ibm audit defence strategies: eric chiu - fisher it asset consulting (itam review us annual...

The ITAM Review US Conference 2016 The ITAM Review US Conference 2016

Upload: martin-thompson

Post on 14-Jan-2017


Category:

Technology



TRANSCRIPT

Page 1: IBM Audit Defence Strategies: Eric Chiu - Fisher IT Asset Consulting (ITAM Review US Annual Conference 2016)


Page 2

IBM Audit Defense

Eric Chiu
Managing Director, Fisher IT Asset Consulting

Page 3

Who we are

Introducing Fisher IT Asset Consulting
§  Part of HW Fisher & Company
§  London | Europe, US and Australia
§  Poacher-turned-Gamekeeper
§  IBM+ Services
•  Licence Compliance & Optimization
•  Deloitte/KPMG Audit Defense
•  ILMT Readiness & Certification
•  LMO Readiness & Certification
•  Mainframe Compliance & Optimization

Page 4

Agenda

What are we covering today
§  Why IBM is auditing its loyal customers
§  Case Study - value of audit defense
§  IBM Audit Lifecycle & Defense Tactics
§  Top IBM Compliance Risks
§  Best defense – proactive management
§  License Management Options

Page 5

Why IBM Audits

Desperate times, desperate measures
•  Oct 2014 – IBM drops Earnings Per Share Target ($20)
•  Feb 2016 – IBM announces reorganization of business
•  July 2016 – IBM faced 17th consecutive quarter of decline

Revenue Generation: Software business contributes nearly 50% of group profit; over 20% of software revenue is from compliance

Forced New Business: Compliance settlement figures are often offset by commitments toward new product purchases or Enterprise Agreements

Page 6

Audit without Defense

OWNED VS DEPLOYED

Part #    Product                      OWNED    DEPLOYED   UNDER-LICENSED   OVER-LICENSED
D55MRLL   Domino Utility Server        2 600    1 200      -                1 400 PVU
D17BALL   Cognos BI Analytics Admin    5        210        205 users        -
D175DLL   Cognos BI Analytics Expl.    40       0          -                40 User
D17BGLL   Cognos BI Analytics User     175      0          -                175 User
D56FELL   TSM                          44 880   44 880     -                -
D55WJLL   WAS Network Deployment       8 800    28 000     19 200 PVU       -

Page 7

Post-Defense Position

OWNED VS DEPLOYED – Post Optimisation

Product                      OWNED    DEPLOYED   NEEDED
Domino Utility Server        2 600    1 200      800
Cognos BI Analytics Admin    5        210        10
Cognos BI Analytics Expl.    40       0          0
Cognos BI Analytics User     175      0          200
TSM                          44 880   44 800     44 800
WAS Network Deployment       8 800    28 000     20 000

MISSING / SURPLUS callouts: 11 200 PVU, 5 users, 205 users, 19 200 PVU, 25 Users

Page 8

Value of Audit Defense

§  Executed as a Self-Declaration

§  Cash Expenditure reduced from £7.1m to £1.62m

§  Year 2 Renewal reduced from £2m to £1.26m

§  Converted to SSSO from PA

§  “Happy” Customer & IBM

Page 9

The IBM Audit Lifecycle

How does a typical IBM license audit happen?

§  Selection
§  Notification
§  Scoping & Initiation
§  Data collection
§  Data analytics and validation
§  Factual accuracy discussion
§  3-way hand-over
§  Settlement discussions

Page 10

Audit Candidate Selection

What IBM & Auditors typically do
§  Select customers for audit based on risk and rewards
§  Clear internal conflicts and politics

What customers can do
§  Maintain a good relationship with IBM
§  Negotiate the audit clause out of the contract
§  Understand the licence models and do NOT sign up to models that you cannot manage
§  Understand risk indicators (e.g. sub-capacity, M&A, high growth) and demonstrate control

SPEND: Customer’s purchase level with the vendor
ORG: Organisational structure complexity
CHANGE: Level of organisational change such as M&A activities
COMPLEXITY: Complexity of licensing model agreed
PATTERN: Purchase pattern that does not reflect growth
MATURITY: SAM maturity intelligence gathered from account team

Page 11

Audit Notification

What IBM & Auditors typically do
§  Send a formal audit notification letter to notify customers of the audit
§  Specify contact details of the IBM compliance manager
§  Specify timeframe and audit partner
§  Chase for a ‘kick-off’ meeting

What customers can do
§  Define a project team to manage the audit, and assign a Single Point of Contact (SPOC)
§  Take ownership of the timeline
§  Apply delaying tactics and launch an internal audit immediately if you lack visibility of and confidence in licence compliance

Ask Yourself
•  Can you measure non-PVU software usage?
•  Do you discover non-Windows, test/dev servers?
•  Is your knowledge based on facts or words?

