
7 Crucial IBM License Audit Report Areas You Should Review!

Navigating an IBM license audit, led by Deloitte or KPMG, poses challenges due to the broad scope of products and metrics. Months of data collection and validation are required, stressing IT teams. Concerns escalate as the audit nears completion, anticipating potential financial impacts. IBM audit reports often generate unexpected findings with significant financial implications. Panic may arise, but careful review of the report is crucial, focusing on deployment data and calculations. Addressing false positives and exploring alternatives can mitigate risks and optimize outcomes.

For many organizations, going through an IBM license compliance audit can be a stressful and unnerving experience. Due to the broad scope of IBM products and license metrics, the audit data collection procedures performed by Deloitte or KPMG can span many months, requiring a significant amount of time and effort from IT staff within the organization. Once the data validation phase is complete, and the auditors start preparing the Effective License Position (ELP) report, organizations are often happy to be nearing the end of the audit. However, at that stage a new concern begins to emerge – what will the results of the audit be? And, more importantly, what financial impact will the auditor’s findings have?

Many organizations assume that the results will not be too bad, given that they have always managed their software licenses in good faith and fully cooperated with any information requests from IBM and/or the auditor. Unfortunately, IBM audit reports (or ELPs) frequently contain unexpected findings, some of which can result in financial implications far surpassing the organization’s annual expenditure on IBM software licenses. For example, it is not unheard of for an organization spending $3M on IBM license subscription & support (S&S) per year to be faced with reported license shortfalls exceeding $200M in value.

At this point, some level of panic may set in, as well as a desire to resolve the compliance issues quickly through commercial negotiation. It is important, however, to keep a cool head and carefully review the audit report content. IBM customers often focus on reviewing the accuracy of the license entitlements information reflected in the report, comparing it with their own purchase records. Although this is a useful and necessary exercise to perform, it is much more important to review the software deployment information and corresponding calculations. Performing an IBM audit is highly complex and even experienced auditors may struggle to correctly interpret all of the software deployment data collected. In most cases, auditors need to compile their compliance report using multiple customer data sources and apply certain assumptions and shortcuts to arrive at their conclusions.

At ITAA we are frequently contacted by clients who have gone through an IBM audit and have just received the draft IBM audit report prepared by Deloitte or KPMG. In the majority of cases, we can help our clients reduce the value of the license shortfalls reported in the ELP by more than 90%, in some cases even 100%. In this article, we will share some of the key areas we focus on when reviewing draft ELPs:

1. Identify false positives

Most IBM customers, especially those managing large data centers, seek to automate, as far as possible, the process of identifying which software is installed where. This approach makes sense, as manually collecting this information from thousands of machines would be a virtually impossible task. For this reason, IBM’s auditors will normally request data from software discovery tools during audits. When IBM customers use the IBM License Metric Tool (or ILMT – more on this tool below), auditors always request specific reports from this tool. Additionally, they will request extracts from any other data sources that can help to establish what IBM software is deployed where, and how many licenses are required for each installation.

Relying too heavily on automated software inventory reports is always problematic as they will almost certainly contain false positives unless they have been manually corrected. IBM software components installed on a server can often be licensed in a myriad of ways. Even ILMT, which is better than most tools at identifying IBM software, will need to guess how a certain IBM component is licensed. IBM customers who blindly trust automated reporting often see inflated software deployment quantities vastly exceeding what they are licensed for. Exacerbating this issue is the concept of software “bundling” – many IBM products are included free of charge with other IBM products. Tools such as ILMT may not always correctly recognize bundling relationships, leading to the erroneous inflation of software deployment quantities.

The majority of people do not get excited by the idea of manually validating software deployment information, but at the end of an IBM audit it is an exercise almost always worth doing. Administrators who manage IBM software products within an organization can often help to differentiate legitimate installations from false positives. IBM server products can be quite pricey, the more expensive products costing hundreds of thousands of dollars for each server installation. With these stakes it is worth triple-checking each IBM software installation listed in an audit report.

 

2. Clarify sub & full capacity licensing

IBM customers who have managed their IBM licenses for a long time are usually familiar with the concept of sub capacity licensing and the importance of meeting their respective requirements.

In essence, for any products licensed based on the number of processors (e.g. PVU, VPC, RVU MAPC), by default, IBM requires you to license all the processors within the physical host on which the software is installed (“full capacity”). “Sub-capacity” licensing allows you to license only the processors that are allocated to virtual machines / LPARs, instead of the full capacity of the hosts. Depending on the technical details of the physical hosts and virtual machines, licensing based on full capacity can be up to 10x – 20x more expensive than licensing based on sub-capacity. Certain requirements apply to sub-capacity licensing, including the use of ILMT (or alternative tools from HCL / Flexera).

