Top Findings in an IBM Audit: Re-Cap

Updated: Feb 23

These are the challenges of being in compliance with IBM software:

  • Licensing terms and metrics are complicated and change constantly, from version to version and from contract to contract.

  • The number of IBM software products in an organization, and the number of metrics needed to track them, is vast.

  • Software asset management tools overpromise and underdeliver. The tools do not count everything; they can’t track certain metrics.

  • New technology adds complexity. Legacy licensing terms and conditions are difficult to apply in the era of machine virtualization and the cloud.

Full-Capacity vs. Sub-Capacity

  • Imagine a pie, where full-capacity means you bought the entire pie, and it doesn’t matter how much you eat - you paid for the whole thing.

  • Sub-capacity means you pay per slice (the virtual cores actually available to your workload), or just what you need. This option provides an opportunity for cost savings and is how IBM and resellers typically quote the software cost. The catch is that sub-capacity pricing is only honored if IBM License Metric Tool (ILMT) is deployed and reporting correctly. During an audit, companies are often found out of compliance because they didn't configure ILMT properly (or at all), so the auditor counts every physical core of the host as if it were licensed (the full-capacity count), which is usually far more than what was paid for.

  • Even when used properly, ILMT can't count products on servers where the agent isn't deployed; typical ILMT agent coverage of IBM product installs is between 75% and 95% (and there are still plenty of companies that forgo it altogether). That 5% to 25% gap can result in millions of dollars of IBM audit findings. A practical check before an audit is to reconcile the list of hosts ILMT reports against your full server inventory (CMDB, hypervisor, cloud consoles) and treat every unreported host running IBM software as a full-capacity exposure.


  • There's a methodology built into ILMT to identify products based on the part numbers you've purchased, but it's imprecise. Many manual configurations go into this tool to make sure it reports accurately, and customers may not know how (or may neglect) to do them. IBM is starting to roll out software identification (SWID) tags to help address this, but most legacy deployments do not have these tags.


  • You’re allowed to make an exclusion for supporting products when they come with other products you’ve purchased and deployed. But if you’ve put these supporting products on a separate server and not noted the use case, the IBM auditor may count the licenses and find you out-of-compliance.

  • IBM software partners often include and/or embed software in their offerings. You don’t pay IBM separately for these products and you may not even notice that IBM’s DB2 came with your SAP purchase or a recent hardware purchase. The IBM auditor will scan your servers, note that DB2 is there, and find you out-of-compliance.

  • Also, when you buy a copy of DB2 Advanced, it comes with dozens of supporting programs. When you deploy one of these secondary programs, or a supporting program bundled within that secondary program, IBM auditors may challenge whether you're entitled to it. Most users aren't sure how to reconcile their entitlements in these situations; the safe practice is to record, for every supporting program you install, which purchased product's license it is deployed under.

  • Many exclusions are found by auditors to be invalid, such as DR copies, proof-of-concept use, or software that the customer considered decommissioned but that is still installed and discoverable on the server.

VM Manager

  • ILMT must have connectivity to your VM managers (for example, VMware vCenter) so it can identify the physical hosts and the number of cores each virtual machine can use; without that data it cannot produce a valid sub-capacity count. Many users fail to set this up, or set it up once and never verify that the connections are still working after credentials or hosts change.

  • Legacy Entitlements: IBM software has been around for a long time, so a lot of your entitlements are old, and perhaps you've migrated to a newer version that goes by another name. Some licenses are converted to the new products; others are not. Further, IBM requires you to produce the legacy contract, which sometimes has been misplaced and cannot be found. Or they ask for the proofs of entitlement (PoEs), and this information has gone missing. Or your company has acquired or been acquired by another firm, and the records were lost in the merger. Auditors will default to IBM's standard licensing terms if you can't produce your license.

  • Infrequent User: You're told by the sales team that a product is licensed by User Value Units (UVUs), and that licenses for users who only sign on, say, once a month will be steeply discounted. What they fail to tell you is that the onus is on you to build and retain a system that records and proves actual log-ins in order to claim those discounts; without that evidence, auditors count every provisioned user at the full rate.

  • Tebibyte: IBM counts "terabytes" of storage data by the tebibyte (2^40 bytes, or 1,099,511,627,776), while most people and most storage tools default to the decimal terabyte (10^12 bytes). A tebibyte is about 10% larger than a terabyte (the exact ratio is 1.0995), so a usage figure measured in one unit does not match a license count expressed in the other. Many users don't realize, or fail to notice in the contract, which definition IBM is using to capture terabyte usage.

  • Disaster Recovery: IBM doesn't generally charge for cold or warm standby servers, but it is aggressive about classifying an "idling" program as hot. You will be charged for any program that IBM considers to be "doing work". This includes, for example, production, development, maintenance and testing, as well as activities such as mirroring of transactions, updating of files, and synchronization of programs. IBM defines what "work" is, while you may be assuming all of this recovery capacity is free.

  • User Configuration: Sometimes everyone in a group is given access to a program, or a group is granted broader access than it requires. Under user-based metrics this can cause compliance issues, because auditors count everyone who is authorized to use the program, not just those who actually do. Moreover, if it's a legacy program, chances are that access privileges have not been reviewed in a long time, and it will be found out of compliance. Periodic access reviews that remove unneeded users and groups reduce both the licensing exposure and the security exposure.

Our IBM compliance practice consists of former professional auditors. We help many of our clients conduct self-audits to figure out how they want to handle renewals, or where they may be exposed prior to an official audit. We've seen a lot of "wiggle room" regarding IBM's full-capacity findings. It's important to examine these areas carefully, because once IBM auditors come in, your ability to negotiate with any leverage is severely limited. To learn more about our IBM audit preparation and defense services, please contact your ClearEdge representative.

Click here to view our IBM Audit Findings webinar recording.