IBM Software Audit Checklist
- License Entitlements: Purchase orders, certificates, and agreements.
- Deployment Records: Installation logs, server inventory.
- ILMT Reports: Quarterly reports, proof of compliance.
- Usage Data: PVU calculations, user access logs.
- Maintenance Contracts: Proof of support and renewals.
IBM software audits can be challenging and time-consuming, especially if organizations are not fully prepared. The best way to ensure a smooth audit is to have all necessary documentation ready in advance.
This article provides a detailed checklist of the documents and records organizations should prepare to expedite and simplify the IBM audit process.
By having these documents readily available, companies can significantly reduce the risk of penalties and improve their audit outcomes.
1. Proof of License Entitlements
Proof of License Entitlements is the cornerstone of the audit process. These documents show that you have the right to use the IBM software in your environment.
- Purchase Orders: These confirm the purchase of licenses and establish the quantities and versions of software bought.
- License Certificates: Certificates issued by IBM that detail the software products and license rights you are entitled to.
- License Agreements: Copies of IBM’s licensing agreements, including any amendments or addenda, to understand the terms of your license entitlements.
- Renewal Records: Documents detailing any renewals of licenses or subscription-based services to verify continuity of entitlements.
Best Practice: Keep all proof of license entitlements in a centralized location and ensure they are up-to-date, reflecting any upgrades, renewals, or additional purchases.
2. Deployment Records
Deployment records are essential for proving where and how IBM software is deployed in your organization.
- Installation Logs: Maintain logs of every installation of IBM software, including product name, version, and installation date.
- Deployment Maps: Network or system diagrams that map the software installations within your IT infrastructure.
- Virtual Environment Details: Details on how IBM software is deployed in virtual environments, including specifics of each virtual machine and host configuration.
- Server Inventory: A comprehensive list of all servers where IBM software is installed, including their hardware specifications.
Best Practice: Maintain a live document that records all new software installations and removals. Ensure the IT team updates this document promptly to keep it accurate.
3. IBM License Metric Tool (ILMT) Reports
If you are using sub-capacity licensing, the IBM License Metric Tool (ILMT) is mandatory to demonstrate compliance. Proper ILMT reports are critical for validating your sub-capacity licensing eligibility.
- Quarterly ILMT Reports: Generate and retain ILMT reports at least once every quarter, as IBM requires.
- Report Retention: Ensure that reports are retained for at least two years, as they may be needed for historical audit checks.
- Health Check Logs: Keep logs showing that ILMT agents are deployed on all applicable servers and that data collection occurs as required.
- Sub-Capacity Compliance Records: Records that show compliance with sub-capacity requirements, including proof of correct ILMT setup and maintenance.
Best Practice: Automate ILMT report generation and retention to prevent lapses. Store these reports centrally, with backups, to avoid data loss.
4. Usage Data and Metrics
Usage data provides IBM auditors with insight into the actual usage of IBM software within your environment. This helps IBM verify that usage matches entitlements.
- Processor Value Unit (PVU) Calculations: PVU consumption data provides a breakdown of the processing power used by each instance of IBM software.
- User Access Logs: Logs of named users who have accessed IBM applications for user-based licensing. This is particularly important for Named User Plus (NUP) licensing products.
- Resource Allocation Records: Data showing how server resources, such as CPU and memory, are allocated to each IBM software deployment, especially in virtual environments.
- Capacity Reports: Reports showing the total server capacity vs. allocated capacity to verify that you comply with your licensing limits.
Best Practice: Regularly review usage data and metrics to ensure they align with your entitlements. This practice helps prevent surprises during the audit.
5. Proof of Decommissioned Software
During an audit, IBM will examine historical deployments and current usage. If the software was once deployed but has since been removed, proof of decommissioning is required.
- Uninstallation Logs: Keep detailed logs for every uninstallation of IBM software, including the date, reason for removal, and relevant system information.
- Decommission Certificates: Formal certificates confirming that software has been uninstalled and is no longer used.
- Decommission Verification: Any documentation that verifies decommissioning steps, such as server wipe logs or deactivation certificates from virtualization platforms.
Best Practice: Archive all decommission records for at least two years to ensure you have proof of compliance for removed software if IBM requests it.
6. Maintenance and Support Contracts
Maintenance and Support Contracts prove that your licenses are covered for updates, upgrades, and support.
- Active Maintenance Agreements: Documentation of any active maintenance or support contracts for IBM software, including coverage dates.
- Renewal Notices: Renewal confirmations for maintenance contracts that demonstrate continuity of support and eligibility for product updates.
- Upgrade Eligibility Proof: Documents showing eligibility for software upgrades based on maintenance agreements or subscriptions.
Best Practice: Consolidate all maintenance contracts in a central repository and update them whenever renewals or changes are made.
7. Third-Party Hosting Agreements
If your IBM software is hosted on third-party infrastructure, specific documentation will be required to ensure compliance.
- Hosting Agreements: Copies of agreements with third-party hosting providers that detail how IBM software is deployed and managed.
- Resource Allocation Proof: Documentation showing the resource allocations provided by the hosting service to verify alignment with IBM’s licensing requirements.
- Sub-Capacity Verification: If using sub-capacity licensing on third-party platforms, ensure IBM approves the hosting provider for sub-capacity usage.
Best Practice: Work closely with your hosting provider to ensure all required documentation is readily available and properly formatted for IBM’s review.
8. Software Asset Management (SAM) Tools Reports
Software Asset Management tools are essential in ensuring compliance and simplifying audits.
- SAM Tool Reports: Reports from SAM tools, such as Flexera or ServiceNow SAM, detailing IBM software installations, usage, and licensing status.
