Broadcom Audit Communication with Legal

A Broadcom audit is a legal matter as much as a technical one. The communication discipline between IT, legal, and external counsel often determines whether the company's position is defensible. This is how to set it up.

broadcomaudits Editorial · Published August 2025 · 11 min read · Last updated February 2026

A Broadcom audit notice almost always arrives addressed to IT or procurement. The temptation is to keep it there — work the technical response, prepare the data, manage the auditor relationship — and only involve legal if things escalate. This is a mistake, and one of the most common mistakes we see in audit defence engagements. A Broadcom audit is a contractual matter being executed under legal authority granted in a software licence agreement. Every substantive interaction with the auditor has legal implications. The right discipline is to involve legal early, structure the communication with attention to privilege and disclosure, and treat the response as the legal-and-technical product it actually is.

Why legal needs to be involved from day one

Four reasons:

Contractual interpretation. Most audit disputes turn on contract language — what the licence entitles, what scope it covers, what reporting requirements apply, what the customer's response obligations are. Legal is the function with authority to interpret contract language. Technical teams can identify deployment facts; legal must interpret what those facts mean against the contract.

Privilege protection. Communications between technical teams and the auditor are not privileged. Internal analyses that quantify exposure, identify gaps, or recommend remediation strategies can become discoverable in a contested audit if they are not produced under privilege. The standard mechanism — engaging legal counsel to direct the analysis — preserves privilege over the most sensitive parts of the defence preparation.

Communication discipline. Statements made to the auditor become part of the record. Casual technical statements about deployment, configuration, or intent can be cited in subsequent claims. Legal-controlled communication maintains discipline about what is said, in what form, and with what qualifications.

Settlement authority. Audit findings typically resolve through settlement. The settlement is a legal agreement that may have implications beyond the immediate audit — release language, future audit rights, ongoing reporting obligations, contractual amendments. These are matters that require legal review before signature.

Internal versus external legal

Most enterprises have internal legal departments — general counsel, contracts counsel, employment counsel — but few have internal counsel with software-licensing audit expertise. The natural division for Broadcom audits:

Internal legal handles the day-to-day relationship with the audit, the internal sign-off processes, the alignment with company policy, and the privilege framework. They are accountable for the company's response.

External counsel brings the specialised audit-defence expertise. They have seen many Broadcom audits, understand the auditor's playbook, and can advise on settlement strategy. They are typically engaged via the internal legal team to maintain privilege.

The combination matters. Internal counsel without external specialist support typically underestimates the complexity and is over-conservative in settlement positioning. External counsel without internal anchoring can drive responses that don't align with the company's broader business interests. The model that works is collaboration.

Privilege — what it covers and what it doesn't

Attorney-client privilege protects communications between the client (the company) and its attorneys (internal or external) made for the purpose of obtaining legal advice. Several practical implications for audit defence:

Privileged: conversations with counsel about contract interpretation, settlement strategy, exposure analysis, and risk assessment. Memos and emails between technical teams and counsel that are clearly framed as legal-advice requests. Reports prepared by external advisors at the direction of counsel for the purpose of supporting legal advice.

Not privileged: communications with the auditor. Internal communications between technical teams not involving counsel. Reports prepared by external advisors engaged directly by IT or procurement without legal direction.

Conditional: communications with external advisors are privileged if structured through legal (the Kovel doctrine for accounting-style work; analogous principles for compliance consulting). The structure matters — the engagement letter, the chain of direction, the framing of deliverables all need to support the privilege.

The practical implication: external advisory work on Broadcom audit defence should typically be engaged by legal, directed by legal, and produced as work-product supporting legal advice. This preserves privilege over the most sensitive analyses (which always include things the customer would prefer the auditor not see).

The early-stage communication structure

When an audit notice arrives, the recommended first-72-hours response includes:

  1. Acknowledge receipt formally, in writing, within the timeframe specified in the notice. Do not engage on substance beyond confirming receipt.
  2. Convene the response team — internal legal, IT executive sponsor, contracts/procurement, and the technical lead. Brief on the audit notice and the contractual basis.
  3. Engage external counsel if not already on retainer for software-licensing matters. Structure the engagement to support privilege over defence preparation.
  4. Designate a single point of contact for the auditor — typically legal or procurement, never the technical lead. All auditor communication routes through the designated POC.
  5. Issue internal communication discipline — no one in the organisation communicates directly with the auditor or makes substantive statements about deployment, intent, or compliance position without legal approval.

This structure may feel heavy for what initially looks like a routine compliance check. It is appropriate. Audit notices that look routine routinely escalate.

The data-request response — legal review of every submission

Broadcom audit data requests typically arrive in waves — initial scope-setting, detailed deployment data, follow-up clarifications, on-site or remote verification. Every submission to the auditor should be reviewed by legal before release. The review covers:

The technical team produces the data. Legal reviews the characterisation. This division consistently produces better-positioned submissions than letting either function operate alone.

Communication style with the auditor

The communication style that works best in Broadcom audits is formal, factual, and disciplined:

Formal: all substantive communication in writing, with clear references to contract language and prior correspondence. Meetings are scheduled, agenda-driven, and minuted. Casual conversations and verbal commitments are avoided.

