The Challenge: €18M IBM Audit Claim
A leading Italian retailer with a 15+ year relationship with IBM received a surprise audit demand for €18 million. The claim covered three major categories: sub-capacity licensing errors (€10.2M), entitlement mismatches (€5.1M), and virtualisation overages (€2.7M). The retailer was using Db2, WebSphere, MQ, and Tivoli across multiple environments—enterprise infrastructure that IBM auditors believed had been significantly under-licensed.
The retailer had invested heavily in these products over more than a decade, but IBM's audit methodology suggested that usage had outpaced their existing license footprint. The scale of the claim threatened to disrupt the entire commercial relationship and absorb a year's IT budget in a single payment.
Understanding IBM's Audit Methodology
IBM's audit approach relies on three primary techniques, each of which contains potential for overcounting:
- Sub-capacity counting: IBM measures peak usage rather than sustained usage, artificially inflating license requirements.
- Entitlement reconciliation: IBM matches licenses to purchase orders, often failing to account for bundled entitlements, reseller agreements, and components included as part of larger software packages.
- Virtualisation full-capacity fallback: When ILMT (IBM License Metric Tool) data is incomplete or contains gaps, IBM assumes full-capacity licensing for entire virtual environments, regardless of actual usage.
In this retailer's case, all three methods had been applied aggressively. The audit report did not attempt to reconcile actual usage patterns with existing licenses; instead, it simply identified differences between peak usage and installed capacity, then charged for the gap.
Systematic Audit Deconstruction: Four Phases
Our engagement followed a disciplined four-phase methodology to systematically challenge each element of the claim:
Phase 1: Complete Data Analysis
We collected and normalized all license purchase orders, system configurations, ILMT data, and entitlement records. This allowed us to establish a baseline of what the retailer actually owned and how it was deployed.
Phase 2: Technical Data Validation
We validated ILMT metrics against actual system logs, decommissioning records, and capacity planning data. We identified gaps in ILMT that IBM had exploited to assume full-capacity licensing.
Phase 3: Corrected Audit Report
We produced a 95-page technical report that reconstructed the audit using accurate baseline data, sustainable usage metrics (not peak), and proper entitlement recognition. This report served as the foundation for negotiation.
Phase 4: Governance Implementation
We implemented ILMT hardening, centralised entitlement registers, and quarterly compliance reviews to prevent future disputes.
Challenge One: Sub-Capacity Claims €10.2M
IBM's largest claim category focused on sub-capacity licensing. The audit used peak 4-core processor utilisation snapshots to justify claims for full-capacity licenses. However, the retailer's infrastructure was highly variable: peak load only occurred 3-4 times per year during seasonal retail periods.
Our analysis revealed three critical errors:
- Peak vs. sustained: IBM counted peak usage days as the baseline for annual license demand, ignoring that usage returned to 30% of peak for 90% of the year.
- DRM miscounting: The Digital Rights Management (DRM) data IBM used double-counted cores during maintenance windows when systems were recycled but still reporting metrics.
- Decommissioned environments: The retailer had retired three environments 18 months prior. IBM's audit included these decommissioned systems in the claim because ILMT data was not properly cleared on shutdown.
"Redress Compliance delivered exactly what we needed: a rigorous technical challenge to IBM's inflated claim, backed by independent data. The corrected report was credible enough that IBM's licensing team couldn't defend their original position."
Italian Retailer CIO
By reconstructing the baseline using sustained usage (not peak), removing DRM double-counts, and excluding decommissioned systems, we reduced the sub-capacity claim from €10.2M to €420K—a 96% reduction in this category.
Challenge Two: Entitlements €5.1M
IBM claimed that the retailer was missing entitlements for various software components. However, this analysis ignored several legitimate sources of entitlements:
- Reseller purchases: The retailer had acquired some licenses through IBM reseller channels. IBM's audit used direct-purchase orders only, missing reseller documentation entirely.
- Bundled entitlements: Several large WebSphere and Db2 purchases included bundled components that IBM's audit counted as separate, unlicensed usage.
- Included components: Tivoli licensing includes certain components (monitoring, basic optimization) that IBM's audit treated as separate products requiring separate licenses.
- Test/dev exemptions: The retailer's test environments qualified for downgrade licensing under IBM's test/dev program, but the audit ignored these eligibilities.
We recovered entitlements across all four categories by systematically validating each purchase channel and correctly applying bundling and inclusion rules. The entitlement claim fell from €5.1M to €280K—a 94% reduction.
Challenge Three: Virtualisation Overages €2.7M
IBM claimed that virtualised Db2 environments required full-capacity licensing on the underlying server because ILMT data had a 17-day gap during a system migration. IBM's policy treats any gap longer than 14 days as a signal to assume full-capacity usage for that period.