- Compliance Snapshots: Periodic snapshots of your software environment, as generated by SAM tools, provide a comprehensive picture of your compliance status at different points in time.
- Issue Logs: Logs of compliance issues identified by SAM tools and the corrective actions taken to address them.
Best Practice: Use SAM tools regularly to ensure compliance and generate reports that can be used during audits as proof of ongoing management.
9. Virtualization Configuration Records
IBM has specific requirements for software used in virtualized environments. Proper documentation of your virtual setups is essential.
- Virtual Machine Details: List all virtual machines running IBM software, along with their specifications and configurations.
- Hypervisor Information: Documentation on hypervisors used (e.g., VMware, Hyper-V) and how resources are allocated to virtual machines.
- Resource Usage Reports: Reports on CPU, memory, and storage resource distribution among virtual machines hosting IBM software.
Best Practice: If using sub-capacity licensing, ensure that virtualization details are updated and that all virtual machines are included in your ILMT tracking.
10. Internal Policies and Procedures
Clear internal policies and procedures for software deployment and management are crucial for compliance.
- Software Deployment Policy: A documented policy outlining how software deployments are approved, tracked, and managed.
- License Compliance Policy: Procedures for ensuring software installations comply with IBM’s licensing agreements, including guidelines for adding or decommissioning licenses.
- Audit Response Procedures: An internal procedure detailing how to respond to an IBM audit, including roles, responsibilities, and timelines.
Best Practice: Regularly review and update internal policies to align with IBM’s latest licensing requirements and ensure all team members understand their responsibilities.
11. Communication Logs
It is vital to maintain clear communication with IBM auditors during an audit. Communication logs ensure transparency and can help streamline the audit process.
- Emails and Correspondence: Record all communications with IBM, including emails, letters, and meeting notes related to the audit.
- Meeting Summaries: Summaries of any meetings or discussions with IBM auditors that outline what was discussed, any action items, and deadlines.
- Status Updates: Documentation of status updates provided to IBM, including progress on requests for information and any issues encountered.
Best Practice: Assign a single point of contact for all audit communications and maintain detailed logs to ensure consistency and accuracy.
12. Records of Remediation Actions
If previous audits identified compliance issues, documentation of the corrective actions is essential.
- Issue Resolution Documentation: Records showing how compliance issues identified in prior audits were resolved.
- Corrective Action Logs: Detailed actions taken to correct any under-licensing or over-deployment issues.
- Ongoing Monitoring Proof: Proof that ongoing monitoring has been put in place to prevent the recurrence of previously identified issues.
Best Practice: Maintain remediation records as part of your audit preparedness documentation. This shows IBM that your organization is proactive about compliance.
FAQ on IBM Software Audit Checklist
Why is a software audit checklist important for IBM audits? A checklist ensures that all necessary documents are prepared in advance, simplifying the audit process and reducing the risk of non-compliance. It helps streamline information gathering and improves audit outcomes.
What documents should I gather for license entitlements? You should gather purchase orders, license certificates, and any licensing agreements with IBM. These documents are proof of your entitlements and show IBM that your software use is compliant.
Why are deployment records important in an IBM audit? Deployment records show where and how IBM software is deployed. This includes installation logs, server details, and system diagrams, all used to verify software compliance.
What is the role of ILMT reports in an IBM software audit? ILMT reports demonstrate compliance with sub-capacity licensing. IBM requires quarterly ILMT reports to verify that software usage aligns with your licensing agreements, especially in virtual environments.
How should I manage usage data for an IBM audit? Usage data includes PVU calculations, user access logs, and capacity reports. Managing this data ensures you can demonstrate compliance with user-based and processor-based licensing metrics during an IBM audit.
What should be included in maintenance contracts for IBM audits? Maintenance contracts should include active support agreements, renewal notices, and proof of upgrade coverage. These documents show that your licenses are supported and eligible for upgrades.
Why is documentation of decommissioned software needed? IBM may look at historical deployments during an audit. You need proof that any software previously deployed but no longer in use has been properly decommissioned to avoid potential licensing issues.
How do third-party hosting agreements impact IBM audits? If a third party hosts IBM software, hosting agreements must verify how the software is managed and that resource allocations comply with IBM’s licensing requirements, including sub-capacity rules.
What role do SAM tools play in IBM audits? Software Asset Management (SAM) tools, like Flexera or ServiceNow, provide detailed reports on software installations, usage, and compliance. They help simplify the audit process by automating asset management.
How can internal policies and procedures help in an audit? Clear software deployment and management policies ensure that all team members follow consistent processes, reducing the risk of compliance issues during an IBM audit.
What should I include in communication logs during an audit? Keep records of all communications with IBM, including emails, meeting notes, and status updates. This ensures transparency and helps avoid misunderstandings during the audit process.
Why is a cross-functional audit team necessary? A cross-functional team ensures that all aspects of the audit are covered—from IT deployment to legal compliance—making it easier to gather information and respond effectively to IBM’s requests.
How should records of remediation actions be managed? Records of remediation actions show IBM that you have addressed previous compliance issues. Maintaining these records demonstrates your commitment to compliance and may lead to favorable audit outcomes.
What are virtualization configuration records, and why are they needed? Virtualization records include details of virtual machines, hypervisor information, and resource allocations. IBM requires these to verify compliance with licensing in virtual environments, especially for sub-capacity licensing.
How can I ensure that ILMT reports are properly retained? Automate ILMT report generation and store them in a secure, centralized location for at least two years. Back up these reports regularly to avoid data loss and ensure audit readiness.