The Challenge
A leading Swedish bank, known for its extensive retail and corporate banking services, was subjected to a formal IBM software audit. IBM's initial findings produced non-compliance claims totalling SEK 140 million — a figure that threatened to divert significant capital away from technology investment and regulatory compliance programmes.
The bank's vast IT infrastructure supported a range of mission-critical operations that could not tolerate disruption:
| Operational Area | IBM Dependency | Risk if Disrupted |
|---|---|---|
| Digital Banking Platforms | Online and mobile banking, customer portals, API gateways | Customer access, competitive positioning, revenue generation |
| Transaction Systems | Core banking engines, payment processing, SWIFT integration | Settlement failures, regulatory penalties, reputational damage |
| Customer Databases | CRM systems, KYC/AML platforms, customer analytics | Regulatory non-compliance, data integrity, service quality |
| Risk & Compliance | Risk modelling, regulatory reporting, fraud detection | Regulatory sanctions, financial losses, supervisory action |
IBM's audit findings alleged three primary compliance issues:
| Compliance Issue | Root Cause | IBM's Claim |
|---|---|---|
| Sub-Capacity Licensing Violations | Inconsistent ILMT deployment across virtualised banking environments | Full-capacity licensing applied where sub-capacity should have qualified |
| Cloud System Misconfigurations | Rapid cloud adoption without corresponding licence adjustments or monitoring | Unlicensed IBM software usage in cloud and hybrid environments |
| Entitlement Mismatches | Complex legacy licensing history with multiple contract generations | Gaps between deployed software and documented entitlements |
Financial institutions face heightened IBM audit risk. The banking sector's combination of complex virtualised environments, strict regulatory requirements, rapid cloud adoption, and deep IBM dependencies creates exactly the conditions that produce inflated audit claims. Banks also face additional pressure to settle quickly — regulatory scrutiny means any disruption to IT systems can trigger supervisory concern, giving IBM implicit leverage during negotiations.
Given the highly regulated nature of the Swedish financial industry and the potential financial impact, the bank engaged Redress Compliance to address the audit and mitigate risks.
The Process
Redress Compliance deployed a structured four-phase audit defence strategy tailored to the specific regulatory and operational requirements of a Nordic financial institution.
Phase 1: Audit Assessment
🔍 Audit Report Analysis
- Initiated a detailed review of IBM's audit report, focusing on sub-capacity calculations and entitlement usage
- Analysed historical agreements and software entitlements to establish an accurate compliance baseline
- Cross-referenced IBM's claims against actual contractual terms across multiple contract generations
- Identified where IBM had applied incorrect licensing rules or failed to credit existing entitlements
📊 Key Findings
- Significant inaccuracies in IBM's sub-capacity calculations across virtualised banking environments
- Cloud system licensing claims based on incorrect assumptions about deployment configurations
- Multiple historical entitlements not credited by IBM's audit team
- Underutilised licences and misaligned entitlements that could be optimised to close gaps
Phase 2: Data Validation & Collection
📋 Data Validation Process
- Collaborated with the bank's IT and compliance teams to gather precise usage data from on-premise servers, virtual machines, and cloud platforms across all banking environments.
- Validated sub-capacity licensing metrics using ILMT data, uncovering systematic overestimations in IBM's audit calculations.
- Mapped actual software usage to entitlements across all contract generations — identifying underutilised licences and misaligned entitlements that could address gaps.
- Built a comprehensive Effective Licence Position (ELP) — the definitive, independently verified record of what the bank owned versus what was deployed.
For regulated financial institutions, the ELP serves a dual purpose: it is both the foundation of audit defence and a critical input for regulatory compliance. Swedish financial supervisors expect institutions to maintain accurate records of all technology assets and their licensing status. A well-constructed ELP not only challenges IBM's audit claims — it demonstrates to regulators that the bank has robust IT governance in place.
