Why Public-Sector IBM Audits Are Structurally Different
IBM audits of government entities operate in a fundamentally different context from commercial enterprise audits. Public-sector IT environments accumulate complexity over decades — infrastructure purchased across multiple budget cycles, administered by multiple agencies, under multiple contracts, and supported by procurement rules that often prevented the kind of centralised licence management that commercial enterprises take for granted.
IBM's audit teams understand this complexity intimately. In our experience across more than a dozen public-sector IBM audit engagements, IBM's initial claims against government entities are typically inflated by 85 to 97 percent. The inflation is not arbitrary — it is a calculated opening position that exploits the inherent difficulty government entities face in reconstructing complete entitlement records and demonstrating ILMT compliance across sprawling, heterogeneous infrastructure.
The New York engagement described here is illustrative of the structural patterns IBM exploits in government audits, and equally illustrative of how those patterns can be systematically dismantled by a team with deep IBM licensing expertise and the patience to reconstruct years of entitlement history from fragmented procurement records.
Client Background: Scale and Complexity
The client is a large New York government entity responsible for public safety infrastructure, transportation coordination, healthcare systems, and citizen-facing digital services. With more than 12,000 employees across 14 agencies, the entity operates one of the most complex public-sector IT environments in the northeastern United States — a hybrid of mainframe, on-premises server infrastructure, and more recently adopted cloud-managed services.
The IBM product footprint at the time of audit was extensive. Core products included IBM Db2 on z/OS (mainframe), IBM WebSphere Application Server across multiple agency web platforms, IBM MQ for inter-agency messaging, IBM Cognos Analytics for public reporting and budget management, IBM SPSS Modeler for public health analytics, and IBM Security QRadar deployed across the entity's centralised security operations centre.
The entity had held a series of IBM Enterprise Licence Agreements over the prior decade, with the most recent ELA expiring eighteen months before the audit notice arrived. Post-ELA expiration is one of IBM's most reliable audit triggers — IBM knows that organisations that have relied on ELA coverage often allow compliance monitoring to lapse after the agreement ends, and that the transition period creates measurable gaps between deployed entitlements and actual usage. This is particularly pronounced when the ELA era covered PVU-licensed middleware that is now being migrated to VPC-based Cloud Pak deployments, where the metric transition itself creates additional documentation gaps IBM exploits.
IBM's $35 Million Claim: Four Principal Components
IBM's audit notice arrived in January 2023, covering the period from 2019 through 2022. After a carefully managed 90-day data collection phase in which we controlled all communications with IBM's audit team and the scope of data submitted, IBM issued preliminary findings structured around four main claim categories.
Component 1: WebSphere Full-Capacity PVU — $14.2 Million
IBM's largest claim element targeted WebSphere Application Server deployments across six agency web platforms. IBM identified ILMT agent gaps on 31 virtual servers spread across three data centres, and applied full-capacity PVU pricing to the entire WebSphere estate for the full audit period. At IBM's published PVU rates for the server hardware in question, the full-capacity claim reached $14.2 million.
The ILMT gaps were real but their cause was explicable: the entity's centralised ITAM team had maintained ILMT coverage for servers directly under its administration, but agency-managed servers — provisioned locally without reference to the centralised ITAM team — had not received ILMT agents. This is a governance gap, not a compliance avoidance strategy, and it is a pattern IBM encounters in virtually every multi-agency public-sector environment.
Component 2: Post-ELA Deployment Overages — $9.8 Million
IBM's second claim addressed the period following the expiry of the entity's most recent ELA. Under the expired ELA, the entity had broad deployment rights for specified IBM products. At ELA expiry, those rights reverted to the perpetual licence holdings documented in Passport Advantage. IBM's auditors compared current deployment levels against the retained perpetual entitlements and identified significant shortfalls across Db2, WebSphere, and Cognos Analytics.
IBM calculated the shortfall using full list pricing for each product, producing a $9.8 million figure. This calculation methodology is almost always challengeable: it ignores the sub-capacity licensing options that remain available post-ELA, applies current pricing to historical periods, and fails to credit entitlements that had been acquired during the ELA period but not explicitly documented in IBM's own records.
Component 3: IBM Cognos Authorised User Overcounting — $6.1 Million
IBM claimed that Cognos Analytics had been deployed to a number of Authorised Users significantly in excess of the entity's entitlement. IBM's count of "Authorised Users" included every individual who had been provisioned with a Cognos user account, including accounts created for temporary projects that had long been deactivated, contractor accounts from expired engagements, and duplicate accounts created during a directory migration.
IBM's Authorised User metric covers users who can access the software — but "can access" requires an active, enabled account. Deactivated, expired, and duplicate accounts do not constitute active Authorised Users under the Passport Advantage definition. IBM's overcounting of Authorised Users is a routine audit tactic that inflates claims substantially against organisations that have not conducted regular user account hygiene.
Component 4: IBM QRadar Deployment Scope — $4.9 Million
IBM's fourth claim element addressed QRadar deployment across multiple agency security operations. IBM asserted that the entity's QRadar licensing did not cover certain log source counts and event processing volumes recorded during peak periods in 2021 and 2022, and applied event-based overage pricing to derive a shortfall claim of $4.9 million.
Defence Phase 1: Reconstructing the Entitlement Record
The single most valuable action in this engagement was the reconstruction of the entity's complete IBM entitlement history. Public-sector procurement records are maintained across multiple systems — the central comptroller's office, individual agency procurement departments, IT shared services, and the legacy records management system. IBM's own Passport Advantage portal did not contain a complete record of all entitlements acquired under the now-expired ELA.
Our team spent four weeks working with the entity's procurement and legal teams to compile every IBM purchase order, ELA schedule, Passport Advantage agreement, and contract amendment from the preceding decade. This exercise uncovered three categories of entitlements that IBM had not credited in its preliminary findings.
First, the expired ELA had included perpetual licence carry-forward rights for Db2, WebSphere, and Cognos Analytics that were significantly larger than IBM's audit team had assumed. The ELA schedules, properly interpreted, showed that the entity retained perpetual rights to a greater quantity of each product than IBM had credited, reducing the post-ELA overage claim substantially.
Second, the entity had acquired additional Cognos and WebSphere entitlements through a separate state technology procurement framework during 2020 and 2021 that had not been registered in the main Passport Advantage portal. These entitlements were valid but invisible to IBM's auditors. Their inclusion in the entitlement register reduced the relevant shortfall claims by approximately $4.7 million.
Third, a number of IBM product entitlements acquired during an earlier ELA period had been credited by IBM against that agreement's scope rather than retained as standalone perpetual entitlements. Review of the original ELA documentation demonstrated that these were perpetual entitlements that survived the agreement's expiry, providing additional offset against IBM's post-ELA overage claims.
Public-sector IBM audit facing you? Entitlement reconstruction is almost always the highest-value first step.
We have experience across state, municipal, and federal-agency IBM audit engagements in the US and internationally.
Defence Phase 2: ILMT Evidence and Sub-Capacity Challenge
The ILMT gap defence for the WebSphere claim followed the same fundamental approach applied in our commercial-sector engagements, with one important modification for the public-sector context. Government entities often have access to infrastructure telemetry sources — network management systems, capacity planning platforms, and agency-level monitoring tools — that provide rich alternative evidence of sub-capacity usage even where ILMT coverage was absent.
For each of the 31 servers with ILMT gaps, we gathered performance data from the entity's centralised network monitoring platform, the VMware vCenter infrastructure used across two of the three data centres, and agency-level capacity planning reports submitted quarterly to the entity's CIO office. This multi-source evidence package demonstrated sub-capacity usage for 27 of the 31 affected servers throughout the gap period.
For the remaining four servers — older agency-managed physical servers where virtualisation telemetry was not available — we engaged IBM in a separate factual discussion about actual workload characteristics, ultimately agreeing to a blended sub-capacity rate based on the demonstrated usage patterns of comparable servers within the estate.
The sub-capacity licensing principle is straightforward: IBM's ILMT requirement exists to measure actual usage, not to serve as a penalty trigger. Where credible alternative evidence of sub-capacity usage exists, IBM — when presented with a well-documented and professionally supported challenge — will typically accept sub-capacity treatment. The key is that the evidence must be contemporaneous (from the actual gap period), credible (from infrastructure monitoring systems, not retrospective estimates), and comprehensive (covering every server in dispute).
Defence Phase 3: Cognos User Account Hygiene
The Cognos Authorised User challenge required a systematic audit of every user account IBM had counted. Working with the entity's identity management team, we categorised every Cognos user account into four groups: actively accessing the system, provisioned but inactive for more than 90 days, deactivated or locked, and orphaned (no corresponding active directory record). IBM's count of Authorised Users had treated all four categories identically.
The analysis reduced the Cognos Authorised User count from IBM's claimed figure of 3,400 to a verified active count of 1,180 — a reduction of 65%. The additional users IBM had counted were either deactivated accounts from departed employees and expired contractors (which had been retained in the system for audit trail purposes but had no login access), or duplicate accounts created during the 2021 Active Directory migration that had never been deprovisioned.
IBM initially disputed the classification of dormant accounts, arguing that "provisioned" was equivalent to "authorised." We countered with the specific Passport Advantage language defining Authorised User access and provided technical evidence from the Cognos access logs showing zero login activity for the accounts in dispute over the entire audit period. IBM accepted the revised count, reducing the Cognos claim from $6.1 million to $380,000.
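The four-group account split described above, as an added example that is not part of the engagement or any IBM tooling: a small Python classifier run over a constructed account export. The field names, the precedence between groups, and the sample rows are assumptions; the 90-day dormancy threshold and the audit period end are taken from the case study.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from collections import Counter
from typing import Optional

# Constructed sample export (not real data): one row per Cognos account.
# Field names are assumptions, not the Cognos or Active Directory schema.
@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool                 # account enabled and not locked
    last_login: Optional[date]    # most recent Cognos login, None if never
    in_directory: bool            # a matching Active Directory record exists

AUDIT_END = date(2022, 12, 31)    # end of the audit period in the case study
DORMANT_AFTER = timedelta(days=90)

def classify(acct: Account, as_of: date = AUDIT_END) -> str:
    """Return one of the four groups used in the case study.

    Precedence (an assumption): orphaned, then deactivated, then inactive,
    then active, so each account lands in its most serious group only.
    """
    if not acct.in_directory:
        return "orphaned"
    if not acct.enabled:
        return "deactivated"
    if acct.last_login is None or as_of - acct.last_login > DORMANT_AFTER:
        return "inactive"
    return "active"

def summarise(accounts):
    """Per-group counts plus the 'verified active' figure that is the
    number to compare against the Authorised User entitlement."""
    counts = Counter(classify(a) for a in accounts)
    return {"counts": dict(counts),
            "verified_active": counts["active"],
            "provisioned_total": len(accounts)}

SAMPLE = [
    Account("analyst01", True, date(2022, 12, 20), True),    # active
    Account("analyst02", True, date(2022, 6, 1), True),      # inactive > 90 days
    Account("contractor9", False, date(2021, 3, 15), True),  # deactivated
    Account("analyst01_old", True, None, False),             # orphaned migration duplicate
    Account("budget07", True, date(2022, 11, 2), True),      # active
]

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

Only the `verified_active` figure corresponds to users who can actually access the software; the gap between it and `provisioned_total` is the overcount the text describes.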
Settlement: Navigating Public-Sector Procurement Constraints
One of the most distinctive challenges in public-sector IBM audit settlements is the procurement constraint: government entities cannot typically enter into commercial agreements with vendors outside of established procurement frameworks. This creates a structural limitation on some of the settlement structures commonly used in commercial settings — specifically, the "roll the shortfall into a new forward agreement" approach that IBM account teams favour because it counts toward their annual quota.
IBM's fiscal year ends December 31, and settlement discussions in this engagement ran through October and November 2023, giving IBM's commercial team strong Q4 incentive to close. However, the entity's procurement framework required any new IBM commitment above a threshold value to go through a formal competitive or sole-source justification process that could not realistically be completed before IBM's fiscal year-end.
We structured the settlement as a pure retrospective licence acquisition — a one-time payment covering the verified compliance shortfall — combined with a formal IBM acknowledgement that the entitlements acquired under the settlement satisfied IBM's audit findings for the full audit period. This structure was compatible with the entity's emergency procurement authority and could be executed within IBM's Q4 window.
The final settlement of $1.4 million covered verified sub-capacity shortfalls for WebSphere across the gap period (calculated at sub-capacity rates using the multi-source infrastructure evidence), a modest post-ELA Db2 shortfall after crediting the reconstructed entitlement record, and the verified active Cognos Authorised User shortfall. The QRadar claim was withdrawn entirely after we demonstrated that IBM's event volume calculations had used peak measurements from a 48-hour security incident period rather than sustained average usage. An audit moratorium of 36 months was included in the settlement documentation.
Structural Lessons for Government IT Leaders
This engagement illustrates three structural vulnerabilities that are endemic to public-sector IBM relationships. The first is ELA expiry without compliance transition planning. Government entities that rely on ELA coverage to manage their IBM compliance posture need a formal compliance transition programme — including ILMT deployment verification, entitlement reconciliation, and deployment right-sizing — in the twelve months before ELA expiry. IBM's audit triggers activate reliably at the post-ELA transition point.
The second vulnerability is multi-agency ILMT governance. In government environments where IBM software is deployed across multiple agencies with independent IT operations, ILMT coverage cannot be managed solely by the central ITAM team. Every agency IT director needs to understand that ILMT agent deployment is a compliance obligation, not an optional monitoring tool. Gaps in agency-managed servers are IBM audit ammunition.
The third is user account hygiene for Authorised User-metric products. Products licensed per Authorised User — Cognos, SPSS, Planning Analytics, and others — require regular account deprovisioning cycles. Every dormant account, expired contractor, and orphaned record is a licence IBM will count against your entitlement in an audit. Quarterly account reviews are a cost-free compliance investment that government entities consistently neglect.
For public-sector IBM audit defence, ILMT advisory, or ELA transition planning, see our IBM Knowledge Hub or reach out directly via our IBM Advisory Services page.