For over 15 years, IBM has been one of the most active software publishers in performing license verification activities. After a small break (due to the global Covid pandemic), the license verifications started again at full throttle. In addition, with the introduction of IBM’s Cloud Paks, the governance for the end-user organizations became even more complex due to the new container licensing model based on product ratios and Virtual Processor Core (VPC) metric. If you’re an IBM user, what are your options when it comes to license verifications?
IBM follows three different procedures to conduct a license verification:
1. Self-assessment
A self-assessment is initiated by IBM and the software publisher relies on the data provided/declared by you as an end-user. The “testing” activities (e.g.: a sample test on the whole IT environment and data completeness checks) are typically not part of the “self-assessment”. Usually, this type of verification is conducted on small-sized end-users or done for reduced product scope (e.g.: where IBM expects that there is a lack of governance on a specific software program). Depending on how the self-assessment is progressing, IBM may decide to turn the self-assessment into an official standard audit.
2. Standard audit
A standard audit is conducted by IBM and a Third-Party Auditor (Deloitte or KPMG). The audit is invoked through the “Compliance Verification” clause included in the Passport Advantage Agreement and is the most “invasive” verification. Invasive because the auditor will analyze the deployment and use of the IBM programs from the last 2 years and will require end-users to run scripts, conduct (positive and negative) sample testing and it typically also includes an onsite visit (which can be done remotely as well if need be). As a rule of thumb, each IBM customer is audited every 2-4 years.
3. IBM Authorized SAM Provider Program (IASP)
This program is an IBM Partner assisted self-reporting program, in which details and how IBM consumption reporting is managed is very strictly defined by IBM. In this program, an end-user signs up for the IBM services with one of a very select few IBM approved partners (Anglepoint, KPMG, EY, or Deloitte) to become their IASP Service provider. The benefits presented to the end-users include the limitations of receiving a formal IBM audit and optimization of the contract if the customer remains active on this program. In practice, end-users are however on a “continuous audit” and perceive this service as not delivering value to the IASP partner is required to share the deployment and usage data obtained to IBM and does not have the sole interest of the end-user at heart.
More details on IBM’s Verification practices can be found here.