Tips for Handling an IBM Software Audit
An IBM Software Audit can be an utterly grueling experience. While there is no way to completely eliminate your risk of incurring an audit from IBM as long as you have their products, being prepared for an audit, should one occur, is your best means of defense.
At MetrixData 360, we have helped countless clients prepare for an IBM audit and successfully defend themselves against IBM auditors. Here are our recommendations for making sure you’re properly prepared for your IBM audit.
Have IBM’s License Metric Tool (ILMT) Properly Deployed
ILMT comes with many benefits, namely providing you with protection when faced with an IBM software audit. To summarize, IBM’s License Metric Tool (ILMT) is a software asset management tool freely available to IBM’s customers that is used to monitor consumption of IBM’s products.
Not having ILMT puts a huge target on your back for a software audit from IBM, as it will make IBM suspect that you have no way of tracking your consumption. Unless you meet the criteria that exempt you, you will have to license all IBM products under Full-Capacity terms if you don’t have ILMT.
If you are found to have IBM’s software that has been deployed for 90 days and it doesn’t have ILMT on the same virtual server, then it is no longer eligible for Sub-Capacity licensing. If it is not licensed at Full-Capacity either, then it can be subject to heavy penalties. This is where many IBM customers find compliance issues during a software audit.
But… Don’t Expect ILMT to Protect You from Everything
Even if you have ILMT, that doesn’t mean that you are safe from compliance issues during an IBM Software Audit. In fact, many companies experience a lot of technical issues surrounding ILMT’s deployment. For instance, you could be subject to any of the following issues that can result in the loss of your sub-capacity eligibility:
- Not generating and properly keeping quarterly reports from ILMT
- Having an outdated version of ILMT
- ILMT agents can fail during agent scans and capacity scans because of incompatibility, lack of disk space, or credential issues
- If you want to selectively deploy ILMT to only servers with IBM products on them, then ILMT might come across issues detecting and identifying which servers to monitor. Anything that is missed will lose its Sub-Capacity eligibility.
- Having any IBM products deployed on Operating Systems that ILMT doesn’t support
- ILMT can easily struggle with accurately bundling unique software signatures for reporting. To do this successfully requires knowledge of your specific license restrictions and entitlements.
Failure to remain compliant simply because of technical issues with ILMT may open up the possibility of a concession on the adverse findings, but such a concession would be difficult to achieve since it depends on a number of factors.
These factors include when you first tried to deploy ILMT, whether IBM support was ever contacted, whether ILMT was set to deploy over your entire estate or only over IBM’s products, whether problems with ILMT were reported, and how much effort you put into solving the issue.
For more information on IBM’s ILMT, you can check out our article: IBM ILMT: Everything You Need to Know.
Expect Either KPMG or Deloitte to be Involved
Software vendors each approach software audits a little differently. Some have an internal audit team, but IBM outsources the project to either KPMG or Deloitte. However, simply because the auditors are a third party does not mean that they are neutral.
IBM hired them to find compliance gaps in your infrastructure, so they will take the worst-case scenario as reality when given the chance to make assumptions. Since IBM is outsourcing the project, you can (and should) have a Non-Disclosure Agreement with the auditors so that neither your data nor the estimated licensing position (ELP) that the auditors come up with can go to IBM without your approval first.
This will play to your advantage because the wide array of confusing and complex IBM products and their licensing will almost ensure that the initial ELP that auditors come up with will be far from an accurate depiction of what you actually owe.
If You’re Found Out of Compliance, Expect to Pay Retroactive Maintenance Fees
IBM sends out their audits roughly every four years. As nice as it may sound not having to worry about having auditors at your door every year, if you are found out of compliance, not only will you have to pay for your missing licenses, you will also have to pay retroactive maintenance fees going back years.
IBM License Changes
You can expect IBM to change up their license metrics when they acquire a new software company or release new versions of their existing products.
IBM will continue to take maintenance fees based on old licensing models, so don’t let the fact that they are still taking your company’s money be any indicator that you are adhering to the correct licensing model.
If you have an arrangement that allows for licenses to be used on an unlimited basis, you could very easily lose that privilege after IBM acquires the product and releases the first upgrade after the acquisition. So it is important you keep up to date on any industry updates concerning IBM and what that could mean for your company.
Preparing Your IBM Audit Defense
IBM is a massive company with complex products that can prove a challenge to keep track of, but that doesn’t mean it is impossible to keep on top of your IBM licensing. Being prepared will keep you from potentially paying out expensive auditing penalties and losing your Sub-Capacity eligibility.
At MetrixData 360, we know how to defend our clients when they are facing off against IBM. They only pay what they actually owe. If you’d like to learn more about how you can get yourself ready for an audit, download our free Audit Risk Checklist today!