IBM Audit Defence Strategies: Eric Chiu - Fisher IT Asset Consulting (ITAM Review US Annual Conference 2016)
1. The ITAM Review US Conference 2016
2. IBM Audit Defense
Eric Chiu
Managing Director
Fisher IT Asset Consulting
3. Who we are
Introducing Fisher IT Asset Consulting
§ Part of HW Fisher & Company
§ London | Europe, US and Australia
§ Poacher-turned-Gamekeeper
§ IBM+ Services
• Licence Compliance & Optimization
• Deloitte/KPMG Audit Defense
• ILMT Readiness & Certification
• LMO Readiness & Certification
• Mainframe Compliance & Optimization
4. Agenda
What are we covering today
§ Why IBM is auditing its loyal customers
§ Case Study - value of audit defense
§ IBM Audit Lifecycle & Defense Tactics
§ Top IBM Compliance Risks
§ Best defense – proactive management
§ License Management Options
5. Why IBM Audits
Desperate times, desperate measures
• Oct 2014 – IBM drops Earning Per Share Target ($20)
• Feb 2016 – IBM announces Reorganization of business
• July 2016 – IBM faced 17th consecutive quarter of decline
Revenue Generation: the software business contributes nearly 50% of group profit, and over 20% of software revenue is from compliance.
Forced New Business: compliance settlement figures are often ‘offset’ by commitments toward new product purchases or Enterprise Agreements.
6. Audit without Defense
OWNED VS DEPLOYED
Part #  | Product                   | OWNED  | DEPLOYED | UNDER-LICENSED | OVER-LICENSED
D55MRLL | Domino Utility Server     | 2 600  | 1 200    | -              | 1 400 PVU
D17BALL | Cognos BI Analytics Admin | 5      | 210      | 205 users      | -
D175DLL | Cognos BI Analytics Expl. | 40     | 0        | -              | 40 User
D17BGLL | Cognos BI Analytics User  | 175    | 0        | -              | 175 User
D56FELL | TSM                       | 44 880 | 44 880   | -              | -
D55WJLL | WAS Network Deployment    | 8 800  | 28 000   | 19 200 PVU     | -
7. Post-Defense Position
OWNED VS DEPLOYED – Post Optimisation
Product                   | OWNED  | DEPLOYED | NEEDED | MISSING                         | SURPLUS
Domino Utility Server     | 2 600  | 1 200    | 800    | -                               |
Cognos BI Analytics Admin | 5      | 210      | 10     | 5 users (was 205 users)         |
Cognos BI Analytics Expl. | 40     | 0        | 0      | -                               |
Cognos BI Analytics User  | 175    | 0        | 200    | 25 Users                        |
TSM                       | 44 880 | 44 800   | 44 800 | -                               |
WAS Network Deployment    | 8 800  | 28 000   | 20 000 | 11 200 PVU (was 19 200 PVU)     |
8. Value of Audit Defense
§ Executed as a Self-Declaration
§ Cash Expenditure reduced from £7.1m to £1.62m
§ Year 2 Renewal reduced from £2m to £1.26m
§ Converted to SSSO from PA
§ “Happy” Customer & IBM
9. The IBM Audit Lifecycle
How does a typical IBM license audit happen
Selection → Notification → Scoping & Initiation → Data collection → Data analytics and validation → Factual accuracy discussion → 3-way hand-over → Settlement discussions
10. Audit Candidate Selection
What IBM & Auditors typically do
§ Select customers for audit based on risk and rewards
§ Clear internal conflicts and politics
• SPEND – Customer’s purchase level with the vendor
• ORG – Organisational structure complexity
• CHANGE – Level of organisational change such as M&A activities
• COMPLEXITY – Complexity of licensing model agreed
• PATTERN – Purchase pattern that does not reflect growth
• MATURITY – SAM maturity intelligence gathered from account team
What customers can do
§ Maintain good relationship with IBM
§ Negotiate audit clause out of the contract
§ Understand the licence models and do NOT sign up to the models that you cannot manage
§ Understand risk indicators (e.g. Sub-capacity, M&A, high-growth etc.) and demonstrate control
11. Audit Notification
What IBM & Auditors typically do
§ Send formal audit notification letter to notify customers regarding the audit
§ Specify contact details of IBM compliance manager
§ Specify timeframe and audit partner
§ Chase for a ‘kick-off’ meeting
What customers can do
§ Define a project team to manage the audit, and assign a Single Point of Contact (SPOC)
§ Take ownership of timeline
§ Apply delaying tactics and launch an internal audit immediately if you lack visibility and confidence in licence compliance
Ask Yourself
Can you measure non-PVU software usage?
