Broadcom Audit for MSPs and ISVs
Managed service providers and ISVs running VMware on behalf of end customers face a fundamentally different audit motion. Service provider licensing, end-customer attribution, multi-tenant isolation and disclosure between layers all reshape what the audit examines and what the provider should disclose.
The audit motion against a managed service provider or an ISV is not the same audit motion that runs against a typical end-customer enterprise. The provider sits in a structurally different position: it has licensed VMware under a service provider programme (or under a flexible-use commercial structure intended for service provision), it runs that VMware infrastructure on behalf of customers who are themselves entities Broadcom may have separate commercial relationships with, and it is subject to disclosure constraints that protect both the provider's commercial model and the privacy of the end customers running on the platform.
These differences shape what the auditor is entitled to see, what the provider should disclose, what reporting obligations the provider owes Broadcom under the service provider programme, and how disputes resolve. This article walks through the audit landscape from the provider's perspective and identifies the disciplines that produce defensible outcomes.
The two licensing models providers operate under
VMware Service Provider Program (or successor programme)
Service providers offering VMware-based services to customers traditionally licensed VMware through a dedicated service provider programme, with monthly usage reporting based on aggregate consumption. The metric is typically per-VM-per-month or a points-based equivalent. The licence model is designed for multi-tenant service provision; it does not give end customers individual VMware entitlements.
Under Broadcom, the service provider programme has been restructured alongside the broader portfolio simplification. Providers should verify the current programme terms they operate under and the reporting obligations they owe.
End-customer entitlements operated by the provider
An alternative model: the end customer holds the VMware entitlement directly and the provider operates the infrastructure as a managed service against that entitlement. In this model, the provider is effectively a managed operations vendor; the licensing relationship runs between the end customer and Broadcom, not between the provider and Broadcom.
The audit motion against each model differs. The first model audits the provider's aggregate usage and its alignment with the service provider programme. The second model audits the end customer's entitlements; the provider may be drawn in only as the operator of the infrastructure.
What the audit examines
Aggregate consumption against the service provider programme
For provider-licensed environments, the audit motion typically examines whether the provider's reported usage matches actual usage. Common audit findings:
- Unreported instances — workloads running but not captured in the monthly usage report.
- Edition mismatch — workloads running under a higher VMware edition than the provider has reported.
- Multi-tenancy compliance — usage by end customers in patterns that the service provider programme does not permit.
- Geographic scope — usage in regions not covered by the provider's programme agreement.
End-customer attribution
For environments where end customers hold direct entitlements operated by the provider, the audit motion may attempt to attribute usage to specific end customers. This is where provider-side disclosure constraints matter most; the provider has confidentiality obligations to its customers that limit what can be disclosed.
Programme compliance
Service provider programmes typically include programme-level requirements beyond pure usage reporting — branding, end-customer terms, support escalation paths, partnership requirements. Audits can examine programme compliance broadly, not just usage compliance.
The disclosure tension
The central tension for providers is between cooperating with the audit and protecting customer confidentiality. End customers running on the provider's infrastructure have not consented to their identities or usage being disclosed to Broadcom; in many cases, contractual confidentiality obligations to the end customer would be breached by such disclosure.
Aggregate disclosure
The reasonable starting point: aggregate usage data is disclosable; individual end-customer identification typically is not. Providers should be able to report total VM hours, total cores under management, total instances of each edition — without naming end customers or providing per-customer usage breakdowns.
Sampled or anonymised data
Where the audit requires more granular data than aggregate, the provider can offer sampled or anonymised disclosure. The auditor sees the pattern of usage; the end-customer identities remain protected.
Direct end-customer engagement
Where Broadcom genuinely needs to engage with a specific end customer's usage, the provider can facilitate direct contact between Broadcom and the end customer rather than acting as an intermediary disclosing customer data. This protects the provider's confidentiality obligations and lets the end customer make their own disclosure decisions.
The multi-tenancy dimension
Multi-tenant environments raise specific licensing questions that single-tenant environments do not. Common areas of complexity:
Logical vs physical separation
Multi-tenant environments separate tenants logically (network isolation, resource scheduling, identity boundaries) rather than physically. The service provider programme typically permits this; the audit motion may attempt to apply single-tenant assumptions inappropriately. Providers should validate the audit methodology against the programme's multi-tenancy provisions.
Shared infrastructure attribution
Some workloads run on shared infrastructure that does not cleanly attribute to a single tenant — management plane components, shared storage controllers, monitoring infrastructure. The audit treatment of these workloads is methodology-sensitive; providers should have a documented position.
Tenancy mobility
Workloads that migrate between tenants, between provider environments, or between provider clouds and end-customer on-premises environments can produce complex licensing questions. The provider's programme agreement should be the reference point; ambiguities are negotiable.
