IBM License Audit from the Auditor’s Perspective

IBM License Audit

IBM operates a worldwide licensing verification program that aims to verify that clients comply with the license terms governing the IBM programs they use. Verification typically takes the form of an audit conducted by an independent auditor. This guest post describes an IBM License Audit process from the Auditor’s Perspective.

About IBM License Audits

We know that IBM license terms can be complex. The ever-changing IT and business landscapes make staying compliant more difficult. IBM’s license agreements require clients to show that they follow IBM’s licensing terms. One means of achieving this is through an audit.

Audits allow IBM and clients to check that the use of IBM offerings remains within the license terms. Clients can expect to be audited every three to four years. All audits start with a formal notification letter sent to the client invoking IBM’s right to audit. Each audit is led by an IBM Licensing Representative, usually supported by a third-party auditor.

Stages in an IBM License Audit

From an auditor’s perspective, there are six stages in an IBM license audit:

  1. Notification
  2. Kick-off Meeting
  3. Data Collection
  4. Testing and Verification
  5. Reporting
  6. Close Out

1. Notification

Notification of an audit is sent in writing to the client. Notification letters will identify the IBM contact team and the auditor. An introductory call from the IBM Licensing Representative will usually follow the letter.

2. Kick-off Meeting

After the notification, a more detailed meeting or call will be held with IBM’s Licensing Representative, the client, and the auditor. The purpose is to set out the audit approach and to agree on an appropriate timetable for the audit and other planning matters. It also provides an opportunity for a more in-depth explanation of the audit process and the information necessary, an introduction to the people involved, and a high-level overview of the client’s use of IBM offerings and their IT estate.

3. Data Collection

The auditor will provide a detailed information request, often in the form of a workbook the client can complete. This will request information about the client’s IT architecture, including system reports, log files, user lists, and related items. The confidentiality terms in the license agreement between IBM and the client protect the provision of this information.

4. Testing and Verification

Information provided by the client will be tested and verified. This may involve further use of scripts, additional data requests, and interviews with relevant client personnel. Data collection, testing, and verification are often an iterative process. A vital aspect of this is testing completeness, that is, confirming that all IBM offerings have been identified.

5. Reporting

An Effective License Position (‘ELP’) is the output of an audit. This identifies license or S&S surpluses and license shortfalls or S&S reinstatement requirements for all IBM offerings within the scope agreed upon at the kick-off meeting.

A draft report will be shared with the client before it is formally provided to IBM to enable the client to check the report’s accuracy, provide any additional information, and comment on the draft findings. Shortly after, the IBM Licensing Representative will give a formal report, amending any errors or omissions in the draft report and including the client’s comments.

6. Close Out

The resolution of any shortfalls will be agreed upon with the client by IBM’s License Compliance team. Per the Passport Advantage agreement, the resolution will include charges for any excess use and Subscription and Support (S&S) for that excess use for two years or from the date the shortfall arose (whichever is shorter).

Auditor’s Activities at each stage in an IBM audit

1. Team Coordination

Auditors identify and coordinate with internal stakeholders, including Software Asset Managers, Infrastructure Management, and Application Owners.

2. Review Documentation

Auditors familiarize themselves with IBM’s licensing agreements, client entitlements, and historical data to understand the scope of the audit.

3. Detailed Planning

Auditors and IBM Licensing Representatives meet with the client to outline the audit approach, agree on timelines, and clarify the required data and documentation.

4. Information Requests and Confidentiality

Auditors provide a workbook requesting detailed information about the client’s IT architecture, including system reports, scripts to run discovery outputs, product-specific outputs, log files, user lists, and more. The auditor should also ensure data protection in accordance with the confidentiality terms in the license agreement between IBM and the client.

5. Data Validation

Auditors test the completeness and accuracy of the provided data, ensuring all IBM offerings are identified. This may involve running specific commands or automated scripts. Further data requests and Q&A may be conducted to clarify and verify the initial findings.

6. Building the Effective License Position (ELP)

Auditors analyze the data collected and compile an ELP identifying license or Subscription and Support (S&S) surpluses and discrepancies for the client at each product level. The draft report is shared with the client for review, allowing for corrections or additional information before finalizing the report.

7. Close Out

Auditors produce the final draft of the ELP report with the IBM Licensing Representative and the client. IBM and the client will then discuss any shortfalls and discrepancies, which will be addressed per the guidelines of IBM’s License Compliance team.

IBM’s involvement at each stage in an IBM audit

IBM is involved in three main situations:

1. Initial Audit Notification:

IBM initiates the audit and provides guidance. They send the notification letter. They will introduce the nominated IBM Licensing Representative.

2. Support and Guidance:

IBM assists in understanding licensing terms and compliance requirements.

3. Final Review:

IBM reviews the audit report (ELP) and discusses remediation steps with the client.

Common Mistakes Made by Clients in an IBM License Audit

1. Incomplete Data

Clients often fail to gather comprehensive, accurate data on software usage and entitlements. Incomplete data can lead to inaccurate audit results and potential non-compliance issues. It may also prolong the audit process as auditors must repeatedly request additional information.

2. Misclassification of Environments

Incorrectly classifying production, development, and test environments can lead to incorrect license calculations, as different environments may have different licensing requirements. This can result in either over-licensing or under-licensing, both of which have financial implications.

3. Inactive User Accounts

Failing to remove inactive or obsolete user accounts may lead to their inclusion in license counts, which in turn inflates the number of required licenses and leads to unnecessary costs.

4. Virtualization Compliance

Virtualized environments require precise configuration to ensure accurate measurement of license usage. Misconfigurations can lead to significant discrepancies in reported usage, potentially resulting in compliance breaches and financial penalties.

IBM License Audits

IBM license audits are essential for ensuring compliance with licensing terms and optimizing software usage. Through a structured process involving notification, data collection, testing, and reporting, both IBM and clients can achieve a thorough understanding of software deployments and license requirements.

Common client mistakes like incomplete data collection and misclassification of environments can be mitigated with proper preparation and ongoing monitoring.

IBM’s involvement at various stages ensures guidance, support, and final review, helping clients address discrepancies and maintain compliance.

FAQ

  • How often are IBM license audits conducted? IBM audits are typically conducted every three to four years.
  • What is an Effective License Position (ELP)? An ELP is a report identifying license surpluses and shortfalls, ensuring compliance with IBM licensing terms.
  • What should clients expect during an audit? Clients should prepare for detailed data collection, validation, and iterative testing, followed by a comprehensive report and remediation steps if necessary.
  • How can clients avoid common audit mistakes? By gathering accurate data, correctly classifying environments, removing inactive user accounts, and ensuring proper virtualization configurations, clients can avoid common mistakes and ensure compliance.
  • What support does IBM provide during an audit? IBM offers initial guidance, ongoing support to understand licensing terms, and a final review of the audit report to ensure accuracy and compliance.

For more details on IBM License Audits, visit the IBM License Audit page.