Overview
Thirty-seven percent of organizations have faced an IBM audit in the past three years, and with audit costs continuing to climb, the time to prepare is now. Watch this webinar to gain clarity on IBM’s new reporting rules and learn real-world tactics for reducing IBM licensing costs and audit risk.
Key takeaways for IT asset managers, procurement leaders and compliance officers
Market trends & software audit risk
- IBM audits are increasingly common, with over one-third of surveyed enterprises audited by IBM in the past three years.
- High-risk environments include hybrid cloud deployments, weak IBM License Metric Tool (ILMT) hygiene and poor entitlement documentation.
- Audit costs can soar for organizations lacking visibility and control—45% of organizations surveyed in the 2025 Flexera State of ITAM report paid more than $1 million in audit expenses over three years.
IBM environment audit risk profile
| Environment complexity | Estimated annual audit probability |
|---|---|
| Simple: few products, physical servers, full-capacity licensing | 5-10% |
| Moderate: ILMT installed, some virtualization, limited middleware | 15-25% |
| Complex: sub-capacity licensing, multiple IBM products, hybrid cloud, weak ILMT hygiene | 30-50% |
| High Risk: M&A, org changes, lapsed support, lack of reporting, no ILMT | >60% |
IBM software audit readiness framework
- Six pillars of readiness: centralize entitlements, inventory all deployments, validate license compliance, proactively fix gaps, control the audit process and maintain ongoing SAM governance.
- Importance of virtual-to-physical mapping for sub-capacity licensing.
- Real-world advice on controlling the audit process—from assigning a single point of contact to legal review and mock audits.
Flexera’s advantage in IBM license management
- Flexera One offers authorized tooling for IBM audits, replacing ILMT with faster, more scalable solutions.
- Features include:
  - Contracts and entitlement data to enable automated optimization recommendations
  - Cloud license validation
  - Bundling intelligence for cost savings
  - Data normalization and entitlement mapping for Passport Advantage
  - Product usage data for optimization
IBM license optimization opportunities
- Reduce unused installations and align maintenance with actual license usage.
- Rationalize application portfolios (e.g., replacing DB2 Advanced with Postgres where feasible).
- Leverage device role configuration to identify exempt environments and avoid over-licensing.
- Correctly size virtual environments.
Speakers
John Schwartzenberger
Executive Solution Advisor, Flexera
ITAM leader with over 25 years of experience, including senior leadership roles at a Fortune 200 fin-tech firm and a Fortune 8 healthcare company.
Bill Sudbrook
Senior Director, Solutions Advisory, Flexera
Over 25 years of IT leadership at large, global enterprises, driving successful global software optimization, cost savings, and transformation projects.
Next steps
Ready to take control of your IBM software estate?
- Learn software audit defense principles and ground rules.
- Register for Flexera’s Vendor Audit Readiness Workshop to get expert guidance from former audit defense practitioners.
- Discover how you can confidently manage your IBM estate with Flexera One ITAM—the only certified ILMT alternative.
Frequently asked questions
High-risk estates show M&A activity, lapsed support, missed reporting, or weak ILMT hygiene. These environments face a ≥60% annual audit probability, with many organizations paying over $1M in audit expenses within three years.
ILMT tracks IBM software usage for sub-capacity licensing. Common issues include partial deployment, outdated versions, incomplete reporting, and missing cloud or middleware inventory, all of which can lead to costly audit escalations. ILMT also does not track entitlements or report on product usage.
Consolidate entitlement records from both entities and create a unified view of IBM usage. Align or replace discovery tools, reconstruct entitlements internally, and expect integration to take more than 60 days for complex environments.
Remove unused installations, align maintenance with license counts, periodically reoptimize as environments change, rightsize editions, and leverage bundling to maximize installations per license. Attribute licenses correctly and rightsize compute resources.
It uses IBM-authorized agents and is recognized as a system of record for IBM reporting, allowing you to satisfy quarterly reporting requirements and certify your effective license position. This avoids standing up and maintaining a heavy ILMT infrastructure while preserving sub-capacity eligibility.
Its bundling engine lets you group products to maximize installations covered per license and identify cheaper edition options (e.g., avoiding unnecessary DB2 Advanced). It also helps evaluate when full capacity on a consolidated host is cheaper than sub-capacity on scattered VMs.
