Protect sensitive data during IBM audits with a Non-Disclosure Agreement. Learn how an NDA limits exposure, secures information, and protects your business.
Quick recap: In the second blog of the series we looked at How to meet Sub Capacity Requirements. Understanding and implementing IBM’s sub-capacity licensing requirements is a critical step in ensuring compliance and avoiding unnecessary costs. However, even with the right tools in place, organizations must be cautious about how they handle audit-related data. Before sharing any sensitive information with IBM auditors, there is another crucial safeguard to consider: a Non-Disclosure Agreement (NDA).
An NDA can protect proprietary business information, ensuring that details shared during the audit process are not misused or disclosed beyond what is necessary. In this blog, we explore why securing an NDA should be an essential part of your audit strategy and how to structure it effectively.
IBM software audits involve a deep dive into your organization’s licensing, deployments, and compliance status. These audits require organizations to provide extensive data about their IT infrastructure, including software usage, licensing records, and system configurations. Given the sensitivity of this information, businesses should strongly consider requesting a Non-Disclosure Agreement (NDA) before engaging with IBM auditors.
A well-structured NDA can limit exposure, ensuring that confidential business information isn’t used beyond the scope of the audit. In this blog, we’ll explain why an NDA is vital, what it should cover, and how to negotiate favorable terms.
IBM and its appointed auditors (typically Deloitte or KPMG) will request access to detailed software deployment data, which may include:
Without a dedicated NDA in place, the only contractual limits on how auditors can use or share this data are those in IBM’s standard agreements. Those agreements do contain confidentiality clauses, but they were not written with your interests in an audit scenario in mind and may not adequately protect them.
✅ Protects sensitive business data – Prevents auditors from sharing competitive or commercially sensitive information with IBM beyond audit requirements.
✅ Defines the scope of data sharing – Clarifies which information can be shared and which should remain confidential.
✅ Restricts unauthorized disclosures – Limits auditors’ ability to use collected data outside of the specific audit engagement.
✅ Prevents data misuse – Ensures compliance with your organization’s data security policies and internal governance frameworks.
A strong NDA should address the following key points:
Clearly define what types of data the auditor can collect, process, and store. Your organization may require:
The NDA should explicitly restrict the auditor from sharing certain data with IBM unless necessary. This is particularly important for:
IBM auditors typically compile a compliance position report, known as an Effective License Position (ELP). Your NDA should allow you to:
Define how long auditors may retain your data after the audit concludes, and specify that all copies must be securely deleted once the audit is closed.
Timing is crucial. Request an NDA immediately after receiving the audit notification letter—before sharing any data with IBM or its auditors. Early engagement ensures that data protection measures are in place from the outset.
It is also advisable to involve your legal and procurement teams in NDA discussions to ensure that terms align with your company’s compliance policies and security standards.
While IBM’s audit process may seem routine, the data you provide could have long-term implications. A well-negotiated NDA ensures that your proprietary business information is used strictly for audit purposes, minimizing risk and protecting your organization’s interests.
In our next blog, we’ll dive into another crucial step in the IBM audit process: Negotiating the Audit Scope. Properly defining the audit’s boundaries can help you manage expectations, reduce workloads, and prevent unnecessary data exposure.
This guide is part of our ongoing blog series that breaks down complex IBM compliance topics into digestible posts, offering practical advice and actionable strategies to help you maintain compliance.
About the Author
Koen Dingjan, IBM Service Director
Koen is a seasoned expert in IBM licensing with nearly two decades of experience. A former Deloitte auditor, he has led over 60 IBM compliance reviews and developed an industry-recognised IBM compliance certification course. At ITAA, Koen helps clients manage IBM license compliance, defend against audits, and optimize license management strategies.