IBM Audit Avoidance or Revenue Acceleration?

Updated: Feb 23

IBM and its partners are heavily promoting the current IBM Authorized SAM Provider (IASP) program. But what exactly do the participants gain from it? Below is a summary of IASP program benefits, according to one of IBM’s authorized partners:

IBM states it will not audit you if you sign up for the service. Let's examine the validity of that claim and consider the program’s other terms and conditions.

“Customers in the IASP program are fully exempt from traditional license reviews, thus reducing business disruption and surprises.”

1. Audit Exemption

False. The program is itself an outsourced audit program meant to drive revenue and compliance with IBM software. To participate in the program, you must provide third-party (IASP provider) reports to IBM. Just to be clear: this is an audit. KPMG and Deloitte do the same thing officially -- they regularly create license reports about your compliance position and send them to IBM. Additionally, if you check the IASP terms closely, you will see that IBM reserves the right to audit you while you’re in the IASP program if they suspect a violation (limited to a specific product scope). This means if the IASP provider gives inaccurate advice, you’re on the hook to resolve it.

  1. Per the terms, the IASP will perform annual baseline audits of your entire IBM environment (including your mainframes). Also, every subsequent quarter they will spot-check ILMT. After each audit, you will have to true-up with IBM. That means four (!) audits a year (the annual baseline includes a review of ILMT), while IBM's historical business policy has been to audit once every three to five years. (This doesn't count all those follow-on ILMT audits, which IBM doesn't consider a full audit.)

  2. If you decide to leave the program, you will be on standard verification terms with a two-year lookback, which may include the time you were in the program.

“ASP ensures that installation is optimized and compliant for Sub-Cap licensing. There are no Full-Capacity charges regardless of historical ILMT status.”

2. Sub-Capacity Licensing

Misleading. While the IASP terms stipulate that there is no relief from sub-capacity requirements, IBM's auditors have granted sub-capacity consideration if the system has an ILMT agent on it at the "point-in-time" of the audit. The IASP providers do the same, ensuring you have full agent coverage. This is vexing to many IBM customers as findings quickly add up after discovering a handful of VMs that aren't tracked by ILMT (the entire reason for finding a friendlier way to collect audit dollars). Assigning an ILMT agent is a relatively straightforward solution to remediating risk (the idea is straightforward, though the execution is often far more complex). You really don't need a partner to help you determine if every IBM virtual server has an ILMT agent. However, a knowledgeable partner can provide value in determining the accuracy of ILMT, which consistently misreports IBM software and requires manual corrections and bundling exclusions to create reliable point-in-time license positions.

“No audit fees, back S&S, or other punitive charges. Customers receive normal discounts even for compliance issues, all transactions may be processed through customers’ preferred IBM resellers.”

3. Commercial Benefits

Misleading. IASP program terms do not include a waiver of the IPLA's standard two-year lookback for S&S. Also, most of the companies that IBM would invite to participate in this program are large ESSO/SA customers, whose agreements include ACP catalogs full of discounted prepaid software that can be leveraged to draw down and resolve audit findings (this is not always written into the terms of the agreement, but it is a very effective tactic). Furthermore, you are now on the hook to pay the "audit fees" that historically IBM paid to Deloitte and KPMG (either directly to the third-party provider, or indirectly via your ELA payments).

  1. Given the existing practice of using ACP catalogs to pay down compliance bills, the argument that “Customers receive normal discounts even for compliance issues” is a moot point. Your ACP funds are no additional cost to you. Getting a “normal discount” is great, but the real concern is, how can you be sure the partner is providing accurate guidance? You are handing over both licensing true-up decisions and the ongoing software subscription and support (S&S) stream to a third-party provider who is there at IBM’s request. Setting aside the compliance discounts, what about your ongoing S&S bill for licenses on which you true-up in error or disagreement? Is that ongoing bill worth it? What other business objectives could have been funded in place of erroneous “discounted” compliance findings?

“Customers have the opportunity to perform certain optimizations prior to submitting reports to IBM. IASP will support in mitigating risk, optimize license spend, predict license budget, and aid with intelligent procurement and planning.”

4. IBM License Optimization & Insight

Maybe. Except for EY, all the authorized providers have assisted IBM in performing software audits at some point in time, which builds a skillset you cannot find anywhere else. However, each of these providers had to sign up to enter this program. This presents an inherent conflict of interest, as IBM is using these providers as agents to perform audit services, and therefore expects to replace formal audit dollars with friendly IASP dollars. Can you trust the IASP provider to optimize findings on your behalf surrounding grey areas (of which there are many), or will the provider side with IBM? If IBM discovers that providers are not living up to the financial expectations (or providing optimization advice/insights that are contrary to IBM’s contractual interpretation), how will the vendor react? Will they perform a product-specific audit with another party? Might the company just disband the program, like it did with its last "friendly audit" program: the License Management Options (LMO), which featured:

  1. No formal audits if you were actively participating, though IBM reserved the right to request that the reports and supporting data be made subject to auditor review.

