm scope, ask Oracle to put its requests in writing, and propose a workable schedule. Managing the clock deliberately is one of the quiet advantages of a single channel, because one owner can sequence the work rather than scrambling against scattered requests.
| Hour | Action |
|---|---|
| 0 to 4 | Acknowledge receipt in writing, name the single owner |
| 4 to 24 | Locate the Oracle Master Agreement and read the audit clause |
| 24 to 48 | Brief the response team, instruct staff to route all contact through the owner |
What you must provide, in what form, and on what timeline is contract-dependent. The audit clause and any data provisions in your agreement set the boundary, so the single channel reads them before answering rather than letting Oracle requests define the obligation.
The 48-hour checklist
The actions that matter most in the first two days are few and specific. None of them require generating data, and all of them protect your position.
- Acknowledge the notice in writing, confirming nothing about scope or data yet
- Name a single owner and instruct all staff to route Oracle contact through them
- Find the signed Oracle Master Agreement and read the audit clause and any data terms
- Do not run any Oracle scripts and do not send any deployment data
- Decline informal calls and ask for every request in writing
- Decide whether to bring in an independent buyer-side advisor before substance is exchanged
Done well, these steps cost nothing and change the footing of the entire audit. They also buy the time to assess your real position before any number is conceded, which is where the value of an independent review begins.
Your next step
If the letter has just arrived, the fastest way to protect your position is to put one calm acknowledgement out, freeze all data sharing, and get an independent read on your exposure before Oracle does. Our Oracle audit defense service can hold the channel for you and review every line, on a Fixed Fee or Gainshare basis with no risk to you. We reduce your Oracle exposure or we reimburse our service fee.