Many IBM customers are aware that not meeting the requirements for sub capacity licensing is the single biggest IBM license compliance risk in financial terms. Despite this increased awareness, this issue continues to significantly contribute to the compliance risk identified in audits. This is because there are often shortcomings in how sub capacity reports are generated by customers, causing “full capacity” licensing to be applied on certain systems by the auditor. It may only take a few systems being counted at full capacity to cause compliance risk in the millions.

In audits, the best way to mitigate this risk is by ensuring that any sub capacity reporting tool is in optimal shape before the audit starts. However, even at the end of the audit a substantial amount of the risk can be mitigated by providing the necessary context to address full capacity claims. Any circumstances that explain gaps in sub capacity reporting, for example prior technical issues that needed to be overcome, can increase the chances of an audit settlement based on sub capacity licensing value.

A compliance pitfall that is increasingly impacting organizations is the removal of sub capacity eligibility from legacy operating systems. Organizations that still use Windows 2012 and/or Red Hat Linux 6 will be exposed to full capacity licensing risk when IBM removes sub-capacity eligibility for these operating systems in the course of 2024. Proactively identifying the issue and planning the migration away from these technologies is the best way to mitigate this risk.

 

3. Review authorized user lists

When IBM products are licensed based on authorized users, auditors commonly request and receive the list of user accounts granting access to the IBM product. However, user account lists may not always correspond with the exact number of people who have access to the software. For example, duplicate accounts, accounts of people who have left the organization, system accounts, etc. do not necessarily need to be counted for license compliance purposes. Whenever an Authorized User product is reported as having a license shortfall in the ELP, it is worth carefully reviewing the user ID list in the report to make sure each one represents a user that needs to be licensed.

 

4. Review licensing terms carefully

Each IBM product and version has its own set of licensing rules captured in the License Information (LI) document. This document contains details such as the definition of the license metric, the list of IBM products that are included (Bundled and Supporting Programs), any scenarios that permit free-of-charge use of the software, and other relevant clauses. IBM’s auditors are typically familiar with the LI documents in the scope of the audit but may not have the capacity to fully explore how the IBM customer can optimally benefit from certain LI document terms. For any products where a license shortfall has been reported in the ELP, it is highly recommended to meticulously examine the corresponding LI documents to ensure no beneficial licensing clauses have been overlooked.

When IBM acquires software products from other vendors, it is beneficial to look for legacy contracts with those vendors. As an IBM customer, it is advisable to identify any past license model changes that have negatively impacted your license compliance status. Since most IBM licenses are perpetual, it can be argued that their scope should not be diminished through unilateral license model changes.

 

5. Identify cold/warm standby machines

During an audit, auditors may or may not explicitly enquire whether software installations are on cold or warm standby machines. Such installations are free of charge, but IBM customers often overlook them. Identifying these machines, together with their supporting documentation, after the initial draft ELP is released can help reduce license shortfalls.

 

6. Optimize existing licenses

As previously mentioned, IBM software components can often be licensed in multiple ways. IBM customers may even own multiple license types that can cover the same product. This applies to products such as Cognos and Maximo, but also to the relatively new IBM Cloud Pak licenses, which can flexibly be assigned to different products, environments (production vs. non-production), and sometimes even license models (Authorized Users vs. PVUs). Whenever multiple options are available, auditors will often be inclined to pick the option that is the most straightforward to report on in the ELP. However, it can be very worthwhile to investigate alternative ways to allocate existing licenses. In some cases, this can help to mitigate the reported license shortfall altogether.

 

7. Consider alternative licensing options

Even when license shortfalls are accurately reflected in the audit report, and they cannot be mitigated, it is often possible to consider alternative ways to address the reported shortfall. For example, even though a license shortfall is reported in PVUs, it is not necessarily the case that PVU licenses must be acquired to address this shortfall. In some cases, purchasing licenses for the same product but with a different license model, such as Authorized User or Virtual Processor Core, can lead to a significantly reduced audit settlement cost.

 

Conclusion

When the initial draft report is sent over by Deloitte or KPMG, the audit is not over – a lot of important analysis can still take place. The topics listed above address the common issues, yet every audit is unique and there may be numerous additional aspects of the ELP warranting further investigation. In cases where there are two valid competing interpretations of a licensing situation, it is recommended to add explanatory comments in the ELP to facilitate subsequent discussions with IBM.

If you have recently received your IBM audit report from Deloitte or KPMG and find the results surprising and/or inaccurate, please do not hesitate to contact us. We are more than happy to review the report without obligation and make recommendations on how to achieve the audit outcome. Furthermore, if you are just starting your audit journey, we can help guide you through the entire process from start to finish.