Automated license reconciliation and optimization insights flag unused installs and ensure licenses are used optimally according to product use rights.
It centralizes entitlement imports from multiple entities and unifies discovery and measurement into a single enterprise view. This shortens the window in which newly merged environments are vulnerable to audit gaps. Research from PwC shows 65% of organizations are audited within 12 months of an M&A event.
By eliminating on-prem ILMT stack overhead, you avoid server, database, upgrade, and patching burdens. Optimization recommendations then right-size licensing to match what you actually need.
Consistent, timely, and comprehensive reports reduce disruption, let legal and audit leads control scope, and demonstrate command of your IBM estate. A strong reporting posture can deter future audits once reliable evidence is consistently produced.
Transcript
[00:33] Welcome and housekeeping
Jennifer Kuvlesky: Welcome to this webinar, Conquering IBM audit readiness.
With me today we have Bill Sudbrook and John Schwartzenberger.
Before we get started, please use the Q&A section for questions. If you would like to say where you are joining from or give a shout-out to one of our speakers, you can use the chat. But if you have questions, please put them in the Q&A so others can upvote them and we can address the most popular ones first.
[00:50] Speaker introductions
Bill Sudbrook: My name is Bill Sudbrook. I’ve been with Flexera for about six months as Senior Director of Solutions Advisory. Prior to coming to Flexera, I ran the AT&T IT asset management program for about 10 years. I’m very happy to be talking about a topic that is very close to my heart today.
John Schwartzenberger: I’m John Schwartzenberger. Good day to everybody, wherever you are in the world. I’ve been with Flexera and this December will mark four years. Before that, I spent more than 25 years leading major ITAM transformations in healthcare and fintech.
This topic is near and dear to both Bill’s heart and mine, so we’re excited to have this conversation with you today. With that, let’s get started.
[01:45] Agenda
John Schwartzenberger: We’re going to cover a few things today:
- Audit trends in the market
- IBM risk profiles
- IBM compliance programs
- Practical tips on how to prepare for an IBM audit
- How Flexera One helps solve IBM licensing complexity
- IBM optimization opportunities
- Next steps
I think you’ll be excited to hear what we have to share.
[02:21] Market trends and audit pressure
John Schwartzenberger: One of the things I love about Flexera is that we go out and conduct industry polling through our annual State of ITAM Report as well as our cloud and SaaS research. We look at what is happening across the industry from several perspectives.
Specifically on audits, one of the top concerns we see is the burden of responding to them. Nearly half of the organizations we polled reported paying more than $1 million in audit-related expenses over the past three years.
The key message is that audits are top of mind across the board. As software environments become more complex, especially in hybrid environments, it becomes harder and harder to get your arms around software licensing and compliance.
[03:29] Why IBM audit readiness matters
John Schwartzenberger: When we asked organizations which vendors had audited them in the last three years, IBM ranked a strong number two, just behind Microsoft. We wanted to better understand environmental risk profiles and the estimated annual probability of audit based on infrastructure and licensing complexity.
A simple environment might mean a few IBM products, a handful of physical servers and full capacity licensing. That generally gives you a lower audit probability, in the range of 5% to 10%.
A moderate environment might include ILMT installed, some virtualization and limited middleware. That increases the probability to around 15% to 25%.
A complex environment is where higher risk starts to show up. That usually means subcapacity licensing, multiple IBM products, hybrid cloud and potentially weak ILMT hygiene. In our survey, more than a third of the 500 companies that responded said they had been audited by IBM in the last three years. That’s a really striking statistic.
And then you have the high-risk category. These are companies with lots of M&A activity, internal organizational changes, lapsed support on their IBM estate or missed reporting obligations. They may not even have ILMT in place at all. In that case, the audit probability can reach 60% or greater.
[05:21] Common IBM audit risk factors
John Schwartzenberger: Some of the most common gaps we see include:
- ILMT installed only on a subset of systems
- Older ILMT versions
- Incomplete reporting
- Missing snapshots
- Incomplete historical records
- Peak reports that do not align with the environment
- No tracking of IBM middleware, Kubernetes or OpenShift
- Gaps in entitlement documentation
- Shadow IT
- Incomplete inventory across on-premises, virtual and cloud environments
Bill Sudbrook: One item that really jumps out at me is BYOL to cloud. This is an area where you have to be very careful with IBM licensing.
