IBM Insight: Mitigating over $100m in IBM license compliance risk



Our IBM expert helped Fortune 500 company Altus successfully navigate its IBM license compliance audit, mitigate a substantial compliance risk and deploy ILMT as part of the post-audit settlement agreement.


Altus is a Fortune 500 company based in the United States. ITAA’s IBM software licensing expert was approached to help Altus through a long-running IBM license compliance audit. The audit had started 18 months before and was not even close to being finalized.

Our approach to concluding the license compliance audit

Step 1: Collecting the data

Altus’s main challenge was delivering the huge number of data items that the third-party auditor was requesting. Our first priority therefore was to carefully review the open requests and determine the most efficient way to collect the information.

In many cases, we were able to push back on the data requested and identify alternative data sources that would meet the audit evidence requirements with a much lower effort.

Within just two months, Altus had delivered all open data requests to the auditor, relieving the operational staff of this ongoing burden.

Step 2: Interpreting the license compliance audit report

Once we had completed the data collection phase, the auditor shared its draft audit report with Altus. Given their significant IBM software footprint, the initial draft was complex and included compliance calculations for around 100 IBM products.

We have extensive IBM audit experience and could quickly help the Altus team to interpret the report, estimate their compliance exposure and identify key flaws and ambiguous interpretations.

Step 3: Negotiating to reduce exposure

Based on the license shortfalls reflected in the initial draft audit report, we estimated the total exposure to be $120m. A significant proportion of this risk was due to the auditor’s assessment that Altus had not adequately met the requirements for sub-capacity licensing.

Through extensive analysis and conversations with technical staff at Altus, we prepared a comprehensive set of arguments, product by product, that Altus could present to the auditor and IBM.

Examples included corrections of entitlements and the interpretation of technical data, pushback on the interpretation of licensing terms and arguments in support of sub-capacity licensing.

Our counter report was a key factor in helping Altus to achieve a final settlement of $5m.

Step 4: Implementing the IBM License Metric Tool (ILMT)

As part of the post-audit settlement agreement, Altus agreed to implement the IBM License Metric Tool (ILMT) to fully meet the requirements for sub-capacity licensing. This is a concession that IBM often requires as part of audit settlements.

Many companies face technical challenges in deploying ILMT in their environment, and Altus was no exception. With less than three months to fully deploy and configure ILMT in a server estate exceeding 10,000 servers, Altus asked us to help them implement ILMT to meet their contractual deadline.

We helped Altus to set up the technical prerequisites and ILMT server, deploy the BigFix agent to all targeted machines and configure ILMT reports to meet the reporting requirements – including accurate software classification.


Through the course of this project, we successfully mitigated $8m of previously unknown compliance risk through technical configuration changes and optimized software license allocations. We also trained the Altus team to maintain their ILMT implementation on an ongoing basis.

As a result, Altus fully met their post-audit ILMT implementation obligations on time. With the comprehensive roll-out of ILMT and their newly implemented processes, Altus has greatly reduced the chance of similar compliance exposure occurring in the future.

Can we help you defend an IBM license audit? Please contact us to find out.

*Protecting our clients’ confidence is of utmost importance at ITAA. While our case studies are based on true projects, we have used fictitious names and removed or changed other identifiable details.
