University IBM audit defense. 85 percent exposure reduction.

A leading university system received an IBM audit notification covering an estate spread across dozens of faculties and research units. Decentralized purchasing meant nobody held a complete entitlement picture.

The defense settled at an 85 percent reduction against the opening claim. The gap was mostly paperwork, not deployment.

What happened in this IBM audit defense?

The university settled its IBM audit at 85 percent below the opening exposure figure. Most of the reduction came from entitlement reconciliation across decentralized purchases and ILMT evidence repair on research clusters.

The estate ran Db2, WebSphere, SPSS, and Tivoli products across central IT and faculty managed infrastructure. The audit firm's calculation assumed the central entitlement file was complete. It was not close.

How the audit opened

The notification went to central IT, but the exposure sat largely in systems central IT did not manage. The first move was an internal freeze: no department was to answer auditor questions directly.

What did the deployment data actually show?

Deployment was broadly consistent with what the institution had actually bought over two decades. The claim was driven by missing paper, not missing licenses.

Entitlements surfaced from faculty purchase records, grant funded procurements, and education program agreements under Passport Advantage. Mapping legacy education SKUs to current product names recovered another tranche the auditor's file treated as unlicensed.

Repairing the ILMT position

Research clusters ran virtualized workloads outside ILMT coverage. Under sub capacity rules those hosts price at full capacity until coverage and history are repaired. Agents were deployed, history reconstructed where eligible, and the full capacity blocks reversed.

Reconciling decentralized entitlements

The reconciliation pass worked through four sources:

• Central Passport Advantage records. The baseline the auditor already had.
• Faculty purchase archives. Department level orders never registered centrally.
• Grant funded procurement. Licenses bought on research budgets with their own paper trails.
• Education agreements. Program pricing with entitlement terms that mapped to current SKUs.

Which levers cut the exposure by 85 percent?

Three levers produced most of the reduction: entitlement reconciliation, ILMT repair, and scope discipline on what the audit could actually examine.

Where the common advice on IBM audits is wrong

The common advice is that a large compliance gap means buying your way out quickly before penalties grow. We disagree. In roughly 20 to 30 engagements Morten Andersen advised across 2024 and 2025, the opening gap bore little relation to the settled one; in decentralized estates most of the claim was missing paperwork, not missing licenses. The buyer side move is to reconcile entitlements fully before conceding any number, because money spent settling a paper gap is simply wasted. Speed serves the auditor, accuracy serves the institution.

Each reversal was documented against IBM sub capacity licensing terms and the ILMT documentation, which is what made the corrected position stick.

What buyer side moves held the line?

Process discipline mattered as much as the evidence itself.

• Centralized response. One team answered for forty departments; contradictory data never reached the auditor.
• Internal discovery first. The institution measured itself before validating anything the auditor produced.
• Staged releases. Verified data went out in controlled tranches with documented assumptions.
• Settlement through the account team. The close moved from the audit firm to IBM commercial, where forward terms could be traded.

More IBM analysis lives in the IBM knowledge hub and the IBM practice.

What to do next

1. On audit notice, freeze direct departmental contact with the auditor and centralize the response.
2. Reconcile entitlements across every purchasing channel, including grants and education programs, before accepting any gap.
3. Map legacy SKUs to current product names; auditor files rarely do this in the customer's favor.
4. Repair ILMT coverage on research and lab clusters and reconstruct eligible history.
5. Release only validated data, in tranches, through one channel.
6. Move the close to IBM commercial and trade settlement for forward commitment.

Frequently asked questions

How much did the university reduce its IBM audit exposure?

The university settled at 85 percent below the opening claim. Entitlement reconciliation across decentralized purchases and ILMT repair on research clusters produced most of the reduction.

Why are universities exposed in IBM audits?

Decentralized purchasing scatters entitlement records across faculties, grants, and education programs, so auditor files dramatically understate real holdings. The apparent gap is usually paperwork, not unlicensed deployment.

Do education entitlements count in an IBM audit?

Yes. Education program purchases and grant funded licenses are real entitlements once mapped to current SKUs. They are also the records most often missing from the auditor’s file.

What was the role of ILMT in this case?

Research clusters outside ILMT coverage were priced at full physical capacity in the opening claim. Deploying agents and reconstructing eligible history reversed those blocks under IBM sub capacity rules.

Who should run an audit response in a decentralized organization?

A single central team with authority over every department’s communication. Contradictory departmental answers are one of the fastest ways an audit exposure grows.