IBM Audit Readiness: The 90 Day Checklist Before IBM Counts
An IBM audit is decided before the notice letter arrives. Without compliant ILMT reporting, the same servers count at nearly four times the PVU, and the auditor will not accept evidence created after the fact.
Prepared by Redress Compliance · June 2026 · Representative IBM estate scenario (benchmark scenario, not a quote)
Executive Summary
IBM audits arrive under the Compliance Verification clause in Passport Advantage and are run by firms such as KPMG, Deloitte, and EY. The outcome is largely fixed before the letter lands: sub capacity rights depend on evidence that must already exist, ILMT deployed within 90 days and quarterly reports signed and retained for two years.
The fallback is brutal. Where ILMT coverage fails, IBM is entitled to count every core in the host or cluster at full capacity. In the representative estate modeled in this paper, that fallback moves the licensable position from 4,000 PVU to 15,840 PVU, a 3.96x swing on identical workloads.
The gaps are predictable. Across roughly 25 to 40 IBM audit readiness reviews in 2024 to 2025, ILMT was typically installed but silently missing 15 to 30 percent of eligible cores, entitlements did not match deployed versions, and no single owner could produce the sub capacity proof on request.
All of it is fixable in 90 days. This paper lays out the 30, 60, and 90 day readiness calendar, the documentation each virtualization platform requires, the evidence pack to assemble before any auditor arrives, and the governance cadence that keeps the estate audit ready permanently.
Why ILMT Compliance Decides the Audit Before the Notice
Sub capacity licensing is a conditional privilege, not a default right. The Passport Advantage sub capacity terms grant it only while you meet every condition: an eligible product, an eligible virtualization environment, ILMT deployed and reporting, and quarterly reports retained for two years.
Three contract mechanics matter more than the rest:
- The 90 day rule. ILMT must be implemented within 90 days of the first eligible sub capacity deployment, not when convenient.
- The full capacity fallback. Where the conditions fail, IBM counts every physical core the software could reach.
- The retention rule. Reports must be generated quarterly, reconciled, signed, and kept for two years.
The retention rule is the one buyers miss. An ILMT instance that runs today cannot recreate last year's quarters. If the signed history does not exist, the sub capacity position for those periods rests on goodwill, and auditors are not paid for goodwill.
Where do readiness reviews actually find the exposure? Mostly in cores the tool never saw.
Eligible cores not reporting to an installed ILMT.
Across the readiness reviews we ran in 2024 to 2025, ILMT was deployed but silent on 15 to 30 percent of eligible cores: new clusters never onboarded, agents broken after OS upgrades, and scan groups missing whole sites.
PVU findings versus the buyer's internal estimate.
On hosts without compliant ILMT reporting, audit findings ran 2.4 to 4.1 times the buyer's own estimate, because the count reverted to full capacity across every core in the cluster.
Benchmark ranges: Redress Compliance advisory engagement file, 2024 to 2025.
The 30, 60, 90 Day Readiness Calendar
Readiness is a sequenced project, not a fire drill. The calendar below closes the 18 checklist items in dependency order: coverage first, reconciliation second, governance last. Each phase has six items and a hard exit test.
Find every core ILMT cannot see
- Inventory all hosts and clusters running eligible products.
- Compare the inventory to ILMT scan coverage, core by core.
- Onboard missing clusters and repair broken agents.
- Verify the PVU table and software catalog are current.
- Stand up IBM License Service on container platforms.
- Exit test: ILMT and License Service see 100 percent of eligible cores.
Match what runs to what you own
- Pull the entitlement baseline from Passport Advantage.
- Reconcile deployed products and versions to proofs of entitlement.
- Classify bundled and supporting programs correctly.
- Resolve duplicate and misidentified ILMT discoveries.
- Quantify and remediate any genuine license gaps.
- Exit test: a signed deployment versus entitlement position.
Make the proof producible on demand
- Generate, reconcile, and sign the quarterly ILMT report.
- Assemble the evidence pack described in section 4.
- Name one owner for sub capacity proof production.
- Document the virtualization topology per platform.
- Run a mock auditor data request end to end.
- Exit test: the full evidence pack delivered within five business days.
Sub Capacity Documentation Per Virtualization Platform
Each eligible virtualization technology has its own counting rule and its own proof. The auditor will test the platform records against the ILMT output; where the two disagree, the finding follows the platform.