IBM often sells the same product one way for on-premises use and another way in the cloud, such as through a Cloud Pak. You need to be careful when migrating to the cloud to make sure you actually have the rights to run those products there. That’s a very high-risk area.
[06:58] Audience question: What is the most expensive risk?
Jennifer Kuvlesky: What is the most expensive risk? More specifically, what costs customers the most in your opinion?
John Schwartzenberger: In my opinion, one of the biggest costs comes from the inability to proactively deliver the required reports on time.
The legal obligation, entitlement and contract management side of this is often overlooked. If you are required to produce quarterly reports, for example, then you need to retain three years of those reports and be able to provide that evidence.
Another major issue is failing to manage ILMT across all relevant infrastructure components. We often see IBM ask a few simple questions, which can quickly reveal that an organization may not be managing this as well as it should. That can trigger further scrutiny and potentially an audit.
If I had to pick the single biggest issue, though, it would be sub-capacity versus full capacity licensing.
If you have PVUs or RVUs and you are not monitoring those high-water marks properly or cannot report on them, IBM may simply assume you are not eligible for sub-capacity and charge you for full capacity instead. That can be an enormous financial hit.
Bill Sudbrook: Exactly. If you expect to pay based on virtual machine cores but end up paying based on physical cores, you are going to be paying a lot more.
[08:58] What it means to be audit ready
John Schwartzenberger: Being audit ready is not always about perfection. It is about having documentation, visibility and control. If you can explain what you have, what you are using and how it is licensed, then you are in a much stronger defensive position.
Some practical recommendations include:
- Collecting and organizing all IBM contracts and purchase records across the estate
- Understanding entitlements across regions, business units and procurement systems
- Inventorying all IBM deployments across on-premises, virtual, cloud and SaaS environments
- Validating the correct license model in advance, whether that is sub-capacity, user-based or BYOL
- Fixing gaps proactively
- Right-sizing and removing unauthorized or unused software where appropriate
If you have software that has not been used in three to six months, that is often a good candidate for removal before an IBM audit.
Bill Sudbrook: It is also very important to understand the virtual-to-physical relationships of your systems in order to qualify for sub-capacity licensing.
John Schwartzenberger: Exactly. Those host-to-VM relationships and cluster relationships are critical to understanding IBM usage rights.
Bill Sudbrook: The ideal scenario is to prepare before you are audited. That gives you a lot more options.
[11:33] Controlling the audit process
John Schwartzenberger: Another key recommendation is to control the audit process.
For people who have never been through a software audit, it can be intimidating and disruptive. There is usually a sense of urgency from the C-suite downward because there are so many unknowns. But it is okay to control that process.
You should:
- assign a single point of contact for the auditor
- involve legal review
- make sure the scope is defined in writing
- provide reports on time
- avoid granting direct system access to your infrastructure
This is something we also cover in our audit readiness workshops. You should build an audit team so everyone knows the scope, the roles and the expectations.
And finally, maintain strong ongoing SAM governance. Conduct regular internal license checks and run mock audits. In my past roles, after completing a major IBM renewal, I had the team stress-test the environment every year to ask: are we audit ready, compliant and aware of any gaps?
That mock audit process makes a huge difference.
[13:31] How Flexera solves IBM complexity
John Schwartzenberger: Bill and I have both led teams that worked to maximize these opportunities. One of the big advantages is the use of Flexera agents with IBM-authorized tooling. We know ILMT is accepted by IBM, but in certain cases Flexera agents can also be used under approved arrangements.
Years ago, I was part of one of the first large fintech environments where IBM approved the use of Flexera agents in place of ILMT. I was ecstatic because we had a huge environment and a large ILMT infrastructure that was clunky, difficult to manage and expensive to maintain.
Moving to lightweight Flexera agents and managing that through Flexera One was a major improvement.
Bill, why don’t you expand on IBM Cloud Paks, because that was a big area from your background.
Bill Sudbrook: Getting back to cloud usage rights, Flexera can help with that. It is very easy to fall into a trap and end up in a costly situation if you deploy software in the cloud without realizing it needs to be covered by a Cloud Pak.
It is extremely important to understand and measure that properly, and ILMT does not do that out of the box. That is something unique that Flexera can help with.
