
IBM Audit Findings: The Common Issues.

The ten findings IBM audit firms surface most often in enterprise engagements, ranked by frequency and dollar impact, with the underlying control gap and the buyer side remediation for each.

Read time 12 min | Updated May 2026 | By IBM Licensing Experts
Independence statement. IBM Licensing Experts is an independent advisory firm. We are not an IBM Business Partner, reseller, or affiliate. We have no resell margin tied to our recommendations and we do not earn revenue from any IBM product line. Read more on why independence matters.

Why this matters.

Audit findings cluster. Across more than five hundred IBM audit engagements, ten finding types account for the vast majority of dollar exposure. Each finding has a known cause, a known evidence pattern, and a known remediation. The buyer that understands the catalogue arrives at the audit conversation able to anticipate what the audit firm will surface and prepared with the counter position before the preliminary findings letter arrives. This article documents the ten finding types and the buyer side action for each.

The catalogue applies to traditional sub capacity products, to Cloud Pak deployments, and to the mainframe estate. The discipline is the same. The audit firm will surface the gaps it can document with the data the buyer submitted. The buyer side response begins with the data submission and ends with the settlement letter. See the full audit framework in the IBM audit complete guide.

Finding 1. ILMT not deployed, stale, or under reporting.

The IBM License Metric Tool gap is the single most common finding. The audit firm asks for ninety days of ILMT reports. The buyer cannot produce them, or produces reports that do not cover all sub capacity eligible hosts, or produces reports with agents that have not checked in for thirty plus days. The contractual consequence is full capacity licensing on the affected hosts.

The remediation is the ILMT deployment program. Agents on every sub capacity eligible host, version current, configured against the live VM Manager, with the bundle and instance reports run on the scheduled cadence. See ILMT guide and the ILMT deployment playbook for the full implementation pattern.

Finding 2. VM Manager not connected.

The VM Manager is the data source the ILMT environment uses to identify the partition topology. Without a live VM Manager connection, the ILMT bundle report cannot determine the true partition size and the sub capacity calculation defaults to full capacity. The audit firm will surface the gap by cross referencing the hypervisor data with the bundle report.

The remediation is the VM Manager configuration. Connect each VM Manager that hosts sub capacity workload. Verify the connection in the ILMT console. Confirm partition sizing in the bundle report matches hypervisor topology. The discipline is documented in the ILMT expertise page.

Finding 3. PVU rating gaps on legacy or refreshed hardware.

The IBM PVU table assigns a per core processor value. When hardware refreshes, the new PVU rating moves. When legacy hardware was never properly rated, the entitlement may have been understated against full capacity. The audit firm will surface PVU rating exceptions on the hardware inventory submission.

The remediation is the PVU reconciliation. Map every host in the inventory to the current PVU table. Identify the hosts where the deployed entitlement diverges from the rated capacity. Document the variance, the cause, and the corrective entitlement. See IBM PVU explained and PVU optimization.

Finding 4. The sub capacity 30 day reporting rule miss.

The sub capacity terms require the bundle report to be run at least every thirty days. A gap longer than thirty days in the bundle report sequence converts the affected period to full capacity. The audit firm finds the gap by scanning the report metadata for sequence breaks.

The remediation is the bundle report calendar. Schedule the report. Monitor the schedule. Document the report log. Where a gap exists, document the operational cause and the remediation. The sub capacity discipline is documented in sub capacity expertise and the sub capacity licensing white paper.

Finding 5. Cloud Pak entitlement to deployment mismatch.

The Cloud Pak entitlement model uses Virtual Processor Cores and conversion ratios from the legacy product entitlements. When a buyer converts to a Cloud Pak, the entitlement is calculated at the conversion table rate. When the deployment exceeds the converted entitlement, the audit firm surfaces the shortfall against the new Cloud Pak metric, not the legacy metric. The exposure is the new metric pricing.

The remediation is the Cloud Pak deployment topology. Map each containerised workload to a Cloud Pak. Compute the VPC consumption. Reconcile against the entitlement. Run the conversion at the deployment cadence. See Cloud Paks expertise and the Cloud Pak licensing white paper.

Finding 6. Authorised user counts over deployed.

The authorised user metric counts every named user with access to the product, whether the user is active or not. The audit firm will surface the gap by comparing the LDAP roster, the application access list, and the entitlement count. The variance is often material on collaboration and analytics products.

The remediation is the user reconciliation discipline. Quarterly access review. Decommissioned user deletion. Service account documentation. Role based access design that maps to the entitlement metric. The discipline is part of the broader license harvesting practice.
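The three-way comparison described in Finding 6, sketched as a quarterly access review check. This is an added example, not code from the original article; the directory roster, access list, service account register, and entitlement count are constructed sample data, and it assumes every distinct access list entry counts as one named user until it is removed.

```python
# Constructed sample inputs (not from any real directory or IBM product).
LDAP_ROSTER = {              # directory account -> enabled flag
    "alice": True,
    "bob": False,            # decommissioned user, still disabled in LDAP
    "carol": True,
}
APP_ACCESS = ["alice", "Alice ", "bob", "carol", "svc-etl", "dave"]
DOCUMENTED_SERVICE_ACCOUNTS = {"svc-etl"}
ENTITLED_USERS = 4           # authorised user entitlement count


def reconcile(ldap, app_access, service_accounts, entitled):
    """Compare the application access list with the directory and entitlement.

    Assumption: each distinct name on the access list is counted as a named
    user, whether the account is active or not.
    """
    # Normalise so case or whitespace variants are not counted twice.
    named = {name.strip().lower() for name in app_access}

    # Disabled in the directory but still holding application access.
    disabled = sorted(n for n in named if n in ldap and not ldap[n])

    # Not in the directory and not a documented service account.
    unknown = sorted(
        n for n in named if n not in ldap and n not in service_accounts
    )

    counted = len(named)
    after_cleanup = counted - len(disabled)
    return {
        "counted": counted,
        "entitled": entitled,
        "shortfall": max(0, counted - entitled),
        "remove_disabled": disabled,
        "investigate_unknown": unknown,
        "shortfall_after_cleanup": max(0, after_cleanup - entitled),
    }


if __name__ == "__main__":
    result = reconcile(
        LDAP_ROSTER, APP_ACCESS, DOCUMENTED_SERVICE_ACCOUNTS, ENTITLED_USERS
    )
    for key, value in result.items():
        print(f"{key}: {value}")
```

Accounts listed under `investigate_unknown` are also an access control concern in their own right, since they hold product access without a directory owner or a service account record.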

Finding 7. Test, development, and disaster recovery environments licensed as test when used in production.

IBM entitlement rules around non production use vary by product. Some products allow unlimited cold standby. Some require the warm standby to be licensed. Some have specific test entitlement carve outs. The audit firm will surface the finding by reviewing the host workload metadata and matching it against the IBM use rules per product.

The remediation is the environment classification audit. Inventory each environment. Classify by use. Match the classification against the IBM use rules per product. Reclassify or relicense where the use exceeds the rule. The discipline is documented in the audit defense playbook.

Finding 8. Bundled product unbundling.

Many IBM products are sold in bundles where the bundle entitles the use of specific components. When the buyer deploys a component outside the bundle context, the audit firm surfaces the deployment as a standalone use requiring separate entitlement. The most common pattern is WebSphere components from a Cloud Pak that are deployed standalone.

The remediation is the bundle compliance review. Map each bundle. Inventory the bundle component deployments. Confirm the use is within the bundle context. Document the bundle use rules per the buyer commercial contract. See Passport Advantage.

Finding 9. M and A entity ambiguity.

When an organisation acquires or divests an entity, the IBM entitlement does not automatically follow. The acquired entity may have its own Passport Advantage agreement, its own renewal calendar, and its own deployed estate. The audit firm will surface the finding by comparing the legal entity disclosure against the deployment topology.

The remediation is the post M and A entitlement reconciliation. Inventory the inherited estate. Map the inherited entitlements. Reconcile against the parent contract. Negotiate the consolidation. The discipline is documented in the M and A license compliance white paper.

Finding 10. Contract and entitlement documentation gaps.

The buyer cannot produce the contract amendment. The buyer cannot produce the entitlement certificate. The buyer cannot produce the trade up election. The audit firm proceeds without the document and the IBM commercial team applies the position that is favourable to IBM. The exposure is administrative but the impact is material.

The remediation is the contract repository discipline. Every Proof of Entitlement filed. Every amendment indexed. Every trade up election documented. Every transfer record retained. The contract repository is the foundation of every audit defense. See software vendor management white paper.

Common finding pattern.

Across the ten findings, the underlying control gap is the same. The buyer side discipline is reactive rather than proactive. The audit firm reads the gap from the data the buyer submits. The buyer that runs the self assessment ninety days before the audit window opens converts every one of these findings from an audit exposure into a remediated control before the audit firm enters the conversation. See self assessment.
