What to do in the first 48 hours of an IBM audit notice.

Stop the data.

The single most expensive mistake is returning deployment data before you have validated it. The deployment data collection tool reports what is installed, not what you are entitled to run, and once that raw output is in IBM hands it becomes the baseline for every finding. Acknowledge the notice, but send nothing until the request is scoped and curated.

Preserve the evidence.

Lock down the records that prove your position: ILMT quarterly reports, Proof of Entitlement documents, and your Passport Advantage history. Sub-capacity rights depend on ILMT being installed within 90 days, scanning continuously, and the quarterly reports being retained for two years. If that evidence exists, it is your strongest asset, so secure it before anything changes.

Set the room.

Decide who speaks to IBM and who does not. A single well meaning engineer answering a scope question directly can widen the audit. Route all contact through one controlled channel, and bring procurement and legal in early rather than after the findings.

Read the notice.

Identify the products actually named, the deadline, and the data being requested. The named scope is the boundary, and requests that drift beyond it can be declined. Note the notice date, because the clock that matters runs from there.

What this means under audit.

The first 48 hours are about containment, not calculation. Contain the request, preserve the evidence, control the room, and you preserve the option to build your own compliance position before IBM completes its draft. That is the difference between negotiating from your numbers and reacting to theirs.