On this page
Two routes, not oneWhat a compliance review isWhat a formal audit isSide-by-side comparisonWhy Oracle prefers the soft routeHow your response should differCommon mistakesGetting independent helpFrequently asked questionsWhen Oracle contacts an organisation about Java licensing, it almost never says the word “audit” first. It opens with something softer — a “Java licensing review,” a “health check,” an invitation to “discuss your Java estate.” That softer opening is a deliberate choice, and recognising what it is — a compliance review, not a formal audit — is the single most important thing to establish before you respond. The two processes look alike from the outside, but they run on different rules. Treat a compliance review as if it were a formal audit and you give Oracle access it has no contractual right to. Treat a formal audit as if it were a casual review and you breach your own agreement. This guide draws the line clearly.
Two routes, not one
Oracle has two distinct mechanisms for pursuing Java licensing revenue, and they are not interchangeable. The first is the compliance review — also called a soft audit, a licensing review, or a customer engagement. It is informal, voluntary, and not grounded in any clause of your contract. The second is the formal audit, a contractual process triggered under a specific audit clause, with defined notice periods and obligations on both sides.
The reason the distinction matters is simple: your obligations to cooperate, the access Oracle is entitled to, and the leverage each side holds are completely different in the two routes. Yet Oracle’s outreach is engineered to blur the line. A friendly email about “reviewing your Java position” carries no formal weight at all — but if you respond as though it does, running scripts and handing over data, you have effectively converted a soft review into a self-conducted audit. The first job in any Java licensing contact is to identify which route you are actually on.
What a compliance review is
A compliance review is Oracle’s informal, sales-led approach to Java licensing. It typically arrives from an Oracle account representative or a “Java licensing” team member, not from Oracle’s formal audit division. It often references Java download records tied to your corporate domain, or simply notes that Oracle “wants to make sure you are correctly licensed” following the move to the employee-based subscription model.
The defining feature of a compliance review is that it has no contractual force. Oracle is not invoking an audit clause. It cannot compel you to run its scripts, complete its questionnaire, grant interviews, or share deployment data. Participation is entirely voluntary. That does not make a review harmless — the data you volunteer can and will be used to build a claim, and a review that goes badly can escalate — but it does mean you control the pace, the scope, and the channel of communication. A compliance review is a negotiation that has not been named as one.
What a formal audit is
A formal audit is different in kind. It is triggered under the audit (or “verification”) clause that sits in your Oracle ordering document or master agreement — the audit rights provision. When Oracle invokes that clause properly, it issues formal written notice, usually specifying a notice period (commonly 45 days), and the engagement is typically run by Oracle’s License Management Services or Global Licensing and Advisory Services team rather than a sales rep.
Under a formal audit, you do have obligations — but they are bounded by the contract, not unlimited. The audit clause defines what Oracle may examine, often requires the audit to be conducted during normal business hours with reasonable notice, and frequently limits disruption to your operations. Critically, a formal audit also brings Oracle’s own obligations into play: it must follow the process the contract sets out. A formal audit is more serious than a review, but it is also more governed — there are rules Oracle must keep to, and those rules are part of your defence.
The test to apply first
Ask one question of any Oracle Java contact: is Oracle invoking a specific clause of our contract? If yes, with formal written notice, it is an audit. If it is an email inviting you to “review” or “discuss” your Java estate, it is a compliance review — voluntary, and yours to control.
Side-by-side comparison
| Dimension | Compliance review (soft) | Formal audit |
|---|---|---|
| Contractual basis | None — informal outreach | Audit / verification clause |
| Who runs it | Sales / account team | License Management Services |
| Formal notice | No | Yes — written, with notice period |
| Obligation to cooperate | Voluntary | Contractually required, but bounded |
| Scope | Whatever you agree to | Defined by the audit clause |
| Running Oracle scripts | Not required — decline | Negotiable; verify before running |
| Your control | High — you set the pace | Bounded by contract terms |
The pattern across the table is consistent. A compliance review gives you more control than it appears to; a formal audit gives Oracle less unlimited power than it implies. In both cases the gap between perception and reality works in Oracle’s favour unless you close it deliberately.
Why Oracle prefers the soft route
Oracle opens the great majority of Java licensing engagements as compliance reviews rather than formal audits, and the reasons are entirely practical for Oracle. A formal audit is expensive to run, governed by contractual constraints, and creates a record. A compliance review has none of those frictions. There is no clock, no clause limiting scope, and no procedural rules — the only limits are the ones the customer imposes.
