
IBM Insight: IBM audit defense mitigates $250M license compliance risk


How we helped a large public sector organization mitigate $250M license compliance risk identified in an IBM audit report.

ITAA were engaged to help an IBM customer address the draft findings in an IBM software license review report (audit report) created by Deloitte. Through in-depth analysis of the audit data and interviews with key internal stakeholders we were able to mitigate over 95% of the report’s findings. This allowed the customer to negotiate a new agreement on their own terms, without having to purchase unnecessary licenses or pay back Subscription and Support (S&S) fees.

IBM audit findings valued at $250M license compliance risk

The IBM audit process had been underway for roughly a year before Deloitte shared their initial report with the customer and ITAA were engaged. For each IBM software product the audit report, also known as an Effective License Position (ELP), compares the number of entitlements (or licenses) purchased with the software quantity deployed. Any license shortfalls are reflected in the report. Since the report does not contain financial values, ITAA used current pricing data to calculate the total compliance risk value, which exceeded $250M. The customer was requested to provide feedback on the findings within two weeks, after which time the audit report would be sent to IBM for financial settlement negotiations.

Challenging the assumptions in the audit report

From our experience we know it is critical to thoroughly review the ELP and take as much time as needed to ensure the report contents are fully accurate, even if this exceeds the timelines proposed by the auditor. Many compliance calculations in audit reports are based on assumptions which need to be carefully and systematically examined. At this customer we found many areas which led to significant corrections to the compliance report, including:

False positives in IBM License Metric Tool (ILMT) reporting

This customer uses ILMT, as many customers do, in order to be compliant with the requirements for sub-capacity licensing. Historic ILMT audit snapshot reports are a key source for auditors to establish software deployment quantities for each product. However, ILMT miscategorizes many software installations unless these are manually corrected in the tool. Applying these manual corrections is a highly complex task, especially in large environments. Many of the customer’s IT services had been managed by the IBM managed services team (now Kyndryl), including the management of ILMT. If the categorization errors are not corrected, auditors often end up counting software installations that do not in fact exist. Using our extensive experience and with specific input from internal product owners, we helped the customer retroactively apply software classification corrections, including software bundling and exclusions.

Legacy OS

One of the major elements contributing to the initial compliance risk estimates was the use of legacy operating systems, in particular Windows 2008. IBM frequently updates the list of operating systems that are no longer eligible for sub-capacity licensing. This is a growing IBM audit risk area for many customers, as it can often be challenging and time-consuming to migrate legacy applications to new platforms. ITAA leveraged both customer-specific contextual arguments and licensing arguments to push back on the full-capacity calculations applied by Deloitte.

Extrapolation of missing data

In many IBM audits the auditor may determine that some information cannot be collected, for example for systems that have been decommissioned in the course of the audit, and will then extrapolate deployment quantities for those systems from the data that was collected. However, sometimes such extrapolation is even applied to areas where data is missing but could have been collected through follow-up data collection. In this audit ITAA highlighted and addressed the implausible assumptions and extrapolation by collecting additional data that had not been collected during the audit.

Entitlements corrections

Several prior license conversions from Processor Value Unit (PVU) to Virtual Processor Core (VPC) had not been accurately captured, converted and applied in the license compliance calculations.

From audit defense to negotiating with IBM on equal terms

After detailed analysis of the ELP, covering these and many other areas, we produced a 40-page counter report with a product-by-product description of the required corrections and additions to Deloitte’s report. This evidence not only provided the customer with a comprehensive set of arguments to move discussions with Deloitte and IBM forward, but also allowed the customer to shift from a position of audit defense to one where negotiations proceeded on equal terms. By clearly identifying and addressing the 95% of findings that were either caused by inaccurate reporting or debatable interpretations of the licensing terms, the customer could shift the focus during settlement discussions to actual business requirements. This ensured new IBM software was acquired using optimized licensing quantities and ongoing services were procured on favorable terms.

For more information on how ITAA can support your organization, either in dealing with a license compliance audit or preparing for one, please contact us.

*Protecting our clients’ confidence is of utmost importance at ITAA. While our case studies are based on true projects, we have used fictitious names and removed or changed other identifiable details.