  2. You first created a baseline with an external third party ("audit"), which required a true-up at the end.

  3. You then managed the environment on your own based on a License Management Plan (LMP) which was created during the baseline exercise, then actively trued-up via self-reporting every quarter thereafter.

  4. Due to poor adoption rates, and likely some mistrust about the self-reported findings, this program was abandoned by the vendor.

“IASP customers can use Flexera in place of ILMT/BigFix as the approved IBM sub-capacity tool.”

5. Reduction of needed SAM tools

Misleading. All Flexera (FNMS) and HCL (BigFix Inventory) customers already have this option available to them.

  1. Also, ILMT is optional and customers can choose to license at full-capacity and/or utilize BYOSL (Bring Your Own Software License) where it makes sense. The BYOSL policy allows customers to utilize the public cloud at sub-capacity consumption without utilizing ILMT. As public cloud adoption continues to ramp up, many customers may find less need to keep ILMT around. The text of the policy can be viewed here.

“IASP customers will have access to some of the industry’s greatest minds when it comes to IBM licensing.”

6. Industry-leading IBM licensing knowledge

True-ish. As noted above, there is no way to thoroughly understand all the nuances of IBM licensing rules and policies without having some sort of audit experience gathered over years of interaction with myriad environments and licensing scenarios. That said, we urge clients to exercise caution regarding the business models of the IASP providers.

  1. Big 4 audit companies typically have a staff turnover rate of 15-20%, which means the odds are low of getting a 10-year IBM licensing veteran to perform analysis on your behalf. I can also assure you that the seasoned directors and partners are not doing any of the analysis and do little more than a “rubber stamp” review.

  2. These companies move as much analysis offshore as possible, where lower-cost resources enable them to increase profits. In my experience, I noted even higher turnover rates among offshore resources, which required constant training of new resources. This further decreases the likelihood of getting an accurate license analysis.

  3. “Industry-leading” can be a misleading term. Confirm the relevant experience of all the professionals with whom you engage to work on your account, and ensure there is not a bait-and-switch after you sign the SOW. Consider implementing an SLA or inserting contract language to validate who is doing work on your behalf.

  4. Please do not underestimate the importance of experience and expertise (breadth and depth). I have witnessed hundreds of auditor mistakes which the IBM customers ended up paying for, costing them millions of dollars. These were not mistakes made with ill intent, just inexperience or lack of proper QA procedures. ClearEdge's clients have saved millions of dollars due to our identification of improper analysis and inaccurate pricing. For example, we advised a client about the wrong part number being associated with a valid deployment, and once corrected, this resulted in over $1M in savings. This had cleared the auditor, IBM, and the client; it would have been paid for had we not identified it. It bears repeating: mistakes occur regularly, very often due to the complexity and scope of the IBM portfolio.

If customers do opt for the IASP, they must meet the following requirements to qualify as an “Active Participant”:

1. Select an Authorized Provider, of which there are currently four to choose from:

  1. Anglepoint - SAM-focused consulting firm founded by former KPMG software auditors; in the past they performed ILMT audits on behalf of IBM

  2. Deloitte - Big 4 auditing firm with SAM capabilities; current provider of software audits on behalf of IBM

  3. EY - Big 4 auditing firm with a smaller footprint of IBM license compliance expertise

  4. KPMG - Big 4 auditing firm with SAM capabilities; current provider of software audits on behalf of IBM

2. Provide a baseline report (i.e., audit report/license position) to IBM within 6 months of selecting a provider, and an updated baseline at least annually.

3. Provide reports on ILMT at least quarterly.

4. True-up within 60 days on any findings identified within any report.

In summary, there are many pros and cons to the new IASP program. People considering this path are trying to better monitor and control their IBM spend with proactive SAM policies and procedures, while mitigating audit risk. But if you are serious about improving SAM oversight of your IBM portfolio, there are many other options that should be considered before committing to this program. For instance, you could choose an independent SAM Managed Service Provider, diligently perform regular self-audits to measure usage and identify risk, or assign internal resources to oversee and vigorously defend the audit when it arises.

Jared Frehner is a Senior Manager on ClearEdge’s Software Asset Management and Compliance Services team, and a former professional IBM software auditor with KPMG.

This blog post was inspired by the webinar, IBM's IASP program: Fact or Fiction?.