The Challenge
The pharmaceutical group operates a complex IT infrastructure spanning clinical trial data management, manufacturing systems, and research operations across global R&D and manufacturing sites. IBM InfoSphere serves as the central data governance and master data management platform. IBM Db2 manages clinical trial data in validated manufacturing environments subject to Good Manufacturing Practice (GxP) compliance.
In 2025, IBM conducted an audit of the client's licensing position covering the entire IBM software estate. IBM's preliminary claim centred on two critical findings: first, that historical ILMT (IBM License Metric Tool) deployment records were incomplete or absent in certain manufacturing environments, and second, that the group's IBM Passport Advantage entitlements did not adequately cover observed server and processor deployments in validated Db2 and InfoSphere installations.
The £5.2M claim broke down as follows: £3.1M from alleged InfoSphere under-licensing, £2.1M from Db2 capacity misalignment in validated environments, and additional exposure from IBM MQ deployments supporting GxP-regulated manufacturing integration.
The client faced a fundamental problem: GxP-validated systems require formal change-control approval before any new software (including ILMT) can be deployed. The traditional compliance audit cycle—deploy ILMT, collect metrics, reconcile usage—was unavailable. Change-control processes typically require 3 to 6 months of validation work before new tools can be introduced.
The Approach
Redress developed a parallel-track strategy designed to address the audit claim without requiring ILMT deployment in validated systems. The approach consisted of three concurrent workstreams:
Track 1: Fast-Track ILMT Deployment in Non-Validated Environments
The first priority was to establish current licensing metrics in non-GxP-regulated environments where ILMT could be deployed without change-control constraints. Redress identified IBM InfoSphere and Db2 deployments supporting research data management, analytics workloads, and development environments that did not require GxP validation. ILMT was deployed across this subset of the infrastructure within five weeks, establishing contemporaneous metric data for the non-validated estate.
This achieved two strategic objectives: it demonstrated the client's commitment to transparent licensing compliance, and it generated actual metric data that established baseline consumption patterns and validated the accuracy of the existing server capacity records.
Track 2: Documented Evidence-Based Defence for Validated Systems
For validated manufacturing environments where ILMT deployment was not feasible, Redress constructed a meticulous documented defence using existing historical records. The approach centred on three evidence sources:
- Server capacity records: Historical configurations of Db2 and InfoSphere production servers dating back eight years, captured in the client's IT asset management system and validated by the infrastructure team.
- Change-control logs: Complete audit trails of all system modifications, upgrades, and deployments in validated environments, demonstrating the exact scope of IBM software deployment at each change-control approval.
- Entitlement reconciliation: Line-by-line mapping of Passport Advantage agreements and maintenance contracts against observed deployments, identifying that existing entitlements covered larger capacity thresholds than IBM's preliminary claim suggested.
This evidence base directly challenged IBM's £3.1M InfoSphere claim by demonstrating that the metric used to quantify under-licensing was not supported by the underlying infrastructure documentation. The client's server capacity records showed that observed InfoSphere deployments fell within the bounds of existing PA entitlements when measured against the correct capacity unit.
Track 3: Passport Advantage Entitlement Reclassification
Redress reviewed the client's complete Passport Advantage agreement portfolio dating back to 2018. The analysis identified that certain Db2 capacity entitlements had been acquired under legacy licensing terms but had been incorrectly categorised in the client's internal tracking systems. Specifically, a multi-year PA agreement originally structured as a capacity commitment had been miscoded as a limited deployment entitlement in the client's contract register.
By reclassifying the entitlements to reflect the actual PA contract terms, the client's documented Db2 licensing position showed that the £2.1M claim was entirely misaligned with the actual contractual coverage. The reclassification did not require new licensing purchases—it required correcting how existing contractual rights were tracked.
The Outcome
Over a 16-week engagement, Redress guided the client through the three-track approach. The results exceeded expectations:
- IBM InfoSphere claim (£3.1M): Eliminated. Server capacity records demonstrated that observed InfoSphere deployments in validated environments used only 60 percent of the capacity covered by existing PA entitlements. IBM accepted the evidence and withdrew the InfoSphere claim in full.
- Db2 capacity misalignment (£2.1M): Resolved. The Passport Advantage reclassification showed that existing entitlements covered the full scope of observed Db2 deployments. IBM acknowledged the contractual position and closed the Db2 claim at zero incremental cost.
- IBM MQ deployments: A minor secondary claim regarding MQ licensing was resolved by identifying that MQ entitlements were bundled within existing application server entitlements, covering the observed deployments.
- 12-month ELA extension: As part of the settlement, the client negotiated a 12-month extension of the existing ELA at no cost increase, securing pricing stability through the end of 2027.
- ILMT deployment: The non-GxP ILMT deployment became a permanent capability, providing ongoing transparency into licensing compliance for 70 percent of the IBM software estate, with change-control-compliant expansion planned for validated environments over the following 12 months.
The final settlement was £0 against the £5.2M claim. No new licensing was required. The validated manufacturing systems continued to operate without change-control disruption, and the client established a sustainable licensing compliance model.
Key Takeaways
GxP Constraints Are Not Audit Vulnerabilities
Pharmaceutical, medical device, and regulated manufacturing organisations operate under legitimate change-control constraints that prevent the kind of rapid ILMT deployment possible in commercial IT environments. This does not make the organisation audit-vulnerable. Instead, it requires that audit defence strategies be designed specifically for regulated environments, using documented historical evidence in place of contemporaneous metrics.
Historical Records Are Admissible Evidence
IT asset management systems, change-control logs, and procurement records constitute valid audit evidence for licensing claims covering validated systems. When these records are comprehensive and contemporaneous to the deployments they document, they directly challenge vendor audit claims based on gaps or inconsistencies in metric collection.
Entitlement Reconciliation Often Resolves Claims Faster Than New Purchases
Many IBM audit claims arise not from actual under-licensing, but from misalignment between what the client actually owns (in PA contracts) and how those contractual rights are tracked internally. Before agreeing to new capacity purchases, always conduct a full entitlement reconciliation against the original PA agreements.
Parallel-Track Strategies Work When Single Approaches Fail
The client could not satisfy IBM's audit through a single avenue—neither through rapid ILMT deployment (prevented by GxP constraints) nor through retrospective licensing purchases (economically unjustifiable). The combination of non-GxP ILMT deployment, documented evidence construction, and PA reclassification created sufficient challenge to IBM's claim that the vendor withdrew it entirely.
Timing Matters in Vendor Audits
The engagement was structured as a rapid parallel response: ILMT deployment, evidence gathering, and entitlement analysis proceeded simultaneously. This compressed timeline—delivering challenge evidence within 16 weeks—prevented IBM from establishing a strong negotiating position. Delayed responses frequently lead to extended audit processes and higher settlement pressures.