A major US airline received an IBM sub capacity audit claim totalling forty two million dollars. Redress Compliance ran the audit defense and rebuilt the entitlement license position. The final settlement closed at five point three million dollars, an eighty seven percent reduction without litigation.
IBM's audit team opened with a forty two million dollar claim built around alleged sub capacity non compliance, ILMT gaps, and PVU undercounting across the airline's mainframe and middleware estate. The signed settlement landed at five point three million.
The customer is a top five US passenger airline operating a hub and spoke network across the continental United States, the Caribbean, and Latin America. The IBM footprint covered an extensive WebSphere Application Server estate behind the reservation platform, an MQ messaging backbone connecting the loyalty engine to revenue management, a DB2 z/OS landing for crew operations, and a Cognos Analytics tier for the corporate reporting function. The IBM audit notice arrived in late April, four weeks before the summer schedule peak. The notice cited the standard audit clause and named the IBM partner, a global tier one firm, as the engagement lead.
The customer's CIO had previously engaged Redress for an Oracle audit defense engagement two years prior. The directive to the procurement team was clear. The airline would cooperate fully, but the airline would not accept the partner's claim at face value. The buyer side procedure would apply. A 47 step IBM audit defense checklist was issued internally on day one alongside a communications protocol that routed all IBM and partner inquiries through a single authorised inbox.
The IBM partner delivered the preliminary findings six weeks into the audit. The findings broke down into four lines.
First, the partner asserted that the airline's ILMT deployment had gaps across the VMware vSphere clusters that hosted the WebSphere Application Server farm. The partner argued that without continuous ILMT capture, the airline could not claim sub capacity licensing. The partner therefore counted the full physical PVU value of every host in every cluster that ran a WebSphere image, regardless of whether the image was active. That single assumption added eighteen million dollars to the claim.
Second, the partner counted MQ message broker instances on every VMware host that had ever received an MQ image, including hosts where the image had been retired but where the manifest had not been cleaned. That added six point five million dollars.
Third, the partner asserted that DB2 z/OS workloads operating in failover mode on the disaster recovery LPAR required full capacity licensing during the test windows. The customer had run two scheduled DR tests in the prior twelve months. That assumption added eleven million dollars.
Fourth, the partner counted Cognos Analytics named user IDs against an aggregate population that included terminated employees, contractor accounts that had not been reaped, and a small population of test accounts. That added six point five million dollars.
The Redress team opened the engagement with a license entitlement reconstruction. The reconstruction pulled every IBM Passport Advantage entitlement, every Sub Capacity Reporting Tool report from the prior twenty four months, every VMware vCenter inventory snapshot from the prior thirty six months, and every DB2 z/OS workload report from the mainframe team. The reconstruction took sixteen working days and produced an alternative effective license position that contradicted the partner's claim across all four lines.
On the WebSphere line, the reconstruction showed that the ILMT deployment was in fact continuous across the relevant period, with two scheduled outages totalling fourteen hours that fell inside the IBM published tolerance for sub capacity reporting. The Redress team produced the IBM technical bulletin that confirmed the tolerance and the outage tickets that confirmed the timing. The eighteen million dollar line collapsed to a residual three hundred thousand dollars covering a single host that had been brought online during a tolerance period.
On the MQ line, the reconstruction produced the VMware host manifests that confirmed the MQ image retirement on the contested hosts. The IBM partner had counted hosts that had not run an MQ workload in over fourteen months. The six point five million dollar line collapsed to seven hundred thousand dollars covering one cluster where retirement was incomplete.
On the DB2 line, the Redress team produced the IBM disaster recovery licensing policy and the customer's DR test logs. The DR test windows fell inside the IBM published cold standby allowance and did not trigger full capacity licensing. The eleven million dollar line collapsed to zero.
On the Cognos line, the reconstruction produced the airline's joiners movers leavers feed and the contractor account governance policy. The terminated employees, the dormant contractors, and the test accounts came out. The six point five million dollar line collapsed to one point three million dollars covering legitimate active named users above the entitled population.
The complete buyer side IBM audit defense playbook covering ILMT readiness, sub capacity reconstruction, partner engagement, and settlement strategy. 47 page PDF gated behind a work email.
Get the Guide →The 47 step audit defense readiness checklist tells you in twenty minutes whether your IBM estate is ready for an audit notice. Free interactive tool, no gating.
Run the Checklist →The Redress reconstruction was delivered to the IBM partner in week eleven of the engagement. The partner pushed back on three of the four lines. The Redress team held the technical bulletins, the VMware manifests, and the IBM policy documents on every contested point. By week fourteen, the partner reduced the claim to nine point two million dollars. By week sixteen, the IBM commercial team replaced the partner as the customer interface. By week eighteen, IBM accepted a settlement of five point three million dollars covering the residual sub capacity, the residual MQ retirement, and the residual Cognos overshoot, plus a one year maintenance true forward.
The settlement cleared without litigation, without escalation to the airline's general counsel beyond a routine review, and without disturbing the airline's operational IBM relationship through the summer peak. The customer subsequently retained Redress for a continuous IBM advisory engagement covering the next two renewal cycles.
The post audit remediation program covered four work streams.
First, the airline's ILMT governance was rebuilt around a single owner, a documented outage tolerance procedure, and a quarterly attestation cycle. The airline's audit committee adopted the attestation cycle as a standing reporting line.
Second, the MQ retirement process was formalised. Every VMware host that had ever run an MQ image was required to pass a manifest sweep before the retirement was signed off. The retirement evidence was retained for six years.
Third, the DB2 z/OS DR licensing policy was documented in the airline's licensing policy library and cross referenced against the IBM published cold standby allowance. The mainframe team adopted a DR test logging discipline that produced audit ready evidence by default.
Fourth, the Cognos named user governance was tied directly to the joiners movers leavers feed. Account creation, account deactivation, and entitled population reporting were aligned on a monthly cycle.
The airline case is consistent with the wider IBM audit pattern observed across the Redress IBM practice. IBM partner audit teams typically open with claims that combine three pressure points. They count physical capacity where sub capacity should apply. They count retired or dormant deployments alongside active deployments. They apply licensing rules to scenarios that vendor policy explicitly excludes. The reduction from forty two million to five point three million is large but not unusual. The Redress IBM practice has run audit defense engagements where the opening claim was higher and the settlement was lower in absolute and percentage terms.
The pattern reinforces the case for continuous audit readiness rather than reactive audit defense. A buyer side Vendor Shield program produces audit ready evidence as a standing operational output, which collapses the response time when an audit notice arrives and reduces the settlement risk before any claim is opened. The 47 step IBM audit defense checklist is the operational backbone of that program.
