US organisations facing an IBM review deal with audits delivered through appointed firms (often Deloitte or KPMG), where missing or stale ILMT and PVU sub-capacity gaps are the most common and most expensive findings. This page lists the firms covering IBM in the United States with balanced pros and cons, then sets out the local legal context and how IBM findings tend to resolve — a directory, not a ranking.
Last reviewed: 5 June 2026 · Reviewed quarterly · A directory, not a ranking. This page is information, not legal advice.
IBM audits rarely arrive labelled as an "audit." They often begin as a compliance or IASP review delivered by an appointed firm such as Deloitte or KPMG, asking you to confirm your Passport Advantage deployment and provide ILMT reports. Treat that request as the start of a formal process, because it is.
Do not submit ILMT exports or sign a data-collection agreement before counsel and an adviser have scoped the request. In the US the bigger risk is litigation and discovery, so preserve privilege and route the data exchange through counsel from the outset.
US software licences are governed by state contract law rather than a single national code, and the agreement's choice-of-law clause — frequently New York — usually controls. The statute of limitations for written-contract claims varies by state (six years in New York, four in California, for example), which bounds how far back a claim can reach. The litigation environment is more discovery-driven and adversarial than most jurisdictions, so preserving privilege matters. Data-protection duties are sectoral and state-by-state — there is no single federal law; regimes such as California's CCPA / CPRA may apply depending on the data and the entity. This is information, not legal advice.
The firms below are listed alphabetically, not ranked. Read the pros and cons, and weigh independence against a vendor relationship for yourself: a buyer-side independent has no incentive to expand your spend, while a firm appointed by IBM to run audits, or one that also resells, carries a potential conflict of interest with buyer-side defense.
Listed alphabetically with pros and cons — a directory, not a ranking.
Big Four professional-services firm with a multi-vendor software-advisory practice and deep US delivery capacity.
Independent boutique of ex-vendor auditors covering Oracle, SAP, IBM and Microsoft, working with US enterprises.
Independent multi-vendor licensing practice covering IBM, Microsoft, Oracle, SAP and Tier-2 publishers, with a stated 100% impartial, buyer-side model.
Big Four professional-services firm with a multi-vendor software-advisory practice and large US delivery.
Buyer-side US licensing boutique pairing advisory with the ArxPlatform monitoring tool and a contractual protection model across Oracle, Microsoft, IBM and VMware.
Independent US-based IBM specialist focused on ILMT and PVU sub-capacity compliance, with no IBM partnership or reseller relationship.
Independent US boutique with strong IBM and VMware/Broadcom review depth and broader multi-vendor coverage.
Independent North American licensing boutique covering IBM, Microsoft, Oracle, SAP, Adobe and VMware, with a data-led approach to entitlement reconciliation.
Buyer-side independent licensing advisory with one of the broadest multi-vendor footprints, with a US base in Florida.
Independent US licensing boutique covering Oracle, Microsoft, IBM, Quest, VMware, Red Hat and SAP, working buyer-side.
DEMO — listings are compiled from public information and labelled demo until the verified registry is live. Firms are listed alphabetically, never ranked. Independence is shown as a pro; reseller, Big-4 or vendor-side audit ties are shown as a con — each a factual trade-off for you to weigh.
IBM findings in the United States resolve the way they do elsewhere: the headline number from an appointed firm is an opening position, not a settled bill. What moves it is re-measurement (correcting PVU and sub-capacity math), demonstrating that ILMT was deployed and reporting where that is true, contesting how bundles and components were counted, and re-timing the resolution against IBM's own Software Subscription & Support renewal calendar — with the added US dimension that credible litigation readiness can itself be leverage.
Independent advisers report that the gap between the initial claim and the final settlement is frequently substantial, but every figure is case-specific and self-reported — treat any percentage as indicative until independently verified. Around 62% of companies reported a major-vendor audit in the last 12 months and roughly 42% have been audited by IBM at least once (2025 surveys; LicenseFortress / Block64), with about 52% of buyers now bringing in outside help. Figures are survey-reported for the years shown.
Oracle's local climate and legal context →
Microsoft's local climate and legal context →
SAP's local climate and legal context →
Post-acquisition enforcement locally →
If sub-capacity licensing was claimed but the IBM License Metric Tool was not deployed and reporting within the required window, IBM can charge at full capacity rather than sub-capacity — often a large multiple of real exposure. Whether the requirement was met, and how it is evidenced, is frequently where a US defense begins.
IBM audits are typically delivered through appointed firms — frequently Deloitte or KPMG — alongside IBM's licensing teams. Because those firms work for IBM in that role, a buyer-side adviser is engaged separately to represent your interests.
Reporting gaps can be charged retroactively, and the limit depends on the contract's governing state law: the statute of limitations for written-contract claims is, for example, six years in New York and four in California. Which state's law applies, and the resulting period, is a legal question for qualified US counsel, not something the directory determines.
No. The US has no single federal data-protection law; duties are sectoral and vary by state (for example California's CCPA / CPRA). What you can disclose, and on what conditions, depends on the data and the jurisdiction, so a prepared buyer scopes the request rather than exporting raw data. This is information, not advice.
Red Hat is owned by IBM, and Red Hat subscription compliance can be examined alongside IBM Passport Advantage exposure. The metrics differ — Red Hat is subscription-based — so the two are assessed separately even when raised together.
Yes. The directory and matching are free for buyers, including in the United States. We take no money from software publishers, add no markup, and no vendor ever sees your brief. We publish no prices; fees are agreed directly with the firm.
Tell us your situation and we route your brief to firms covering IBM in United States. The directory and matching are free for buyers — no markup, no referral pressure, and no firm is recommended over another.
Our weekly dispatch on vendor audit programs, regional developments and one buyer move. Subscribe to The Licensing Radar.