The IBM Software License Audit. How It Works.

An IBM software audit is won or lost on the IBM License Metric Tool, because without current sub capacity reports IBM defaults you to full capacity licensing.

How does an IBM software license audit actually run?

An IBM audit is exercised under the verification clause of the Passport Advantage agreement. IBM, or an appointed firm, sends a notice, requests deployment data, measures entitlement against usage, and presents a finding.

The process is procedural, not adversarial by default. How it ends depends almost entirely on the quality of your sub capacity evidence.

The notice and the kickoff

The audit opens with a formal notice citing the agreement clause. A kickoff call sets scope, timeline, and the data request. Treat the kickoff as a scoping negotiation, not a formality.

• Notice: confirms the legal basis and the products in scope.
• Kickoff: sets the data request and timeline, both of which are negotiable.
• Data collection: you provide ILMT reports and deployment records.

Measurement and the draft finding

IBM compares measured deployment against your entitlement and issues a draft finding. This is the point to challenge methodology and correct measurement errors before the number is finalized.

Why does the IBM License Metric Tool decide the outcome?

IBM sub capacity licensing lets you license only the virtual cores assigned to an IBM product, not every core in the host or cluster. The right to do that is conditional on running the IBM License Metric Tool and keeping reports.

The requirement is strict. The sub capacity terms in the Passport Advantage sub capacity rules require ILMT installed within ninety days and reports retained for two years.

What happens without compliant ILMT

• Full capacity default: IBM counts every physical core on the host, not the virtual cores assigned.
• Multiplier effect: a small product on a large host can be charged at many times its real footprint.
• No retroactive fix: installing ILMT after the audit notice does not restore sub capacity for the past period.

Keeping ILMT defensible

Install ILMT on every host running IBM software, confirm it discovers all instances, and keep the reports current. The license terms for each product sit in the IBM license agreements catalog at IBM Terms.

How do you control the audit data request?

The data request defines how much of your estate the audit touches. A broad request invites scope creep and surfaces unrelated exposure. A scoped request keeps the audit to the products actually in question.

• Products in scope: confirm the audit covers only the named products.
• Environment boundary: limit data to the in scope environment, not the whole estate.
• Format and channel: agree the report format so you control what is shared.

Where the common advice on IBM audits is wrong

The standard advice is to cooperate fully and quickly with the auditor to show good faith and close the audit fast. We disagree. In more than half the IBM audits we defended in 2024 and 2025, fast and broad cooperation surfaced 20 to 30 percent more environment than the audit needed, inflating the finding. The buyer side move is to cooperate professionally but scope tightly, submit only clean sub capacity proof for the products in question, and challenge methodology on the draft finding. Speed is the auditor's interest, accuracy is yours, and the two are not the same.

36

IBM audits defended, 2024 to 2025

52%

Median exposure from ILMT gaps

27%

Average finding reduction achieved

Source: Redress Compliance advisory engagement file, 2024 to 2025.

On an IBM audit the number IBM opens with is almost never the number you owe. Clean sub capacity proof, not speed, closes the gap.

What buyer side moves cut IBM audit exposure?

The defense is evidence and scope control. Bring current ILMT reports, a host inventory, and the entitlement records. IBM settles against defensible data, not assertions.

• Confirm ILMT coverage: verify the tool discovers every host running IBM software before submitting.
• Scope the request: hold the audit to the named products and in scope environment.
• Challenge the draft: correct measurement errors and methodology on the draft finding.
• Reconcile entitlement: credit unused and shelved entitlement against the exposure.

How to prepare before a notice arrives

Audit readiness is a standing task. Keep ILMT current, retain two years of reports, and reconcile entitlement quarterly. An estate that is always ready treats the notice as routine.

What to do next

1. Confirm the IBM License Metric Tool is installed and reporting on every host running IBM software.
2. Verify ILMT discovers all instances and that reports cover the last two years.
3. On receiving a notice, confirm the legal basis and the exact products in scope.
4. Negotiate the data request scope and timeline at the kickoff call.
5. Submit only clean sub capacity proof for the in scope products.
6. Challenge methodology and correct measurement errors on the draft finding.
7. Credit unused entitlement against the exposure before agreeing any settlement.

Frequently asked questions

How does an IBM software license audit work in 2026?

An IBM audit is run under the verification clause of the Passport Advantage agreement, usually through an appointed firm. IBM sends a notice, requests deployment data, measures usage against entitlement, and presents a draft finding. The outcome depends largely on the quality of your sub capacity evidence.

Why is the IBM License Metric Tool so important in an audit?

ILMT is the condition for sub capacity licensing, which lets you license only the virtual cores assigned to an IBM product rather than every physical core on the host. Without current ILMT reports, IBM defaults to full capacity, which can multiply the licensed core count and the finding.

What happens if I do not have ILMT installed?

IBM measures full physical capacity, counting every core on the host running the product rather than the virtual cores assigned. A small product on a large host can then be charged at many times its real footprint, and installing ILMT after the notice does not restore sub capacity for the past period.

Can I negotiate the scope of an IBM audit?

Yes. The data request set at the kickoff call defines how much of your estate the audit touches, and it is negotiable. Confirm the audit covers only the named products, limit data to the in scope environment, and agree the report format so you control what is shared.

Should I cooperate fully and quickly with an IBM auditor?

Cooperate professionally, but scope tightly. Fast and broad cooperation often surfaces more environment than the audit needs and inflates the finding. Submit only clean sub capacity proof for the products in question, and treat the kickoff as a scoping negotiation rather than a formality.

How much IBM audit exposure comes from real over deployment?

In our 2024 to 2025 defenses, 40 to 60 percent of initial exposure traced to ILMT gaps and stale reports rather than genuine over deployment. Fixing the sub capacity proof, not buying more licenses, removed most of the apparent exposure.

How long must I keep ILMT reports?

The Passport Advantage sub capacity terms require ILMT installed within ninety days of first deployment and reports retained for two years. An estate that keeps current reports across that window can defend sub capacity on every host the auditor questions.

How do I prepare for an IBM audit before the notice arrives?

Treat readiness as a standing task. Keep ILMT installed and reporting on every host running IBM software, confirm it discovers all instances, retain two years of reports, and reconcile entitlement quarterly. An estate that is always ready treats an audit notice as routine rather than a crisis.