IBM Insight: What to expect from an IBM Software License Review


Have you received an IBM Software License Review notification letter? Are you wondering what will happen and what you should do next?

In this article we will walk you through the typical stages and give you some key pointers on how to optimally prepare for, and manage, the audit process.

Before we start describing the audit process, a quick clarification on terminology. IBM, and the audit firms, typically refer to this activity as an “IBM Software License Review”. The corresponding section in the Passport Advantage terms and conditions is titled “Compliance Verification”, and it describes how IBM may use an “independent auditor” to perform this verification. IBM and its auditors will typically prefer not to use the word “audit” to describe this activity, as it could draw unwanted parallels with formal financial audits.  However, we find that ITAA clients usually use the word “audit” to describe this activity, and so we will in this article.

IBM license compliance audits are a common occurrence for IBM customers. Many customers experience the process as disruptive, and audits often lead to unexpected compliance exposure. The key success factors in managing IBM software audits are preparation and attention to detail. Audits are typically performed by one of IBM’s auditors, Deloitte or KPMG. Every audit is different and will vary depending on, for example, the product scope, the size and complexity of your organization and the data sources you have available. Even though every audit is different, they are typically organized in the stages outlined below.

IBM Software License Review notification

The IBM Software License Review notification letter is the formal announcement by IBM that it intends to have a compliance verification performed at your organization, by either Deloitte or KPMG. Carefully review the contents of the notification letter, as it may help you determine the intended scope, such as the targeted legal entity, the audit scope (e.g. ILMT-only vs. full audit) and the name of the auditor. If you have concerns about the timing of the audit or the auditor selected, this is the right moment to raise those concerns.

Kick-off meeting with IBM and the audit firm

A typical kick-off meeting is a three-way call between IBM, the customer and the audit firm. IBM and the audit firm will present their process.  You may be asked to share details about your IT environment and IBM software footprint. However, at this stage it is not yet necessary for you as a customer to have all the details ready. If your organization has any requirements regarding external auditors signing non-disclosure agreements this is the right time to raise the requirement and start that process. Keep in mind that if you wish to implement a confidentiality agreement other than the standard IBM Agreement for the Exchange of Confidential Information (AECI), the Passport Advantage terms state that this must be completed within 60 days.

Software license review scope and approach

Very soon after the kick-off meeting, and sometimes during, the audit discussion will focus on the audit scope and approach. It is important to make sure the audit approach aligns with your contractual arrangements, internal organization and available data sources. It is always possible to propose alternative approaches to the audit as long as the auditor can still effectively perform and complete their compliance verification. For example, the auditor may request that you run scripts on all servers in your IT environment as part of the data collection procedures. However, if running such scripts would conflict with internal security protocols, and you have equivalent sources of information available, it is always possible to negotiate a different audit approach. The compliance verification clause in the Passport Advantage agreement states that the verification will be “conducted in a manner that minimizes disruption to the Client’s business”. This means that, within reason, you can always request adjustments to the audit timeline and approach if doing so reduces the impact on your business and IT operations.

Data gathering

This stage is where most of the actual audit activities take place. The auditor will provide you with a series of information requests that are partially based on the IBM entitlements you own. Even if you have the IBM License Metric Tool (ILMT) installed, the auditor will still have many information requests as ILMT does not capture all required information. Larger and complex organizations should expect this stage to take several months (if not more) as finding the right administrators to collect IBM product-specific extracts can be challenging. Information requests are, naturally, designed to assess whether you are meeting the requirements for license compliance. It is therefore important that you understand why each information item is requested and how your response will be interpreted by the auditor. The auditor does not have the bandwidth to fully understand all aspects of your IT environment, so the onus is often on you as the customer to provide mitigating evidence that can reduce, or eliminate, apparent license shortfalls.

An important recommendation we always give customers is to assign a single contact person within your organization who manages the flow of information to, and from, the external auditor. This will ensure that you have the complete set of data on which the audit report will be based. Also, this will provide you with a useful starting point to implement your own license compliance management processes after the audit is completed.