However, the gap coincided with a planned maintenance window when the virtualised environment was offline entirely. Our technical validation showed that the system was powered down during the gap period, meaning there was no usage to license. Additionally, we applied IBM's proportionality defence, which permits downgrade licensing when usage is demonstrably below the licensed capacity.
With corrected metrics and proper proportionality adjustment, the virtualisation claim fell from €2.7M to €200K—a 93% reduction.
Negotiation: €18M to €900K
Armed with a credible, independently-authored 95-page audit report, we approached IBM's licensing team with a clear counter-proposal: accept the corrected findings or face a formal dispute. The report's technical rigor meant IBM could not dismiss it as advocacy or bias.
Our negotiation strategy emphasised three factors:
- Corrected report credibility: The report was authored by independent advisors using IBM's own methodology. It was defensible in arbitration.
- Commercial relationship value: The retailer was a long-standing customer. An adversarial dispute would damage the relationship.
- Future investment bundling: We proposed that the retailer's next major renewal include bundled commitments that would lock in volume pricing and reduce future compliance risk.
IBM agreed to settle at €900K, eliminating 95% of the original claim. The settlement included a corrected license baseline and a three-year commercial agreement with clear usage benchmarks.
Governance Implementation
We implemented a governance framework to prevent future disputes:
- ILMT hardening: We optimised ILMT collection to eliminate data gaps and double-counting. Daily metrics are now validated against capacity planning data.
- Centralised entitlement register: All licenses (direct, reseller, bundled, included) are now tracked in a single source of truth. This register is updated at purchase time and audited quarterly against systems.
- Quarterly compliance reviews: The retailer now conducts quarterly reviews of ILMT data versus actual system deployments. Any discrepancies are flagged and resolved within 30 days.
- Training for IT and procurement: We trained the IT and procurement teams on IBM's audit methods, bundling rules, and entitlement recognition to ensure future purchases are documented correctly.
Key Lessons
This engagement revealed five critical lessons relevant to any enterprise dealing with IBM licensing:
- Peak vs. sustained usage matters: IBM audits often target peak usage as the baseline. Demonstrating sustained, lower usage is your most powerful defence.
- Entitlement recovery is significant: Many enterprises underestimate the entitlements they already own. A 94% reduction in one category is not unusual.
- ILMT data governance prevents claims: Clean, gap-free ILMT data is your best protection. IBM is far less aggressive with audits when data is comprehensive and credible.
- Virtualisation rules are negotiable: The 14-day gap rule is not absolute. Proportionality defences and context around maintenance windows matter.
- A corrected report is your negotiating tool: IBM respects independent, technically rigorous counter-audit reports. This is where leverage lies.
Frequently Asked Questions
IBM focuses on three primary areas: sub-capacity under-licensing (claiming you've licensed fewer cores than you're using), entitlement mismatches (claiming you don't have licenses for components you actually own), and virtualisation over-licensing (claiming you must license full server capacity even when virtual machines use a fraction of it). Sub-capacity is by far the most common and aggressive claim category.
IBM's peak-usage methodology is defensible in principle but is often applied too aggressively. IBM licensing permits peak usage as a basis for sub-capacity calculations, but you have a right to demonstrate that peak is genuinely exceptional and that sustained usage is considerably lower. If your systems run at 30% of peak for 90% of the year, that should drive your license baseline, not the 3-4 peak days.
IBM's policy states that gaps longer than 14 days trigger a full-capacity assumption. However, this rule is context-dependent. If the gap is due to planned maintenance (when the system is powered down), or if other data sources demonstrate low usage during the gap, you can challenge the assumption. Proportionality defences often apply here—you can argue that licensing full capacity for a system that demonstrably uses a fraction of it is unreasonable.
Extremely important. IBM's audit report is one perspective. When you respond with an equally rigorous, independently-authored counter-report, you shift the conversation from accusation to technical debate. IBM's licensing team will take seriously a report authored by advisors using IBM's own methodology. It becomes difficult for IBM to dismiss without looking unreasonable.
Sustained usage refers to the average or typical usage level measured over a representative period (usually 90 days). Peak usage is the highest usage observed. IBM's audit should consider both, but many auditors focus only on peak. You can challenge this by providing metrics that show sustained usage is your baseline and peak is an outlier.
Reseller purchases are often missed in initial audits because IBM auditors primarily review direct purchase orders. If you've acquired licenses through resellers, ensure you have documentation (purchase orders, invoices, reseller confirmations). These entitlements should be included in your baseline and can significantly reduce exposure. Bundled licenses purchased through resellers are particularly important to document.
The proportionality defence argues that when a virtualised system uses only a fraction of its underlying server's capacity, licensing the full capacity is disproportionate. For example, if a virtual Db2 environment uses 2 cores of a 16-core server, you should be able to license proportionally to actual usage rather than the full server. IBM's policy acknowledges proportionality, but many auditors ignore it. This is a key negotiation point.