Why IBM uses third party auditors.
The use of Deloitte, KPMG, and a small number of other large accounting firms to deliver IBM software compliance reviews is now the dominant model for Fortune 500 engagements. The reasons are structural. Third party auditors carry an independence narrative that is commercially useful for IBM, they bring a methodology brand that is harder for the customer to challenge, and they free IBM internal compliance resources to focus on the smallest and largest tiers of the customer base.
From the buyer side, the third party auditor presence changes the engagement in five material ways: the contracting structure, the methodology, the posture and tone, the settlement dynamics, and the data handling. Each of these has a buyer side response. The starting point is to recognise that a Deloitte or KPMG audit is still an IBM audit. The contractual right to audit is exercised by IBM, the settlement is paid to IBM, and the auditor is acting on instructions from the IBM Software Group compliance organisation. The buyer side should not be confused by the auditor brand.
Written from the buyer side by independent advisors. We are not an IBM Business Partner. For an orientation to our independence and conflict of interest position, see why independence matters.
How the engagement is structured.
The third party auditor engagement is structured as a tripartite arrangement. IBM holds the contractual audit right against the customer. IBM engages the third party firm to deliver the audit. The third party firm produces a report that is delivered to IBM. The customer is the data subject and the settlement counterparty.
The customer signs a Non-Disclosure Agreement (NDA) with the third party firm, typically at the start of the engagement. The NDA scope is one of the most consequential documents in the audit and is frequently signed without buyer side review. The NDA can include data retention provisions, work product ownership, and dispute resolution language that are unfavourable to the buyer. See the audit data rights guide.
The auditor is not your auditor.
A critical mental model. The third party firm is not acting in an audit capacity for the customer. The work product is not a customer financial audit. The firm is acting as IBM commercial counsel under an engagement letter that names IBM as the client. The customer relationship is incidental. The buyer side discipline is to treat the third party firm as IBM commercial counsel, not as an independent auditor.
Methodology differences.
The Deloitte and KPMG methodologies differ in detail but share a common structure of three phases: scoping interview, data collection, and reconciliation against entitlement.
Scoping interview.
The scoping interview is the first formal step. The third party firm asks for an overview of the IBM estate, the deployment environments, and the licence management processes. The interview output shapes the data request that follows. The buyer side preparation for the scoping interview is the single highest leverage moment in the audit, and the one most often handled poorly. See the audit notification response guide.
Data collection.
The data request is more granular than an IBM internal audit data request. Deloitte and KPMG typically ask for ILMT exports, virtualisation inventory, Active Directory and CMDB extracts, server build sheets, and in some cases hypervisor configuration files. The data request volume is typically two to three times what an IBM internal audit would request. The buyer side response is to scope the request to the contractually obligated data, not the requested data. See data rights.
Reconciliation.
The reconciliation matches deployed inventory against entitlement at the product, version, and licence metric level. The reconciliation is where the third party methodology adds the most rigour. The findings are typically more granular, more product specific, and more difficult to dispute than an IBM internal audit would produce. The buyer side response is to dispute the reconciliation at the methodology level, not the finding level.
Posture and tone.
The Deloitte and KPMG engagement teams are typically more measured in tone than an IBM internal compliance team. They are also more procedural. The procedural posture cuts both ways. It produces a less aggressive conversation but it also produces a less negotiable one. The third party auditor has limited authority to deviate from the documented methodology. Concessions are routed through the IBM commercial team rather than the auditor.
The implication for the buyer side is that the auditor relationship is not the settlement relationship. Buyer side energy spent on the auditor relationship is energy spent in the wrong place. The settlement relationship is with IBM Software Group commercial. The auditor is delivering the input to that conversation, not running it.
Settlement dynamics.
The third party audit produces a findings report delivered to IBM. The settlement conversation begins after the report is delivered. Three structural patterns recur in third party audit settlements.
First, the settlement is typically larger as a starting position than an IBM internal audit settlement. The third party report carries methodological authority that is harder to dispute, and the IBM commercial team typically opens at the full report number.
Second, the settlement is typically faster to close once the structural disputes are resolved. The third party report has framed the conversation, and the negotiation tends to converge once the methodology disputes are settled.
Third, the settlement is more frequently bundled into a forward commitment. The third party audit creates a natural opportunity for IBM to propose an ELA, a multi year prepay, or a Cloud Pak migration as the settlement structure. The bundled settlement is sometimes attractive to the buyer side but the structure should be evaluated on its forward economics, not on the audit relief it provides. See ELA vs Passport Advantage.
The buyer side response playbook.
Five plays anchor the buyer side response to a Deloitte or KPMG IBM audit.
Play one. Review the NDA before signing.
The NDA is the single most consequential document signed in the audit. Buyer side counsel should review it. The data retention, work product ownership, and dispute resolution clauses are the priority review areas.
Play two. Scope the data request to the contract.
The contractual audit right defines the data IBM is entitled to. Most third party data requests exceed the contractual scope. Scoping the request to the contractual scope is a legitimate buyer side response and rarely contested when documented.
Play three. Run the reconciliation in parallel.
The buyer side should run an independent reconciliation against entitlement before the auditor delivers the findings. The independent reconciliation is the evidence for the methodology dispute. See the self assessment guide.
Play four. Engage IBM commercial directly.
The auditor delivers the input. The settlement is with IBM commercial. The buyer side should establish the IBM commercial relationship early in the audit and route the substantive conversations there.
Play five. Negotiate the settlement structure, not just the number.
The settlement number is one variable. The settlement structure is the larger variable. A bundled forward commitment that resolves the audit can be the right answer or the wrong answer depending on the forward economics. The buyer side should evaluate the structure independently. For the settlement negotiation guide see the linked article.
Where to go next.
For the integrated audit defense methodology that frames the third party auditor response, see the audit defense complete guide. For the audit data rights that anchor the data request response, see audit data rights. For the settlement negotiation playbook, see the settlement guide. For the audit triggers that precede the third party engagement, see audit triggers. For the legal rights framework, see your audit rights. For the audit defense service, see the audit defense service page.
For a scoped advisory conversation about an active Deloitte or KPMG IBM engagement, the contact page is the entry point. A senior advisor responds within 24 hours.