Audit Process and Defense
Journal · May 2026 · 7 minute read

Privilege and confidentiality during an IBM audit.

An IBM audit is a data exercise, and every file you hand over becomes part of the record IBM builds against you. Protecting privilege and confidentiality means deciding in advance what runs through counsel, what gets scoped, and what never leaves your network in raw form. Independent, not affiliated with IBM Corporation.

Most companies treat an audit as a compliance chore and start exporting data the moment IBM asks. That instinct is the single most expensive mistake in the process. Once raw deployment data is in IBM's hands, you cannot un-share it, and you have lost the ability to frame what it shows. Privilege and confidentiality are not legal niceties here. They are the controls that keep you in charge of the narrative while you build your own position.

Why the data request is the real exposure.

The audit clause in your Passport Advantage agreement gives IBM a right to verify compliance, not a blank check to your environment. The scope of what you owe is negotiable, and the form it takes matters. A raw ILMT export, an unfiltered discovery scan, or a spreadsheet of every install across the estate hands IBM more than the agreement requires and more than you can defend on the spot. The goal is to satisfy the verification right while controlling what is produced and how it is read.

Route the audit through counsel.

Bringing legal counsel in early, whether in-house or outside, lets the bulk of the analytical work proceed under attorney direction. Internal analysis of your own exposure, the reconciliation of entitlements against deployment, and the strategy memos that follow are far better protected when they are prepared at counsel's request rather than circulated freely as operational email. This does not make facts disappear, but it does keep your working assessment of weak spots from becoming a document IBM can demand.

Practical steps that preserve the position include:

Confidentiality on what you do produce.

Whatever you decide to share with IBM should go out under the confidentiality terms of your agreement and a clear understanding of how IBM may use it. Auditors and the third-party firms IBM engages are bound by confidentiality provisions, and it is reasonable to confirm those terms before data moves. Production should be scoped to the products and the period genuinely in question, delivered in a controlled format, and logged so you have a record of exactly what was handed over and when.

Curate, do not dump.

Containing the data request is the first step of our method for a reason. Nothing should reach IBM until it has been scoped, validated, and reconciled against your own PVU and sub-capacity calculation. A curated production answers the verification right with accurate, defensible numbers. A raw dump invites IBM to find the gaps for you, then price them at full-capacity rates. The difference between those two approaches is frequently the difference between a manageable settlement and a multi-million claim.

What this means under audit

Treat every byte that leaves your network as evidence. Decide what runs through counsel, scope the production to what the agreement actually requires, and reconcile your own numbers before IBM sees a single file. Privilege and confidentiality are how a buyer keeps control of the audit instead of handing IBM the pen.

Common questions.

Can IBM demand any data it wants in an audit?
No. The verification right is bounded by the audit clause in your agreement. You owe enough to demonstrate compliance for the products and period in question, not unrestricted access to your environment. The scope and format of production are negotiable.

Does running the audit through counsel hide non-compliance?
No. Facts remain facts and must be reported accurately. What privilege protects is your internal analysis, strategy, and assessment of weak points, so that your own candid evaluation does not become a document IBM can use against you.

Should we sign IBM's data request as written?
Not before it is scoped. Containing and narrowing the request to what the agreement requires, and confirming confidentiality terms, comes first. Producing raw exports on IBM's template is how avoidable exposure enters the record.