IBM audit defense

A best practices guide

Valuable insights and practical steps that you’ll need to optimize your IBM license position proactively and prepare for an audit with confidence.

Speak with an expert Download PDF

Table of contents

The case for proactive audit preparation

Learn how proactive IBM audit readiness can dramatically reduce audit risk, save millions in costs and cut preparation time from months to weeks.

IBM audit rules

Understand IBM’s contractual and reporting requirements so you can stay compliant and avoid costly penalties.

Knowing your licenses and license usage

Discover how to accurately track entitlements and usage across ACEP and UEP programs to maintain compliance and control costs.

Inventory how your organization uses and applies licenses 

Learn how to validate and optimize your inventory data to ensure accurate license reconciliation and prevent compliance gaps.

Understanding and applying use rights

Master IBM’s complex licensing metrics—PVU, VPC, UVU, RVU and more—to avoid over-licensing and unexpected audit findings.

License optimization opportunities

Identify practical strategies to reduce IBM software spend through smarter license allocation, environment sizing and portfolio rationalization.

What to do if you’re facing an audit

Get expert guidance and resources to navigate an IBM audit with confidence and minimize business disruption.

“Flexera empowers us as the IBM experts, playing a key role in achieving substantial yearly savings on underutilized software renewals. We also promptly report any exposure, effectively mitigating audit risk.”

Shelby Day, Senior Analyst, American Airlines Source: UserEvidence

The case for proactive audit preparation

Among all software vendor audits, IBM software audits can be especially challenging and prolific. In fact, according to the Flexera 2025 State of ITAM Report, IBM had the third-highest number of audits over a 3-year period.

As daunting as IBM software audits seem, your next IBM audit doesn’t have to be. By taking some proactive measures, your organization can streamline the audit process and even experience major benefits from proactive audit preparation.

Here are some of those benefits and real examples of how our customers realized them.

Significantly fewer audits and less audit risk

Aviva had 100% audit risk mitigation for two IBM audits.

Cost avoidance

Aviva saved £75M over 5 years with proactive license management.

Time savings

Momentum reduced their audit preparation time from months to weeks.

45% of companies paid $1M+ in vendor audit fines

Flexera leads the industry in audit readiness, giving you the visibility and control needed to stay compliant and avoid costly surprises. Contact our team today to see how Flexera can help you stay ahead of audits and protect your bottom line.

Contact us

IBM audit rules

To comply with the Passport Advantage Agreement, you must submit an annual report of all deployed programs with supporting documents and keep these records for at least two years. IBM may request a report anytime, which must be provided within 30 days. IBM and its auditors can verify license compliance at any site, so accurate records and readiness are required.

Audit readiness best practices

  • Report snapshots must show software classification, license usage and entitlements, with the reporting period clearly labeled in folder or file names.
  • Digitally sign reports to verify approval and timestamp; use Microsoft Excel or Adobe Acrobat Reader DC for signing Excel or PDF files.

Licensing compliance tips

  • Be aware of products that are not eligible for sub-capacity licensing and ensure they are configured appropriately.
  • Accurately classify software components under the relevant IBM products or bundles, in accordance with your IBM license terms.

Tool-specific guidance

  • Reports generated by ILMT must align with your entitlements (PVU-Sub Capacity Report, UVU Licenses, etc.).
  • For IBM Cloud Pak audit snapshots, you will need to run a REST API request (see IBM documentation).
  • If using Flexera One IT Asset Management as a replacement for ILMT, ensure configuration adheres to IBM’s guidelines.
  • Leverage IBM License Service for license usage tracking and reporting container licensing.
  • If using Flexera One IT Asset Management for audit defense, you can view all audit reports, including those for VPC-based Cloud Pak licenses from Flexera One.

Warning

If you’re noncompliant when using IBM License Service for tracking and reporting container licensing, IBM will charge you for ALL the cores in the entire cluster as your penalty.

Did you know?

Flexera One IT Asset Management (ITAM) is the only certified solution for unified sub-capacity reporting by integrating with the IBM License Service.

Discover the Flexera advantage

Knowing your licenses and license usage

Your IBM licenses will fall into two main categories: licenses under an Aggregate Cap Enterprise Program (ACEP) and licenses under an Uncapped Enterprise Program (UEP).

