Broadcom Audit Letter: How to Respond
The first letter is the most important document in the audit. The customers who lose the most money are not the ones who deployed too much software — they are the ones who responded to the first letter without advice.
An audit letter from Broadcom does not feel like an emergency when you open it. The tone is professional and even friendly. It asks for cooperation, references the standard audit clause in your master agreement, and proposes a sensible-sounding timeline of thirty to sixty days for the initial data exchange. Almost everything about the first letter is designed to make a measured, cooperative, in-house response feel like the appropriate reaction.
It is the wrong reaction. The first letter is the most important document in the entire audit, because the way you respond to it sets the procedural ground rules for everything that follows. The customers who lose the most money in Broadcom audits are not the customers who deployed the most software without licensing — they are the customers who responded to the first letter without advice.
This article is a practical guide to handling the first letter. It is written for whoever in your organisation is going to be on the receiving end: the CIO, the IT asset manager, the procurement director, or the general counsel. Read it before the letter arrives if you can. If the letter is already on your desk, read the next four sections first.
The first 24 hours
Whatever your usual response cadence is for vendor correspondence, slow it down for this letter. Most Broadcom audit letters specify a response deadline of ten to fifteen business days. That is plenty of time to respond properly. It is not enough time to respond instinctively and then walk it back.
In the first 24 hours, do exactly four things.
Acknowledge receipt, nothing more. A one-line email from the named contact in the letter, confirming that the letter has been received and that a substantive response will follow by the deadline, is appropriate. Do not commit to a timeline more aggressive than the letter requires. Do not engage on substance. Do not name a project lead or auditor. Do not agree to a call.
Lock down internal communication. Any internal email, Slack message, or ticket that discusses the audit becomes potentially discoverable. Brief the people who need to know that the audit is in progress and that they should not discuss it in writing on internal systems without legal review. This is not paranoia — it is standard practice for any commercial dispute.
Pull the contract. The audit clause in your master agreement is the most important document for the next ninety days. Find it. Read it. Note the notice period, the scope language, the auditor identity, the data-handling provisions, the dispute mechanism, and the cure period. Most enterprise VMware contracts negotiated before 2022 contain audit clauses substantially more favourable to the customer than Broadcom's current default position.
Engage independent counsel and an independent licensing advisor. The two roles are separate and complementary. Counsel manages the procedural and contractual response. The licensing advisor manages the substantive analysis of entitlement, deployment, and methodology. Engaging either one alone is suboptimal. Engaging both costs less than the avoidable exposure on a single mid-sized cluster.
What not to do — and why
The following actions feel reasonable in the first week of an audit. They are not. Each one costs customers money in ways that are not obvious until much later.
Do not run the scripts
Broadcom audit letters frequently include scripts — PowerCLI exports, RVTools batches, vCenter inventory dumps, "self-assessment" tools — that the customer is asked to run and return. The scripts collect more data than the audit clause requires, and the data, once submitted, becomes the basis for the auditor's claim. We have not seen a single Broadcom audit where running the scripts produced a better outcome than withholding them pending a negotiated data-exchange protocol.
Do not engage on substance in writing without review
Auditors are trained to draw out admissions in casual email. A line such as "yes, we run DRS in our DR cluster" — accurate, helpful, said in good faith — becomes evidence in the findings report. Substantive communication should be routed through counsel or your licensing advisor and reviewed before it leaves the network.
Do not schedule a kickoff call before you have your position
The first call sets expectations. If your team turns up unprepared and Broadcom turns up with a 40-page methodology deck and an auditor on the line, the entire engagement will be framed by their material. Push the first call out by two weeks. Use the time to prepare a counter-framing.
Do not assume the auditor is independent
Broadcom audits are increasingly conducted by Broadcom's in-house Global Software Asset Compliance team rather than a Big Four firm. Even when a Big Four firm is appointed, the firm is paid by Broadcom and reports to Broadcom. The auditor is not your friend, your advisor, or a neutral arbiter.
The structure of a proper response letter
The response letter you send by the deadline is not a substantive engagement on the audit findings — that comes later. It is a procedural document that establishes the ground rules. A properly structured response includes the following elements.
Acknowledgement and reservation of rights. Confirm receipt of the audit notice. Reserve all rights under the master agreement and applicable law. Do not waive any procedural protections.
Identification of the contract. Reference the specific master agreement, order forms, and amendments that govern the audit. If the audit letter cites a different contractual basis than you believe applies, correct the record now rather than later.
Designation of representatives. Name a single point of contact for the audit. Route all auditor communication through that contact. The named contact should be a counsel or advisor, not the CIO or an IT lead.
Proposed data-exchange protocol. Propose specific, narrow data deliverables that match the contractual scope. If the contract permits the auditor to verify deployment of specifically identified products, propose to deliver data for exactly those products and no others.
Confidentiality and data-handling requirements. Specify how the data will be handled: encryption in transit and at rest, return or destruction at the conclusion of the audit, restriction on use outside the audit scope, exclusion of personally identifiable information, exclusion of regulated data.
Schedule. Propose a schedule that allows for proper preparation. Two to four weeks for entitlement reconstruction, four to six weeks for data preparation and validation, two to four weeks for review and rebuttal of findings. Do not commit to the auditor's aggressive default timeline.
The contractual levers you have on day one
Most enterprise customers underestimate the procedural protections in their existing VMware contracts. The following levers are present in almost every pre-2022 enterprise agreement and many post-acquisition agreements.
