An IBM audit is inevitable for any organization that uses the company’s software. IBM audits customers every three to four years like clockwork. Here’s the thing: being found out of compliance could get very expensive rather quickly. It pays to be proactive about internal IBM audit defense and license management to guarantee your company is fully in compliance when that next audit comes.
Every IBM audit begins with a letter “invoking IBM’s right to audit, which is detailed in the verification clause” assigned to each software product. Audits are conducted by an IBM Licensing Representative and supported by a third-party auditing partner.
It has been our experience that most organizations subject to an IBM audit are out of compliance in at least one or two ways. In addition, most organizations are completely unaware that they are not in compliance.
Financial Penalties Apply
IBM has built into its licenses the legal right to insist on remedial action among organizations found out of compliance. It would be inappropriate for us to get into what those actions could be, but needless to say, they can be very costly. The larger the organization, the higher the potential cost of being out of compliance.
It is our position that organizations spend far less on proactive measures than they would spend on obtaining additional licenses and other remedial actions. It is really a ‘pay me now or pay me later’ type of thing. Investing in license reviews and a product like our IBM Audit Defense is worth it.
When the Time Comes
Routine license reviews and subscription management keep an organization on the right track heading into its next IBM audit. When the time for an audit actually comes, an organization receives that introductory letter. Not only does the letter inform the organization of IBM’s right to audit, but it also outlines the scope, target, and auditor details.
The organization in question assembles a team of representatives from various departments. Typically, this means representatives from IT, purchasing, deployment, and legal. Every team member is qualified to contribute to the audit process. The team’s main function is to conduct an inventory and review that looks at, and records, all current IBM software installations and their licenses.
An IBM audit follows this basic six-step process:
- IBM sends the notification letter.
- An introductory call between the organization, IBM, and auditor is conducted.
- Data is collected by the organization’s team and submitted for review.
- IBM and its auditor analyze the data for compliance; testing is included.
- An exit meeting takes place; findings are discussed along with next steps.
- IBM and its auditor finalize the audit and issue a report.
A typical audit takes between three and five months to complete. From your organization’s point of view, the most critical aspect is selecting the right team and then collecting and recording the right data. Incomplete or incorrect data only slows down the process and increases the risks associated with noncompliance.
Resolving Shortfalls
IBM refers to being out of compliance as a shortfall. If a noncompliant issue is found during an audit, IBM will work out a satisfactory means of resolving the shortfall with the client. All shortfalls must be resolved in order for the audit to be officially closed.
It goes without saying that a typical IBM audit is an involved and thorough process. It doesn’t pay to cut corners. More importantly, it does not pay to be unprepared for an audit. We help organizations not only prepare, but also maintain preparedness in between audits. Contact us to learn more about our IBM services and their ability to protect your organization.