When prepping your ITAM tool to automate license compliance calculations, you’ll need to provide it with your IBM contract, purchase and entitlement data. Here are some tips and best practices for providing that information on ACEP and UEP entitlements.

ACEP

  • Entitlements for IBM licenses under an ACEP will likely have a separate transaction document.
  • ACEP products may be deployed up to an agreed date (the “ACEP Calculation date”) and up to a specified value, based on the Unit Consumption Rate specified in the document.
  • Include some identifying text such as “ACEP” in the name of license records in your ITAM tool for ACEP programs and maintain the entitlement (purchased) count assigned to these licenses to reflect the current maintained entitlement.

UEP

  • Entitlements for IBM licenses under a UEP will likely have a transaction document.
  • UEP programs may be deployed without license quantity limitation subject to the terms agreed with IBM.
  • Include some identifying text such as “UEP” in the name of your license records.

Did you know?

ILMT does not have an option for adding purchases, but Flexera One ITAM does.

Inventory how your organization uses and applies licenses

IBM license types will have different data collection requirements. To scope an IBM license reconciliation project, it is important to understand which products are critical for the initial license position and which you can defer for a later phase. This will help narrow inventory requirements.

Whether using Flexera Inventory or a third-party inventory source, it is imperative to validate the health of the inventory source by looking for abnormalities, such as:

If using Flexera One ITAM to inventory licenses, Flexera automatically matches the IBM SKU to the correct license calculation.

Schedule a demo

Machines where the number of cores or processors = 0.

Machines where the number of cores or processors are unusually high

(e.g., mid-range x86-64 servers with only 1 processor but which are reporting 64 cores).

Virtual machines or partitions without a host, especially if these systems contain sub-capacity PVU-licensed products.

Understanding and applying use rights

As mentioned previously, IBM license types have different data collection requirements and strategies for tracking license usage. Here’s an overview of license metrics and what to consider in ensuring a compliant or optimal position.

PVU and VPC

Peak consumption tracking required

For new installations that do not strictly require license entitlements to be consumed (e.g., because the installation is supporting other licensed software, or the installation is on a cold/warm standby system, etc.), exempt these monthly so they do not unnecessarily increase peak consumption.

Required CPU hardware inventory information

To accurately calculate Processor Value Unit (PVU) and Virtual Processor Cores (VPU) license use, ensure precise CPU hardware inventory from all relevant devices. If hardware details are missing, software installations will not be covered by an IBM PVU or VPC license. Regularly check for IBM software installations without valid licenses; computers lacking required CPU information are included in this assessment.

Sub-capacity vs. full-capacity licensing

Typically, PVU- and VPC-based licenses will be managed on a sub-capacity basis. Sometimes it may be appropriate to license a PVU- or VPC-based license on a full-capacity basis (be sure to identify which IBM products are ineligible for sub-capacity licensing). A common unwelcome IBM audit surprise occurs when you’ve used IBM sub-capacity software on "ineligible technology," e.g., Windows Server 2012, etc.

Don’t pay 8X more than you should

Leverage an ITAM tool (Flexera One ITAM or ILMT) that allows for sub-capacity licensing calculations. Here's an example of why sub-capacity calculations are so important when using IBM WebSphere running on a VM that, in turn, is running on a 32-core physical server.

  • If you're only using 4 of the licensed cores, you'll need to license 480 PVUs (At $100 per PVU, that’s $48k).
  • If you're not tracking sub-capacity, then you’ll be licensing 32 cores or 3,840 PVUs (At $100 per PVU, that’s $384k).

Environmental constraints

PVU and VPC licenses may be designated for use within specific environments, such as “non-production" or "production." In your ITAM tool, identify target environments with enterprise groups (locations, cost centers, business unit) or assign devices to roles such as production, development and test to reflect consumption correctly for each license environment.

Tracking points rules for non-standard IBM SKUs

If using a third-party ITAM tool such as Flexera One ITAM, the SKU library may not recognize non-standard PVU SKUs. If this is the case, you’ll need to manually configure a points rule table to enable license consumption calculations.

UVU

Definition

  • User Value Unit (UVU) licenses: IBM software based on user counts and type; use program-specific ratios.

