The Soft Audit Versus the Formal Audit

Not every Java review announces itself. Long before a formal audit letter arrives, many organizations receive a friendly inquiry: an offer to help review their Java estate, a question about how they license Java, or a suggestion that a subscription would give them peace of mind. This is the soft audit, and it is where a great deal of ground is lost. The soft approach feels like a courtesy, so people answer it like one, volunteering data and accepting framing that later hardens into a claim. The formal audit, by contrast, arrives with contractual weight and a defined process. Knowing which one you are facing, and how each works, is the difference between a measured defense and an unforced error.

For the licensing mechanics behind either kind of review, keep the Oracle Java licensing guide for 2026 open alongside this article.

What the soft audit looks like

The soft audit rarely uses the word audit. It comes as an email or a call from an account representative or a licensing specialist, often warm and helpful in tone. It might mention that Oracle has noticed you may have Java in use, that it wants to help you stay compliant, or that it can walk you through your options. There may be a request to confirm a few details about your environment or your headcount. None of it feels adversarial, and that is precisely the design. The soft approach is a qualification step, testing whether you will volunteer information and whether you look like a likely buyer.

What the formal audit looks like

The formal audit arrives in writing and usually cites the audit clause in your Oracle agreement. It names License Management Services, defines a scope, and sets expectations for data, timelines, and access. It carries contractual weight, which means it cannot simply be ignored, but it also means it operates within defined limits. A formal audit is more intimidating on its face, yet in some ways it is more predictable than the soft approach, because its boundaries are written down and can be held to.

The key differences

Why the soft audit is the more dangerous one

Counterintuitively, the soft approach often does more damage than the formal one. Because it carries no apparent obligation, people answer it casually, on the phone, without legal or procurement in the room. A confirmed headcount, an admission that Java is widely deployed, or a shared inventory can all be captured in a single helpful conversation. Once that data exists in Oracle's hands, the formal claim that follows is built on your own words. The Universal Subscription is priced per employee, from 5.25 to 15.00 dollars per employee per month across every full time and part time employee, every contractor, and every temporary worker, so a casually confirmed headcount can translate directly into a very large number.

How to answer the soft inquiry

The right response to a soft inquiry is polite, brief, and non committal. Acknowledge the contact, do not confirm headcount or deployment on the spot, and route the matter to the people who own the Oracle relationship. You are not obligated to volunteer data in response to an informal question, and you should not. Buy yourself the time to understand your own estate before you say anything about it. The instinct to be helpful and quick is the instinct that hands Oracle its opening.

How to answer the formal audit

When a formal audit begins, the first hours still matter, but the playbook shifts. Acknowledge the notice, route it to the relationship owners, and read the audit clause carefully to understand exactly what Oracle can and cannot demand. Hold the scope and the lookback to what the contract actually permits rather than what the letter assumes. In 2026 these reviews intensified and reach back across a three year lookback, so confirming the agreed boundaries early prevents the scope from drifting. Above all, separate the compliance question from any commercial discussion from the first exchange. For the contractual basis, read what triggers an Oracle Java audit, and to understand the people running it, read the role of Java telemetry in audits.

The common thread: prepare before either arrives

Whether the contact is soft or formal, the buyer who has already swept the estate, validated the counted population, isolated Oracle Java to the workloads that truly need it, and migrated the rest to a free OpenJDK distribution is in a far stronger position. Preparation turns both kinds of review from a scramble into a process. You know your numbers, you hold your evidence, and you answer on your terms rather than Oracle's.

How a buyer side advisor helps

Reading these signals correctly and acting on them before a review begins is exactly where an independent buyer side advisor earns its place. We know how Oracle builds a Java claim, which signals tend to precede a formal review, and how to turn a clean estate into a smaller defended residual. We sit between you and Oracle and we never take vendor money, so the advice points one way only. We work two ways, both built so the risk sits with us. A Fixed Fee starts from $18,000, agreed up front. Or choose Gainshare, a share of verified savings or avoided exposure, with zero retainer and no risk to you. We have defended more than $120M in Java exposure and over 300 Java audits, with more than 20 years of combined experience and an average reduction of 68 percent versus Oracle's opening number.

Where to go next

The soft inquiry and the formal audit are two stages of the same motion, and the soft one is where most ground is lost. Give nothing away early, hold the formal scope to the contract, and prepare before either lands. Book a Strategy Call to pressure test your response before you reply to Oracle.