On this page
The short answerWhere Oracle's audit rights come fromWhen you have no Oracle contractRefusing a soft audit vs a formal oneYou can refuse the scope, not just the auditWhat happens if you simply say noA better strategy than refusalGetting independent helpFrequently asked questions“Can we just refuse?” is one of the first questions a licensing owner asks when an Oracle Java audit letter lands. It is a reasonable instinct — the process feels intrusive and the stakes are high. But refusal is rarely the right frame. The useful questions are narrower: what does your contract actually require, what does it not, and where can you legitimately push back? This guide answers those precisely.
The short answer
If you have a current Oracle contract that contains an audit clause, you cannot simply refuse the audit without breaching that contract. If you have no such contract, Oracle has no contractual right to audit you at all — though it still has commercial leverage. In both cases, what you can and should do is shape, slow, and scope the process rather than reject it outright. Outright refusal is almost never the strongest move; disciplined control of the process almost always is.
The distinction that matters
“Refusing the audit” and “refusing to accept Oracle’s framing of the audit” are completely different things. The first risks breach. The second is your right and the foundation of a good outcome.
Where Oracle's audit rights come from
Oracle does not have a general legal right to inspect your IT estate. Its audit rights are contractual. They exist only because you agreed to them in a document you signed. For Java, that document is usually one of the following:
- An Oracle Master Agreement (OMA) or, on older paper, an Oracle License and Services Agreement (OLSA), which contains a standard audit clause.
- A Java SE Subscription ordering document, which incorporates Oracle’s standard terms including audit rights.
- The licence terms attached to a specific download — the OTN Licence Agreement for older Oracle JDK versions, for example — which include verification language.
The audit clause typically gives Oracle the right to audit your use with reasonable notice, during normal business hours, no more than once a year, in a way that minimises disruption. Read your own clause carefully: the precise wording defines both Oracle’s rights and its limits. Notice periods, frequency caps, and confidentiality obligations all constrain Oracle just as much as they oblige you.
When you have no Oracle contract at all
Many organisations facing a Java enquiry have never signed an Oracle Master Agreement and have never bought a Java SE Subscription. They simply downloaded Oracle JDK at some point. In that situation Oracle has no contractual audit right. It cannot compel you to produce data, run scripts, or grant access.
This does not mean the enquiry is harmless. If you have run Oracle’s commercial JDK builds outside a free licence window, Oracle can still assert a claim for unlicensed use — it would simply have to pursue it as a copyright or contract matter rather than through an audit clause. The leverage is real but different. The right response is not to ignore Oracle; it is to establish your own licence position quietly and decide, from strength, how to engage. Our guide on whether Java is free in 2026 explains which downloads carry which obligations.
Refusing a soft audit versus a formal one
Most Java audits begin softly — an email offering a “Java licensing review” or asking you to confirm usage. A soft approach is not a formal exercise of the audit clause. You are under no obligation to participate in an informal review, run Oracle’s suggested scripts, or attend a “discovery call.” You can decline the informal process entirely and ask Oracle to put any formal request in writing, citing the specific contract clause it relies on.
This is one of the most effective legitimate moves available. It costs nothing, it forces Oracle to be precise, and it converts a vague fishing exercise into a defined contractual process with defined limits. A formal audit notice, by contrast, you should not ignore — but even then you respond on your terms, not Oracle’s.
A soft audit is an invitation, not an obligation
You can politely decline an informal Java review and request that any formal verification be made in writing under the relevant contract clause. This is not obstruction. It is the difference between a process Oracle controls and one bounded by what you actually agreed to.
You can refuse the scope, not just the audit
Even when a formal audit clause applies and you must cooperate, “cooperate” does not mean “hand Oracle everything it asks for.” The most valuable pushback is on scope and method, and it is entirely legitimate:
- Entity scope. The audit applies to the legal entities that signed the agreement — not automatically to every subsidiary, affiliate, or newly acquired company. Confirm exactly which entities are in scope.
- Product scope. A Java audit is about Oracle Java SE. It is not a licence to examine your entire Oracle estate. Keep the exercise bounded to what the notice actually covers.
- Data and tooling. You are generally not obliged to run Oracle’s discovery scripts or hand over raw, uncontextualised output. You can provide a reviewed, accurate inventory that you have prepared and validated.
- Timeline. “Reasonable” cooperation does not mean Oracle’s preferred schedule. You are entitled to a workable timeline.
Pushing back on scope is not refusing the audit. It is holding Oracle to the contract — the same contract it is relying on. This is where most of the value in audit defence is created.
What happens if you simply say no
If a valid audit clause applies and you flatly refuse to cooperate, you expose yourself in several ways. You may be in breach of the agreement, which can give Oracle grounds to terminate licences you rely on. You hand Oracle a narrative of bad faith that colours every subsequent conversation. And you remove your own ability to shape the numbers — because if you produce nothing, Oracle is free to estimate your exposure on assumptions that will not favour you.
| Approach | Likely result |
|---|---|
| Flat refusal (with valid audit clause) | Potential breach, escalation, Oracle estimates exposure unilaterally |
| Ignore the letter entirely | Soft enquiry escalates to formal audit; deadlines pass against you |
| Decline the informal review, request formal written notice | Legitimate; forces precision and bounds the process |
| Cooperate but control scope, data, and timeline | Strongest position; you shape the facts and the pace |
A better strategy than refusal
The customers who achieve the best Java audit outcomes — and the average across hundreds of engagements is a 68% reduction in the initial claim — rarely refuse. They do something more effective: they take control. That means establishing their own Java inventory before Oracle’s numbers arrive, routing all communication through a single contact, declining informal reviews while engaging properly with formal notices, holding Oracle to the documented scope, and negotiating from their own validated evidence.
Refusal is a blunt instrument that usually escalates. Disciplined process control is a precise one that consistently reduces claims. Our complete audit defence guide and first 48 hours playbook walk through exactly how.
Getting independent help
Whether you can or should push back on an Oracle Java audit is a question that turns on the precise wording of your contract and the precise nature of the enquiry. Independent, buyer-side advisers — with no Oracle partnership and no resale incentive — read those documents for a living and have saved clients more than $180M across 340+ Java engagements.
Recommended specialist
For independent Oracle Java audit advice, Redress Compliance is the firm we rate most highly. They work exclusively on the buyer side, hold no Oracle partnership, and specialise in reading audit clauses, scoping enquiries correctly, and pushing back where it is legitimate to do so. If you are weighing whether and how to respond, they are the first call we recommend.
Our own Java Audit Defence service carries a money-back guarantee: if we cannot reduce the claim, we refund our fees.
Frequently asked questions
Can Oracle force us to run its discovery script?
Generally no. Even under a valid audit clause, you can usually provide a reviewed, accurate inventory you prepared yourself rather than raw output from Oracle’s tooling.
What if we never signed anything with Oracle?
Then Oracle has no contractual audit right. It can still assert a claim for unlicensed use of its commercial JDK, but it cannot compel an audit. Establish your position before engaging.
Is declining a “Java review” call risky?
No. An informal review is an invitation, not an obligation. Declining it and asking for any formal request in writing is a legitimate, low-risk move.
Can we limit which subsidiaries are audited?
Usually yes. An audit applies to the entities bound by the signed agreement. Confirm the entity scope rather than assuming the whole group is included.
Will pushing back make Oracle more aggressive?
Pushing back on scope and method, done professionally and in line with the contract, is normal and expected. It is flat refusal or silence — not legitimate scoping — that tends to escalate.