[15:02] Flexera One capabilities for IBM licensing
John Schwartzenberger: From there, Flexera One also delivers optimization capabilities. The reports you need are built in and the platform continuously looks at your environment, including the virtual-to-host relationships, to identify opportunities to right-size your estate, reduce costs and optimize licensing.
Another strength is data normalization. The data is enriched and accurate. The product catalog, SKUs, part numbers, usage rights and product use rights are all built into the platform. That takes a lot of complexity away from your IBM licensing analysts.
And of course, Flexera goes well beyond IBM. It supports thousands of software vendors across the enterprise including Oracle, Microsoft, ServiceNow and VMware. It also supports broader cloud and FinOps use cases.
Bill Sudbrook: One thing that is especially important from an optimization perspective is that the bundling capabilities in Flexera are far superior to ILMT.
Being able to bundle software appropriately can create a huge cost opportunity. For example, DB2 may be bundled with a set of other IBM products depending on the license terms. Flexera helps you determine where to bundle products most effectively so you can maximize installations per license. That can have a major financial impact.
[17:11] Key business benefits of Flexera One
John Schwartzenberger: First, from an ITAM practitioner perspective, it is all about cost takeout and compliance. Flexera helps right-size your IBM estate and reduce infrastructure costs. Running ILMT often means servers, operating systems, databases, upgrades and patching. It can easily cost several hundred thousand dollars per year to maintain. Flexera eliminates much of that complexity with a lightweight agent model.
Second, there is cost avoidance. If you can identify compliance issues in advance, you can address them before they become expensive. And if you have licenses that can be reharvested and reallocated, Flexera helps with that too.
Third, there is time savings. I’ve spoken with organizations that spent as much as a year pulling information together for an IBM audit. With automated license reconciliation reports and built-in product use libraries, you reduce management complexity and improve reporting quality.
And finally, there is trusted reporting. Flexera is a recognized system of record that supports quarterly reporting requirements and the calculation of an effective license position.
Bill Sudbrook: Time to value is a big issue here too. Standing up Flexera is much faster than standing up ILMT. If you do not already have a tooling solution and you are deciding where to start, you will get up and running much faster with Flexera and your output will come faster too.
What might take six months to a year using spreadsheets and manual effort can often be done in 90 days or less, even in complex environments.
[20:00] IBM license optimization opportunities
Bill Sudbrook: A few important optimization strategies include:
- Removing software installations that are no longer in use
- Reducing maintenance to align with the actual number of licenses you still need
- Regularly reviewing optimization allocations as environments change over time
- Capturing whether a system is production, non-production, cold backup or warm backup in your CMDB, because that affects licensing
- Checking full capacity versus subcapacity on every system
- Ensuring you are only counting the licenses your organization is actually responsible for
- Effectively sizing virtual environments
- Performing regular application portfolio rationalization
Portfolio rationalization is especially important. Flexera’s taxonomy helps identify overlaps where one product may be able to replace another. For example, in some cases PostgreSQL could replace DB2, or WildFly could potentially replace WebSphere. These activities not only modernize your environment, they also help reduce costs.
[22:54] Why device roles and environment classification matter
John Schwartzenberger: I recently worked with a customer that was not under audit but was going through a renewal. We looked at one of their stacks and every single product and application was marked as production, meaning everything was treated as licensable. There were no exemptions. That alone drove a licensing exposure of more than $5 million.
When we reviewed the estate more closely, they told us they had development, QA and DR environments too. We are now helping them map those correctly.
This is critical, especially in hybrid and cloud environments. You must understand the role of each device and how that aligns to IBM products, because there are many exemptions people do not realize they can take advantage of.
Bill Sudbrook: And that applies to DB2 as well. It is important to understand which edition of DB2 you are using. Many applications do not need DB2 Advanced Edition. If you identify the correct edition and bundle appropriately, there can be significant cost opportunities.
[24:57] Next steps and workshop invitation
John Schwartzenberger: Today was a high-level overview, but we want to extend that value beyond this conversation and help you minimize your audit risk over time.
You can register for Flexera’s Vendor Audit Readiness Workshop. In that session, we go much deeper than we did today. You can bring up to three people from your team and meet with Bill, me and some of our teammates.
We cover:
- Best practices for preparing for an audit
- Guidance for determining your rights and responding to a vendor audit
- The data required to meet audit requirements effectively
- A documented playbook to help you navigate each phase of the audit process