How Oracle LMS Conducts Audits
Oracle's licence audit function operates through two teams: Licence Management Services (LMS) for standard audit delivery, and Global Licence Advisory Services (GLAS) for larger strategic accounts. Oracle's right to audit is embedded in most Oracle Master Agreements and typically allows Oracle to audit with 45 days' written notice, during business hours, using Oracle-provided scripts and tools.
The primary tool Oracle deploys in database audits is the Oracle LMS Script — a collection of SQL queries that Oracle asks customers to run against their Oracle databases and return the output. These scripts identify installed products, enabled features and options, CPU counts, and other licence-relevant data. Oracle cross-references this output against the customer's licence records to identify gaps. For customers running Oracle software on VMware or other virtualised infrastructure, Oracle also requests physical server and virtual machine configuration data to assess the processor licensing obligation under Oracle's virtualisation policy.
Oracle's LMS team is a revenue-generating organisation with internal targets. Audit letters are rarely purely administrative — they are strategic commercial tools deployed at moments of Oracle's choosing, typically when Oracle perceives commercial leverage.
The 10 Most Common Oracle Compliance Violations
Oracle Database Options Enabled But Not Licensed
Oracle Database Enterprise Edition ships with numerous Options (Partitioning, Advanced Security, Diagnostics Pack, Tuning Pack, etc.) enabled by default in the database binary. Many database administrators enable these features — or they are enabled during installation without explicit action — without realising that each Option requires a separate licence costing 25–40% of the underlying Database licence per Processor. The Oracle LMS Script specifically queries which options are enabled in each database. Oracle Partitioning alone is listed at $11,500 per Processor at list price; in a 20-Processor environment, that is $230,000 in unlicensed exposure.
VMware and Virtualisation Processor Miscounting
The most financially significant Oracle compliance violation is the failure to licence Oracle Database (and middleware) based on all physical cores in VMware host servers. Oracle's soft partitioning policy requires licensing all physical processor cores in any server running Oracle software, regardless of vCPU allocations. Enterprises running Oracle in a VMware environment frequently licence based on vCPUs, creating gaps that Oracle calculates at full physical-core licence counts. See our dedicated guide to Oracle partitioning rules and VMware for the full analysis.
Named User Plus Undercounting
Enterprises on NUP licensing routinely undercount their authorised user obligations because they count only direct database users rather than all users of applications that access the database. An ERP system accessed by 600 employees creates a 600-NUP obligation even if only 15 DBAs have database credentials. At Oracle Enterprise Edition NUP list price of $950/user, this is a $571,500 licence exposure plus $125,730 in annual support — before any options.
Oracle Java SE Unlicensed Deployments
Following Oracle's January 2023 Java SE licence model change, any commercial use of Oracle JDK (Java SE) requires a subscription — charged per employee, not per installation. Enterprises that continued using Oracle JDK after January 2023 without a subscription are in violation. This affects Java deployments in production, development, and test environments across the entire enterprise headcount. Oracle has been actively enforcing this change through audit letters. See our Oracle Java licensing guide for the complete 2026 position.
Oracle Real Application Clusters (RAC) Across Unlicensed Nodes
Oracle RAC requires Processor licences for every core in every node of the cluster. Enterprises that add nodes to a RAC cluster (for performance or DR purposes) without a corresponding licence purchase create unlicensed exposure across the entire expanded cluster. Monitoring and DR nodes are equally subject to licensing requirements as production nodes. A 4-node RAC expansion on dual-socket servers adds 32 Processor licence obligations at list price — $1,520,000 in licence exposure plus $334,400/year in support.
Unlicensed Software After Infrastructure Migrations
Server migrations, data centre consolidations, and cloud migrations routinely introduce Oracle compliance gaps. When Oracle Database is migrated from physical servers with a known processor count to new servers with higher core counts (or to VMware clusters with larger physical footprints), the licence obligation increases. These migrations often happen without a corresponding licence review, leaving the enterprise under-licensed from the migration date onwards. Oracle's LMS team tracks infrastructure changes through support system data and targets customers whose server hardware has changed since the last renewal.