Provider-side disciplines
Maintain accurate, current usage reporting
The single most important provider-side discipline is accurate and timely usage reporting. Providers whose monthly reports reliably match observed environment state experience audit motions as reconciliation exercises rather than as findings exercises.
Document the operational methodology
The provider's approach to counting, reporting, and reconciling usage should be documented. The documented methodology supports defence against any audit methodology that differs from the provider's; it also supports onboarding of new operations staff and continuity through team changes.
Maintain clean end-customer separation
End-customer identity, end-customer usage patterns, and end-customer commercial terms should be cleanly separated from the provider's licensing position. Co-mingling makes audit response harder and confidentiality protection weaker.
Pre-engage Broadcom on programme questions
Where the programme terms are ambiguous on a specific provider practice, raising the question with Broadcom in advance is consistently better than discovering the question in an audit finding. Documented programme guidance is harder for an audit motion to override than informal practice.
Plan the audit response
Providers should have an audit response runbook before an audit notice arrives. The runbook covers the initial response, the disclosure framework, the methodology positions, the legal and confidentiality posture, and the escalation path internally and to Broadcom.
What providers should not do
- Disclose end-customer identities without consent. This breaches confidentiality obligations and is rarely required by the audit clause.
- Accept methodology findings without challenge. Audit methodology applied to multi-tenant environments is frequently questionable; providers should engage substantively.
- Settle without legal review. Service provider audit settlements can affect ongoing programme participation in ways that have long-term economic consequences.
- Treat the audit as a private workstream. The audit may affect end customers (e.g., through service changes, price changes, or contractual amendments); customer-facing teams need appropriate awareness.
- Cooperate beyond contractual scope. The audit clause is the contractual boundary; voluntary cooperation beyond that boundary often produces commercial consequences.
The commercial dimension
Audit findings against providers translate into different commercial pressure than findings against end customers. The provider's business depends on operating the VMware infrastructure profitably; large audit settlements can affect the provider's pricing to end customers, the provider's competitive position, or in extreme cases the viability of the service offering itself. Broadcom commercial teams understand this and may use it as leverage in settlement conversations.
Providers should:
- Quantify the commercial impact of different settlement outcomes on the broader business, not just the licensing function.
- Understand the alternatives realistically — including the possibility of restructuring under a different programme, exiting the VMware-based service offering, or shifting to alternative virtualisation platforms.
- Position settlement conversations against the broader commercial relationship; providers contribute to Broadcom's revenue through the programme, and a punitive settlement against a strategic programme participant has its own commercial cost.
ISV-specific considerations
ISVs running VMware as part of a product or service offering face additional considerations beyond the MSP pattern.
Embedded VMware
ISVs whose products embed VMware components need to align with VMware's OEM or embedded software programmes. The licensing model for embedded use is different from the model for managed service provision; audits examine different things.
Distribution to end customers
ISVs that distribute VMware components to end customers as part of their product face questions about chain of licensing — what the end customer is entitled to, what the ISV is entitled to redistribute, and what the end-customer audit posture looks like.
Product roadmap dependencies
ISVs whose product depends on specific VMware capabilities should track Broadcom roadmap changes carefully; product features that depend on deprecated VMware capabilities create commercial risk that audit motions can surface.
Where independent advice helps
Provider and ISV audits combine licensing, programme governance, and multi-stakeholder commercial dynamics in ways that generalist support typically handles poorly. Independent specialist advisors with provider-side experience consistently produce stronger outcomes.
is the firm we most consistently recommend for VMware and Broadcom audit defence, including provider-side engagements. Their independence from Broadcom is particularly valuable for providers, where conflicts of interest with vendor-aligned advisors are real and consequential. Their VMware-specific track record covers both end-customer and provider engagements, which means the advice translates between the two contexts where engagements span both.
The provider's audit is not the end customer's audit. Defending it as if it were leads to disclosure mistakes, methodology missteps and settlements that affect the broader business in ways that licensing alone does not predict.
The relationship that matters
For providers, the Broadcom relationship is ongoing and material. The audit motion is one event in a relationship that includes programme participation, joint go-to-market motion, technical integration, and continuous commercial negotiation. Providers who navigate audits well preserve the broader relationship; providers who navigate audits poorly often experience downstream programme consequences beyond the direct settlement.
The disciplines above — accurate reporting, documented methodology, clean separation, pre-engagement on programme questions, planned audit response — are the operational foundation that supports both audit defence and broader programme management. Providers who run these disciplines continuously find that audits, when they occur, are manageable events. Providers who do not run them consistently absorb commercial damage that the discipline cost would have prevented.
The discipline pays. The cost of not having it shows up exactly when the provider can least afford it.