IBM audit readiness: How to prepare, respond and protect your license position

IBM audits are typically triggered by commercial signals (e.g., intent not to renew), risk-based indicators (missing reporting, M&A, organizational changes, lapsed support) or time-based factors (no audit in a significant period). The webinar outlines a four-tier risk profile—from simple environments with 5–10% annual audit probability to high-risk environments exceeding 60%. Understanding your risk tier is the first step to proactive preparation.

IBM requires organizations using sub-capacity licensing to deploy an eligible tool (ILMT or Flexera), scan devices every 30 minutes and retain quarterly reports for a minimum of two years. If any reports are missing or incomplete, IBM can require full physical capacity licensing instead of virtualized cores—significantly increasing your license obligation and cost.

Flexera One ITAM is IBM-certified authorized tooling that replaces ILMT while adding capabilities ILMT doesn't offer: contract and entitlement data ingestion, effective license position calculation, Cloud Pak VPC counting, license optimization and multi-vendor coverage (Oracle, Microsoft, VMware and more) from the same agent and platform.

IBM requires the IBM License Service for sub-capacity reporting in containers—it's the only tool IBM accepts. Without it deployed and properly configured, organizations must license all cores in the cluster at full capacity. The webinar shares a real example where a customer's container estate grew from an estimated 3,000 to 75,000 without adequate visibility.

Under Passport Advantage terms, non-compliant organizations must purchase excess licenses at IBM's then-current list prices and may owe up to two years of back maintenance if they can't prove when the excess started—plus additional taxes, duties and fees. Proactive management with defensible data is the best way to avoid or minimize this outcome.

Nathan Stevens (13:29 – 22:09)

All right, thank you everybody for joining us today. So we're just gonna give everyone a few seconds to join us on the stage today, get familiar with Goldcast and join us.

And we can see some people coming into this session, the webinar today. So just get familiar with the controls, get comfortable.

For the next half an hour, we're gonna go through IBM audit readiness. And for those that have just joined us as well, so we're going to have q and a at the end of the session today.

So if there's any pressing questions about your IBM order readiness, please drop them in the chat. We we will address them at the end of the session today.

We'll be there to answer those questions for you. I'm joined today by Toby who is going to cover off all the details that I can.

He's one of our experts around the IBM topic. So today, there is no surprises, no setbacks.

So it's a topic that we're really keen to bring into the team across APAC today. So we're really looking at how do we actually prep for an audit? You know, we wanna make sure that we're right sizing the investment in the technologies that we're consuming, and IBM is no different to the likes of the Microsoft, the Oracles, the Adobe's.

So we wanna make sure that if you do get the audit letter or you're really just prepping and planning and being proactive throughout the year, it's leveraging the Flexera technology to get those outcomes for you, right sizing the investment on technology that you're consuming and owning. So we wanna make sure that we're investing in things that you actually need, that you actually own, and you're actually using.

So today's all about that and some guidance around how we get to those outcomes. So for those that have joined us maybe for the first time, you know, this is a series of webinars that we've run over the course of last year and this year.

So the eight on screen in front of you summarize the topics that we've covered during that time frame. So if you're keen to learn a little bit more about those, Ash will actually put those links into the chat for you today, and you can look at those on demand and actually consume that content whenever you feel is appropriate.

So some great content previously to catch up on. So just looking ahead, so today, April 22 is all about IBM and audit readiness.

So gonna dive into what triggers, you know, an audit or the proactiveness and preparedness around an audit, look at some of the fundamentals. So Toby is gonna take us through the fundamentals of what it means to go through and be prepared for an audit, some of the gotchas, some of the things that you need to be very mindful about, you know, passport advantage contracts, how to get that into the system, and really dive into the drug dynamics in the very complex IT environment.

In May, we've had a bit of a change in the schedule that we were originally planning for those that have joined us last month, but we're gonna dive into vulnerabilities and patching. So a very interesting topic about how to see the risks that others miss in terms of the vulnerability of states and what you should be looking out for and where maybe CVEs aren't really up to scratch anymore and where Flexera can help.

