Set the stage for audit success by negotiating the scope early. Learn how to control timelines, limit data exposure, and reduce audit risk with our expert tips.
Quick recap: In the third blog of the series, we explored the importance of securing a Non-Disclosure Agreement (NDA) before engaging with IBM auditors. An NDA helps protect sensitive business information, ensuring that data shared during an audit is not misused or disclosed beyond its intended purpose. But while an NDA limits how your data can be used, it does not determine what data is collected—or how much.
That is where audit scope comes in.
In this instalment, we break down how to negotiate the scope of an IBM audit—from timelines and product coverage to data collection methods. Setting clear boundaries early in the process is one of the most effective ways to stay in control, reduce risk, and minimise audit disruption.
Once an IBM audit is triggered, many organisations feel pressure to comply immediately and without question. But while IBM (or its auditors, like KPMG or Deloitte) will set the process in motion, that does not mean you are powerless.
The scope of the audit is negotiable—and shaping it early can significantly reduce risk, cost, and disruption.
Here’s what you should focus on:
IBM audits are notorious for consuming internal resources. A rushed timeline only makes things worse.
✅ Negotiate a timeline that accommodates internal bandwidth. Align with your team’s busy periods—end-of-quarter close, holiday periods, etc.
✅ Allow ample time for validation at the end of the audit to catch and correct errors in the Effective License Position (ELP).
⏳ Remember: The audit clause in IBM’s Passport Advantage Agreement specifies that audits should “minimize business disruption.” Use this to your advantage.
In larger organisations with complex IT estates, it is essential to pin down what is actually being audited.
📌 Which legal entities are in scope? Mergers, acquisitions, and divestments can blur the boundaries. If systems or subsidiaries are legally and operationally distinct, they may be excluded.
📌 What software entitlements are included? Request a list of IBM software entitlements the auditor believes are in scope. This avoids ambiguity and surprise inclusions.
📌 Are any embedded or third-party solutions out of scope? If IBM software is licensed via a third-party vendor or included as a component of another solution, it may be exempt from direct audit.
🔍 Tip: The audit letter will name the entity under review. Make sure that matches your understanding.
Auditors often propose their own tools and scripts for data gathering. But here is the truth:
You do not have to use them.
✅ Use your own inventory tools—especially ILMT, which is required for sub-capacity licensing anyway.
✅ Review auditor scripts with internal security teams before deployment. These tools can pose unnecessary risk if not properly vetted.
✅ Avoid “false positives” and “false negatives” by checking for tool misconfigurations, outdated sources, or duplicate systems.
🚫 If the auditor insists on a particular method, push back with justified alternatives that achieve the same outcome.
Once the audit starts, it becomes harder to change direction. Auditors may already be working with assumptions or data sources you have not agreed to. By setting expectations upfront:
Think of it as setting the rules of engagement—because once the audit begins, your leverage quickly diminishes.
Now that you have established a solid foundation by negotiating the audit scope, the next step is assigning a central point of contact to streamline communication and avoid costly missteps.
We will cover that in next month's post in this series. Stay tuned!
This guide is part of our ongoing blog series that breaks down complex IBM compliance topics into digestible posts, offering practical advice and actionable strategies to help you maintain compliance.
About the Author
Koen Dingjan, IBM Service Director
Koen is a seasoned expert in IBM licensing with nearly two decades of experience. A former Deloitte auditor, he has led over 60 IBM compliance reviews and developed an industry-recognised IBM compliance certification course. At ITAA, Koen helps clients manage IBM license compliance, defend against audits, and optimize license management strategies.