IBM Software Audit: How to Prepare a Defense and Handle it Like a Pro
An IBM Software Audit can be an utterly grueling experience. While there is no way to completely eliminate your risk of incurring an audit from IBM as long as you have their products, being prepared for an audit, should one occur, is your best means of defense. We at MetrixData360 have helped countless clients prepare for an IBM audit and successfully defend themselves against IBM auditors. Here are our recommendations for making sure you’re properly prepared for your IBM audit.
Our Process and Recommendations:
Have a Non-Disclosure Agreement (NDA) At The Ready
IBM strives to have an audit engagement with their customers at least once a year as outlined in the terms of their contracts. Due to this, it is advisable to put in place a Non-Disclosure Agreement (NDA) or confidentiality agreement for IBM’s auditor to sign so you can protect the data that will be collected from your environment. This step is essential in every audit situation.
Have IBM’s License Metric Tool (ILMT) Properly Deployed
ILMT comes with many benefits, namely providing you with protection when faced with an IBM software audit. To summarize, IBM’s License Metric Tool (ILMT) is a software asset management tool freely available to IBM’s customers that is used to monitor consumption of IBM’s products.
It is compulsory for any customer who wishes to benefit from IBM’s sub-capacity licensing and its primary function is to make sure a customer is within compliance and using the products efficiently.
Most organizations do not adequately configure, manage, or maintain their IBM License Metric Tool (“ILMT”) and are relaxed about Sub-Capacity (“SC”) reporting. The current IBM Passport Advantage Agreement (“IPAA”) relevant language is:
“For Sub-Capacity usage of EPs, Client agrees to install and configure the most current version of IBM’s license metric tool (ILMT) within 90 days of Client’s first Sub-Capacity-based Eligible Sub-Capacity Product deployment, to promptly install any updates to ILMT that are made available, and to collect deployment data for each such EP”
“Reports (generated by ILMT or manual if Client meets manual reporting exemptions) must be prepared at least once per quarter and retained for a period of not less than 2 years. Failure to generate Reports or provide Reports to IBM will cause charging under full capacity for the total number of physical processor cores activated and available for use on the server.”
Not having ILMT puts a huge target on your back for a software audit from IBM as it will make IBM suspect that you have no way of tracking your consumption without it. Unless you meet the criteria that exempts you, you will have to license all IBM products under Full-Capacity terms if you don’t have ILMT.
Organizations that fail to meet their contractual obligations will have an IBM Licensing conundrum. Not meeting these obligations exposes your organization to IBM’s Full-Capacity (“FC”) licensing, which bloats the Processors Value Units (“PVU”) and consequently exposure to financial risk.
If you are found to have IBM’s software that has been deployed for 90 days and it doesn’t have ILMT on the same virtual server, then it is no longer eligible for Sub-Capacity licensing. If it is not licensed at Full-Capacity either, then it can be subject to heavy penalties. This is where many IBM customers find compliance issues during a software audit.
Here is what an example of what this would look like:
The Road to IBM Audits are Paved with Good Intentions
It’s our experience that most organizations have intentions to abide by their contractual agreements; however, those intentions rarely manifest into reality. Some notable reasons for this are:
-
- Shifting Sands: IPAA is ever-changing, and the standard agreement does not need two-party written consent to have the language. Thus, the agreement you reviewed when you entered into the contractual relationship with IBM is not the agreement you have now.
-
- Effort vs. Reward: ILMT is only required for IBM’s Processor Value Units (“PVU”) and Resource Value Units (“RVU”) to gain Sub-Capacity rights. IBM has hundreds of other licensing metrics that require manual efforts outside of ILMT. Thus, operationality can at times become perceived as a lower priority or value.
-
- Technical Complexity: ILMT was not designed with simplicity as a guiding principle. The installation, configuration, maintenance, and management require technical knowledge as well as dedication. Thus, most organizations may use the initial installation; however, ongoing maintenance and operation are forgotten.
Don’t Expect ILMT to Protect You from Everything
Even if you have ILMT, that doesn’t mean that you are safe from compliance issues during an IBM Software Audit. In fact, many companies experience a lot of technical issues surrounding ILMT’s deployment. For instance, you could be subject to any of the following issues that can result in the loss of your sub-capacity eligibility:
- Not generating and properly keeping quarterly reports from ILMT
- Having an outdated version of ILMT
- ILMT agents can fail when it comes to agent scans and capacity scans because of incompatibility, lack of disc space, or credential issues
- If you want to selectively deploy ILMT to only servers with IBM products on them, then ILMT might come across issues detecting and identifying which servers to monitor. Anything that is missed will lose its Sub-Capacity eligibility.
- Having any IBM products deployed on Operating Systems that ILMT doesn’t support
- ILMT can easily struggle with accurately bundling unique software signatures for reporting. To do this successfully requires knowledge of your specific license restrictions and entitlements.
Failure to remain compliant simply because of technical issues regarding ILMT may open a company up to the possibility of a concession regarding the adverse findings but such a case would be difficult to achieve since it is reliant on a number of factors.
These issues include when you first tried to deploy ILMT, if IBM support was ever contacted, if ILMT was set to deploy over your entire estate or simply over IBM’s products, if problems with ILMT were reported and how much effort you put into solving the issue.
For more information on IBM’s ILMT, you can check out our article: IBM ILMT: Everything You Need to Know.
Expect Either KPMG or Deloitte to be Involved
Software vendors each approach software audits a little differently. Some have an internal audit team, but IBM outsources the project to either KPMG or Deloitte. However, simply because the auditors are a third-party does not mean that they are neutral.
IBM hired them to find compliance gaps in your infrastructure, so they will take the worst-case scenario as reality when given the chance to make assumptions. Since they are outsourcing the project, you can (and should) have a Non-Disclosure Agreement (NDA) with the auditors so that neither your data, nor the estimated licensing position (ELP) that the auditors come up with can go to IBM without your approval first.
This will play to your advantage because the wide array of confusing and complex IBM products and their licensing will almost ensure that the initial ELP that auditors come up with will be far from an accurate depiction of what you actually owe.
If You’re Found Out of Compliance, Expect to Pay Retroactive Maintenance Fees
IBM sends out their audits roughly every four years. As nice as it may sound not having to worry about having auditors at your door every year, if you are found out of compliance, not only will you have to pay for your missing licenses, you will also have to pay retroactive maintenance fees going back years.
Watch Out for IBM Licenses Changes
You can expect IBM to change up their license metrics when they acquire a new software company or release new versions of their existing products.
IBM will continue to take maintenance fees based on old licensing models, so don’t let the fact that they are still taking your company’s money be any indicator that you are adhering to the correct licensing model.
If you have an arrangement that allows for licenses to be used on an unlimited basis, you could very easily lose that privilege after IBM acquires the product and releases the first upgrade after the acquisition. So it is important you keep up to date on any industry updates concerning IBM and what that could mean for your company.
Preparing Your IBM Audit Defense
IBM is a massive company with complex products that can prove a challenge to keep track of but that doesn’t mean it is impossible to keep on top of your IBM licensing. Being prepared will keep you from potentially paying out expensive auditing penalties and losing your Sub-Capacity eligibility.
At MetrixData 360, we know how to defend our clients when they are facing off against IBM. They only pay what they actually owe. If you’d like to learn more about how you can get yourself ready for an audit, download our free Audit Risk Checklist today!
Take the IBM Licensing Quiz:
If you want IBM licensing professionals handling your IBM assets, take stab at our IBM ILMT Quiz: