IBM Software Audit Process – A Step-by-Step Guide

IBM Software Audit Process

  • IBM sends a formal audit notification.
  • A kick-off meeting is held to discuss the process.
  • The scope is defined, and data gathering begins.
  • Auditors test and verify compliance.
  • A final report is shared with the customer.
  • IBM negotiates the settlement based on findings.
  • The audit closes with final documentation and lessons learned.

IBM software audits are a reality for many organizations that use IBM products. These audits are designed to verify compliance with licensing terms and can have significant financial implications if non-compliance is found.

Understanding the audit process is crucial for preparing adequately and managing the audit to minimize disruption and potential costs.

This article provides a step-by-step guide to the typical process of an IBM software audit, from the initial notification to the final resolution.

IBM License Audit Process

1. Notification

The IBM software audit process begins with a formal notification letter from IBM. This letter officially announces that IBM intends to conduct a compliance verification audit. The notification typically includes:

  • Audit Scope: The specific software products and licensing agreements that will be reviewed.
  • Targeted Legal Entity: The part of your organization that will be audited.
  • Auditor Name: IBM’s appointed third-party auditor, usually Deloitte or KPMG.

Key Considerations:

  • Frequency: IBM audits are generally conducted every 3-4 years.
  • Response: Upon receiving the notification, it’s important to acknowledge it promptly and prepare for the audit.

2. Kick-off Meeting

After the notification, a kick-off meeting is scheduled. This meeting involves representatives from IBM, the third-party audit firm, and your organization.

The meeting’s purpose is to discuss the audit process, address any initial concerns, and clarify each party’s roles and responsibilities.

During the Kick-off Meeting:

  • Audit Process Overview: The auditors will explain the audit process and outline the expected timeline.
  • Concerns and Questions: You can raise any concerns about the audit, such as timing or the choice of auditor.
  • Non-Disclosure Agreements (NDAs): If necessary, NDAs are signed to protect sensitive information shared during the audit.

Key Considerations:

  • Preparation: Use this meeting to clarify any uncertainties and ensure your team is aligned on the audit process.
  • Communication: Establish clear communication channels with the auditors to facilitate a smooth process.

3. Scoping

The scoping phase defines the parameters of the audit. The auditors work with your organization to determine the scope and approach, considering your contractual arrangements, organizational structure, and available data sources.

Key Activities:

  • Defining Scope: The scope of the audit is aligned with your IBM contracts and the specific products under review.
  • Proposing Alternatives: If certain aspects of the audit scope are likely to cause business disruption, you may propose alternative approaches within the guidelines of the Passport Advantage agreement.

Key Considerations:

  • Minimizing Disruption: Proactively suggest alternative audit approaches if they can reduce the impact on your business operations.
  • Scope Agreement: Ensure both parties agree on the scope to avoid misunderstandings later in the process.

4. Data Gathering

The data-gathering phase is one of the most critical parts of the IBM audit. During this stage, the auditors send information requests based on your IBM entitlements.

Your organization is required to provide data extracts and evidence of your IBM software deployments.

Types of Data Collected:

  • Machine Details: Information about each machine, including environment, status, processor details, RAM size, and machine type (physical, virtual, container).
  • IBM Program Information: Details about IBM programs installed on each machine, their versions, and their usage.
  • Entitlement and Contract Details: Proofs of entitlement, license agreements, and specific licensing terms applicable to the programs.
  • Deployment Evidence: Data extracted from tools like IBM License Metric Tool (ILMT), BigFix Inventory, or IBM License Service.

Key Considerations:

  • Accuracy and Completeness: Carefully track and validate all data provided to ensure it is accurate and complete.
  • Duration: Data gathering can take several months, especially for larger organizations, so it’s important to manage this phase effectively to avoid delays.

5. Testing and Verification

Once the data has been gathered, the auditors move on to the testing and verification phase. This involves analyzing the data to assess your organization’s compliance with IBM’s licensing requirements.

The goal is to identify any potential license shortfalls or areas of non-compliance.

During Testing and Verification:

  • Data Analysis: The auditors use sophisticated tools and scripts to analyze the data provided.
  • Compliance Assessment: The analysis determines your effective license position (ELP) and identifies any gaps in compliance.
  • Mitigating Evidence: Your organization can review the findings and provide additional evidence to challenge or mitigate any identified shortfalls.

Key Considerations:

  • Engagement: Stay engaged with the auditors during this phase to ensure all relevant information is considered.
  • Mitigation: Proactively provide any mitigating evidence that can reduce the perceived compliance gaps.

6. Reporting

After the testing and verification phase, the auditors prepare a final Effective License Position (ELP) report.

This report documents your organization’s compliance status and details any license shortfalls or areas of non-compliance.

Key Activities:

  • Reviewing the Report: The draft report is shared with your organization for review. This is your opportunity to provide feedback and address any inaccuracies.
  • Finalizing the Report: Once all feedback has been incorporated, the report is finalized and released to IBM.

