ILMT Audit & Compliance

Expert IBM license audit preparation and ongoing compliance assurance

Why ILMT Compliance Matters

If your organization runs IBM software under a Passport Advantage agreement, you can be audited. IBM does not need a reason. The right is built into your contract. And when that letter arrives (usually from Deloitte, PwC, or KPMG on IBM's behalf), your ILMT data is the first thing they will ask for.

Here is what is at stake. ILMT is the only tool IBM accepts as proof that you qualify for sub-capacity licensing. Without valid ILMT data, IBM calculates your license requirements based on the full physical capacity of every server running their software. If you have WebSphere deployed on a VM with 4 virtual cores, but the physical host has 40 cores, then without ILMT you need licenses for all 40. Across a fleet of servers running Db2, MQ, Integration Bus, and other middleware, the difference between sub-capacity and full-capacity pricing can easily reach hundreds of thousands of euros.

The problem is that ILMT breaks quietly. Agents stop reporting after a server reboot and nobody notices. A new VMware cluster gets provisioned but the ILMT team is not informed. Someone updates the BigFix relay infrastructure and half the agents lose connectivity. The ILMT console still looks fine because it only shows you what it knows about. It cannot tell you about servers it has never seen.

By the time an audit starts, those gaps are already baked into your historical data. You cannot retroactively fix a 6-month reporting blackout.

Our ILMT Audit & Compliance Services

Pre-Audit Assessment

We log into your ILMT console and check what is actually there, not what you think is there. How many agents are deployed versus how many servers run IBM software? Are all agents reporting, or did some go silent weeks ago? Is the software catalog current, or is it still on a version from 2019? We compare the ILMT endpoint list against your CMDB or infrastructure inventory. We routinely find 10-20% of servers missing from ILMT in environments that the internal team believed were fully covered. You get a prioritized list of gaps with specific fix instructions, not a generic recommendations document.

Compliance Gap Analysis

We pull your Passport Advantage entitlement records and compare them line-by-line against your ILMT audit snapshot data. This is where things often get uncomfortable. It is not unusual to discover that your WebSphere Application Server Network Deployment licenses do not actually cover the number of PVUs ILMT is reporting, or that a Db2 installation on a test server was never properly categorized and is being counted at full production pricing. We document every gap with the specific financial exposure it represents. To be honest, sometimes the review reveals that you owe IBM money. But it is far better to know that now, on your terms, than to find out during a formal audit.

Report Accuracy Verification

ILMT reports are only useful if they are accurate. We have seen reports where PVU values were inflated because ILMT misidentified the processor type, or where a VMware DRS migration caused a temporary spike that made it look like software was running on more hosts than it actually was. We check that your virtualization topology is correctly reflected, meaning ILMT recognizes your VMware clusters, PowerVM LPARs, and Hyper-V partitions properly. We also look for false positive software detections. ILMT's software catalog is not perfect; it sometimes flags a file as an IBM product when it is actually something else entirely. Each issue like this inflates your reported usage and could cost you real money during an audit.

Audit Response Support

Already received the audit letter? We can help you respond. We prepare the data package the auditors are asking for: ILMT audit snapshots, entitlement documentation, infrastructure details. When the audit firm comes back with their preliminary findings, we review their calculations. Auditors make mistakes too. We have seen cases where they used incorrect PVU-per-core values for a processor, or miscounted license entitlements because they did not account for bundling rules. Having someone on your side who understands ILMT at a technical level makes a real difference when you need to push back on specific findings.

Not Sure Where You Stand with IBM?

Most organizations we talk to suspect they have gaps but do not know how serious they are. A compliance review gives you a clear answer and a plan to fix what needs fixing before IBM comes asking.

Request a Compliance Review

When Should You Request a Compliance Review?

There is no wrong time, but some situations make it especially urgent:

  • You have heard IBM is auditing companies in your industry or region. Audit waves are real. If two competitors got letters in the same quarter, you might be next. Better to find out what your data looks like now.
  • You just migrated servers, consolidated data centers, or moved workloads to the cloud. These are the changes that break ILMT coverage. We reviewed one environment where a data center migration left 40+ servers running IBM middleware without ILMT agents for almost 6 months. Nobody noticed because the old ILMT server was decommissioned and the new one was set up from scratch.
  • Your Passport Advantage renewal is coming up. If you know your actual sub-capacity usage, you negotiate from facts, not guesses. We have seen clients discover they were over-licensed on some products and under-licensed on others, which changed the entire renewal conversation.
  • You inherited an IBM environment through an acquisition or team change. If you did not set it up, you do not know what you are working with. A baseline review tells you exactly where things stand.