| Platform | What IBM counts | Evidence that holds up |
|---|---|---|
| VMware vSphere | Cores available to the VM, bounded by the cluster the VM can reach under vMotion. | ILMT agents on every VM with eligible products, full cluster scan coverage, and vCenter topology exports showing cluster boundaries. |
| IBM PowerVM | Entitled capacity of the LPAR or shared processor pool, capped or uncapped. | ILMT plus HMC configuration records, pool entitlement history, and change logs for capacity moves. |
| IBM z/VM and LinuxONE | Capacity assigned to the guest, per the mainframe sub capacity rules. | ILMT or approved mainframe reporting, guest capacity definitions, and partition records. |
| KVM and Nutanix AHV | Virtual cores assigned to the guest, bounded by the physical host or cluster. | ILMT coverage of every guest, host core inventory, and cluster configuration exports. |
| Eligible public clouds | Virtual cores of the instance, per the eligible public cloud BYOSL terms. | ILMT or License Service inside the images, plus a cloud instance inventory tied to subscription records. |
| OpenShift and Cloud Paks | VPC consumed by containerized workloads, which ILMT cannot see. | IBM License Service reports per cluster, generated quarterly and retained for two years, with the Cloud Pak ratio mapping. |
The container row is the modern trap. Estates that moved WebSphere or Db2 workloads onto OpenShift often kept ILMT running happily on the empty VMs while nothing measured the containers. License Service is a separate deployment with its own retention duty, documented in the IBM License Metric Tool documentation family.
What the fallback costs: a representative estate
The representative estate below runs IBM middleware across three environments. With compliant evidence, it licenses 4,000 PVU. Without it, the same workloads count at 15,840 PVU.
| Environment | Physical cores | Sub capacity cores | PVU per core | Full capacity PVU | Sub capacity PVU |
|---|---|---|---|---|---|
| VMware production cluster | 128 | 24 | 70 | 8,960 | 1,680 |
| PowerVM LPARs | 24 | 12 | 100 | 2,400 | 1,200 |
| x86 development cluster | 64 | 16 | 70 | 4,480 | 1,120 |
| Total | 216 | 52 | 15,840 | 4,000 |
Representative IBM estate scenario (benchmark scenario, not a quote). PVU ratings vary by processor model; the table uses common ratings for illustration.
The Evidence Pack to Build Before the Auditor Arrives
An audit request is a document production exercise. The estate that can hand over a complete, internally consistent pack in days controls the narrative; the estate that assembles it under deadline concedes the auditor's numbers. Build the pack now, in one repository, with one owner.
What goes in the pack
Six artifact families, each kept current by the governance cadence in section 5:
| Artifact | Contents | Refresh |
|---|---|---|
| Entitlement baseline | Proofs of entitlement, Passport Advantage purchase history, active subscription and support records. | Quarterly |
| Signed ILMT reports | Quarterly audit snapshot reports, reconciled and signed, covering the trailing two years. | Quarterly |
| License Service reports | Container VPC consumption per OpenShift cluster, with Cloud Pak ratio mappings. | Quarterly |
| Deployment reconciliation | Deployed products and versions matched to entitlements, with bundling classifications. | Quarterly |
| Topology records | vCenter cluster exports, HMC and LPAR configurations, host core inventories, cloud instance lists. | Per change |
| Contract set | The Passport Advantage agreement, amendments, and any negotiated audit or sub capacity language. | Per change |
One rule governs the pack: nothing in it should surprise you. Every artifact is reconciled before it is filed, so the pack is a defense position, not a discovery risk.
The Governance Cadence That Maintains Readiness
A 90 day project that ends on day 90 decays back to exposure within two quarters. New clusters appear, agents break, products move into containers. The cadence below is the minimum that keeps the day 90 position true permanently.
| Cadence | Action | Owner |
|---|---|---|
| Quarterly | Generate, reconcile, and sign the ILMT and License Service reports; file them in the evidence pack. | SAM lead |
| Quarterly | Reconcile deployments and versions against the entitlement baseline; log and remediate variances. | SAM lead with procurement |
| Per change | Any new cluster, host, or eligible product triggers an ILMT coverage check inside the 90 day window. | Infrastructure owner |
| Semiannual | Run a mock auditor data request; measure days to produce the full evidence pack. | SAM lead |
| Annual | Review the Passport Advantage anniversary position: renewal dates, point levels, and audit posture together. | Procurement lead |
Ownership is the cadence's keystone. In the estates we reviewed, the recurring failure was not tooling but accountability: no single named person could produce the proof on request. Name the owner, put the cadence in their objectives, and the rest of the checklist tends to stay closed.
The cadence also converts readiness into negotiating power. An estate that can prove its position chooses what to buy at the anniversary on its own numbers, rather than buying its way out of an auditor's numbers under a deadline.
Recommendation
Start the 90 day calendar now, before any letter arrives. Every item on the checklist is cheaper, quieter, and more controllable before IBM starts the clock. The full capacity fallback only bites estates that cannot prove coverage, and proof takes 90 days to build but only a quarter of neglect to lose.
- Close the coverage gap first. The 15 to 30 percent of cores an installed ILMT does not see carry nearly half the exposure. Verify reporting core by core, including License Service on every container platform.
- Make the proof producible. One owner, one evidence pack, signed quarterly reports retained for two years, and a mock data request twice a year. Producible proof is what turns an audit from a settlement into a formality.
Redress Compliance runs these readiness reviews and the audit defenses behind them, on your side of the table only. We are glad to tie a meaningful part of the fee to delivered value.