Page 12

Audit Scoping & Initiation

What IBM & Auditors typically do
§  Walk you through what will happen in an audit (could be intentionally vague about data requirements)
§  Propose audit scope
§  Propose project plan

What customers can do
§  Request an NDA
§  Request clarification and review of data requirements before any commitment
§  Control the scope of the audit to your advantage (e.g. expand or limit)
§  Take ownership of the project timeline after data requirements and scope are agreed

Page 13

Data Collection

What IBM & Auditors typically do
§  Remote data collection
§  Onsite data collection

What customers can do
§  Ensure all data collection requests are reviewed by the SPOC
§  Ensure all communications are through the SPOC
§  Limit the scope of scripts to be executed and onsite validation samples
§  Ensure data sets released are of good quality and do not conflict with each other
§  Ensure you understand the use and impact of each data set released

•  Interviews: auditors talk to your staff and collect information verbally or through observation
•  Self-declaration: a guided template for you to supply software usage information
•  Request existing records: any existing data that you already have from CMDB or tools
•  In-App reports: generate built-in reports in some applications, such as user or connection reports
•  Execute scripts / tools: run auditor’s bespoke software and hardware inventory scripts

Challenge requests that you are not comfortable with

Page 14

Data analytics and validation

What IBM & Auditors typically do
§  Consolidate data and generate reports
§  Ask additional follow-up questions

What customers can do
§  Use a consistent review and communication protocol as per Data Collection stage

Page 15

Factual Accuracy Discussion

What IBM & Auditors typically do
§  Present you with a Draft Effective Licence Position Report with initial findings
§  Seek your factual accuracy confirmation (agreement) to the Draft Report

What customers can do
§  Investigate the compliance issues in detail, on both licence and usage quantities. Involve the team that provided the data and product owners.
§  Validate the auditor’s documented comments and assumptions
§  Seek clarification of items that you do not fully understand
§  Only provide ‘agreement’ with heavy caveats

Page 16

3-Way Hand-Over

What IBM & Auditors typically do
§  Close the ‘fact-finding’ part of the audit, and confirm compliance observations
§  Discuss settlement timeframe

What customers can do
§  Highlight disagreements on any compliance observations
§  Do not commit to any settlement timeframe proposed
§  Start preparing for settlement negotiation strategies

Page 17

Settlement Discussions

What IBM typically does
§  Send an initial cash quote with very high figures (‘the stick’)
§  Offer concessions and discounts if valid mitigation circumstances are provided
§  Part-cash, part purchase commitment offers
§  Partial settlement offers

What customers can do
§  Create strong mitigation circumstances
§  Request waivers
§  Use time to your advantage

•  Revenue Timing
•  Revenue Target
•  Future Revenue Possibility
•  Customer Relationship
•  Mitigation Strength
•  Vendor Goodwill

Page 18

Top IBM Software Compliance Risks

Virtualisation (Sub-capacity)

User role & access definition

Server role definition

Multiplexing

Application specific restrictions

3x – 8x

20x – 50x

2x – 5x

50x – 100x

2x – 3x

Page 19

Don’t forget Mainframes

§  Unlicensed Product & Features: The built-in SCRT report on average only reports 75% of the enabled products and features
§  Sysplex & Sub-Capacity Violation: Stringent eligibility criteria cause non-compliance, which often increases licence cost by 10+ times
§  Complex Licence Calculation: From PSF Printers points to IPLA Value Units, calculating the correct licence count is challenging
§  Undeployed Software: You are charged for all entitled MLC titles in your contract even if they are not deployed
§  Unnecessary Licensed Capacity: The average licensed capacity excess (unused capacity) is over 20% per mainframe contract
§  Sub-Capacity Licensing Discounts: Many customers are unaware of or unclear about the platforms and products eligible for sub-capacity

Page 20

IBM – Proactive Management

Top Down

Bottom up then

What we have bought?

PVU

Non-PVU

ILMT Deployment & Validation: Bundling, coverage & accuracy

Additional Information Required

Design Data Collection: Methodology to measure usage according to charge metrics

Manual Calculation

ILMT Update & Sign-off

Effective Usage, i.e. Licence Consumption

Page 21

License Management Option

Is IBM LMO for You?

§  ESSO/NGSA Customers Only
§  Offered at contract renewal or under audit
§  Replacement of audit clause with self-reporting
§  Must be certified first!

Page 22

Questions?

The ITAM Review UK Conference 2016

Page 23

Thank You