① Licensing concept · Audit and compliance
An audit is not a fishing trip. It tests a specific set of things: reports, capping, versions, environments, deployment. Knowing exactly what gets checked, and where the gaps commonly sit, is how you defend the position instead of conceding it.
An audit measures usage against entitlement. The gap is the bill.
Mainframe license compliance is the state of your measured software usage matching what your contracts entitle you to run. An audit is the vendor's test of that match. It is not open ended: it examines a defined set of evidence and looks for usage that exceeds entitlement, then prices the difference. The categories are consistent across publishers even where the metrics differ, because they follow how the software is licensed: sub-capacity reporting, capping enforcement, version migration, the products actually deployed, and how non production environments are covered.
The buyer side point is that most of these tests can be prepared for, and several can be challenged on the contract terms rather than conceded to the vendor's tool output. A late or missing sub-capacity report commonly defaults toward full capacity charging, but a current, reconciled report removes that exposure entirely. The checklist below is what the audit tests and where the gaps commonly appear, so the position can be defended from your own validated data instead of assembled under pressure after the notice lands.
What gets examined, the gap that commonly appears, and the buyer defense. Exact tests vary by publisher and contract; this is the recurring pattern, not a single vendor's procedure.
| What is tested | Common gap | Buyer defense |
|---|---|---|
| Sub-capacity reports | Reports late, missing, or not reconciled to configuration | Current, on time, reconciled SCRT output removes the full capacity default |
| Capping enforcement | Capping claimed but not consistently in place | Evidence that defined capacity and group limits were enforced as stated |
| Version migration | Old and new versions co-running past a single version charging window | Migration completed within the window, or documented coverage |
| Deployed vs licensed | Products installed or active that are not entitled | An inventory reconciled to entitlements before the vendor builds one |
| Dev, test, and DR | Non production environments not covered as the contract requires | Contract terms on dev, test, and disaster recovery mapped to actual use |
| Metric and territory | Usage outside the licensed metric, territory, or entity scope | Scope read from the agreement, not assumed from the deployment |
| Effective license position | Vendor ELP built from tool output, unfavorable by default | An independent ELP built from your own validated data |
A single product where two reporting months were submitted late. Rate R is an illustrative placeholder; actual rates are negotiated and are not stated here. The mechanic is how a missing report defaults the charge from sub-capacity to full capacity.
| Measure | With valid reports | With the reporting gap |
|---|---|---|
| Machine full capacity (MSU) | 1200 | 1200 |
| Measured sub-capacity peak (MSU) | 540 | 540 |
| Basis the audit applies | Sub-capacity 540 | Full capacity 1200 |
| Billable MSU for those months | 540 × R | 1200 × R |
| Exposure created by the gap | None | 660 × R |
The machine ran the same workload either way. With valid, on time reports the charge follows the measured 540 MSU peak. With the reporting gap the audit can default those months to full capacity, more than doubling the billable figure for no change in actual use. This is why the reporting discipline is itself the compliance position: the gap, not the usage, creates the exposure, and the gap is preventable.
A late or absent sub-capacity report commonly moves the charge from the measured peak to full machine capacity for that period. The exposure comes from the reporting gap, not the workload, and it is entirely preventable.
Running an old and a new version together past a single version charging window can trigger charges for both. The deadline passes without an alarm, so migration timing is a compliance item, not just a technical one.
Dev, test, and disaster recovery environments are governed by specific contract terms, and the rules for hot, warm, and cold DR sites differ. Environments assumed to be covered, but not, are a frequent finding.
If the effective license position is built from the vendor's tool output, it starts unfavorable. An independent position built from your own validated data is what turns the audit from a one sided calculation into a negotiation.
Keep the reports current, the versions clean, the environments mapped.
Audit readiness is a standing discipline, not an emergency response. Keep SCRT reports generated, reconciled, and submitted on time, because that single habit removes the most expensive default in the test. Track version migration against any single version charging window so deadlines do not expire unnoticed. Map dev, test, and disaster recovery use to the actual contract terms, and keep an inventory of deployed products reconciled to entitlements so you, not the vendor, hold the first version of the effective license position.
When a notice arrives, the response is governed by the agreement, so read what audit clauses allow before sharing anything, and validate your own data first. The same baseline discipline that wins a renewal on the 18 month runway is what defends an audit. When a vendor opens a review, our mainframe audit defense team builds the independent position and our license negotiation team holds it at the table.
Whether measured usage matches entitlement: sub-capacity reports against contracted capacity, capping enforcement, version migration within any single version charging window, products deployed versus licensed, and how dev, test, and DR environments are covered.
Auditors confirm the SCRT reports were produced and submitted on time, that claimed capping was in place, and that peaks reconcile with the configuration. Late or unreconciled reports commonly default toward full capacity charging.
Products installed but not licensed, version migration that overran a window, dev, test, and DR not covered correctly, capping claimed but not enforced, and reports submitted late. Several can be challenged on the contract rather than conceded.
Respond fast and control scope. Confirm what the contract entitles the vendor to examine, validate your own data before sharing, and frame the response around the agreement. Readiness is built before the notice, not after.