Broadcom Audit FAQ: 25 Questions Answered
Twenty-five of the most common questions we hear from customers facing Broadcom audit notices, answered from the perspective of more than two hundred and eighty engagements across VMware, Symantec, and CA Technologies.
What follows are the twenty-five questions we hear most often from customers in the first call after a Broadcom audit notice arrives. The answers are short on purpose. Each links into one of our longer guides when more detail is needed. Together they form a practical orientation for the first thirty days of a Broadcom audit, regardless of which product family is in scope.
The notice and the first thirty days
Q1. What does a Broadcom audit notice actually look like?
It is a written letter from Broadcom's Global Software Asset Compliance organisation, typically delivered by email with a physical follow-up. It invokes the audit clause in the master agreement, identifies the audit period, names the appointed auditor (in-house or a Big Four firm), proposes a kickoff date inside two to three weeks, and includes an initial data request and a draft confidentiality agreement. The letter is procedurally serious and should be treated as such.
Q2. How quickly do I have to respond?
The notice typically requires acknowledgement within ten to fifteen business days. The contractual minimum is sometimes shorter, sometimes longer — read your master agreement. Customers consistently benefit from negotiating an additional one to two weeks to produce a tighter response letter rather than rushing to meet the proposed kickoff.
Q3. Can I refuse the audit?
Almost never, if the audit clause in the master agreement is valid and the notice complies with its terms. Refusal is a material breach in most VMware enterprise agreements and creates exposure greater than the audit itself. There are narrow exceptions — discussed in our refusal guide — but the default answer is that the audit will run and the question is how to run it on the most favourable possible terms.
Q4. Who should I tell internally first?
Legal counsel, the executive responsible for IT, and the licensing or asset-management lead. Avoid widespread internal disclosure for the first week — the audit team will be a small group, and information control matters. Procurement and finance should be briefed inside the first two to three weeks, before the kickoff meeting.
Q5. Should I tell my account team?
The account team usually already knows. Audit notices typically arrive after months of internal preparation inside Broadcom that include the account team. Brief communications with the account team are appropriate; substantive discussions about the audit itself should be routed through the auditor, not the account team.
Scope, products, and entities
Q6. What does the auditor get to examine?
The audit clause defines the scope. In practice, the answer covers four dimensions: products under the agreement being audited, entities covered by the master agreement, deployments inside the agreed environment, and the audit period defined in the notice. Anything outside those dimensions is not in scope — see our scope-limitation guide for the detailed framework.
Q7. Are my subsidiaries automatically in scope?
Not automatically. The master agreement names the contracting party. Wholly owned subsidiaries are often covered; recently acquired entities, joint ventures, and divested entities frequently are not. Each entity question should be analysed against the master agreement language and any subsequent assignments.
Q8. What if I have multiple master agreements?
Each agreement is a separate scope question. An audit invoked under one master agreement does not automatically extend to deployments licensed under a different master agreement, even if both are with the same Broadcom legal entity. Map your deployment to your agreements and confirm which agreement governs which deployment in writing during kickoff.
Q9. How far back can the auditor look?
The audit period is defined in the master agreement, most commonly thirty-six months from the audit notice date. Some agreements limit it to twelve or twenty-four months. The auditor's proposed period in the notice is the starting position; the contractually permitted period is the ceiling.
Q10. What about my disaster recovery environment?
Disaster recovery is governed by specific contractual language in most VMware enterprise agreements. Cold-standby and warm-standby deployments often qualify for licensing exceptions that auditors disregard unless raised explicitly. Read the disaster-recovery clause in your master agreement before the kickoff and identify any environments that should be treated under it.
Data, methodology, and findings
Q11. What data am I required to provide?
The audit clause typically requires "such records and information as are reasonably necessary to verify compliance". That is narrower than the auditor's initial data request usually is. Provide existing business records that map to the agreed scope. Do not construct data the auditor needs but you do not currently capture — see our data-request guide.
Q12. Can the auditor install software on my systems?
