IBM License Audit Preparation: What You Need to Know

A practical guide from consultants who have helped organizations through dozens of IBM license audits

What Triggers an IBM License Audit?

The first thing to understand is that IBM has the contractual right to audit any Passport Advantage customer at any time. This right is embedded in the Passport Advantage Agreement itself, in a section typically titled "Verification" or "Audit Rights." When you signed Passport Advantage, you agreed to it. Every IBM customer has.

That said, IBM does not audit everyone every year. They have a finite number of audit resources, so they prioritize. While IBM does not publish its selection criteria, patterns emerge based on our experience helping clients through these processes.

Random selection is real. IBM maintains a rotation and some audits are simply your number coming up. There is nothing you could have done to prevent it and nothing you did to trigger it. It just happens.

Mergers and acquisitions are a common trigger. When two companies merge, their IBM license positions need to be reconciled. IBM knows about these events (they are public information) and often initiates audits during or shortly after the integration period. This is also the time when license compliance is most likely to slip, because infrastructure teams are consolidating environments and license tracking tends to fall through the cracks.

Significant changes in your IBM spending pattern can attract attention. If your Passport Advantage renewals have been declining steadily, IBM may want to verify that the reduction in spending matches a genuine reduction in usage. Conversely, if you have been buying very few new licenses while maintaining a large installed base, that can also prompt a review.

Tip-offs from former employees or business partners are rare but they do happen. Someone who knows your IBM environment was under-licensed contacts IBM, and that triggers an investigation.

The honest truth is this: you cannot prevent an audit. You can only prepare for one. Treating audit readiness as an ongoing practice rather than a scramble after the letter arrives is the single best thing you can do for your organization.

The IBM Audit Timeline

Understanding the timeline helps you plan your response and manage expectations internally. IBM audits follow a fairly predictable process, though the duration varies.

The audit letter. You will receive a formal notification, usually by email to your Passport Advantage primary contact, and sometimes by registered mail. The letter states that IBM is exercising its audit rights under your agreement. It will identify the auditing firm. In Europe, this is typically Deloitte, PwC, or KPMG. In North America, IBM sometimes uses its own License Compliance team or engages similar firms. The letter specifies the scope of the audit (which products, which time period) and requests an initial meeting to discuss the process.

Initial meeting and data request. Within the first two to four weeks, you will have a call or meeting with the audit team. They will explain the process, provide a formal data request list, and agree on a timeline for data delivery. The standard data delivery window is about 90 days from the initial notification, though this varies. If you need more time, you can request an extension. Auditors generally accommodate reasonable requests, especially if you are cooperating in good faith.

Data collection and submission. This is where the real work happens. You gather the requested ILMT reports, entitlement documentation, infrastructure data, and anything else on the list. The quality and completeness of what you submit here determines the trajectory of the rest of the audit. We will cover exactly what auditors ask for in the next section.

Analysis phase. The auditing firm reviews your data. This can take one to three months depending on the complexity of your environment. During this phase, they may come back with follow-up questions or requests for additional data. Respond promptly and precisely. Delays on your side extend the entire audit timeline.

Preliminary findings. The auditors present their initial findings. This document lists any discrepancies between your license entitlements and your actual software deployment. It is important to understand that preliminary findings are a starting point for discussion, not a final invoice. We will talk about negotiation later.

Resolution. You review the findings, raise any disagreements, provide additional evidence if needed, and work toward a resolution. This might involve purchasing additional licenses, accepting a settlement amount, or demonstrating that the auditor's findings were incorrect. The resolution phase can take anywhere from a few weeks to several months.

The entire process, from the first letter to final resolution, typically takes 3 to 12 months. Complex audits involving multiple products, large environments, or significant compliance gaps can extend beyond a year.

What Auditors Actually Ask For

Knowing exactly what documents and data the auditors will request helps you prepare in advance. Here is the typical data request list, based on audits we have been involved with.

ILMT Audit Snapshot reports. These are the primary evidence of your sub-capacity license position. Auditors want Audit Snapshots covering the entire review period, which is usually the full sub-capacity reporting period since your last audit or the last two to three years. Each snapshot should be a complete export from your ILMT server, not a filtered or partial report. The snapshots contain product identification, PVU consumption, server inventory, and virtualization topology data.

Passport Advantage entitlement records. These are your Proof of Entitlement (PoE) documents. They show what IBM software licenses you actually own, the quantities, and the effective dates. Auditors will compare what ILMT says you are using against what your PoE documents say you are entitled to use. If you cannot produce your PoE records, the auditors will work from IBM's own records, which may not reflect all of your purchases (especially if some licenses were acquired through third parties or predecessors in a merger).

Infrastructure documentation. Auditors want to understand your physical and virtual infrastructure. This includes server hardware inventories, VMware vCenter exports showing VM-to-host mappings and resource allocations, HMC data for Power Systems environments, and Hyper-V host configuration data. They use this to cross-reference against what ILMT reports. If ILMT shows a VM running on a host with 20 cores but the vCenter export shows 40 cores, the auditor will use the higher number.

Virtualization configuration details. Beyond basic topology, auditors may ask for detailed virtualization settings. For VMware, this means vCenter cluster configurations, resource pool settings, DRS rules, and CPU affinity configurations. For PowerVM, they want LPAR configurations, shared processor pool settings, and capping information. These details determine whether a VM qualifies for sub-capacity licensing or needs to be counted at full capacity.

Organizational and contractual information. The auditors may request a list of all legal entities covered by your Passport Advantage agreement, any subsidiary relationships, and details about any mergers or acquisitions during the review period. IBM licensing is tied to legal entities, and products used by an entity not covered by your agreement create compliance exposure.

The ILMT Data Checklist

Your ILMT data is the foundation of your audit defense. If it is clean, consistent, and complete, the audit is manageable. If it is not, you are starting from a position of weakness. Here is what "clean" actually means in practice.

Agent coverage must be complete. Every server in your environment that runs IBM software needs a BigFix agent that is actively reporting to your ILMT instance. This includes production, development, test, staging, disaster recovery, and training environments. It includes physical servers, virtual machines, and LPARs. If an auditor discovers IBM software running on a server that ILMT does not know about, that server's entire software deployment becomes a compliance finding. Run a comparison between your server inventory (from your CMDB, Active Directory, or VMware inventory) and your ILMT endpoint list. Any discrepancies need to be resolved before the audit.

Report continuity must have no gaps. ILMT needs to have been running continuously throughout the review period. Gaps in reporting mean gaps in your sub-capacity evidence. Check your ILMT data for periods where the number of reporting agents dropped significantly, where the ILMT server was offline, or where data imports failed. Even a few days of missing data can be problematic if they occur at a time when your environment changed (new servers deployed, VMs migrated, or capacity increased).

The software catalog must be current. ILMT identifies IBM products by matching installed files against its software catalog. If your catalog is outdated, ILMT may fail to recognize newer product versions or may misclassify products. Check the catalog version in your ILMT settings and compare it against the latest available from IBM. If you are more than one version behind, update it immediately.

Bundling rules must be correct. IBM products often include entitlements to other products. WebSphere Application Server Network Deployment includes a limited-use license for IBM HTTP Server, for example. DB2 Enterprise Server Edition includes several DB2 tools. If your ILMT bundling rules do not reflect your actual entitlements, the reports will overcount your license consumption. Review your bundling configuration against your Passport Advantage entitlements and correct any mismatches.

Virtualization data must be complete. The VM Manager connections in ILMT need to be working and current. Check that every VMware cluster is connected through vCenter, every PowerVM environment is connected through the HMC, and every Hyper-V host has an active BigFix agent. Missing virtualization data means ILMT cannot calculate sub-capacity values for the affected VMs, and the auditor will default to full-capacity calculations.
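The agent-coverage comparison and the report-continuity check from this checklist can be scripted. The following is an added example, not part of the original guide and not IBM or ILMT tooling. The CSV column names, host names, and thresholds are assumptions built for illustration, so map them to whatever your CMDB and ILMT exports actually contain.

```python
import csv
import io
from datetime import date, timedelta
from statistics import median

# Constructed sample data. Column names are assumptions for this example,
# not the format of any real CMDB or ILMT export.
INVENTORY_CSV = """hostname,environment
APP01.corp.example,production
db01.corp.example,production
test-db07,test
dr-app01.corp.example,dr
"""
ILMT_ENDPOINTS_CSV = """computer_name,last_seen
app01,2024-03-30
DB01.corp.example,2024-03-30
dr-app01,2024-01-12
"""
DAILY_AGENT_COUNTS_CSV = """day,reporting_agents
2024-03-01,150
2024-03-02,149
2024-03-03,96
2024-03-04,97
2024-03-07,150
"""

def short_name(host):
    # Inventories mix FQDNs, short names and letter case. Comparing on the
    # lowercase short name avoids false mismatches, but it will merge hosts
    # that share a short name across domains.
    return host.strip().lower().split(".")[0]

def coverage_gaps(inventory_csv, endpoints_csv, as_of, max_age_days=7):
    """Return (missing, stale): inventory hosts with no ILMT endpoint, and
    hosts whose endpoint has not reported within max_age_days of as_of."""
    inventory = {short_name(r["hostname"])
                 for r in csv.DictReader(io.StringIO(inventory_csv))}
    last_seen = {short_name(r["computer_name"]): date.fromisoformat(r["last_seen"])
                 for r in csv.DictReader(io.StringIO(endpoints_csv))}
    missing = sorted(inventory - set(last_seen))
    cutoff = as_of - timedelta(days=max_age_days)
    stale = sorted(h for h in inventory & set(last_seen) if last_seen[h] < cutoff)
    return missing, stale

def continuity_gaps(counts_csv, drop_ratio=0.8):
    """Walk every calendar day in the period and flag days with no data at
    all ("missing") or a count below drop_ratio of the median ("drop")."""
    counts = {date.fromisoformat(r["day"]): int(r["reporting_agents"])
              for r in csv.DictReader(io.StringIO(counts_csv))}
    threshold = drop_ratio * median(counts.values())
    findings = []
    day, last = min(counts), max(counts)
    while day <= last:
        if day not in counts:
            findings.append((day.isoformat(), "missing"))
        elif counts[day] < threshold:
            findings.append((day.isoformat(), "drop"))
        day += timedelta(days=1)
    return findings

if __name__ == "__main__":
    missing, stale = coverage_gaps(INVENTORY_CSV, ILMT_ENDPOINTS_CSV, date(2024, 3, 31))
    print("No ILMT endpoint:", missing)
    print("Endpoint not reporting recently:", stale)
    for day, kind in continuity_gaps(DAILY_AGENT_COUNTS_CSV):
        print(day, kind)
```

Stale endpoints matter as much as missing ones: an agent that exists in ILMT but stopped reporting produces the same gap in sub-capacity evidence as a server that was never enrolled.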

What Goes Wrong During Audits

Based on our experience helping organizations through IBM audits, these are the problems that cause the most financial damage.

Gaps in ILMT Data Defaulting to Full Capacity

This is the most expensive problem we see. When ILMT data has gaps, whether from the server being offline, agents not reporting, or data imports failing, IBM can treat those periods as if sub-capacity evidence does not exist. That means full-capacity calculations. For a VMware environment with even a modest number of hosts, the difference between sub-capacity and full-capacity pricing can be enormous. We worked with one organization where a three-month ILMT outage during a server migration resulted in a preliminary finding of over 400,000 euros. The actual sub-capacity consumption during that period would have been a fraction of that amount, but without ILMT data to prove it, there was no way to demonstrate the lower number.

Incorrect Bundling Inflating PVU Counts

When bundling rules in ILMT do not match your actual Passport Advantage entitlements, the reports show higher PVU consumption than reality. Products that should be covered by a bundle get counted as standalone installations. This inflates your apparent license consumption and, in an audit, gives the auditor a larger compliance gap to start from. While you can correct bundling during the audit by providing entitlement documentation, it is much better to have clean reports from the start. Auditors tend to trust data that has been consistently accurate over data that gets corrected after they start looking at it.

Missing Dev and Test Servers

Development and test environments are frequently left out of ILMT deployments. The reasoning is understandable but incorrect: "It is just a test server, it does not count." IBM's licensing terms apply to all environments. If a developer installed DB2 on a test VM to build a proof of concept, that installation requires a license. If that VM does not have a BigFix agent, ILMT does not see it. But an auditor who reviews your vCenter inventory or Active Directory will find it. And the license cost for software that ILMT missed is always counted at full capacity because there is no sub-capacity data to support a lower calculation.

Outdated Software Catalog Missing Products

When the ILMT software catalog is not kept current, newer IBM product versions may not be recognized. The products are still installed and running, but ILMT does not report them. This creates a false sense of compliance. Your ILMT reports look clean, but the auditor's analysis, which uses IBM's current catalog data, identifies products that your reports missed. The result is a compliance finding for products you did not even know you had, calculated at full capacity because ILMT has no historical data for them.

How to Respond to an Audit Letter

You have received the letter. IBM is exercising its audit rights. Here is what to do, step by step, based on what we have seen work in practice.

Do not panic. An audit letter is not a lawsuit. It is not an accusation. It is IBM exercising a contractual right that every Passport Advantage customer agreed to. Take a breath and approach this methodically.

Do not rush. The instinct to respond immediately and provide everything at once is natural but counterproductive. You have time. The initial data delivery deadline is typically 90 days, and extensions are negotiable. Use that time to prepare properly rather than sending incomplete or inaccurate data under pressure.

Assemble your team. You need someone who understands your ILMT data (your ILMT administrator or BigFix team), someone who manages your IBM entitlements (procurement or vendor management), and someone who can coordinate the response (often an IT manager or compliance lead). If nobody on your team has been through an IBM audit before, this is the time to consider engaging external help from someone who has.

Review your ILMT data before submitting it. Generate fresh Audit Snapshots, review them for completeness, check agent coverage, verify the VM Manager connections, and fix any obvious issues. You want the data you submit to be as clean and accurate as possible. First impressions matter, and an auditor who receives well-organized, complete data from the start will approach the audit differently than one who receives messy, incomplete data.

Provide exactly what is asked for. Answer the data request completely but precisely. Do not volunteer additional information that was not requested. Every piece of data you send becomes part of the auditor's analysis. If you send a complete server inventory that includes 200 servers and ILMT only covers 150, you have just identified 50 servers that need further investigation. Only send what the data request specifies.

Keep a record of everything. Document every communication, every data submission, every meeting, and every follow-up. If the audit reaches the negotiation phase, having a clear paper trail of your cooperation and data quality is valuable.

Can You Negotiate Audit Findings?

Yes. Almost always. This is something many organizations do not realize, and it is one of the most important things we tell our clients.

The preliminary findings document is not a final bill. It is the auditing firm's initial assessment based on their analysis of your data. It is a starting point for discussion, and the auditors expect you to review it and come back with questions, corrections, and counterarguments.

Common areas of negotiation include the following.

Methodology disagreements. The way the auditor calculated PVU consumption may not align with how IBM's own documentation describes the calculation. If you can demonstrate that the auditor applied the wrong PVU value to a processor type, used incorrect core counts, or miscalculated sub-capacity values, those findings should be adjusted. We have seen cases where the auditing firm used an outdated PVU table or misidentified a processor architecture, resulting in inflated PVU calculations that were corrected during review.

Product bundling questions. Auditors sometimes count products as standalone installations when they are actually covered by a bundle or included in another product's entitlement. If your Passport Advantage agreement includes WebSphere Application Server Network Deployment, the IBM HTTP Server instances on those same machines are covered. If the auditor counted them separately, that is a correction you should raise.

Effective license position calculation. The way entitlements are applied against consumption can change the outcome significantly. The order in which products are matched to entitlements, whether partial coverage from one entitlement can combine with partial coverage from another, and how historical entitlements apply to current usage are all areas where reasonable people can disagree. Push back on calculations that do not reflect your actual entitlement position.

Remediation credits. In many cases, the negotiation is not just about the size of the compliance finding but about how to resolve it. IBM may offer to apply the settlement amount as credit toward new purchases. If your organization was already planning to renew or expand its IBM footprint, a settlement structured as a purchase commitment can be more palatable than a standalone compliance payment.

The key is to engage constructively. Auditors respond well to organizations that review findings carefully, provide clear evidence for their position, and negotiate professionally. They respond poorly to organizations that ignore findings, refuse to engage, or make arguments without supporting evidence. Come prepared, stay factual, and treat the process as a business negotiation rather than a confrontation.

Frequently Asked Questions

How often does IBM audit its customers?

There is no fixed schedule. Some organizations go a decade without being audited. Others get audited multiple times within a few years. IBM's audit selection process is not fully transparent, but factors that increase your likelihood include large Passport Advantage agreements, recent mergers or acquisitions, significant changes in your IBM spending patterns, and simply being due for a review based on the age of your agreement. On average, most mid-to-large IBM customers can expect to be audited at least once every five to seven years.

Can I refuse an IBM license audit?

Technically, no. Your Passport Advantage agreement contains a clause that grants IBM the right to verify your compliance with licensing terms. Refusing to cooperate with an audit is a breach of your agreement, which could lead to IBM terminating your license entitlements or taking legal action. In practice, you do have some control over the timeline and scope of the audit. You can negotiate reasonable deadlines for data delivery and push back on requests that go beyond what the agreement entitles IBM to review. But outright refusing is not a viable strategy.

What if ILMT has gaps in its data during an audit?

Gaps in ILMT data are one of the most expensive problems you can have during an audit. For any period where ILMT was not running or where agents were not reporting, IBM can default to full-capacity calculations. That means you lose your sub-capacity pricing benefit for those periods and get charged based on the total physical capacity of every server that was running IBM software. The financial impact depends on the size of your environment and the length of the gaps. Even a few weeks of missing data on a large VMware cluster can result in a compliance finding worth hundreds of thousands of dollars.

How much do IBM license audits cost companies?

The cost varies enormously. Organizations that are well-prepared with clean ILMT data and accurate entitlement records often resolve audits with minimal or no financial impact. Organizations with gaps in their ILMT data, incomplete agent coverage, or poor entitlement documentation can face compliance findings ranging from tens of thousands to several million dollars. Beyond the direct license costs, there are indirect costs as well: internal staff time spent responding to auditor requests, consulting fees if you engage external help, and potential business disruption while the audit is ongoing.

Should I hire external help for an IBM license audit?

It depends on your internal expertise and the complexity of your IBM environment. If you have a dedicated ILMT administrator who generates reports regularly, keeps the software catalog current, and understands your Passport Advantage entitlements, you may be able to handle the audit internally. If your ILMT data has known issues, your entitlement records are incomplete, or nobody on your team has been through an IBM audit before, external help is a worthwhile investment. The cost of engaging a specialist is almost always far less than the cost of avoidable audit findings that result from inexperience with the process.

ILMT Consulting

Independent IBM ILMT and BigFix specialists working across Europe since 2015. We help organizations deploy, manage and optimize their ILMT environments for audit readiness.
