Broadcom Audit Legal Response Guide: A Counsel-First Framework
The first 72 hours after an audit letter set the tone for the next nine months. This is the legal response framework we have refined across 280+ Broadcom and VMware defences.
A Broadcom audit letter arrives by certified mail or by an attached PDF in a corporate email, and within minutes of opening it the customer's general counsel becomes the most important person in the room. This guide walks through the legal response to a Broadcom audit from the moment of receipt to the moment of settlement, and it is written for the in-house counsel and the IT directors who will work with counsel through the process.
We do not provide legal advice. We are an independent licensing advisory that has supported more than 280 Broadcom and VMware audit defences in close partnership with in-house legal teams, external counsel, and the procurement organisations responsible for executing settlements. What we describe here is the procedural posture, the contractual mechanics, and the negotiation dynamics that consistently shape favourable outcomes. The lawyer in your room is responsible for advising you on the legal merits.
Why the first written response sets the tone
The first written response to a Broadcom audit notice is referenced, quoted, and litigated against for the remainder of the engagement. It is also the document that most customers get wrong, because it is drafted in the first 72 hours by people who have not yet read their own master agreement and have not yet performed any factual investigation of their deployment. Once a response is on the record, it cannot be quietly retracted; subsequent positions inconsistent with the first response will be treated by Broadcom counsel as concessions.
The first response should do four things and only four things. It should acknowledge receipt of the audit notice without conceding the legitimacy of the audit. It should request a copy of the contractual provisions Broadcom is relying on to invoke the audit right, along with any supporting documentation. It should propose a reasonable timeline for the customer's response that is consistent with the customer's contractual notice rights. And it should designate a single point of contact for all subsequent correspondence, who should not be the IT director or the systems engineer who knows the deployment intimately.
What the first response should not do
It should not concede the audit period, the products in scope, the auditor's identity, or the data Broadcom is entitled to receive. It should not provide any factual statement about the customer's deployment, entitlement position, or compliance posture. It should not include any factual statement that might later prove inconvenient. Every customer who has ever lost a Broadcom audit at the negotiation table started by giving Broadcom a fact in the first response that became the anchor of the eventual claim.
The contractual basis for the audit
Broadcom invokes its audit right under a contractual provision. The provision varies by contract vintage and by product family. VMware perpetual EULAs from the pre-acquisition era contain a relatively narrow audit clause, typically restricted to verifying compliance with named products and limited in frequency. Enterprise Licence Agreements (ELAs) signed in the last five years of VMware's independence contain broader audit clauses that include sub-capacity reporting obligations, telemetry sharing, and verification of cluster topology. Broadcom-era subscription contracts (VCF, VVF) contain telemetry-driven audit provisions that effectively run continuously.
The first job of in-house counsel is to identify which contract Broadcom is relying on. If Broadcom does not identify the contract, the customer should request it in writing. If Broadcom identifies a contract the customer cannot locate, the customer should refuse to proceed until both parties agree on the operative document. The vast majority of Broadcom audits we have supported involved at least one contractual instrument that Broadcom had on file and the customer did not, and several involved contracts Broadcom had assumed transferred with a corporate acquisition where transfer was contractually questionable.
Auditing the audit clause
Once the operative contract is identified, counsel should read the audit clause word by word. The following questions matter, and the answers vary by contract:
- How much notice is required before an audit may commence?
- How often may Broadcom audit (typically once per twelve months, but sometimes broader)?
- What products are within the audit scope?
- Who is permitted to conduct the audit (Broadcom directly, an independent third party, or both)?
- What data is the auditor entitled to receive, and in what form?
- Where may the audit take place, and during what hours?
- Who pays for the audit, and under what conditions does the customer bear cost?
- How are findings disputed, and what is the procedure before findings become binding?
- Is there a confidentiality regime that binds Broadcom and the auditor with respect to the customer's data?
Each of these answers becomes a negotiation lever. Broadcom audit teams will often request more than the contract permits; that overreach is a routine source of leverage for counsel to push back on scope.
The audit protocol agreement
No data should leave the customer's environment until an audit protocol agreement is in place. The protocol is a written document, signed by both parties, that governs what data will be collected, how it will be collected, who will collect it, how it will be transmitted, where it will be stored, how long it will be retained, who will have access to it, and how it will be destroyed at the conclusion of the audit. Without a protocol, the customer is exposing itself to data privacy, intellectual property, and competitive information risks that go well beyond the licensing question.
