IBM Audit Defence

IBM Audit Defence Checklist

Complete checklist for preparing for and responding to an IBM software licence audit. 30+ action items across 6 phases.

30+
Action Items
6
Phases
ILMT
Key Factor
Your Progress
0/32 (0%)
🚨
Phase 1: Immediate Response
5 items
0/5
Verify the IBM audit notification is legitimate
Confirm the letter references your Passport Advantage agreement audit clause. IBM uses third-party auditors (Deloitte, KPMG, EY).
Important
Do NOT respond to IBM or their auditor without strategy
Any data shared can be used against you. Pause and prepare before engaging.
Critical
Engage independent IBM licensing advisory
IBM-appointed auditors work for IBM. You need independent representation.
Critical
Assemble your internal audit response team
Include: IT infrastructure, middleware team, procurement, legal, and an executive sponsor.
Locate all Passport Advantage agreements and entitlement records
Gather PVU entitlements, Authorised User counts, and all IBM licence certificates. Missing records = assumed non-compliance.
Important
🔍
Phase 2: ILMT & Sub-Capacity Assessment
6 items
0/6
Verify ILMT is deployed on ALL servers running IBM software
ILMT must cover 100% of servers. Any gap invalidates sub-capacity rights for your ENTIRE estate.
Critical
Confirm ILMT is generating reports at least every 90 days
IBM requires regular ILMT reporting. Missing reports invalidate sub-capacity rights.
Critical
Verify ILMT report retention covers the required 2-year period
IBM can request 2 years of ILMT data. Missing historical reports are a major audit finding.
Important
Validate ILMT agent coverage matches actual server inventory
Compare ILMT agent list against your CMDB. Every server with IBM software must have an active ILMT agent.
Check ILMT bundling and exclusion rules are correctly configured
Incorrect ILMT configuration is the #1 cause of inaccurate sub-capacity reporting. Validate all bundling rules.
Important
If ILMT is NOT deployed, calculate full-capacity exposure immediately
Without ILMT, IBM will licence at full physical server capacity. This can be 5-10x the sub-capacity requirement.
Critical
📊
Phase 3: Licence Position Analysis
6 items
0/6
Build your IBM Effective Licence Position
Map every IBM product deployment against PVU or Authorised User entitlements.
Important
Calculate PVU requirements using the IBM PVU table
Different processor families have different PVU-per-core values. Apply the correct values from the IBM PVU table.
Map all virtualisation platforms (VMware, PowerVM, KVM, Hyper-V)
Virtualisation licensing rules differ by platform. VMware without ILMT = full physical server in scope.
Critical
Identify all IBM products including middleware and database
WebSphere, MQ, Db2, Cognos, and other middleware are commonly underlicensed. Inventory every product.
Check for IBM products installed by third-party applications
Some applications bundle IBM runtime components that may require separate licensing.
Quantify compliance gaps at your contractual discount level
Know your exposure before IBM does. Calculate using your Passport Advantage pricing.
🤝
Phase 4: Auditor Engagement
5 items
0/5
Control the data you share with the IBM auditor
Provide only what your contract requires. Do not share raw infrastructure scans or CMDB exports.
Important
Challenge any attempt to licence at full capacity if you have ILMT
If ILMT is deployed and reporting, sub-capacity licensing must be recognised. Push back on full-capacity claims.
Critical
Dispute any findings based on incorrect PVU calculations
Verify the auditor is using the correct PVU-per-core values for your specific processor types.
Challenge container and Kubernetes licensing claims
Container licensing rules are complex. IBM may claim entire Kubernetes clusters are in scope when only specific pods run IBM software.
Important
Track all auditor communications and requests
Maintain a detailed log of every interaction, data request, and finding.
💰
Phase 5: Negotiation & Resolution
5 items
0/5
Do not accept the initial IBM compliance claim
IBM audit claims are typically inflated. Challenge every finding with evidence.
Critical
Negotiate at your Passport Advantage discount level
Compliance purchases should be at your existing rates, not list price.
Important
Consider an ELA or PULA to resolve gaps cost-effectively
An unlimited licence arrangement may cost less than back-licensing individual product gaps.
Negotiate a compliance grace period for remediation
Request time to bring ILMT into compliance rather than paying for historical gaps.
Tip
Document all resolution terms precisely
Include exact product names, entitlement counts, PVU quantities, and compliance confirmation.
Important
🛡️
Phase 6: Post-Audit Governance
5 items
0/5
Achieve and maintain 100% ILMT agent coverage
This is your single most important ongoing compliance task. Automate agent deployment.
Critical
Automate quarterly ILMT report generation
Set up automated reporting with email alerts to prevent gaps.
Implement change management for IBM deployments
Require approval for any new IBM product installations or infrastructure changes.
Run quarterly internal compliance reviews
Review ILMT data quarterly. Fix issues before they become audit findings.
Negotiate improved audit terms at next Passport Advantage renewal
Limit audit frequency and require advance notice in your next agreement.
Tip

Get Your Personalised Report

Enter your details to unlock your downloadable checklist and receive expert follow-up guidance from our advisory team.

Please use your company email address.
Your details are shared only with Redress Compliance.

Need IBM Audit Defence Support?

Redress Compliance provides independent IBM audit defence. We help enterprises validate ILMT data, challenge audit findings, and negotiate fair resolutions.

Book a Free Consultation