Phase 3: Strategic Negotiations
Armed with validated data and a defensible ELP, Redress Compliance engaged IBM's audit team directly:
| Negotiation Tactic | Details | Impact |
|---|---|---|
| Present Corrected Data | Submitted detailed evidence disproving IBM's sub-capacity calculations and entitlement mapping errors | Eliminated the vast majority of IBM's claimed financial exposure |
| Challenge Cloud Claims | Demonstrated that cloud deployment configurations were properly licensed under existing entitlements | Removed entire categories of claimed non-compliance |
| Leverage Compliance Commitment | Emphasised the bank's proactive regulatory and operational compliance efforts and long-standing IBM investment | Secured goodwill concessions on remaining disputed items |
| Challenge Ambiguous Interpretations | Identified and disputed IBM's aggressive interpretations of licensing terms, citing contract language and precedent | Reduced the settlement to forward-looking licences only |
Phase 4: Optimisation & Governance
🔧 Remediation
- Reallocated unused licences to align with actual usage and close genuine compliance gaps
- Final settlement of SEK 5.6 million covered only additional licences required for new deployments
- Zero penalties or retroactive fees imposed — a purely forward-looking settlement
🛡️ Compliance Governance
- Designed a compliance management framework with real-time licence tracking and automated monitoring
- Implemented centralised licence management across all banking operations
- Delivered IBM licensing training for IT and procurement teams
- Established audit readiness processes to reduce risk of future claims
The Outcome
| Metric | Before Redress | After Redress | Result |
|---|---|---|---|
| IBM Audit Claim | SEK 140,000,000 | SEK 5,600,000 | 🟢 96% reduction |
| Savings Achieved | — | SEK 134,400,000 | 🟢 SEK 134.4M saved |
| Penalties / Retroactive Fees | Risk of full penalties | $0 | 🟢 Zero penalties |
| Settlement Composition | — | New deployment licences only | 🟢 Forward-looking only |
| Banking Operations | Risk of service disruption | Zero disruption | 🟢 All systems unaffected |
| Compliance Governance | No centralised tracking | Real-time monitoring + framework | 🟢 Audit-ready going forward |
IBM's audit presented a significant financial and operational challenge, but Redress Compliance delivered exceptional results. Their expertise saved us millions and left us better equipped to manage compliance in the future. Their partnership was invaluable.
— Chief Financial Officer, Large Swedish Bank
Why Financial Institutions Are High-Value Audit Targets
Banks share a common audit risk profile: deep IBM dependencies (mainframes, middleware, databases), complex virtualisation estates, rapid cloud adoption, and regulatory pressure that discourages prolonged disputes. IBM's audit methodology systematically exploits these characteristics. In this case, 96% of the initial claim was attributable to calculation errors, uncredited entitlements, and aggressive licensing interpretations — not genuine non-compliance. This pattern is consistent across our financial sector engagements globally.
Key Takeaways for Financial Sector ITAM Professionals
✅ IBM Audit Defence Lessons — Financial Sector
- IBM's sub-capacity calculations in banking environments are routinely inflated. Virtualised banking infrastructure with complex server pools and partitioning generates PVU calculations that favour IBM. Independent ILMT validation is essential.
- Cloud licensing claims require immediate scrutiny. Rapid cloud adoption without corresponding licence adjustments is a primary audit target. Validate that existing entitlements cover cloud deployments before IBM does.
- Legacy entitlements across contract generations are frequently uncredited. Banks with long IBM histories often have entitlements from multiple contract periods that IBM's audit team fails to consolidate. Contract archaeology can eliminate entire claim categories.
- Regulatory context strengthens your negotiating position. Banks can leverage their regulatory compliance obligations and long-standing IBM investment as goodwill factors during negotiations — provided they can demonstrate proactive governance.
- The settlement should be forward-looking. In this case, SEK 5.6 million covered only new deployment licences — zero penalties. This outcome is achievable when you have accurate data and expert representation.
- Implement centralised licence governance immediately. Real-time tracking, automated monitoring, and staff training are the most cost-effective defences against future audit exposure — and they satisfy regulatory IT governance expectations.
Facing an IBM Audit? We Can Help.
Redress Compliance has defended financial institutions across Europe, the Americas, and Asia-Pacific against multi-million IBM audit claims — consistently achieving 90%+ reductions. Our team includes former IBM employees with 200+ years of collective IBM licensing experience. We're 100% independent.
Fredrik Filipsson
20+ years in enterprise software licensing. Former IBM, SAP, and Oracle. 11 years as an independent consultant advising 500+ enterprise clients — including numerous Fortune 500 companies — on Oracle, Microsoft, SAP, IBM, Salesforce, and ServiceNow licensing, contract negotiations, and cost optimisation.