Key Considerations:

  • Accuracy: Ensure the final report accurately reflects your compliance status and includes any mitigating evidence provided.
  • Feedback: Provide timely and thorough feedback to address discrepancies before finalizing the report.

7. Settlement

Following the final report’s release, IBM will re-engage with your organization to negotiate the settlement.

This phase involves agreeing on the final audit findings and determining any required license purchases to resolve the compliance gaps.

Key Activities:

  • Negotiation: IBM and your organization negotiate the settlement terms, including the purchase of additional licenses.
  • Bill of Materials: A bill of materials outlines the licenses and associated costs required to address the compliance shortfalls.
  • Commercial Terms: The settlement’s financial terms, including any discounts or payment terms, are finalized.

Key Considerations:

  • Negotiation Strategy: Approach the negotiations with a clear strategy to minimize the financial impact of the settlement.
  • Final Agreement: Ensure all terms are documented and agreed upon before finalizing the settlement.

8. Closure

The audit process concludes with the formal closure of the audit. IBM issues a notice confirming that the audit has been completed and that any outstanding issues have been resolved.

Key Activities:

  • Archiving: Your organization should archive all project materials related to the audit for future reference.
  • Lessons Learned: Conduct a review to identify any process improvements that can be implemented to better manage future audits.

Key Considerations:

  • Documentation: Keep thorough records of the audit process, including all communications, data provided, and the final settlement agreement.
  • Process Improvement: Use the audit’s lessons to enhance your compliance processes and reduce the risk of future non-compliance.

Data Collection During the IBM Software Audit

The data collection phase is one of the most intensive parts of the IBM audit process.

The auditors gather the information needed to assess your compliance using a combination of tools, scripts, and data extracts.

Common Tools and Methods:

  • IBM License Metric Tool (ILMT): A key tool IBM provides to track and manage software usage, particularly for sub-capacity licensing.
  • Scripts Run on Servers: Auditors may request that scripts be run on your servers to collect data on IBM software installations, hardware details, and usage metrics.
  • Data Extracts from Customer Systems: This includes data from software asset management tools, configuration management databases (CMDB), and other inventory systems.
  • Deployment Evidence from IBM Software: Data collected directly from IBM software, such as the IBM License Service for containerized environments.

Key Considerations:

  • Security Concerns: If running scripts on servers conflicts with your security protocols, discuss alternative data sources with the auditors.
  • Data Accuracy: Meticulously track and validate all data provided to ensure it accurately reflects your environment.

Roles of IBM, KPMG, and Deloitte in the Audit Process

IBM software audits involve multiple parties, each with specific roles:

IBM’s Role:

  • Initiation: IBM initiates the audit and sends the formal notification letter to the customer.
  • Outsourcing: IBM outsources the audit to KPMG or Deloitte, which handles the data collection and analysis.
  • Negotiation: Once the audit report is finalized, IBM re-engages with the customer to negotiate the settlement.

KPMG and Deloitte’s Role:

  • Audit Execution: As third-party auditors, KPMG and Deloitte are responsible for conducting the audit on behalf of IBM.
  • Data Collection and Analysis: They lead the data gathering, testing, and verification phases, analyzing the information to determine the customer’s effective license position.
  • Reporting: They prepare the final audit report, which is first shared with the customer for review before being released to IBM.

Separation of Duties:

  • Technical vs. Commercial: KPMG and Deloitte handle the technical aspects of the audit, while IBM manages the commercial negotiations. This separation allows IBM to remain at arm’s length from the technical compliance discussions, focusing instead on the settlement terms.

Conclusion

An IBM software audit can be complex and lengthy, but understanding the step-by-step procedure can help your organization navigate it more effectively.

By preparing adequately, engaging actively with the auditors, and maintaining a clear focus on accuracy and compliance, you can minimize the disruption and financial impact of the audit.

Key Takeaways:

  • Proactive Preparation: Start preparing as soon as you receive the audit notification. Understand your compliance position and gather all necessary documentation.
  • Engagement and Communication: Communicate openly with the auditors throughout the process. Address any concerns promptly and ensure all data provided is accurate.
  • Strategic Negotiation: In the settlement phase, approach negotiations with a clear strategy to reduce costs and ensure a favorable outcome.

By following these steps, you can effectively manage the IBM software audit process and protect your organization from unnecessary financial exposure.

Author
  • Fredrik Filipsson brings two decades of Oracle license management experience, including a nine-year tenure at Oracle and 11 years in Oracle license consulting. His expertise extends across leading IT corporations like IBM, enriching his profile with a broad spectrum of software and cloud projects. Filipsson's proficiency encompasses IBM, SAP, Microsoft, and Salesforce platforms, alongside significant involvement in Microsoft Copilot and AI initiatives, improving organizational efficiency.