Data review and validation

After an initial round of data collection, the auditor will piece all the evidence together and determine whether there is any missing information. During this phase the auditor may also perform certain validation procedures (such as sample testing) to confirm that the data collected is complete and accurate. In some cases, specific data validation procedures can be agreed upon during the scoping phase. Here too, it is important to keep track of the data being collected, as that can become useful during the remainder of the audit and thereafter.

Draft Effective License Position (ELP) report

Once the auditor completes the data validation phase they will work on creating a draft Effective License Position (ELP). This report will show the license compliance position of all the products measured during the audit. It is important for you as the customer to carefully review this report and provide any feedback and mitigating arguments you may have. A common pitfall is for customers to focus mainly on the entitlements information reflected in the report, and search for additional purchases that are not yet reflected in the draft report. Although this may be useful, the most valuable corrections you can make in the ELP are usually related to the software deployment information. Interpreting software deployment information as it relates to the licensing terms and conditions is not a straightforward task, so an auditor often needs to rely on assumptions to prepare the ELP. In some cases they may have simply misinterpreted the data you provided to them (or you may have misinterpreted their original information request). We usually recommend focusing on the following key areas:

  • Which data sources were used to establish the software deployment position? Was this information independently validated? Any data source, including ILMT, may contain false positives. IBM software bundling relationships are also notoriously complex, so make sure to double-check that bundled software installations are not erroneously reported as requiring a license.
  • How was the collected data interpreted? Even when the most reliable data sources are selected, it can be easy to misinterpret the data being collected. Were user account lists reviewed to correct for duplicate and inaccessible accounts? Were hardware details correctly interpreted and translated to PVUs? Making reasonable assumptions is unavoidable as not every data point can be manually validated. However, it is important to look for and identify incorrect assumptions that can be costly.
  • How were the licensing terms and conditions interpreted? Licensing terms can often be interpreted and applied in multiple ways, and initial draft audit reports typically reflect a single point of view by the auditor. As mentioned before, the onus is on you as the customer to provide mitigating information. For example, some products allow free-of-charge software installations within certain limitations, and cold/warm standby installations are free for most products.
  • Are there alternative licensing models available? In some cases, you may be able to reduce, or eliminate, reported license shortfalls by matching software installations to other licenses you own. And even if you admit that there are license shortfalls, you can still look for alternative license models offered by IBM which would allow you to settle for a lower price. This may not directly change the results of the ELP but can be used as input for the settlement discussions with IBM.

Final ELP report and settlement

Once you reach this stage, all your comments/feedback should be reflected in the ELP. IBM will often be eager to close the audit and settle (if applicable), and so may you. However, it is still important to focus not just on the financial outcome of the settlement but also on the licenses you are buying (and, if applicable, the new agreement you are signing). Select the right licenses to ensure you remain compliant in the future and avoid non-compliance risk. Even at this stage, if you find factual inaccuracies in the ELP, you can still raise them at any point before you sign the settlement agreement.

The issue of full capacity versus sub capacity licensing is still the most significant area of compliance exposure in most audits. However, even customers who have not (fully) met the requirements for sub capacity licensing do not need to resign themselves to accept a settlement based on full capacity.  With the right arguments and negotiation points it is often possible to reach a settlement deal that is based on the “Observed Point In Time Minimum Available” (OPITMA) calculation, i.e. a point-in-time calculation of your sub capacity compliance position.

IBM Software License Review support

In our experience customers can sometimes feel overwhelmed by the IBM Software License Review process and the potential compliance exposure. ITAA can help to guide you through this process, regardless of whether your audit has yet to start or you are already in the settlement phase of the audit. With most of our clients we start by having an obligation-free conversation, or a short project to identify your key compliance risks. You are then free to choose whether you would like our continued support during the audit. More information on our IBM audit services can be found here. Our IBM vertical lead Koen Dingjan has supported over 100 clients in navigating their IBM audit process and can quickly help you draw up a plan for yours. Please feel free to contact us if you would like more information about these services.
