A leading New York financial institution faced an IBM audit built on full capacity assumptions. Rebuilding the count from PVU, VPC, and ILMT evidence cut the claimed exposure by ninety percent before settlement.
A leading New York financial institution received an IBM audit report claiming material exposure across Db2, WebSphere, and MQ. The number was built on full capacity counting and entitlement gaps the auditor could not see past.
Ninety percent of the claim did not survive evidence. This case study shows how the defense was sequenced.
The institution reduced the claimed exposure by ninety percent by rebuilding the audit count line by line: sub capacity evidence restored under IBM sub capacity terms, entitlements completed from acquisition records, and out of scope findings removed.
The audit covered the classic financial services stack: Db2, WebSphere, and MQ under Passport Advantage, measured in PVU with VPC conversions in play.
Where ILMT coverage had gaps, the auditor counted full physical capacity across clustered hosts. Where entitlement records were incomplete, deployments counted as unlicensed. Both assumptions are contestable with evidence.
Deconstruction sorted the claim into four buckets: full capacity inflation, entitlement gaps, scope creep, and a genuine residual. Each bucket got its own treatment.
ILMT was remediated and historical virtualization configurations reconstructed to support sub capacity recalculation. Entitlement archaeology traced Passport Advantage agreements through two acquisitions and a product rebrand.
Three levers did the cutting: sub capacity recalculation on remediated ILMT evidence, completed entitlement records, and strict scope enforcement against the audited agreement.
The claim, deconstructed

| Claim component | Defense | Outcome |
|---|---|---|
| Full capacity counting | ILMT remediation and sub capacity recalculation | Largest tranche removed |
| Unmatched deployments | Entitlement archaeology across acquisitions | Substantial tranche offset |
| Out of scope findings | Agreement scope enforcement | Removed from the claim |
| Genuine residual | Commercial settlement inside renewal | Roughly 10 percent of opening claim |

The residual was real, so it was priced where the institution had leverage: folded into the renewal as committed spend rather than paid as a penalty. The audit closed; the relationship continued on corrected baselines.
The closing sequence was claim deconstruction, evidence build, a written contest of every disputed line, then commercial settlement of the residual inside the renewal envelope.
The standard advice is to negotiate an audit claim down as a commercial matter, taking the report as technically settled and haggling the percentage. We disagree. In roughly 15 to 25 IBM audit defenses we led across 2024 and 2025, the technical contest, not the haggle, produced the reduction: opening claims ran 3x to 10x the final position, and the gap closed on ILMT evidence, entitlement records, and scope enforcement before any commercial conversation started. The buyer side move is to treat the audit report as a first draft, rebuild the count line by line, and only then price what survives. Negotiating an uncontested report means paying for the auditor’s assumptions.
Source: Redress Compliance advisory engagement file, 2024 to 2025.
The audit report was an opening position wearing the costume of a finding. We answered it with evidence, and the costume came off.
The defense rebuilt the count: ILMT remediation restored sub capacity calculation on virtualized hosts, entitlement archaeology matched deployments to records the auditor missed, out of scope findings were removed, and only the genuine residual was settled.
Because the methodology defaults against the customer: full capacity counting where ILMT evidence is missing, and unlicensed status where entitlement records are incomplete. Both defaults are contestable with evidence, which is why opening claims ran 3x to 10x final positions in our defenses.
Counting every physical core on a host or cluster as licensable, rather than the virtual capacity actually allocated. IBM sub capacity terms permit the lower count only with ILMT deployed and reports retained, so lapsed coverage converts directly into claimed exposure.
Yes, materially. Acquisitions, product rebrands, and legacy bundles leave entitlement trails auditors rarely reconstruct. In our 2024 to 2025 defenses, documented entitlements offset 20 to 40 percent of claimed shortfalls.
Avoid it. A genuine residual priced inside the renewal as committed spend costs less and buys relationship continuity, while a penalty payment prices the auditor’s anchor. Settle commercially where your leverage lives.
The claim assumed our weakest paperwork was our whole story. The evidence told a different story, and ninety percent of the number left with it.