The Challenge
A prominent medical hospital in the United States was notified of a formal IBM software audit. IBM's initial findings produced a non-compliance claim of $7 million — a potentially devastating figure for a healthcare institution where every dollar is tied to patient care, medical research, and life-critical operations.
The hospital's IT infrastructure supported a broad range of mission-critical functions, including patient care systems, administrative tools, and medical research platforms. However, due to its decentralised IT structure and heavy reliance on virtualised environments, discrepancies had arisen in two key areas:
| Compliance Issue | Root Cause | IBM's Claim |
|---|---|---|
| Sub-Capacity Licensing | Decentralised IT structure led to inconsistent ILMT deployment and reporting gaps across virtualised servers | Full-capacity licensing applied where sub-capacity should have qualified |
| PVU Calculations | IBM's audit team used inflated Processor Value Unit calculations that did not accurately reflect actual workload distribution | Overstated licence requirements across the virtualised estate |
Healthcare organisations are particularly vulnerable to IBM audits. Decentralised IT structures, rapid virtualisation adoption, and limited internal licensing expertise create a perfect storm for compliance discrepancies. IBM knows this — and healthcare is a sector where audit claims can be especially aggressive because the cost of non-compliance (disrupted patient care) creates pressure to settle quickly.
With limited internal resources to manage the audit and no IBM licensing expertise on staff, the hospital engaged Redress Compliance to safeguard its financial and operational stability.
The Process
Redress Compliance deployed a structured, four-phase audit defence strategy designed to challenge IBM's findings with accurate data, expert analysis, and strategic negotiation.
Phase 1: Initial Assessment
🔍 Audit Review & Gap Analysis
- Reviewed IBM's audit findings thoroughly to identify inconsistencies and inaccuracies
- Analysed the hospital's licensing agreements, entitlements, and deployment data
- Mapped IBM's claimed compliance gaps against actual contractual entitlements
- Identified areas where IBM had applied incorrect licensing rules or inflated metrics
📊 Key Findings
- IBM's PVU calculations were incorrect or inflated for multiple virtualised servers
- Sub-capacity licensing rules had not been properly applied to qualifying environments
- Several licence entitlements were not credited in IBM's audit — creating phantom gaps
- Over-provisioned licences existed that could be reallocated to close genuine gaps
Phase 2: Data Collection & Validation
📋 Data Validation Steps
- Gathered precise usage data across all servers, virtual machines, and cloud platforms — working directly with the hospital's IT team.
- Verified sub-capacity usage metrics against ILMT data, identifying areas where IBM's calculations were demonstrably incorrect or inflated.
- Mapped actual software usage to entitlements — revealing over-provisioned and under-utilised licences that IBM had not accounted for.
- Built a comprehensive Effective Licence Position (ELP) — the definitive record of what the hospital owned versus what was deployed.
The Effective Licence Position (ELP) is the single most important asset in any IBM audit defence. It is your organisation's own independently verified record of licences owned versus software deployed. When built properly, the ELP becomes the factual foundation from which to challenge every line item in IBM's audit findings. Without it, you are negotiating in the dark.
Phase 3: Strategic Negotiation
With accurate data and a defensible ELP in hand, Redress Compliance engaged IBM's audit team directly:
| Negotiation Tactic | Details | Impact |
|---|---|---|
| Dispute Initial Findings | Presented accurate data and justifications proving compliant usage where IBM had claimed non-compliance | Eliminated the majority of IBM's claimed exposure |
| Challenge PVU Calculations | Demonstrated that IBM's PVU calculations were inflated and did not reflect actual virtualisation configurations | Reduced the claimed licence shortfall significantly |
| Highlight Mission-Critical Context | Emphasised the hospital's critical role in healthcare and the need for uninterrupted IBM software access | Secured concessions from IBM on remaining disputed claims |
| Leverage Licensing Policy Expertise | Applied deep knowledge of IBM's own licensing policies to counter aggressive interpretations | IBM accepted the hospital's compliance report as accurate |
Phase 4: Optimisation & Compliance Planning
🔧 Remediation
- Identified and reallocated unused licences to close remaining compliance gaps — without additional purchases
- Closed all compliance gaps identified during the internal review
- Ensured the hospital's compliance report was accepted by IBM as accurate and complete
🛡️ Future-Proofing
- Delivered a customised compliance roadmap with automated tracking tools for ongoing monitoring
- Provided IBM licensing training for the hospital's IT staff
- Established processes to prevent similar compliance risks from recurring
The Outcome
| Metric | Before Redress | After Redress | Result |
|---|---|---|---|
| IBM Audit Claim | $7,000,000 | $0 | 🟢 100% reduction |
| Final Settlement | — | $0 | 🟢 No fees paid |
| Compliance Status | Non-compliant (per IBM) | Fully compliant (IBM accepted) | 🟢 Clean compliance |
| Operational Disruption | Risk of service interruption | Zero disruption | 🟢 Patient care unaffected |
| Future Readiness | No tracking or processes | Automated monitoring + trained staff | 🟢 Audit-ready going forward |
The IBM audit posed a significant threat to our operations, but Redress Compliance delivered extraordinary results. Their expertise resolved the audit without penalties and empowered us with tools to manage compliance proactively. Their partnership was invaluable.
— Chief Information Officer, US Medical Hospital
Key Takeaways for ITAM Professionals
✅ IBM Audit Defence Lessons
- Never accept IBM's audit findings at face value. IBM's initial claims are often based on inflated PVU calculations and aggressive licensing interpretations. Independent verification routinely reveals significant errors.
- Build your Effective Licence Position (ELP) before engaging with IBM. A defensible ELP — mapping entitlements to actual deployments — is the foundation of every successful audit defence.
- Sub-capacity licensing rules are frequently misapplied. IBM auditors often default to full-capacity calculations in virtualised environments. Challenging these with accurate ILMT data can eliminate millions in false exposure.
- Unused licences are a hidden asset. Over-provisioned and under-utilised licences can be reallocated to close compliance gaps — often eliminating the need for additional purchases entirely.
- Invest in ongoing compliance processes. Automated tracking tools and staff training are far cheaper than reactive audit settlements.
- Engage independent experts early. IBM licensing is complex and designed to favour the vendor. Independent advisors with former IBM experience understand the audit playbook and can challenge it effectively.
Facing an IBM Audit? We Can Help.
Redress Compliance has defended organisations against multi-million dollar IBM audit claims — and won. Our team includes former IBM employees with 200+ years of collective IBM licensing experience. We're 100% independent with zero vendor affiliations.
Fredrik Filipsson
20+ years in enterprise software licensing. Former IBM, SAP, and Oracle. 11 years as an independent consultant advising 500+ enterprise clients — including numerous Fortune 500 companies — on Oracle, Microsoft, SAP, IBM, Salesforce, and ServiceNow licensing, contract negotiations, and cost optimisation.