Oracle WebLogic and Middleware on Unlicensed Servers
WebLogic Server deployed by development teams or DevOps on servers not included in the Oracle middleware licence agreement is a persistent source of compliance exposure. Test servers, continuous integration environments, containerised deployments, and pre-production systems all require licences if Oracle middleware runs on them. Many organisations have mature licence management processes for their production Oracle estate but lack visibility into non-production middleware deployments.
Oracle Audit Vault and AVDF Deployed Without Licences
Oracle Audit Vault and Database Firewall (AVDF) is commonly deployed by security teams as part of database activity monitoring initiatives. Many organisations do not realise that AVDF is a separately licensed Oracle product. Similarly, Oracle Data Masking and Subsetting, Oracle Key Vault, and Oracle Database Security Assessment Tool each have separate licence requirements that are routinely overlooked. Security-focused Oracle products are rarely included in initial software negotiations but are subsequently deployed by security teams operating independently of the Oracle licence management function.
Oracle ULA Certification Errors — Under-Certifying
For enterprises on an Oracle Unlimited Licence Agreement (ULA), the certification process at ULA end determines the number of perpetual licences received. Under-certifying — reporting fewer deployments than actually exist — results in a perpetual licence count that does not cover the full deployed footprint, leaving the enterprise in an ongoing compliance deficit. This often occurs because the certification process is rushed, excludes non-production environments, or misapplies Oracle's virtualisation counting rules. Our Oracle ULA negotiation guide covers the certification process in detail.
Oracle Fusion Applications Licensing Gaps
Oracle Fusion Applications (ERP Cloud, HCM Cloud, SCM Cloud) deployed in hybrid configurations — with on-premises integrations, custom Oracle Database deployments, and Oracle middleware in the technology stack — generate complex licence obligations that are frequently miscounted. The technology infrastructure supporting Oracle Fusion (WebLogic, SOA Suite, Oracle Identity Management) may require separate middleware licences in addition to the application SaaS subscription fees. Enterprises migrating from Oracle E-Business Suite to Fusion Cloud are particularly susceptible to licence gaps during the transition period when both environments run simultaneously.
Prevention: Building a Compliance Programme
Proactive Oracle licence compliance management prevents the most costly audit outcomes. An effective programme requires three elements: an accurate software inventory, a licence tracking process, and change management controls that flag Oracle-relevant infrastructure changes before they occur.
Conduct an internal Oracle licence position review at least annually — ideally six months before your Oracle contract renewal. This review should use the same Oracle LMS scripts that Oracle would use in an audit, applied against your own environment, with results reviewed by someone with Oracle licensing expertise. The findings from an internal review give you time to remediate genuine gaps (by purchasing licences at better-than-audit pricing), to challenge Oracle's counting methodology where it is genuinely disputed, and to enter renewal negotiations with a clear understanding of your true position.
If You Receive an Oracle Audit Letter
Receiving an Oracle LMS audit letter is not the same as receiving a legal summons. It is the opening of a commercial negotiation. Your first response should be to engage experienced Oracle licence counsel or advisory support — not to run the Oracle scripts and return results immediately. The data you provide to Oracle in response to an audit request becomes the evidentiary basis for Oracle's finding; how you respond, what you include, and how the data is presented all affect the outcome.
Oracle audit letters typically claim a right to access and audit within 45 days. This timeline is negotiable. Request an extension to allow adequate preparation. Review your Oracle Master Agreement to understand the exact scope of Oracle's audit rights — many agreements limit the audit scope to specific products, time periods, or locations. Engage your legal team to verify that Oracle's request falls within the contractual audit rights before providing any data.
Our Oracle Audit Defence Guide provides a step-by-step response framework. The Vendor Audit Defence Handbook includes template response letters, Oracle audit script analysis protocols, and negotiation strategies for resolving findings at 20–40% of Oracle's initial demand. For immediate support with an active Oracle audit, our Vendor Audit Defence team provides response management and negotiation services for enterprise Oracle audits.