Key actions

  • Configure user class ratios in your ITAM tool (e.g. 1 user license for 15 "external users").
  • Apply scaling factors to each user class to calculate effective user count (normal, infrequent, external).
  • Implement a process to gather and verify total user counts regularly.

RVU

Definition

  • Resource Value Unit (RVU) licenses: IBM software based on resource units (e.g., devices, cores, transactions) defined in the product documentation.

Pro tip

Schedule quarterly updates to ensure resource values are current and accurate.

Key actions

  • Establish a process to populate resource consumption values into the relevant license regularly.
  • Use business importers to bring in resource metrics (e.g., order lines, managed cores).
  • Manually configure points rule tables for non-standard SKUs in third-party ITAM tools.

Authorized User

Definition

  • Authorized User licenses: Assign entitlements to unique, named individuals, regardless of device count.

Common pitfall

Underestimating minimum quantity requirements can result in licensing gaps.

Key actions

  • Configure appropriate ratios for infrequent/external users and bulk users in your ITAM tool.
  • Ensure purchased quantity meets minimum requirements based on installation counts.
  • Regularly review installation and purchase counts to maintain compliance.

Concurrent and Floating Users

Definition

  • Concurrent/Floating User licenses: Based on the maximum number of simultaneous users at any time.

Pro tip

Flexera’s FlexNet Manager for Engineering Applications can help track concurrent usage of some IBM applications.

Key actions

  • Implement monitoring tools to track maximum concurrent users.
  • Use tracked data to validate license consumption for concurrent/floating user licenses.
  • Ensure monitoring tools are configured to capture maximum current usage accurately.

Installs

Definition

  • Install licenses: Require entitlements for each installed copy of the software.

Common pitfall

Servers and end-user computers may also have a PVU-based license for the same product, so ensure the appropriate devices are consuming the relevant licenses.

Key actions

  • Track installations using inventory data for physical and virtual disks.
  • Identify client devices and confirm license applicability based on IBM definitions.

Client devices

Definition

  • Client devices: Include appliances, ATMs, meter readers, cash registers, end-user devices and servers.
  • IBM licensing differs by device type, so check each device’s classification in the license terms.

Key actions

  • Check IBM license documentation to determine what qualifies as a client device for each application.
  • Ensure client devices are correctly inventoried in your ITAM tool.
  • Verify that servers and end-user computers are consuming the appropriate PVU-based licenses when applicable.

Terabytes

Definition

  • Terabyte licenses: Measure capacity in TB for data stored or managed by the program.

Pro tip

Review tier thresholds regularly to optimize license purchases.

Key actions

  • Use ITAM tools to automatically track and recalculate peak consumption.
  • Consolidate terabyte purchases to align with licensing tiers.

License optimization opportunities

Proactive IBM license management enables so much more than great audit preparation. It also empowers organizations to identify cost saving and license consumption optimization opportunities.

  • Stop paying support and services (S&S)/maintenance entirely for a specific license at a site if no longer needed.

  • Reduce S&S quantities for licenses your organization is no longer using (But be sure future quantities will not increase as the S&S reinstatement costs can be as much as 75% of the purchase price).

  • Regularly review and optimize license allocations, exemptions and bundles.

  • Ensure proper configuration of device roles (e.g., production vs. non-production, cold/warm backups vs. hot environments).

  • Confirm that you’re only counting licenses your organization is responsible for and not licenses from a third-party infrastructure provider.

  • Efficiently size virtual environments (including IBM Power LPARs) to ensure optimal license consumption.

  • Regularly perform application portfolio rationalization by looking for related products from IBM and other publishers to determine if there are less expensive products with the same feature set.

  • Identify and remove software installations your organization isn’t using.

Note: IBM software applications installed via installation methods such as IBM Installation Manager will need to be removed in the same manner as they were installed.

What to do if you’re facing an audit

If you’ve received an audit notice letter, don’t panic. Move forward with confidence and start your audit journey by checking out our guide—10 steps to navigating a software audit.

We also recommend you register for Flexera’s Vendor Audits Readiness Workshop. In these sessions, up to three members of your team will participate in a hands-on workshop with former audit defense practitioners on Flexera’s Solutions Advisory team. These experts will equip you with audit preparation best practices, advice on your rights and obligations during a vendor audit, clarity on the data you’ll need to meet audit demands—and much more.

Request your workshop