Case Studies

Katerina Moltova
Katerina Motlova
IBM Specialist

Case Study: Reducing a $1.9million IBM Audit Bill for a West Africa Bank

Defending a software licence audit from a major vendor can be fraught with risk. In many cases, a customer may believe they have no compliance issues to worry about, only to be surprised by a large bill to settle noncompliance at the end of the audit. For this reason, it pays to fully understand your licensing position for your major software vendors and engage with a specialist audit defence partner at the beginning of the audit if you are not 100% certain of your compliance status.

This situation can be compounded further if third-party service providers have been involved and have also provided licences to your organisation. Any uncertainty as to who owns the licences you are using or who has responsibility for ensuring compliance can lead to major audit headaches.

Failing to Prepare for an IBM Audit Can Lead to Catastrophe

A recent IBM audit case involving FisherITS highlighted the perils that customers can face if they do not understand their audit compliance risk and simply go along with the audit process, only realising that there is indeed a problem when it is almost too late.

In this case, a financial institution based in West Africa was approached by IBM in 2019. The customer received an audit notification letter and began to provide data to the auditors as per IBM’s request. At this early stage the customer did not clarify the scope of the audit with IBM or fully understand what should be agreed to begin with. This is immediately a problem for any audit defence and had a large part to play in the difficulties experienced later in the audit. It is crucial for organisations to have a pre-planned response to licence audits, confirming a communications protocol, establishing the vendor’s contractual right to audit, and assessing any risk that may exist.

In this case, the customer initially put their trust in IBM and the auditing partner, following their requests and expecting the auditors to lead the way.

Upon receiving the audit report from IBM some months later, the customer was surprised to be informed that they had a large noncompliance liability. IBM immediately deployed their favoured tactic of suggesting the customer purchases new IBM products instead of paying a settlement fee. This offer is framed as being better ‘value for money’ for the client. The customer was presented with two settlement options costing $1.5million and $1.9million respectively.

The options for new product purchases were not suitable for the customer, who had no need to invest in such software. IBM software made up a relatively small, yet crucial, part of the customer’s software estate and they had no desire to increase their investment in IBM software.

Engaging with an IBM Audit Defence Specialist

Upon receiving this offer from IBM, the customer contacted FisherITS to provide an audit advisory and defence service as the potential settlement offers were far more than the customer expected or felt comfortable paying.

The IBM auditing experts at FisherITS were able to quickly establish the facts and timeline of actions in the build-up to the audit and the associated noncompliance claim by IBM. As is common in many IBM noncompliance cases, the customer did not have a functioning instance of ILMT deployed, causing a genuine noncompliance issue. The situation was further complicated by the presence of two third-party service providers who had recently assisted the customer in implementing their IBM products. Two separate providers had been engaged to help the customer deploy the IBM solution, a fact that emerged as a major issue in this audit.

Taking Responsibility for IBM Licensing Compliance

The IBM licences and services provided by the third parties were not provided in full. The first service provider initially lent the customer the IBM licences, meaning the customer did not have ownership of the licences. These licences were later transferred to the customer’s ownership, at the customer’s request, after the IBM audit was underway. The customer engaged a second provider to help them deploy the solution after the first provider failed to do so. As the owners of the licences, the third-party providers had responsibility for ensuring ILMT was deployed and reporting correctly. This did not happen. As the licences that were issued were calculated with the expectation of Sub-capacity usage, the failure to implement ILMT led to IBM’s claim for payment on a full-capacity basis.

In this case the customer should have ensured they were clear on the licensing and compliance implications for their IBM implementation, but the third-party provider should have also taken responsibility. FisherITS advise in such cases that the contract between the customer and the third party clearly states who is responsible for maintaining compliance.

Building an IBM Audit Defence Case

To build an audit defence case, the FisherITS team established the customer’s point-in-time licensing situation as of when the audit notification letter was originally received in 2019. This confirmed the status of the third-party providers at that time and who had ownership of the licences. The customer did not have the licences in their own IBM Passport Advantage account in 2019; they remained with the third-party providers. The contract also didn’t state that the compliance responsibility lies with the customer rather than with the current owner of the licences. This allowed FisherITS to advise the customer that they did not have responsibility for the licences at this point. This was a point that could be argued with IBM. It could then be negotiated with IBM that the genuine noncompliance issue of missing ILMT was understood, and this would be rectified moving forwards.

FisherITS advised the customer to stand firm with this approach until IBM were ready to settle, whilst demonstrating that the customer would be compliant moving forwards. As neither party had a desire to take the audit to court, involving the third-party suppliers, IBM agreed to a settlement figure of $750,000, with no obligation to purchase new software. Whilst obviously painful for the customer, this represented a significant improvement from the initial $1.5 – $1.9million offer.

Learning Lessons from an IBM Audit

As with most audit defence cases, the customer acknowledged that if they had engaged with a professional audit defence team to begin with, the audit would not have resulted in such a negative outcome and would have been resolved far sooner than the eventual two-year timeframe.

The major lessons learned from this audit can be summarised as follows:

  • Ensuring compliance proactively prevents nasty audit surprises
  • Having a pre-planned audit defence process greatly improves a customer’s audit defence response, prevents an audit from getting out of control, and avoids unnecessarily sharing harmful data
  • Agreements with third-party providers that involve the provision of software licences should have a clear contractual understanding of who is responsible for licensing compliance
  • If in any doubt, engaging with an audit defence specialist will reduce the pain experienced in a software audit

IBM customers, or customers of any major software vendor, should contact a specialist licensing consultancy provider such as FisherITS to ensure an audit does not result in an unnecessarily large and unplanned noncompliance payment.