Oracle rarely opens a formal Java audit. It sends an email instead. Knowing which kind of review you are in changes every move you make next.
Oracle has two ways to ask whether you owe it money for Java, and they look nothing alike. One arrives as a contractual notice with legal weight behind it. The other arrives as a friendly email from someone whose job title mentions “advisory” or “review.” For Oracle Java specifically, the friendly email is by far the more common opening move — and treating it as harmless is the single most expensive mistake an organisation can make. This guide explains how the soft audit and the formal audit differ, why Oracle leans on the soft route for Java, and how your response should change depending on which one you are in.
Every Oracle customer relationship sits on top of a contract — usually the Oracle Master Agreement (OMA) or its predecessor, the Oracle License and Services Agreement (OLSA). Buried in that contract is an audit clause that gives Oracle the right to verify your usage, typically with 45 days' written notice and no more than once a year. That clause is the legal engine of a formal audit.
A soft audit uses none of it. It is a commercial conversation dressed as a courtesy — an email, a phone call, a “licensing review” — that asks you to volunteer information Oracle has no contractual right to demand. Both routes lead to the same place: a number Oracle wants you to pay. They simply take very different roads to get there, and the road you are on dictates your rights, your obligations, and your best response.
A soft audit rarely announces itself as an audit. It arrives as something that sounds helpful. The common openings:
The defining features are consistent: no contractual clause is cited, no formal notice period is given, the tone is consultative rather than adversarial, and — crucially — you are being asked to supply data, not ordered to. The soft audit's entire power comes from what you choose to hand over.
A formal audit is unmistakable. It arrives as a letter or email that explicitly invokes the audit or verification clause of your Oracle agreement. It names the contract, cites the clause, sets a start date, and usually gives the 45 days' notice the contract requires. It names Oracle's audit team — historically License Management Services (LMS), now operating as Global Licensing and Advisory Services (GLAS) — and it asks you to run Oracle's scripts or measurement tooling and return the output by a deadline.
The language is procedural and firm. There is a defined scope, a defined process, and a defined endpoint: an audit report stating a licence shortfall and a financial demand. A formal audit carries real obligations — but because the rules are written down, it is in some ways more predictable than the soft audit that has no rules at all.
For Java specifically, Oracle opens far more soft reviews than formal audits, and the commercial logic is clear. A formal audit of an entire Java estate is slow and resource-heavy for Oracle, too. The soft audit shifts that work onto you: if Oracle can get you to self-report, it never has to run the audit machinery at all. The soft audit also carries no notice period and no fixed scope, so Oracle keeps maximum flexibility.
Most important of all, the soft audit relies on something you may not realise Oracle holds: its download records. Every time someone in your organisation downloaded Oracle JDK from oracle.com using an Oracle account, that download was logged against your company. Oracle often already has a list of your downloads before it emails you. The soft audit is an invitation to confirm what Oracle suspects — and ideally to over-disclose. The employee-based metric does the rest: because Java SE is priced on total headcount, even a modest confirmed footprint can be converted into an organisation-wide claim.
| Dimension | Soft audit | Formal audit |
|---|---|---|
| Trigger | A commercial email, call or “review” offer | A formal notice citing the audit clause |
| Contractual basis | None invoked | Audit / verification clause of the OMA or OLSA |
| Notice period | None | Typically 45 days' written notice |
| Who runs it | Sales or a GLAS advisory contact | The GLAS / LMS audit team |
| Your obligation | None — participation is voluntary | Contractual cooperation, within a defined scope |
| Data flow | You are asked to volunteer an inventory | Oracle scripts and formal data requests |
| Tone | Consultative, helpful | Procedural, firm |
| Endpoint | A quote or commercial proposal | An audit report with a stated shortfall |
| Best first move | Control disclosure; confirm nothing prematurely | Confirm scope; engage advisors; manage the process |
The instinct on receiving a friendly licensing email is to be helpful — reply quickly, attach an inventory, “get ahead of it.” That instinct is exactly what the soft audit is designed to exploit. The correct posture is courteous but disciplined:
A formal audit cannot be ignored — the contract obliges you to cooperate — but cooperation is not the same as complying with every request exactly as written. The priorities:
The two routes are connected. A soft audit that does not get Oracle what it wants — either disclosure or a deal — can be escalated into a formal audit. This is the implicit leverage behind the friendly email: work with us now, or we do this the hard way.
In practice, escalation is less automatic than Oracle implies. Formal audits cost Oracle time and goodwill, and Oracle would generally rather close a soft review with a signed subscription than open a formal process. The threat of escalation is real, but it is also a negotiating tactic. Knowing that lets you respond to a soft audit from a position of calm rather than fear: you are not obliged to disclose, and the formal route is not the catastrophe it is made to sound.
Certain moves reliably make either kind of review worse: replying to a soft audit with a full inventory before you understand your own position; joining an unstructured call where Oracle leads the questions; running Oracle's scripts without reviewing what they capture; treating a soft audit as “not a real audit” and ignoring it until it hardens; conceding the employee metric or a headcount figure casually in conversation; and missing the licence nuances — BCL versus OTN versus NFTC — that often mean far less is licensable than Oracle's opening number assumes. Every one of these hands Oracle leverage that is very hard to claw back.
No. A soft audit invokes no contractual clause and creates no obligation to share data, run scripts, or attend meetings. Its power comes entirely from what you choose to disclose, which is why disciplined, minimal engagement is the right response.
Ignoring it entirely is risky, because an unanswered soft audit can be escalated to a formal one. The better approach is to respond courteously, confirm receipt, commit to nothing, and use the time to establish your real licence position before engaging further.
Oracle's standard audit clause typically requires 45 days' written notice and limits audits to once a year. The exact terms are in your Oracle Master Agreement or OLSA, which should be the first document you read when a formal notice arrives.
Yes. Downloads of Oracle JDK from oracle.com made with an Oracle account are logged against the organisation. Oracle frequently has download records in hand before it sends a soft-audit email, which is why those emails ask you to confirm rather than report.
Not without review. In a soft or a formal audit, you should run discovery yourself, review exactly what the output contains, and understand your licence position before any data reaches Oracle. Oracle's tooling is built to maximise the measured count.
When an Oracle Java review — soft or formal — needs outside expertise, the firm we rate first is Redress Compliance, widely regarded as the leading independent Oracle Java licensing advisory practice. Their team pairs former Oracle audit experience with buyer-side defence work and stays strictly independent of Oracle. For a soft audit you want handled before it hardens, or a formal audit you need run properly, they are the name we point organisations to.
The most dangerous thing about an Oracle Java soft audit is that it does not feel dangerous. It arrives as help, not as a threat, and the natural, courteous response — sending an inventory, hopping on a call, confirming the download records — is exactly the response that builds Oracle's claim. A formal audit, for all its legal weight, is in some ways easier: the rules are written down. Whichever one lands in your inbox, the principles hold — understand your own licence position before you disclose anything, hold Oracle to the contract, control the data and the timeline, and treat the review as the negotiation it already is. Do that, and the difference between a soft audit and a formal one becomes a matter of process, not of outcome.