How to Respond to an IBM Audit Notification (Revised)
- Manage the process carefully, addressing information requests and discrepancies promptly.
- Review the audit notification to understand the scope, entity, and timeline.
- Validate IBM’s audit rights as per your contract.
- Acknowledge receipt promptly and designate a single point of contact.
- Prepare internally by educating stakeholders, gathering documentation, and reviewing compliance.
- Negotiate the audit scope and approach to minimize business disruption.
IBM Audit Letter Response
Review the Audit Notification Carefully
When you receive the audit notification from IBM, carefully review the contents to determine important details such as:
- The targeted legal entity being audited
- The intended scope of the audit (e.g., ILMT-only vs. full audit)
- The name of the third-party auditor (usually Deloitte or KPMG)
- The proposed timeline for the audit
If you have concerns about the timing or the selected auditor, raise those concerns promptly with IBM.
Validate IBM’s Right to Audit
Confirm that IBM has the contractual right to conduct the audit under the terms of your Passport Advantage Agreement (IPAA), specifically Section 1.12 on Compliance Verification. Check for any exceptions that may prevent the audit.
Respond Promptly
After validating the audit request, respond to IBM to acknowledge receipt of the notice and confirm your willingness to cooperate, subject to negotiating the scope and timing. Designate a single point of contact within your organization to manage all communication and information flow with the auditor.
This ensures you maintain a complete record of all data provided.
Prepare Internally
- Educate procurement, IT, and legal stakeholders about the audit response protocol. Ensure they immediately report audit notifications to your software asset management team.
- Establish clear roles and responsibilities for each stakeholder involved in the audit process. Have a documented, repeatable framework in place.
- Gather your license entitlement data, including purchase records, Proofs of Entitlement, and contract terms. Verify this matches your current software deployments.
- Conduct an internal review to identify any potential compliance gaps. If necessary, purchase additional licenses to become compliant before the audit begins.
Negotiate Scope and Approach
Discuss the proposed audit scope and approach during the kick-off meeting with IBM and the auditor.
Ensure it aligns with your contractual arrangements, organization structure, and available data sources. You can propose alternative approaches if the auditor can still effectively verify compliance.
For example, if their suggested scripts would violate your security protocols, offer equivalent data sources instead.
The Passport Advantage agreement states the audit should be conducted to minimize disruption to your business. For this reason, you can request adjustments to the timeline and approach to reduce the impact on your operations.
Manage the Audit Process
- Carefully review each information request from the auditor. Understand why each item is needed and how it will be interpreted. Explain any apparent license shortfalls due to nuances in your IT environment the auditor may not know.
- If discrepancies are found in the auditor’s initial findings, you usually have a week or two to review and respond with corrections before it is finalized and handed to IBM.
The keys to a successful IBM audit are preparation, attention to detail, and effective communication. Accurate license positions, deployment data, and a clear response framework will help you navigate the process as smoothly as possible.
Read about IBM Audit Defense Service.