The Broadcom Audit Process Explained, Step by Step
A Broadcom audit is not a single event — it is a structured eight-phase process that runs four to eight months. Understanding the phases is the difference between settling at 30% of the initial claim and settling at 90%.
A Broadcom audit is not a single event. It is a structured, multi-phase process that typically runs ninety to one hundred and eighty days from initial notice to settlement, and an additional thirty to sixty days for contractual cleanup. Customers who treat it as a single event — and prepare for it as a single event — consistently lose more than customers who understand the phase structure and prepare for each phase distinctly.
This guide walks through every phase of a Broadcom audit in the order they actually occur, with realistic timelines, the artifacts produced at each phase, the leverage points available to the customer, and the mistakes that compound across phases. It is written from the perspective of the customer, not the auditor. The auditor's playbook is publicly available in fragments; the customer's playbook is harder to find, which is part of why audit outcomes vary so widely.
Phase 0: Pre-audit signals
Most customers can see an audit coming three to nine months in advance if they know what to look for. The signals are not subtle, but they are quiet — the auditor does not announce its intentions, and the signals come from the commercial side of Broadcom rather than the compliance side.
The most reliable pre-audit signal is unusual outreach from the named account team about VCF migration, particularly outreach that includes a deployment data request framed as a "renewal preparation exercise" or "subscription readiness assessment". The data requested at this stage is the same data the audit will request later. Customers who provide it pre-audit have effectively run their own pre-audit and handed the results to Broadcom.
Other pre-audit signals include: lapsed SnS reminders that escalate to executive sponsorship within Broadcom; sudden interest from Broadcom legal in a long-standing contract; a delay or refusal on a routine entitlement transfer request; or the appearance of a new "customer success" contact who replaces an established relationship without explanation.
The right response to a pre-audit signal is not to engage more deeply with the account team. It is to use the time to prepare: reconstruct your entitlement position, validate your deployment baseline, review your contract, and identify the methodology challenges you would want to mount if a formal audit arrived. Customers who do this work in advance enter the formal audit in a substantially stronger position.
Phase 1: The audit notice
The audit notice is a written letter, typically delivered by email with a physical follow-up, from Broadcom's Global Software Asset Compliance organisation. It invokes the audit clause in the master agreement, identifies the audit period (most commonly the trailing twelve to thirty-six months), and proposes a kickoff schedule.
The notice frequently includes: the identity of the appointed auditor (Broadcom in-house or a Big Four firm), a draft confidentiality agreement, a draft data-handling protocol, an initial data request, and a proposed kickoff call within ten to fifteen business days.
This is the procedural phase. The outputs of this phase are a properly structured response letter (covered in our companion article on responding to the audit letter), a negotiated data-exchange protocol, a designated point of contact, and a confirmed kickoff date. Customers who race through this phase to "get to the substance" consistently lose procedural ground that costs them money in later phases.
Phase 2: Kickoff and scoping
The kickoff meeting is typically a sixty-to-ninety-minute call between the auditor, the Broadcom account team, the customer's designated point of contact, and the customer's counsel and licensing advisor. The auditor will present a methodology deck, walk through the data request, propose a timeline, and ask scoping questions.
The kickoff is the first substantive opportunity to shape the audit. Three things should happen at every kickoff. First, the customer should explicitly identify the contractual basis for the audit and confirm the agreed scope. Second, the customer should challenge any methodology assumption that exceeds the contractual scope. Third, the customer should establish that the agreed data exchange will follow the negotiated protocol, not the auditor's default.
The kickoff is also where the audit team will frequently propose to expand scope informally. Phrases such as "we should also look at" and "while we have you" are scope-expansion attempts that should be politely declined. Scope expansion in the kickoff is rarely supported by contract and is best refused at the point of proposal.