Notice and timing
Audit clauses typically require thirty days' written notice and limit audit frequency to once per calendar year. If Broadcom has issued an audit within the last twelve months — including a soft audit, self-assessment, or compliance review — the new notice may be procedurally defective.
Auditor identity
Many enterprise contracts require that the auditor be a mutually agreed independent third party. "In-house Broadcom compliance team" is not a mutually agreed independent third party. Where the contract requires an independent auditor, customers can decline to engage with a Broadcom-internal team and demand the appointment of an independent firm.
Scope limitation
Audit clauses typically limit the audit to verification of deployment against entitlement for the licensed products. The scope is not "all VMware software the customer has ever installed". Customers can decline to provide data for products that are not within the contractual scope.
Business hours and minimal disruption
Most clauses require that audits be conducted during normal business hours and with minimal disruption to the customer's operations. This is a real limitation on the speed and intensity of data collection.
Confidentiality
Audit data is confidential to the customer and may be used only for the audit. This is a real limitation on Broadcom's ability to repurpose the data for sales targeting, internal reporting, or referrals.
Cost allocation
Audit clauses typically require that the customer bears the cost of the audit only if a material under-licensing is found, with "material" specifically defined. Where no material under-licensing is found, Broadcom bears its own audit costs.
The conversation you have with internal stakeholders
Beyond the procedural response, the first week is when you align internal stakeholders on what an audit means, what it is going to cost, and how the organisation is going to respond. A few principles make this conversation easier.
Frame it as a commercial dispute, not a compliance failure. Most under-licensing positions are not failures of governance — they are differences of interpretation between what the customer believes it bought and what Broadcom now claims it sold. Internal framing matters because it shapes how aggressively the response is resourced.
Resist the impulse to "make it go away" by buying VCF. The fastest way to close a Broadcom audit is to sign the proposed remediation. It is also the most expensive way. Resist any internal pressure to "just sort it out commercially" before the substance has been properly examined.
Brief the CFO early. The CFO will hear about the audit eventually. Hearing about it from you, with a defensible cost range and a defence plan, is much better than hearing about it from Broadcom's account executive with a settlement number attached.
Brief the board only when the position is clear. Audit exposure does not need to be reported to the board on day one. Premature board reporting frequently locks the response into an expensive trajectory.
What the auditor expects from you
Auditors are professionals. They have seen hundreds of customer responses and they have an internal calibration for what a "compliant" customer looks like. Knowing what they expect — and selectively meeting some expectations while declining others — produces a more productive engagement.
Auditors expect that you will respond to the letter within the stated deadline. They expect that the response will be substantively engaged rather than dismissive. They expect that you will eventually provide data. They expect that the data will be incomplete and that they will need to chase it. They expect that you will engage counsel. They expect that you will negotiate the settlement.
They do not expect that you will run their scripts on day three. They do not expect that you will accept their methodology without challenge. They do not expect that you will accept the first findings report as final. Every one of these "not expected" outcomes is achievable.
The relationship with your account team
One of the more difficult dynamics in a Broadcom audit is the relationship between the audit team and your Broadcom account team. The audit team will tell you they are independent of sales. The account executive will offer to "help" you navigate the audit. Both are partially true and partially misleading.
In practice, the account team has strong commercial incentives in the outcome of the audit. A successful audit closes with a multi-year VCF subscription, which the account team books as new ACV. The account team will frequently propose to "make the audit go away" through an expanded subscription deal. This is not a neutral offer — it is the commercial mechanism through which the audit converts to revenue.
The right way to handle this is to keep the audit track and the commercial track separate. The audit determines the customer's licensing position. The commercial conversation determines what (if anything) the customer chooses to buy in light of that position. Letting the two tracks merge benefits Broadcom and disadvantages the customer.
Common questions in the first week
"Should we tell Broadcom we are engaging an independent advisor?"
Yes. Naming your representatives in the response letter is standard. There is no advantage to concealing it, and concealing it complicates communication.
"Should we engage our reseller?"
Generally no. The reseller has commercial incentives aligned with Broadcom, not with you. The reseller can be a useful source of historical purchase data, but should not be the lead on audit response.
"What if we miss the response deadline?"
Missing the deadline gives Broadcom grounds to escalate the audit posture and, in some cases, to declare a contractual breach. If you have missed the deadline, the priority is to engage immediately and acknowledge receipt with a substantive response promised within a defined short window — typically five business days.
"Can we just stop using VMware and avoid the audit?"
No. Discontinuing use does not eliminate the audit obligation for historical use. It does, however, change the commercial calculation for both sides — a customer who has demonstrably migrated to alternatives is a much weaker target for an aggressive remediation proposal.
"Will engaging counsel make Broadcom more aggressive?"
No. Engaging counsel is universal among well-managed customers and is expected by auditors. The audit posture does not become more aggressive because counsel is engaged; it becomes more aggressive when the customer responds in ways that suggest weakness.
The bottom line
The audit letter is not the audit. The audit is the structured negotiation that follows. The letter is the procedural opening move, and your response to it sets the rules for the rest of the game. Take the time to respond properly. Acknowledge receipt fast, but engage on substance slowly. Pull the contract, engage counsel and an independent licensing advisor, and craft a response that establishes the data-exchange protocol on terms favourable to you.
Done well, the first week of audit response is the highest-leverage week in the entire engagement. Customers who handle the first week well typically settle for 30-40% of the initial claim. Customers who handle the first week poorly typically settle for 80-90% of it. The difference is not the technology, the data, or the contract — it is the procedural posture established in the first response letter.
For a confidential review of a Broadcom audit letter you have received, contact us. We provide an initial assessment of the letter and your contractual position within one business day at no cost.