Factual: statements are limited to what the customer can substantiate. Speculation about deployment, intent, or future state is avoided. When the customer doesn't know, the customer says so and commits to investigate, rather than guessing.

Disciplined: the same talking points are used by everyone who interacts with the auditor. The position is consistent across submissions, calls, and meetings. Off-message statements are corrected in writing if they occur.

The opposite pattern — relaxed, conversational, technical team chatting directly with the auditor — produces statements that hurt the customer in subsequent negotiation. The auditor is courteous and apparently helpful; the customer team relaxes; concessions get made in conversation that the customer cannot retract.

The internal-communication discipline

Within the customer organisation, communication about the audit needs comparable discipline:

Limit the circle. The number of people who know about the audit, see internal analyses, or have access to draft submissions should be small. Information that doesn't need to be widely known shouldn't be.

Mark privileged communications appropriately. Privileged emails should be labelled (e.g., "Privileged & Confidential: Attorney-Client Communication"). Distribution should be controlled.

Avoid casual internal speculation in writing. Internal team discussions about exposure ("we're probably going to take a $X million hit on this") that are not properly framed as legal-advice requests can become discoverable. Either route the discussion through counsel or keep it verbal.

Train the technical team on what not to say. The technical team often has informal communication channels with the auditor or with peer technical contacts at Broadcom. These channels need to be wound down for the duration of the audit. Brief the team explicitly.

Escalation triggers

Several events during an audit should trigger escalation to the most senior legal authority (general counsel, sometimes board legal counsel):

Pre-defined escalation thresholds let the response team move quickly without bottlenecking on senior authority for routine matters. Without defined thresholds, the team either over-escalates (consuming senior bandwidth on routine items) or under-escalates (allowing material developments to go unreviewed).

Settlement negotiation — the role of legal

Settlement of an audit finding is a contractual transaction. Several elements typically need legal review and authority:

The release. What claims does the settlement release? Does it cover only the identified findings, or does it broadly release the customer from prior compliance claims? Customers want broad release language; vendors typically grant narrow release.

Future audit rights. Does the settlement modify the contractual audit rights going forward? Some settlements include "no audit for X years" provisions; others reaffirm full audit rights immediately.

Reporting obligations. Does the settlement create ongoing reporting requirements — periodic deployment reports, attestations, certifications? These obligations can be operationally burdensome.

Contractual amendments. Does the settlement amend the underlying licence contract — changing metrics, scope, pricing, terms? Amendments can have implications beyond the immediate audit.

Payment structure. One-time payment, instalment plan, true-up subscription, trade-up to a larger entitlement? The structure affects accounting treatment and cash flow.

Each of these requires legal review and, typically, sign-off by an authority appropriate to the materiality.

When to involve litigation counsel

Most Broadcom audits settle without litigation. Some don't. Indicators that litigation counsel should be brought in early:

Litigation counsel doesn't mean the matter will go to court — most matters settle even after litigation counsel is involved — but it does mean preparation is appropriate. Engagement of litigation counsel also strengthens the customer's negotiating posture by signalling readiness to defend.

Common communication mistakes

Letting IT respond directly to the audit notice

The initial response sets the tone and the procedural framework. IT alone tends to over-promise on data delivery and under-protect on scope.

Engaging external advisors without legal direction

The analyses are valuable but become discoverable. Restructure the engagement through legal to restore privilege if possible.

Allowing the technical team to chat with the auditor

Casual statements become record statements. All substantive interaction goes through the legal-designated POC.

Settling without legal review

The settlement is a contract. Contracts get legal review before signature, including audit settlements.

Failing to brief executive leadership

The CEO and CFO are eventually involved in any material audit. Brief them early so they're not surprised by escalation.

Frequently asked questions

Should we engage external counsel for every Broadcom audit notice?

For audits of any material scale, yes. The cost of external counsel is small relative to the cost of a poorly defended audit. For very minor audits with low potential exposure, internal legal may be sufficient.

How do we structure external advisory work to preserve privilege?

Engage the external advisor through legal counsel (internal or external), with the engagement letter framing the work as supporting legal advice. Direct deliverables to counsel. Label work-product appropriately.

What if the auditor wants to interview our technical team directly?

Interview requests should be controlled — legal present, scope agreed in advance, follow-up confirmations in writing. Technical team members should be briefed before any interview about what to say and what not to say.

Are settlement terms confidential?

Typically yes, by the terms of the settlement itself. Customers should not discuss settlement details publicly or with industry peers in ways that could violate the confidentiality provision.

Does Broadcom respect attorney-client privilege?

Broadcom, like any large enterprise, operates within legal norms. Privilege is respected; demands for clearly privileged material would face legal pushback. The risk is not Broadcom violating privilege; it's the customer failing to establish privilege in the first place.

What about insurance coverage for audit settlements?

Some cyber and E&O policies include limited coverage for software-licensing matters; most do not. Check your insurance position with legal and the broker; coverage exclusions for known compliance gaps are common.
