IBM IASP & CVA: No Audits in Exchange for Permanent Transparency

 As an alternative to traditional audit practices, IBM now offers two programs that promise audit exemption: The IBM Authorized SAM Provider Program (IASP) and the Client Value Acceleration Program (CVA). Both approaches promise audit exemption through proactive compliance evidence, but come with specific advantages and disadvantages that decision-makers should carefully consider.

IBM has supplemented traditional audit practices with two cooperative programs. IASP operates through IBM-authorized third parties who act as Software Asset Management Providers and create regular compliance reports together with the customer. CVA extends the IASP approach with additional dashboard functionalities. Both programs aim to transform compliance monitoring from a reactive to a proactive process. Companies can also include only parts of their IT environment in these programs, while non-included areas remain subject to traditional audit rights.

The IBM Authorized SAM Provider Program was introduced in 2019 and aims to improve Software Asset Management and reduce audit and compliance risks. The program operates through one of (currently) four IBM-authorized SAM providers who implement continuous, cyclical monitoring of IBM software assets. These providers evaluate IBM software usage, identify potential compliance issues, and offer recommendations for addressing license gaps. As long as these reports are submitted on time and an authorized provider remains engaged, customers are exempt from the risk of unexpected audit announcements. Participation is by IBM invitation only, though interested companies can apply for inclusion.

The Client Value Acceleration Program (CVA) positions itself as IASP's successor with an expanded approach to software license transparency, budgeting, and compliance. Unlike IASP, participants receive access to special dashboards that provide detailed license usage overviews and are available exclusively in combination with the CVA program.

Both programs prove particularly relevant for companies using sub-capacity licensing. This licensing form enables calculating license requirements based on virtual machines rather than entire physical server capacity, which can enable significant license and cost savings but makes IBM license management considerably more complex. Proper configuration and monitoring of virtual environments requires continuous expertise and appropriate controls. Unlike mainframe software, where regular reporting obligations already exist and additional benefits are correspondingly limited, sub-capacity licensing for Open Systems IBM software poses particularly high compliance risks with potentially costly back-payments.

Both programs are offered free of charge by IBM itself but involve costs for the mandatory SAM provider. These costs vary depending on the chosen scope of services and should be considered by decision-makers in their calculations. This contrasts with traditional audits, where IBM bears the costs for the auditor. The programs unlock their cost-avoidance potential primarily in environments with substantial under-licensing risks, where privileged purchase conditions enable significant savings compared to the list prices typically applied for audit findings.

The decisive financial advantage of both programs lies in handling compliance deviations. When under-licensing is identified during initial baseline creation or in later reports, these can be balanced through agreed purchase conditions from existing bundle contracts. This differs significantly from traditional audit findings, where list prices are typically applied. However, it should be noted that many configuration problems or technical discrepancies that could often be clarified and resolved uncomplicated must be reported to IBM immediately within the framework of the programs.

An often underestimated aspect of both programs lies in the internal perception of compliance deviations. Costs arising from findings in IASP or CVA may be evaluated differently within the company than traditional audit results. Proactive participation in a compliance program may be interpreted as responsible risk management, while audit findings are often perceived as organizational failure. These perception differences can become relevant in internal budgeting and justification of license expenses.

The structure of both programs could raise questions about the objectivity of compliance monitoring. Since IBM has selected the authorized SAM providers and these are active in both audits and alternative programs, conflicts of interest could arise. This dual role could be perceived as problematic, even though IBM and the providers naturally emphasize clear separation of different roles. Companies should always evaluate their SAM providers' recommendations themselves and obtain independent second opinions when appropriate.

A fundamental aspect concerns liability distribution. Despite the involvement of specialized SAM providers, complete license responsibility remains with the customer. While the provider acts supportively, the company continues to bear full risk for compliance violations and their financial consequences.

The programs require direct information transmission to IBM, which can improve planning security, for example when creating Active Use Reports (evidence of active usage, e.g., for product retirement or enterprise licenses). However, this increased transparency can also play a role in strategic considerations. When companies plan medium-term optimization goals for specific IBM products, continuous insight into actual usage provides IBM with a high degree of transparency that one might not want to grant to a provider. This can weaken negotiating positions for follow-up contracts when the provider can draw upon detailed usage data.

Both programs offer monthly cancellation options, so companies are not bound long-term. After exit, however, IBM's standard audit provisions apply again. The possibility of including only selected areas of the IT landscape in the programs enables companies to proceed strategically and specifically address particular areas.

For companies with established SAM processes and clear oversight of their IBM license usage, the described programs grant IBM a high degree of transparency without generating significant added value for the customer. Organizations that professionally manage their software portfolios and can demonstrate transparent license usage often have little to fear from traditional audits.

Many of the stated advantages of IBM programs are based on proven SAM practices that can be realized without specific IBM program structures. An experienced, independent SAM provider can implement the same optimizations and compliance safeguards without companies having to grant comprehensive transparency to IBM.

IASP and CVA certainly offer practical advantages, particularly for companies with complex sub-capacity environments or limited internal SAM expertise. The programs can create planning security and offer financial advantages through privileged purchase conditions for compliance deviations.

However, understanding the underlying exchange relationship is crucial: companies trade autonomy for compliance security. While IBM-authorized providers may operate in a tension field between customer interests and manufacturer specifications, collaboration with an independent SAM provider enables exclusively customer-oriented interest alignment without potential dependencies on the software manufacturer.

The decision ultimately depends on individual risk tolerance, IBM landscape complexity, and existing SAM competence.