And we push the what was in May into June around proving ITEM value, and once again, we'll be joined by some other colleagues of ours to really drive into, you know, where we can help around that value discovery, understanding how to really talk about ITAM at the executive level. So keep an eye out for those, keep an eye out for the links on LinkedIn, and please register your interest across those three.

Alright. So today, we're gonna dive in specifically around IT asset management.

Now for those that have been through other sessions, we've really touched on a number of different, you know, capabilities of the FlexeraOne portfolio here, and today is really about IT asset management and narrowing down. It may touch on some other elements, but really 99% of what we're doing is focusing on the data that we collect and present within IT asset management, and looking at the contracts and the entitlements that you own and how to attribute those or how to assign those out within the environment.

So today we're going to focus in just on that particular green square in front of you. Now as always, I do like to start these sessions with, you know, placing us at the center of the world.

So really, you know, we're at that tipping point of technology spend, and technology is only really ever, you know, second to people spend within an organization. So that technology spend is something that we compete in for budgets with against people, but that technology spend is also increasing year on year.

When we start to look at, you know, IBM and other vendors out there, there's more and more investment in terms of technology spend being a business enabler. Now over the last three years in particular, around 47–51% on cloud and SaaS spend, we see that growth throughout the market, whether that's on premise, in SaaS, or in cloud.

And this market is growing rapidly, so we need to make sure that we're in control of spend within our technology landscape.

Now really, why focus on IBM? There's a couple key reasons, but at the end of the day is IBM is still auditing and second on this list only after Microsoft.

And now Toby's gonna take us through the IBM environment risk profile and take us through what it means to be prepared with IBM, being proactive and using Flexera to do that.

Toby Ivens (22:09 – 50:32)

Thank you, mate. Hi.

So in terms of the IBM risk profile, so you can see on the screen here, we've got simple, moderate, complex, and high risk. Simple representing few products, physical servers, full capacity licensing, so a simple environment.

And then, obviously, down to high risk where we've got mergers and acquisitions, organizational changes, lapsed support, lack of reporting, and no ILMT.

Now what we've got on the next slide is a breakdown into the details for these scenarios in terms of the risk profile.

Firstly, IBM has a number of different contractual reporting requirements that are required. If we do not have all of the reporting requirements being conducted regularly and per the terms, that raises the risk profile from an audit perspective.

Audits are typically commercially based, risk based, or time based. IBM won’t state a single reason, but there are usually signals.

ILMT deployment is required for sub-capacity reporting. Flexera is an eligible replacement, but it must be properly deployed and configured.

Reports must be taken quarterly at a minimum, monthly recommended, and retained for two years. Missing reports can invalidate sub-capacity terms.

Hardware topology, cloud visibility, and containerized IBM software all introduce risk if not properly inventoried and reported.

The IBM License Service is the only accepted tool for container sub-capacity reporting, but Flexera integrates with it.

Entitlements and proof of purchase must be accurate and aligned with Passport Advantage and signed contracts.

User-based licensing introduces complexity, especially with shared or indirect access.

IBM Passport Advantage requires annual license verification reporting and allows audits across all environments.

Non-compliance can result in list-price purchases and up to two years of back maintenance.

Proactive management includes centralizing entitlements, inventorying deployments, validating license configurations, fixing gaps, controlling the audit process, and maintaining ongoing SAM governance.

Flexera is IBM-authorized tooling, an ILMT replacement, and provides entitlement management, Cloud Pak counting, optimization, and multi-vendor coverage.

Nathan Stevens (50:32 – 52:23)

Perfect. Now look, appreciate Toby, and the detail you've gone through in explaining how we manage IBM.

One of the case studies that really drives this home is DBS in Singapore, proactively managing Oracle and IBM with Flexera.

If you're concerned about how you're managing IBM audits and want to learn more, please reach out via the QR code on the screen.

We'll now move into Q&A and answer any questions in the chat. Thanks everyone for your time today.