IBM Software Audit:
Frequently Asked Questions
If your business, company, or organization uses IBM products, you may have some questions about software licensing and how to protect yourself against a software audit.
An audit from IBM can be an exhausting experience that no business wants to go through, and if you fail the audit, it can also be very costly.
While most companies strive to uphold their software contract agreements the best that they can, the ever-changing nature of IBM contracts and IBM audits can make things complicated.
Understanding some of the tools available to help you maintain compliance and what to do if you are audited by IBM can be useful.
A: The IBM audit process can take a few months to a year or more, depending on the size of the network or products and services used by the company being audited by IBM. While IBM likes to say that its audit process is not disruptive to a company’s business operations, the audit process can be extremely expensive and use significant resources. Hiring experienced legal counsel can help minimize business interruptions due to IBM’s audit process.
A: In most contracts, IBM includes an audit clause that requires a company to keep records of its system and tools for an independent auditor to verify compliance with its licensing rules. IBM requires compliance during the time of the agreement and while the customer continues to use the IBM products. For example, in some instances in IBM contracts, the duty to comply with licensing obligations remains in effect for up to 2 years after the contract has been completed or terminated and the products are no longer in use.
A: IBM has an aggressive auditing department and strives to audit each of its customers at some point during the professional relationship. IBM seems to prioritize certain cases where it believes that there likely is a compliance gap between what its customers own and what they have installed.
A: It is not advisable for you to ignore the request. Most IBM license agreements give IBM the right to audit an organization that has its products deployed. Failure to allow the audit to proceed may jeopardize an IBM user’s right to continue using the products.
A: In many cases, it is possible and advisable to negotiate the scope and timing of a requested audit before proceeding with any data collection or other audit steps. It is important to have a clear understanding of the products, lines of business and locations to be included in an audit. Where appropriate, it is also important to break the audit into phases in order to make the process more manageable.
A: IBM’s auditors typically request on-site inspections as part of the process. However, in some instances, the auditors will consent to a verification process that is conducted remotely.
A: It is always a good idea to require IBM’s auditor to sign a confidentiality agreement protecting the secrecy of the raw data to be collected.
A: It is important for an organization to understand the potential financial impact of the audit materials prior to submitting. Additionally, if there is someone who is unfamiliar with IBM’s process, the materials could be submitted incorrectly, potentially increasing the financial exposure.
A: Unlike internal audits and IT-vendor audits, attorney-conducted audits are protected by the attorney-work-product and attorney-client privileges. This means that the audit results typically are exempt from disclosure in the event of litigation and therefore cannot be used against you or your company in court.
A: First, it is vital to carefully review the audit findings in detail. IBM's customers often do not receive all the license credit they are entitlted to, and IBM typically will agree to modify its initial demands if there is a mistake in the calucations. Sometimes, IBM’s compliance teams often do not have a complete file of all license agreements that an audited company may have signed. In many cases, the negotiated terms of a license agreement can include alternative counting rules or other variables that change the way license requirements are determined for certain products. If the auditors are unaware of those terms, then the calculated audit discrepancies likely will be inflated and erroneous.
If your company uses IBM software, it’s important to understand IBM’s ILMT tool for software audits. The IBM License Metric Tool (ILMT) is a non-chargeable software application that measures the full and sub-capacity PVU/RVU based software deployed in your environment.
It is a free software asset management tool that can help you maintain compliance and take advantage of IBM’s sub-capacity software by keeping tracking of your software inventory, monitoring your license usage and keeping a list of hardware.
All IBM customers are also expected to be running the most up-to-date version of ILMT, and supplying hardware and installation is left up to customers.
A: ILMT is a free software asset management tool to help you better manage and uphold your IBM software licensing agreements and be ready to respond to an IBM audit. It is mandatory for all customers with PVU sub-capacity licensing and recommended for full capacity PVU environments as well. Sub-capacity customers who do not deploy ILMT within 90 days of using IBM’s software will no longer be eligible for sub-capacity licensing and you can face additional penalties.
A: Unfortunately, ILMT is not the simplest software, and it requires some technical knowledge and expertise to install, configure, manage and maintain. Having an IBM specialist on your team is the best bet.
A: Unfortunately, just running ILMT does not keep you safe from a software audit by IBM. Many customers who run ILMT, and have every intention of complying with IBM’s contract agreements, still find themselves being audited by IBM.
Here are some of the other reasons why companies can be audited:
- Not having the newest version of ILMT.
- Running IBM products on operating systems that are not supported by ILMT.
- Lack of disc space or credential issues can cause ILMT agents to fail due to incompatibility issues.
- Not generating quarterly ILMT reports.
- If you’re bundling unique software signatures for reporting, ILMT can have trouble.
Other issues can affect your IBM audit outcomes as well, such as if you ever contacted IBM to fix any issues you were having and how much effort you put into solving the problem.
A: Here are some frequently asked questions companies have who are chosen to be audited by IBM:
What are some reasons for failing your IBM software audit?
There are four primary reasons you could fail an IBM software audit. They include:
- Not updating records. Contracts are constantly updated by IBM and you need to keep track of all the changes as they happen. When past records are in disarray, you can’t defend your company in a software audit by IBM.
- Not keeping records. As companies grow and acquire new software, it is essential they keep a record of every purchase. Failing to do so can set you up for an IBM audit software failure.
- Software installs. Keeping track of new software installations, where software is being used and how many licenses are at play is up to you.
- Contract changes. Contracts are in a constant state of flux, and it’s up to you to stay on top of changes and keep accurate records.
Managing all your business’ software licenses is a difficult job, and it’s easier than most people think to fail an IBM software audit. If your company or business is facing an audit by IBM, it’s a good idea to speak with an experienced software audit attorney who can help you prepare the best strategy to represent your company.
A: When a formal audit letter appears, the first step to take is validate IBM’s right to audit under IPAA, Section 1.12 Compliance Verification. There may be contractual exceptions that prohibit IBM from auditing you. If that’s not the case, you must formally respond to IBM showing your willingness to cooperate.
After that, here are the next steps you should take:
- Negotiate. At the beginning, it’s important to negotiate and clarify the scope and timing of an IBM audit to give yourself time to prepare before data collection begins.
- Form a team. A response team should include IT and critical members of the C-suite, an IBM expert and an experienced software licensing attorney.
- Collect and review data. You will be given instructions by the IBM auditor to collect and submit data from software titles.
Self-audit. Perform a self-audit to measure the IBM software deployments based on IBM’s licensing metrics.
Unfortunately, IBM provides no grace period for companies to become compliant with their terms and conditions.
When you’re audited by IBM, your company is not the only one that will be preparing an experienced team. IBM will hire lawyers from large firms to negotiate and resolve disputes in their favor, which can mean expensive non-compliance fees for you and your company.
At Scott & Scott, our knowledgeable software audit attorneys have represented businesses of all sizes and successfully defended them against software license violations by IBM for many years. We can help you put together the best IBM audit defense strategy.
If your company organization is being audited by IBM, contact us today at (214) 880-8711 or online to schedule a free 30-minute call with one our qualified attorneys.