Understanding the IBM Compliance Audit Process

October 13, 2015
Editorial Staff


IBM compliance checks are time- and resource-intensive for all parties: the manufacturer, the auditor, and the customer. Since IBM software is much more complex and expensive than that of other software publishers, customers face a greater financial risk if IBM finds that their IBM software portfolio is non-compliant.

IBM conducts a significant number of software audits (over 40% of its enterprise customers in a single year), followed by Adobe and Microsoft. These audits last between 6 and 18 months, depending on the size of the IT environment. My IBM consulting experience aligns with that study: the shortest IBM Audit where I have supported customers lasted 6 months; the longest was approximately 2 years.

How does the IBM audit process work?

IBM conducts audits with select accounting firms, such as Deloitte or KPMG. Unlike manufacturers such as Microsoft, IBM conducts only “hard” audits, no “soft” audits. This means that IBM customers usually can’t actively conduct a License Assessment with a partner of their choice in order to remain audit-free for a certain period. For large accounts with high volume contracts like ESSO or OIO, exceptions apply (e.g. License Management Option). Companies undergoing a hard audit can expect the IBM audit process to go something like this:

After the organization receives the IBM Audit Letter and the kick-off takes place, the auditor will send various licensing questionnaires, called Workbooks (in Deloitte terms) or Data Request Sheets (in KPMG terms). These questionnaires focus on the software customers have deployed within their company and ask them to execute commands or statements and/or provide screenshots. It is important to understand that this is a self-assessment, so the organization determines its own licensing needs, and the auditor ensures it receives those licenses.

The goal of these questionnaires is that the auditor gets the right information to calculate the license need, which is generally the most time-consuming part of the audit.

After the organization delivers all the relevant licensing information, the auditor checks:

  • The accuracy of the data during an onsite visit (or online, if applicable).
  • Different systems in order to ensure that the data quality the customer provided is valid.
  • “Sample systems” that the organization did not mention within the questionnaire in order to ensure that no other systems have IBM software deployed.

I had experiences where IBM software components showed up where none of the organization’s parties expected them.

After the IBM auditors receive the relevant information, a Draft License Entitlement Position will be provided. This draft will be reviewed and approved by the organization before the auditing company provides the final Entitlement License Position to IBM. In the last stage, it is up to the organization to finish the audit with IBM and agree on an outcome and on any possible licensing gaps.

What can organizations do prior to an IBM Compliance Audit?

In an ideal world, the organization would have a license position or SAM Tool Report at hand prior to an IBM Audit, i.e. on the one hand, the organization should have an overview of its commercial software assets and, on the other hand, be familiar with its IBM software deployment and hardware usage.

So from a commercial point of view, the inventory containing an entitlement history (initial licenses/maintenance/reinstatement etc.) should be up-to-date with Proof of Entitlements for the last 10 years, including corresponding amendments (waiver documents etc.). License evolutions (product name/metric changes) as well as current and previous contracts, especially ISV-/OEM contracts and hardware purchases, should be well-known.

From a technical perspective, all systems should be up to date. The organization should also have an overview of IBM software installations and know who within the company is responsible for each application. License Key Files should be reviewed for correctness, e.g. ensure license entries in the Jazz Team Server are correct. Test/Eval/Beta installations should be in conformance with relevant rights and the Domino Directory should be clean, just to mention some examples.

Last but not least, especially in terms of Sub-capacity licensing, the IBM License Metric Tool (ILMT) should be implemented, and the ILMT reports of the last 8 quarters should be available.

Are there IBM audit mistakes to avoid?

There are quite a few mistakes that can be avoided if the right steps are taken to understand non-compliance issues commonly found in many IBM audits. Two such mistakes include:

  1. IBM License Metric Tool Installation – The tool is required to be installed if you’re going to take advantage of IBM’s Sub Capacity Pricing Model.
  2. Software Discovery Tool Usage – This tool periodically scans devices to check for inventory of software installed on them.
  3. Outdated IBM Account Contact – IBM keeps careful records of what contact they send notifications to. If your IBM contact information isn’t updated, you might miss important notifications.

All of these mistakes are completely avoidable with the right software management in place.

If my company is already in an IBM audit, what can I do?

If your company is undergoing an IBM audit, engage a third-party IBM licensing expert to consult on your behalf and provide audit-relevant knowledge and experience in order to achieve the best outcome.

SoftwareONE’s IBM Consultants overcome the resource-intensive audit phase while providing support in determining the correct data just-in-time, and review the data before it is sent to the auditing company.
