The three year audit cycle and how IBM tracks it.
IBM revisits accounts on a recognizable rhythm, and three years since the last review is one of the clearest signals that you are due. Understanding the cycle turns the audit from a surprise into a date you can prepare for.
Software audits feel random to the company receiving the letter, but from the vendor side they follow patterns. One of the most reliable is the interval since the last review. An account that has gone three or more years without an audit is statistically overdue, and that interval is among the common triggers that move an account up the queue. Treating the cycle as knowable is the first step to never being caught flat.
Why three years recurs
The interval is not a contractual promise of frequency, but a practical rhythm. Enough time has to pass for an estate to drift: new deployments, virtualization changes, staff turnover, and renewals all accumulate. Three years is roughly how long it takes for the gap between entitlement and deployment to widen enough to be worth a vendor's effort, which is why it shows up so often as the spacing between reviews of the same account.
What else moves you up the queue
Time is one signal among several, and they compound. Non-renewal of support and subscription, heavy use of high-risk products such as WebSphere, Db2, Cognos, MQ, Maximo, and Tivoli, requesting support for a product that does not appear in your entitlements, and bundling misuse all raise the profile of an account. A renewal negotiation can itself surface the deployment data that prompts a review. The three year interval is the baseline; these factors decide which overdue accounts get picked first.
- Three or more years since the last audit is a baseline trigger
- Support or subscription non-renewal signals a changing relationship
- Heavy use of high-risk products raises audit probability
- Requesting support for an unlicensed product is a visible flag
- Renewal discussions can expose the deployment picture
Using the interval to prepare
The value of understanding the cycle is timing. If your last audit closed about three years ago, you are in the window, and that is the moment to run an internal reconciliation rather than wait for a letter. Verify ILMT coverage and reports, confirm metrics per entitlement, and resolve any deployment that has outgrown its license while it is still an internal task. A gap you find yourself is a remediation; the same gap found by IBM arrives already priced.
From reactive to scheduled
Mature IBM estates stop treating audits as events and start treating readiness as a calendar item tied to the cycle. Knowing roughly when you are due lets you align an internal review with the interval, so that when a notice does arrive your position is already built. That is the buyer side posture: the audit timing is not a secret to fear but a schedule to work against.
The three year interval makes the audit a date, not a surprise. If your last review closed roughly three years ago you are in the window, so an internal reconciliation of ILMT, metrics, and deployments now means the notice arrives to a position you already built rather than one IBM gets to price.
Coming up on three years since your last audit?
Our Audit Defense engagement runs the internal reconciliation while it is still your timeline, so when the notice arrives your compliance position is already built and evidenced.
See Audit Defense →The IBM Audit Brief
Audit triggers, ILMT pitfalls, and settlement tactics for IBM software buyers.
Independent, buyer side IBM software audit defense and negotiation. Not affiliated with IBM Corporation.