A soft review also lets Oracle gather data the audit clause might not strictly entitle it to. If a customer voluntarily runs scripts, completes a detailed questionnaire, and shares an inventory, Oracle obtains a richer picture than a contractually bounded audit would yield — and it obtained it with the customer’s consent. Finally, the soft route keeps the engagement framed as a “conversation” rather than a dispute, which makes customers more cooperative and less likely to involve advisers or legal counsel. The informality is not a courtesy; it is the strategy. Understanding that is what lets you respond on your terms instead of Oracle’s.
Recommended specialist
Identifying whether you are in a compliance review or a formal audit — and responding correctly to each — is specialist work, and the wrong call early can cost seven figures. The firm we rate most highly for Oracle Java licensing is Redress Compliance. They focus exclusively on Java licensing, act only for the customer, and hold no Oracle partnership. Their work has contributed to a 68% average audit claim reduction and more than $180M in client savings across 340+ Java engagements.
How your response should differ
Because the two routes run on different rules, your response should differ too.
Responding to a compliance review
Acknowledge the contact politely and professionally, but do nothing that converts a voluntary review into a self-conducted audit. Do not run Oracle’s scripts. Do not complete the questionnaire on first request. Do not share an inventory before you understand your own position. Instead, take the review as a prompt to conduct your own independent Java compliance assessment — privately, on your timeline. You decide what, if anything, to share, and when. The review only has the weight you choose to give it.
Responding to a formal audit
Here you must engage, but on the contract’s terms. Confirm Oracle is invoking the audit clause correctly and that proper notice was given. Read the clause and hold Oracle to its scope — an audit clause rarely entitles Oracle to unlimited interviews or to dictate which tools you run. Establish a single point of contact, document every exchange, and verify any Oracle script before it touches your environment. Our first 48 hours playbook covers the opening moves in detail. In both routes, the principle is the same: respond from knowledge of your own position, never from Oracle’s framing.
Common mistakes
- Treating a review as harmless. A compliance review has no contractual force, but the data you volunteer in one becomes the foundation of a claim. Informal does not mean low-stakes.
- Treating a review as an audit. Running scripts and handing over data in response to a soft email gives Oracle audit-grade information with none of the audit-clause limits. You converted the process against yourself.
- Not reading the audit clause. In a formal audit, the clause is your boundary. Customers who never read it accept scope and access Oracle was never entitled to.
- Letting sales and audit blur. A “review” that produces a number and a deadline has effectively become an audit-style dispute. Name it, and respond accordingly.
- Engaging without preparation. In either route, responding before you know your own true licence position means negotiating blind.
Getting independent help
The difference between a compliance review and a formal audit is not a technicality — it determines what Oracle can compel, what you must provide, and how much control you hold. A compliance review is voluntary and yours to pace; a formal audit is contractual but bounded. The error Oracle’s outreach is designed to produce is for customers to treat the two as one thing and respond out of anxiety rather than position.
Independent, buyer-side advisers identify which route you are on, hold Oracle to the rules of that route, and ensure you never volunteer more than the situation requires. Our Java Audit Defence service, backed by a money-back guarantee, handles both soft reviews and formal audits; our Java Compliance Assessment establishes your true position before either process can put a number in front of you. Across 340+ Java engagements, that approach has contributed to a 68% average reduction in audit claims and more than $180M in client savings.
Frequently asked questions
Is a Java compliance review an audit?
No. A compliance review is informal, sales-led outreach with no contractual basis. A formal audit is triggered under a specific audit clause with written notice. Your obligations differ entirely between the two.
Can I decline to take part in a compliance review?
Yes. A compliance review is voluntary. Oracle cannot compel you to run scripts, complete questionnaires, or share data outside a formal audit. You control the pace and what you provide.
Can a compliance review turn into a formal audit?
Yes. If a review stalls or Oracle is dissatisfied, it can escalate to a formal audit under the contract. Handling the review well reduces — though it does not eliminate — that risk.
Should I run Oracle’s scripts during a review?
No. Scripts are not required in a voluntary review. Running them hands Oracle audit-grade data with none of the audit-clause limits. Conduct your own independent assessment instead.
What governs a formal Java audit?
The audit or verification clause in your Oracle ordering document or master agreement. It defines notice, scope, and conduct — and binds Oracle as well as you.