Do you discover non-Windows, test/dev servers?
Is your knowledge based on facts or words?
12. Audit Scoping & Initiation
What IBM & Auditors typically do
§ Walk you through what will happen in an audit (could be intentionally vague about data requirements)
§ Propose audit scope
§ Propose project plan
What customers can do
§ Request an NDA
§ Request clarifications and review of data requirements before any commitment
§ Control the scope of audit to your advantage (e.g. expand or limit)
§ Take ownership of the project timeline after data requirements and scope are agreed
13. Data Collection
What IBM & Auditors typically do
§ Remote data collection
§ Onsite data collection
• Interviews: auditors talk to your staff and collect information verbally or through observations
• Self-declaration: a guided template for you to supply software usage information
• Request existing records: any existing data that you already have from CMDB or tools
• In-App reports: generate built-in reports in some applications, such as user or connection reports
• Execute scripts / tools: run auditor’s bespoke software and hardware inventory scripts
! Challenge requests that you are not comfortable with
What customers can do
§ Ensure all data collection requests are reviewed by the SPOC
§ Ensure all communications are through the SPOC
§ Limit the scope of scripts to be executed and onsite validation samples
§ Ensure data sets released are of good quality and do not conflict with each other
§ Ensure you understand the use and impact of each data set released
14. Data analytics and validation
What IBM & Auditors typically do
§ Consolidate data and generate reports
§ Ask additional follow-up questions
What customers can do
§ Use a consistent review and communication protocol as per Data Collection stage
15. Factual Accuracy Discussion
What IBM & Auditors typically do
§ Present you with a Draft Effective Licence Position Report with initial findings
§ Seek your factual accuracy confirmation (agreement) to the Draft Report
What customers can do
§ Investigate the compliance issues in detail, on both licence and usage quantities. Involve the team that provided the data and product owners.
§ Validate the auditor’s comments and documented assumptions
§ Seek clarifications for items that you do not fully understand
§ Only provide ‘agreement’ with heavy caveats
16. 3-Way Hand-Over
What IBM & Auditors typically do
§ Close the ‘fact-finding’ part of the audit, and confirm compliance observations
§ Discuss settlement timeframe
What customers can do
§ Highlight disagreements on any compliance observations
§ Do not commit to any settlement timeframe proposed
§ Start preparing for settlement negotiation strategies
17. Settlement Discussions
What IBM typically does
§ Send an initial cash quote with very high figures (‘the stick’)
§ Offer concessions and discounts if valid mitigation circumstances are provided
§ Part-cash, part purchase commitment offers
§ Partial settlement offers
What customers can do
§ Create strong mitigation circumstances
§ Request waivers
§ Use time to your advantage
Settlement factors:
• Revenue Timing
• Revenue Target
• Future Revenue Possibility
• Customer Relationship
• Mitigation Strength
• Vendor Goodwill
18. Top IBM Software Compliance Risks
• Virtualisation (Sub-capacity): 3x – 8x
• User role & access definition: 20x – 50x
• Server role definition: 2x – 5x
• Multiplexing: 50x – 100x
• Application specific restrictions: 2x – 3x
19. Don’t forget Mainframes
Unlicensed Product & Features: the built-in SCRT report on average only reports 75% of the enabled products and features.
Sysplex & Sub-Capacity Violation: stringent eligibility criteria cause non-compliance, which often increases licence cost by 10+ times.
Complex Licence Calculation: from PSF Printer points to IPLA Value Units, calculating the correct licence count is challenging.
Undeployed Software: you are charged for all entitled MLC titles in your contract even if they are not deployed.
Unnecessary Licensed Capacity: the average licensed capacity excess (unused capacity) is over 20% per mainframe contract.
Sub-Capacity Licensing Discounts: many customers are unaware or unclear of the platforms and products eligible for sub-capacity.
20. IBM – Proactive Management
Top Down, then Bottom up
Top Down: What have we bought? (PVU and Non-PVU entitlements)
Bottom up, PVU: ILMT Deployment & Validation (bundling, coverage & accuracy) → Additional Information Required → ILMT Update & Sign-off
Bottom up, Non-PVU: Design Data Collection Methodology to measure usage according to charge metrics → Manual Calculation
Result: Effective Usage, i.e. Licence Consumption
21. Is IBM LMO for You?
License Management Option
§ ESSO/NGSA Customers Only
§ Offered at contract renewal or under audit
§ Replacement of audit clause with self-reporting
§ Must be certified first!
22. Questions?