7 Oracle Audit Defense Strategies You Can Deploy When the Audit Notice Shows Up

What is your Oracle audit defense?

Don’t you hate those clickbait things? “7 crazy ways to reduce belly fat!!” I think to myself, “Hey, I wouldn’t mind reducing belly fat! Maybe I should click on this.” Then the better part of an hour later, after going through slide after meaningless slide, I find that the only trick is the one being played on me for clicking on their garbage link to begin with.

Well, it is my intent to make this blog post 100% useful, and no extra clicks required! House of Brick has provided Oracle audit defense for hundreds of clients worldwide. You could be running Oracle on AWS, Azure, VMware, or AIX; your auditor could be from Romania, Toronto, Texas, or California; but the bottom line is that the Oracle playbook is pretty well universal across all those different dimensions.

Let’s crack that playbook open and share some things we have learned. And if you feel like you would like a coach through the process, don’t worry! We are here for you.


So, here are the seven crazy Oracle audit defense strategies you can deploy as soon as the audit notice hits your inbox.

Take a deep breath and tell yourself, “This won’t be so bad. I can do this!”

One of Oracle’s greatest audit tactics is intimidation. They seem to want people to be afraid of the audit process. When people are intimidated, they are more likely to immediately respond to the emails and meeting invitations. You might think that if you don’t respond immediately, Oracle will accuse you of not cooperating. You will still do everything you are supposed to do, but slowing down will help you avoid costly mistakes.

Take your time.

Did you know that your Oracle license agreement allows for at least 45 days for you to even respond to the audit notice? We have seen recently that Oracle acknowledges the 45 days, but then presses you to schedule a meeting, log in to their portal, and provide information before the 45 days are up. You may want to kindly acknowledge receipt of the audit notice, but then tell them that you will get back to them in six weeks.

Resist the temptation to overshare information.

Now that you are calm and centered, it is time to take your hands off the keyboard. Resist the urge to immediately log in to the portal and tell Oracle everything they want to know. I am going to let you in on a little secret that Oracle wishes I wouldn’t tell you. They routinely ask for things that are completely outside the scope of the audit, or even outside the scope of your Oracle license agreement. It is best to verify all requests for data, script output, architecture diagrams, AWS or Azure cloud deployments, VMware configurations, etc., against your actual binding contract.

Before starting the audit response, organize an internal audit defense team.

It really takes a team to appropriately review and respond to Oracle’s license audit demands. Here are a few people that should be invited to the audit defense team: Oracle DBA, DBA/IT manager, system/cloud architect, procurement/contract manager, executive sponsor, and legal team. Inviting a House of Brick consultant to your team is also an excellent idea! One person on this team (and only one) will become the sole point of contact for audit communications.

Let people in your company know about the audit.

You need to inform everyone Oracle might reach out to that you are under audit. Oracle has been known to circumvent established points of contact to try to get data, or even encourage C-level execs to put pressure on their staff. Tell everyone that you are under audit, and that if Oracle contacts them, they should just send Oracle back to the point of contact.

Oracle audits are not license compliance checks, but rather sales generation events; treat them as such.

Of course, your Oracle license agreement provides Oracle the ability to perform a license compliance audit. It also obligates you to participate in the audit. You should understand, however, that Oracle treats their audits like sales generation activities. We have years of experience uncovering Oracle’s “good cop, bad cop” routine between the auditor and the sales team. Your obligation is to report your Oracle license compliance. You have no obligation to provide them with information that might turn into sales pressure for unneeded purchases.

Independently review and validate all Oracle audit findings.

Oracle is notorious for putting findings in their audit reports that are not only wrong, but wildly misleading. We had a client we defended in an Oracle audit where the compliance finding was for hundreds of millions of dollars (if you can believe that)! Once we engaged in our audit defense services, and deployed our validating software, we were able to get the actual audit result down to $0. Just because Oracle says you are out of license compliance in the audit does not mean you actually are non-compliant.

Bonus Suggestion: You don’t have to do this alone! House of Brick can help.

You know that saying on TV, “do not attempt this at home”? While we are certain that you have the ability to successfully navigate an Oracle audit on your own, wouldn’t it be more helpful to have a trained professional on your team? We don’t always get our audit findings down to $0, but we always get our audit findings to the actual amount of non-compliance or lower. We do not try to negotiate a middle-ground number. We push Oracle hard to get you the lowest possible result.

House of Brick has the services and software to validate your actual Oracle license compliance. If you want to know your compliance position before an audit, we would be happy to help. It is so much easier to defend an Oracle audit if you already know what they will find. Just contact us and we will let you know your options for how we can help.