How We Work

We need remote access to your ILMT console. That is the starting point, and everything else follows from what the data actually shows. We look at agent deployment status, reporting continuity, software catalog version, scan schedules, and the generated audit snapshot reports. We then pull your Passport Advantage entitlements and your infrastructure documentation (vCenter exports, HMC data, whatever you have) and start cross-referencing.

The output is a findings report. Not a 60-page document full of boilerplate — a focused report that tells you exactly what is wrong, how serious it is, and what to do about it. Critical issues (like missing agents on production servers or reporting gaps that would trigger full-capacity calculations) are separated from lower-priority items (like outdated software catalog entries that do not affect your PVU count).

If you are already in an active audit, the approach shifts. We work backward from the auditor's timeline and focus on the fixes that will have the biggest impact on your compliance position. Some things can still be corrected mid-audit. Others cannot, but even then understanding the exposure helps you negotiate from an informed position rather than just accepting whatever number the audit firm presents.

We have been doing this since 2015 across environments of all sizes, from a single ILMT server managing 30 endpoints to multi-site deployments with 500+ servers running the full IBM middleware stack on VMware, PowerVM, and hybrid cloud. That experience means we know what the auditors look for, which issues actually matter, and which ones are noise.

Frequently Asked Questions

How do I prepare for an IBM license audit?

The most important thing is to not panic and not rush. You typically have 90 days from the initial audit letter to provide data, so use that time wisely. First, check your ILMT agent coverage. Log into the ILMT console and compare the list of managed endpoints against a list of every server where IBM software is installed. We regularly find servers that were provisioned after the initial ILMT rollout and never got an agent. Next, generate audit snapshot reports and look for red flags: servers showing zero software but known to run WebSphere or MQ, PVU values that seem unreasonably high or low, or gaps in reporting history. Pull your Passport Advantage entitlement report from IBM and compare it against your ILMT output. One thing people overlook is the virtualization documentation. Auditors will want to see your VMware cluster configuration, host-to-VM mappings, and any PowerVM LPAR definitions. They use this to verify that ILMT is correctly calculating sub-capacity values.

What actually happens during an IBM software audit?

It starts with a letter, usually from a third-party firm like Deloitte, PwC, or KPMG acting on IBM's behalf. The letter references your Passport Advantage agreement and formally requests license compliance data. You typically get about 90 days, though IBM sometimes negotiates extensions. The auditors send a detailed data request: ILMT reports (audit snapshots covering the entire sub-capacity period), your Passport Advantage entitlement records, infrastructure documentation, and sometimes raw BigFix inventory data. They compare what you are entitled to against what ILMT says you are using. The whole process takes 3-9 months in practice, and longer for complex environments. Here is the part that catches people off guard: if your ILMT data has gaps (say agents were offline for several months), auditors can default those periods to full-capacity calculations. That is where the big numbers come from. We have seen cases where a 3-month gap in agent reporting on a VMware cluster turned a minor shortfall into a six-figure compliance claim.

Can ILMT reports actually reduce my IBM license costs?

Yes, and this is the entire point of ILMT. Without valid ILMT data, IBM requires you to license every processor core in the physical server where their software runs. With ILMT, you only license the virtual capacity allocated to the VM. A concrete example: if you run WebSphere on a VM with 4 virtual cores inside a host with 40 physical cores, that is the difference between licensing 4 cores and 40. Multiply that across a fleet of servers and you can see why sub-capacity licensing routinely saves 60-80% compared to full-capacity. But here is the catch: ILMT must be properly deployed and continuously reporting for the entire measurement period. It is not something you can install a month before an audit and expect IBM to accept. The sub-capacity licensing terms (the ILMT/Sub-Capacity Attachment to your Passport Advantage agreement) are specific about this. If ILMT was not running, or was not running correctly, you lose the sub-capacity benefit for that period.

How long does an ILMT compliance review take?

It depends on the size of the environment, but most reviews take 1-3 weeks. For a smaller setup, say 20-50 servers, one data center, and a handful of IBM products, we can usually get through it in about a week. Larger environments with hundreds of endpoints across multiple sites take longer, especially if the ILMT server has performance issues or the data is messy. The biggest time factor is usually not the analysis itself but getting access. We need remote access to the ILMT console, your Passport Advantage entitlement documentation, and ideally your virtualization management tools (vCenter, HMC). Once we have all that, we move fast. We share preliminary findings as we go. If we spot something critical on day two, we will tell you on day two, not wait for the final report.

Not Sure If You Are Audit-Ready?

Tell us what your ILMT setup looks like and we will give you an honest assessment, including whether you actually need our help or can handle it internally.

Get in Touch

Our Services

Find Out Before IBM Does

Every compliance issue we find before an audit is one you can fix on your own terms. The ones auditors find first tend to be more expensive.

Request a Compliance Review