The auditor's right to install scanning software is governed by the audit clause. Most clauses do not grant a direct installation right — they grant a right to receive data, which the customer produces. Negotiate the data-handling protocol carefully if the auditor proposes scanning software; in most environments, customer-produced exports are a better path than auditor-installed tools.
Q13. What methodology does the auditor use?
The auditor will present a methodology deck at kickoff. The methodology is not contractually fixed and is one of the customer's main leverage points. Per-CPU versus per-core treatment, peak versus average usage, VM-level versus host-level entitlement testing, and treatment of disaster recovery are all methodology choices that materially affect findings.
Q14. What if I find I am genuinely non-compliant?
Most audits find some level of genuine non-compliance — pure compliance is rare. The relevant question is the size of the gap and the cause. Genuine non-compliance is typically settled at a meaningful discount to list price, particularly in subscription-conversion settlements. Pre-disclose your understanding of your gap internally before fieldwork; do not pre-disclose it to the auditor.
Q15. How big are the findings typically?
The auditor's opening finding is often three to ten times the eventual settlement value. The range varies by environment and methodology. Customers who run a disciplined audit defence consistently settle in the range of thirty to forty per cent of the opening finding; customers who do not run one consistently settle at sixty to ninety per cent.
Settlement and remediation
Q16. Can I settle in cash, or do I have to take a subscription?
Cash settlement is contractually available in almost every case. Broadcom prefers subscription settlement and will price the subscription option attractively to encourage it. Customers should evaluate the option based on their long-term platform strategy, not on the apparent settlement-time discount.
Q17. Will the auditor demand a multi-year commitment?
If subscription is part of the settlement, multi-year terms will be on the table. Three-year terms are most common; five-year terms are pushed for larger settlements. Customers should evaluate term length against strategic certainty and against price-protection language for the renewal that follows.
Q18. Can I get audit relief in the settlement?
Yes, in most engagements. Two-to-three-year audit-relief commitments are available where customers ask for them and structure them with proper carve-outs. The relief is almost never offered without being requested — see our settlement guide.
Q19. What happens if I refuse the settlement Broadcom proposes?
The contractual remedy applies, which is usually a true-up purchase at list price plus potentially back-support. Both are unattractive to Broadcom commercially, which is why settlement negotiation almost always converges. The walk-away option is real but should be supported by counsel's view of the contractual remedy.
Q20. Can I be audited again right after settlement?
Without an audit-relief clause in the settlement agreement, yes, technically. With one, no, for the defined period. This is why audit-relief language is one of the most important variables in the settlement negotiation.
The wider context
Q21. Why am I being audited now?
The most common triggers are renewal-window timing, lapsed SnS, recent acquisitions or divestitures, and large deployment expansions. Renewal-window timing is the single most consistent trigger we observe — see our renewal-timed audit guide.
Q22. Is a soft audit really an audit?
A soft audit is an informal compliance enquiry rather than a formal audit. It is not procedurally an audit, but the data the customer provides can be used to inform a subsequent formal audit. Treat soft audits with substantially more caution than the informal framing suggests.
Q23. Should I migrate off VMware to avoid future audits?
Migration is a strategic decision, not an audit-defence decision. Migration during an active audit does not remove the audit; it adds complexity. Migration after settlement is a legitimate strategic option, and customers who genuinely intend to migrate should structure the settlement to support that direction rather than to entrench VMware adoption.
Q24. Do I need outside counsel?
Almost always, for any audit with material exposure. The audit is a contractual proceeding with specific procedural and substantive doctrines. Internal counsel can manage smaller audits; substantial audits benefit from counsel who has worked on Broadcom or VMware audits previously.
Q25. Who should I engage for audit-defence advisory?
Where to go next
If you have just received an audit notice, the most useful next reads are how to respond to the audit letter, the first 48 hours playbook, and the full process explainer. Together they cover the immediate procedural moves and the structure of what follows.
If you are in fieldwork already, the more useful reads are scope limitation, data request management, and how findings are calculated.
If you are heading to settlement, see our settlement-negotiation guide and audit remediation for the post-audit operational follow-through.