The Challenge
A Northeast US defence and aerospace contractor with approximately 9,500 employees received a standard IBM licensing audit notice in early 2026. The organisation operated under strict government security protocols, maintaining physically and logically separated classified and unclassified networks to comply with ITAR (International Traffic in Arms Regulations) and DoD Information Security directives. These separation requirements meant that any system or network architecture information could potentially be classified as Controlled Unclassified Information or higher.
The client's IBM environment included Db2 database servers, MQ messaging platforms, and Rational engineering tools deployed across both network tiers, supporting engineering design, manufacturing systems, and operational networks. IBM's preliminary estimate, based on purchase order history and assumed coverage, projected a $5.4M underpayment claim. However, the fundamental problem was structural: IBM's third-party audit firm required detailed ILMT (IBM License Metric Tool) reports, deployment logs, system inventory data, network topology documentation, and utilisation metrics to validate the claim. This information could not be disclosed to external auditors without violating security classification protocols, export control regulations, and DoD handling requirements.
The security officer and IT compliance team faced an intractable conflict: provide sufficient technical detail to defend their licence position and demonstrate compliance, or maintain classified network security and protection of sensitive government contractor information. IBM had already indicated that non-compliance with audit requests could trigger enforcement action, potential support suspension, and possible escalation to legal intervention. The organisation had 90 days to respond.
The Approach
Rather than force a choice between audit cooperation and security compliance, Redress developed a two-track strategy:
1. Redacted ILMT Compliance Reporting
We designed a reporting framework decoupling inventory aggregation from system identification. Instead of submitting raw ILMT data and deployment logs—which would expose classified system names and network architecture—we aggregated licence usage and provided summary metrics satisfying IBM's audit requirements while redacting security-sensitive elements.
The redacted report included installation counts, processor allocations, and licence metrics by product family, but did not identify which systems were classified, their locations, or DoD relevance. This preserved audit integrity while maintaining classification boundaries.
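As an added illustration of the decoupling described above (example code written for this page, not the client's, Redress's or IBM's tooling), the script below collapses an ILMT-like per-host inventory into product-family totals, compares deployed processor value units (PVUs) against entitlements, and then checks that no hostname, address, site or network-tier value from the source rows survives into the outbound report. The field names, hostnames, sites, PVU figures and entitlement counts are all constructed for the example; a real ILMT export has its own column layout.

```python
"""Aggregate an ILMT-style inventory into a redacted, product-family-level report.

Added example, not the client's or IBM's tooling. Input rows, field names,
PVU figures and entitlements are constructed for illustration.
"""
from collections import defaultdict
import json

# Fields that identify systems, locations or classification status. None of
# these may appear in what leaves the organisation.
IDENTIFYING_FIELDS = ("host", "ip", "site", "tier")

# Constructed sample rows in an ILMT-like shape (every value is made up).
INVENTORY = [
    {"host": "db2-eng-01", "ip": "10.40.1.11", "site": "Bldg 7 (SCIF)", "tier": "classified",
     "family": "Db2", "product": "IBM Db2 Advanced Edition", "pvu": 280},
    {"host": "db2-mfg-02", "ip": "10.20.3.5", "site": "Plant A", "tier": "unclassified",
     "family": "Db2", "product": "IBM Db2 Advanced Edition", "pvu": 140},
    {"host": "mq-ops-01", "ip": "10.40.2.20", "site": "Bldg 7 (SCIF)", "tier": "classified",
     "family": "MQ", "product": "IBM MQ", "pvu": 70},
    {"host": "mq-ops-02", "ip": "10.20.2.21", "site": "Plant A", "tier": "unclassified",
     "family": "MQ", "product": "IBM MQ", "pvu": 70},
    {"host": "rtc-eng-01", "ip": "10.20.5.9", "site": "Plant A", "tier": "unclassified",
     "family": "Rational", "product": "IBM Rational Team Concert", "pvu": 140},
]

# Constructed entitlement figures (PVUs owned per product family) taken from
# purchase records rather than from the inventory.
ENTITLEMENTS = {"Db2": 420, "MQ": 140, "Rational": 210}


def aggregate_by_family(rows, entitlements):
    """Collapse per-host rows into per-family metrics.

    Only the family name and numeric totals are carried forward; the
    classified/unclassified tier is deliberately summed away so the report
    cannot reveal how many installations sit on which network.
    """
    installs = defaultdict(int)
    pvu = defaultdict(int)
    for row in rows:
        installs[row["family"]] += 1
        pvu[row["family"]] += row["pvu"]

    report = []
    for family in sorted(installs):
        deployed = pvu[family]
        entitled = entitlements.get(family, 0)
        report.append({
            "family": family,
            "installations": installs[family],
            "deployed_pvu": deployed,
            "entitled_pvu": entitled,
            # Positive only when deployment exceeds what was purchased.
            "shortfall_pvu": max(0, deployed - entitled),
        })
    return report


def find_leaks(report, rows):
    """Return identifying values from the inventory that appear anywhere in the report.

    The report is serialised once and each identifying value is searched as a
    substring, so a hostname smuggled into a free-text note is caught too.
    An empty list means the report is clean.
    """
    serialised = json.dumps(report)
    leaks = set()
    for row in rows:
        for field in IDENTIFYING_FIELDS:
            value = str(row[field])
            if value and value in serialised:
                leaks.add(value)
    return sorted(leaks)


if __name__ == "__main__":
    redacted = aggregate_by_family(INVENTORY, ENTITLEMENTS)
    leaks = find_leaks(redacted, INVENTORY)
    if leaks:
        raise SystemExit(f"refusing to release report, identifiers present: {leaks}")
    print(json.dumps(redacted, indent=2))
```

The leak check is the part worth keeping even if the aggregation logic is replaced: it treats the inventory itself as the blocklist, so the outbound file is refused whenever any identifier from the source rows reappears, whether in a structured field or in a free-text remark added by hand.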
2. Negotiated Acceptance with IBM
We engaged IBM's licensing team and third-party auditor to explain the security constraints and propose an alternative validation pathway. We established that redacted reporting constituted compliance with legally binding security requirements, not evasion, and demonstrated that aggregated reporting could give IBM sufficient evidence to validate licence claims.
IBM's audit firm agreed that licence validation could proceed based on aggregated deployment metrics and certificate-of-compliance rather than system-by-system disclosure. This meant the organisation could be audit-responsive without violating security protocols.
3. Technical Licence Defence
Analysis of purchase orders, maintenance agreements, and deployment records revealed the client's actual IBM licence position was substantially stronger than IBM's preliminary $5.4M estimate. Legacy perpetual licences, active maintenance agreements, and compliant deployments meant the calculated position nearly matched actual expenditure. The estimated underpayment did not withstand technical scrutiny.
4. Enterprise License Agreement Restructuring
We negotiated a new 3-year ELA reflecting actual deployment patterns and incorporating explicit audit-specific provisions respecting classification boundaries. This eliminated future audit friction and created a sustainable compliance framework.
The Outcome
The $5.4M claim was closed at $0 settlement. IBM accepted the redacted ILMT compliance report in full, and the vendor agreed that future audits would follow the same security-compliant protocol, allowing the organisation to remain audit-cooperative and responsive while maintaining its ITAR and DoD security posture without compromise.
Key measurable results achieved:
- Claim Resolution: $5.4M underpayment claim closed to zero without any settlement payment, renegotiation of terms, or additional licence purchases.
- Compliance Framework Delivery: ITAR and DoD-compliant audit response protocol established and implemented in 10 weeks, with documented approval from both IBM's licensing team and the client's security officer.
- Security Preservation: Classified system inventories and network architecture remained completely undisclosed; no export-controlled information, deployment details, or security classification data shared with third parties.
- Long-Term Contract Structure: New 3-year Enterprise License Agreement includes built-in, pre-approved security-compliant audit provisions, reducing the risk of future audit escalation and streamlining compliance cycles.
- Operational Efficiency Gain: Contract eliminated the need for ad-hoc redaction processes in future audits—the security-compliant framework is now standard in the ELA, reducing future legal and compliance resource spend.
Key Takeaways
1. Classification Constraints Are Not Audit Blockers
Organisations operating under DoD, ITAR, or other security classification regimes often assume that vendor audit cooperation requires full system disclosure. This is a false binary. Properly structured redacted reporting can satisfy audit requirements while preserving security posture. The key is agreeing on the framework in advance with the vendor and your auditors.
2. Aggregated Metrics Defeat Preliminary Claims
IBM's preliminary $5.4M estimate was based on purchase order history and assumptions about deployment scope. When actual deployment data—even redacted—was aggregated and analysed, it revealed over-provisioning in the preliminary claim. Many organisations accept preliminary claims without technical review; this case shows the value of detailed (and compliant) data analysis.
3. Security Officers Are Audit Partners
Too many vendor audits treat security and compliance as separate functions. This client's security officer became the auditor's primary stakeholder—certifying the redacted report and validating compliance boundaries. This partnership resolved a potential standoff and created a reusable framework.
4. Contract Structure Prevents Audit Escalation
The new 3-year ELA embedded the redacted audit framework into the contract terms, meaning future audits would follow the pre-approved protocol. This eliminated the need to renegotiate compliance boundaries every audit cycle and reduced the risk of IBM escalation.
Facing an IBM audit or licensing compliance challenge?
Get a compliant audit defence strategy tailored to your environment and risk constraints.