Introduction to IBM License audits
When it comes to an IBM license audit, it is understandable if you are feeling overwhelmed. Managing your IBM licensing is complex at the best of times, without the added pressure and cost of an IBM audit. Hopefully this step-by-step guide on how to respond to an IBM software license audit will help. It contains the lessons learnt by our IBM license experts at License Hawk, who have completed more than 100 IBM license audit projects.
In this guide we’ll cover:
- What is an IBM License Audit
- What you can expect
- Recommended stages and steps to responding to an IBM license audit
What is an IBM license audit?
An IBM license audit is one of the ways IBM verifies that you are following their licensing terms and conditions. IBM assign a third-party auditor to carry out what they prefer to call a software license review (SLR). The auditor will then proceed to collect data, calculate your use of IBM products and provide a report on your compliance. Finally, if you have a compliance gap, you’ll be required to buy licenses to make up the shortfall.
Your organisation agreed to support license audits when it signed the IPLA; see clauses 11 & 4.1 in the agreement for more detail.
Why an IBM license audit is significant for your business
There are many reasons to be selected for an IBM audit. Here is a list of some of the IBM License Audit Triggers. If you haven’t received an audit notice in the last 3 years you can expect one in the coming 12 months.
An IBM audit is significant to your business because the cost of licenses to address a compliance gap is frequently in the millions. It is an unbudgeted expense which your CFO will not be happy about. It also requires significant time and resources from an organisation to respond to the auditor’s request.
What you can expect in an IBM license audit
The official IBM software audit process has 6 steps:
- Kick-off and Scoping
- Data Collection
- Testing and Verification
- Close Out
IBM estimate it takes 2-3 months to complete an audit. In reality an IBM software license audit will take significantly longer if you hope to reduce the final settlement with IBM.
The IBM Auditor’s role
In an IBM license audit the auditor’s role is to collect and analyse data to produce an IBM license position. It is their interpretation of the data and IBM licensing rules. An auditor will not discuss the financial implications of any compliance gaps, which is left to IBM. Keep this in mind when dealing with the auditor.
The IBM Account Manager’s role
The IBM account manager will introduce the auditor at the kick-off and scoping meeting. They may also be involved if there is a request to change scope or to provide clarification on some aspect of entitlement or the contract. The next time they are involved is when the license position has been calculated and the auditor provides their audit report. They should not be involved in the audit process until the final report has been agreed by the client. They should not receive any indication of the compliance position until you have approved the final report.
Recommended stages and steps to responding to an IBM license audit
Here are the stages and steps we recommend you consider when responding to an IBM license audit to ensure you get the optimum outcome. Our process for responding to an IBM license audit has 8 stages. Each stage has a list of steps with a link to more detail where available. The stages are focused on the client activities as they prepare to respond to the auditors’ requests.
8 Stages to responding to an IBM license audit
Our process has been divided into 8 stages.
- Initial License Audit Response
- Initial Risk Assessment
- IBM License Audit Scope
- Internal IBM License Audit
- Optimisation, Remediation & Defense Strategy
- External IBM License Audit
- Commercial Settlement of IBM license audit
- IBM License Audit Project Close
Although the stages are listed in sequence you can change the order or skip stages depending on time available.
1. Initial License Audit Response
When the email declaring you are receiving an IBM license audit arrives, you should take time to prepare before responding. Steps in the initial license audit response are:
- Invoke Vendor Audit Protocol
- Verify Audit Request
- Inform Stakeholders
- Single Point of Contact (SPC)
- Initiate an Audit Defence Project
- Engage IBM License Consultants
- Confirm receipt and Conditional Support to auditor
More detail is available in IBM License Audit – Initial Response.
2. Initial Risk Assessment (for IBM licensing)
The purpose of the initial risk assessment stage is to quickly estimate the size of any license compliance risk, including an estimate of the financial risk of non-compliance. Steps include:
- Collect available Entitlement information
- Collect available Deployment Information
  - focus on data from BigFix/ILMT
- Prepare Initial License Position
- Estimate financial risk (by product)
- Identify quick fixes
You should aim to complete the initial risk assessment in 1-2 weeks.
3. IBM License Audit Scope and NDA
The license audit notification letter from IBM is very high level. You will need to agree an audit-specific NDA with the auditor as well as document the scope in a Statement of Work (SOW).
Steps in this stage include:
- Agree audit-specific NDA
- Negotiate scope of IBM license audit
- Where required document methods for measuring product deployment
- Agree SOW
Many aspects of the SOW are negotiable. IBM will also need to approve the SOW. Read the Guide to Non-Disclosure Agreements in an IBM license audit for more information.
4. Internal IBM License Audit
The purpose of the internal license audit is to simulate the activities of the external auditor. There is a significant advantage to knowing if and where the compliance risks are before sharing information with the external auditor. Steps include:
- Collect all Entitlement
- Collect all Deployment (all products)
  - PVU and Non-PVU
- Server List Completeness Check
- Prepare ELP with financial details
- Identify and quantify compliance risks
Assuming you have done an initial risk assessment, this stage will take 2 weeks depending on the number of products and the responsiveness of the product owners.
5. Reduce & Remediate
The purpose of the reduce & remediate stage is to reduce known compliance risks as much as possible, in advance of sharing information with the external auditor. Steps include:
- Prioritise compliance risks by financial impact
- Prepare and implement reduction or remediation plans
- Prepare strategy for remaining compliance risk
- Recalculate ELP
This stage may run in parallel with other stages, as compliance risks may be spotted at any time.
6. External IBM License Audit
This stage focuses on engaging with the external IBM license auditor. It assumes the NDA and SOW have been agreed. Steps include:
- Establish Project
- Agree Entitlement Position
- Agree Deployment Position
  - review deployment evidence
  - provide deployment evidence
  - repeat until auditor satisfied
- Auditors Report
  - Auditor prepares report on findings
  - Review and provide feedback
  - Notes added to report
  - repeat until agreement reached
- Auditor report is released to IBM
7. Commercial Settlement of IBM license audit
This stage focuses on engaging with IBM and reaching a commercial settlement. Steps include:
- Negotiating and reaching final agreement on audit findings
- Bill of materials for purchase
- Commercial Negotiations
- Formal close of audit
8. License Audit Close
The final stage focuses on closing the audit. Steps include:
- Archive project materials
- Formal notice of audit closure from IBM
- Internal Project Close Report and presentation
- Lessons learnt and proposed process improvements
The IBM license audit process described here will help you to structure your response to an IBM license audit. The links to supporting articles will provide more detail on specific steps and supporting resources.