The protocol should also restate the contractual scope of the audit in operational terms. If the contract permits Broadcom to verify vSphere deployment, the protocol should not authorise the collection of NSX, vSAN, or Aria telemetry. If the contract permits verification of production environments, the protocol should explicitly exclude development, test, and disaster recovery environments unless those environments meet the contractual definition of production.
In roughly two-thirds of the audits we have supported, the customer did not have a signed audit protocol agreement before data was exchanged. In every one of those audits, the data Broadcom received exceeded what the contract permitted, and the resulting claim was inflated by at least 20% as a direct consequence.
Privilege and the role of external counsel
Audit work product generated under the direction of in-house counsel is generally privileged in most jurisdictions, but the privilege is fragile. Communications that include non-legal personnel, that focus on commercial rather than legal advice, or that are distributed beyond the legal team frequently lose privilege protection. For audits of meaningful size, engaging external counsel to manage the privilege boundary is a sensible investment.
External counsel also performs a structural role that internal counsel cannot. The external firm engages the licensing advisory as a sub-consultant, which extends privilege protection to the advisory's work product. The advisory's analysis of entitlement, deployment, methodology, and remediation options is then protected from discovery in any subsequent dispute. Without that structure, the advisory's analysis is potentially discoverable as a third-party business record.
Responding to findings
The findings report Broadcom issues at the conclusion of the data collection phase is an opening commercial position. It is not a final invoice, and the customer is not obligated to accept it. The findings report typically contains three components: a recitation of the contractual rules Broadcom believes are operative; an analysis of the customer's deployment relative to those rules; and a proposed remediation, almost always a VCF subscription purchase.
The customer's response to the findings report should be a written rebuttal that addresses each of the three components separately. The contractual analysis is contested where the contract supports a different reading. The deployment analysis is contested where the data is inaccurate, the methodology is unsound, or the scope was exceeded. The proposed remediation is contested as a matter of commercial reasonableness, including alternative remediations the customer prefers.
The methodology rebuttal
Methodology is the area where independent advisory adds the most value to a legal response. Broadcom auditors apply methodologies — how to count cores, how to classify environments, how to attribute clusters to entitlements, how to compute vSAN raw capacity — that are not in the contract and are not in the EULA. They are administrative choices the auditor has made, and they are contestable. A methodology rebuttal that itemises each choice, requests the contractual basis, and proposes an alternative consistently reduces the claim by 25-40%.
Settlement structure and release language
Settlement is the conclusion of the audit, and the customer's leverage is highest at settlement. The release language Broadcom proposes will typically be narrow — releasing the customer for the specific products in scope, for the specific audit period, with no representation about future periods. The customer should negotiate broader release language: release of all VMware products for the audit period, release of any pre-acquisition VMware claim, and acknowledgement of the customer's go-forward licensing position based on the settlement.
The settlement document is not the place to capture the commercial deal. The commercial deal — the VCF subscription term, the discount, the price protection, the credits for incumbent perpetual entitlement — belongs in a separate order form negotiated in parallel with the settlement. Bundling the commercial deal into the settlement document creates an inflexible structure that limits the customer's ability to renegotiate any single component.
Documentation for the post-audit period
The conclusion of the audit is not the end of the legal work. Every audit settlement creates documentation obligations for the customer: an updated entitlement record, a go-forward compliance plan, a renewal calendar that tracks the new subscription terms, and a contractual file that includes the audit notice, the protocol, the findings, the rebuttal, the settlement, and the new order form. This documentation becomes the contractual baseline for the next audit, which under most Broadcom contracts may be invoked twelve months from the conclusion of the current one.
What good looks like
A well-defended Broadcom audit reaches settlement within 90 to 120 days of the original notice. The customer pays a remediation amount that is 25-40% of the original findings claim. The remediation is structured as a multi-year subscription with negotiated discounts and price protection, rather than as a one-time penalty payment. The release language covers the full product portfolio for the audit period. The customer's contractual position going forward is documented and clean.
A poorly defended Broadcom audit drags on for nine to eighteen months, generates a settlement at 70-85% of the original claim, and leaves the customer with ambiguous contractual language that becomes the basis for the next audit. The difference between a good outcome and a poor outcome is, in our experience, almost entirely a function of the discipline of the first 30 days. Slow down. Get the protocol right. Engage counsel before you respond. Read the contract Broadcom is invoking. The leverage is in the procedure, not in the engineering.
For a confidential review of an audit letter or a contractual position, contact us. We work alongside in-house and external counsel and we never displace the legal advisor in the room.