How to spot an audit coming from IBM signals.
A formal audit notice is the last step, not the first. By the time it arrives, IBM has usually been building the case for months. Reading the earlier signals buys you the most valuable thing in this process: time to prepare. Independent and buyer side. Not affiliated with IBM.
The commercial signals.
The clearest indicators are commercial, not technical. A lapse or non-renewal of support and subscription is the single strongest trigger, because it removes IBM's recurring revenue and creates an incentive to recover value another way. A long gap since the last review matters too: three or more years without an audit moves an account up the list. So does a renewal that stalled, a competitive migration IBM caught wind of, or a sudden drop in spend after years of growth.
- Support or subscription not renewed on a meaningful product
- Three or more years since the last license review
- A renewal negotiation that stalled or ended without a deal
- Signals of a migration away from IBM toward a competitor
The product mix signals.
IBM weights audits toward the products where overage is common and lucrative. Heavy deployment of high-risk middleware (WebSphere, Db2, Cognos, MQ, Maximo, and Tivoli) raises the probability simply because those products carry the metrics that are easiest to get wrong. Rapid growth in any of them, a major virtualization project, or a move into containers and Cloud Pak all change your risk profile, because each introduces a place where sub-capacity rules are easy to break.
The behavioral signals.
Some triggers you create yourself. Requesting support for a product you are not licensed for is a flag, because the support request is itself evidence of an unlicensed install. Asking pointed entitlement questions, downloading newer versions than you own, or expanding a bundled component beyond its allowed scope can all draw attention. An unusually detailed data request from your account team, framed as a routine review rather than an audit, is often the soft opening before a formal one.
What to do in the window.
Spotting the signal is only useful if you act on the time it gives you. The window before a notice is when you run a quiet, independent reconciliation: recalculate PVU per core, confirm the sub-capacity conditions are met, retire idle deployments, and correct ILMT miscategorizations before they become a finding. Anything fixed proactively in this window is a fix. The same item found inside an audit is a back-payment with a lookback that can span several years.
What this means under audit.
Audits feel sudden only to the unprepared. The signals (a lapsed renewal, a stale review cycle, a high-risk product that grew, a support request for an unlicensed install) almost always precede the notice. Treat each as a prompt to contain early. The work you do in the warning window is the same work that wins the audit, done on your timeline instead of IBM's.