Phase 3: Entitlement reconstruction
Entitlement reconstruction is the customer's most underused leverage. Most customers do not have a complete, accurate, current inventory of their VMware entitlements. Entitlements purchased through different resellers, acquired with subsidiaries, transferred through divestitures, and upgraded through cumulative trade-ins frequently produce a contractual position that is more favourable than the customer's own records suggest.
A proper entitlement reconstruction works through every original purchase order, every order form, every renewal, every cumulative upgrade, every transfer letter, and every acquisition or divestiture amendment, and produces a single consolidated entitlement statement that lists, by SKU, the units owned, the date of acquisition, the contractual basis, the upgrade rights, and any restrictions.
The reconstruction typically takes three to six weeks for a mid-market enterprise and six to twelve weeks for a large enterprise with M&A history. It is best run by an independent advisor with experience in the VMware SKU catalogue. The output of the reconstruction is the customer's authoritative entitlement position — the document the audit will eventually settle against.
Phase 4: Deployment data collection
The auditor will request deployment data. The form, scope, and volume of the request are negotiable.
The auditor's default is to request a comprehensive deployment snapshot covering vCenter inventories, ESXi host configurations, cluster topology, vSAN deployment details, NSX configurations, and telemetry from any other VMware product in use. The customer's preferred protocol is a narrower, time-bound, targeted data exchange that delivers only the data required to verify deployment of specifically licensed products.
Two specific data-collection practices are worth flagging. First, the customer should always collect the data itself rather than allowing the auditor to run scripts on customer infrastructure. Auditor-run scripts collect more data than the contract permits and frequently capture sensitive information that should remain inside the customer's network. Second, the customer should validate every dataset before delivery. Snapshots include test VMs that were deleted but not garbage-collected, decommissioned hosts that remained in vCenter inventory, cluster migrations captured mid-move, and many other artifacts that inflate the apparent deployment. Cleaning the data before delivery prevents the auditor from building a claim on artifacts.
Phase 5: Methodology and analysis
The auditor will apply a methodology to convert the deployment data into a licensing claim. The methodology is a set of choices: how to count cores, how to attribute features to clusters, how to interpret "production use", how to apply the 16-core minimum, how to handle sub-capacity, how to recognise hard partitions, how to treat decommissioned-but-not-deleted resources.
Every methodology choice is contestable. The customer's licensing advisor should produce a written methodology challenge that itemises each assumption the auditor has made, requests the contractual basis for the assumption, and proposes an alternative. The methodology challenge is the single highest-leverage document in the audit. A well-constructed methodology challenge typically reduces the eventual claim by 25-50% on its own.
The methodology challenge should be exchanged before the auditor produces its findings report. If the customer waits until the findings report is published, the auditor has anchored its position and is much less willing to revise methodology.
Phase 6: Findings report
The auditor will produce a findings report. The findings report is not a final invoice — it is an opening position. The findings report typically includes: a summary of the audit, the auditor's interpretation of the customer's entitlement, the auditor's analysis of the customer's deployment, the gap between entitlement and deployment, and a proposed remediation.
The proposed remediation will almost always be a VCF subscription purchase sized to the customer's entire VMware footprint. This is the most expensive possible remediation for the customer and is rarely the appropriate outcome.
The customer's response to the findings report is the formal rebuttal. The rebuttal addresses each line item of the findings: the entitlement interpretation, the deployment data, the methodology choices, and the remediation proposal. The rebuttal is written in formal language because it becomes part of the evidentiary record if the audit moves to dispute resolution.
The rebuttal is iterative. The first rebuttal is met with a revised findings report; the revised findings report is met with a second rebuttal; and so on. Two to four iterations is typical. The gap between the initial findings and the eventual settled position typically narrows by 15-30% per iteration.
Phase 7: Settlement negotiation
Once the licensing position has stabilised, the negotiation shifts to commercial terms. The customer's settlement options typically include: a cash payment for the historical under-licensing, a forward-looking subscription purchase that includes the historical exposure, a hybrid arrangement that extends perpetual entitlement, or (in some cases) a no-cost settlement with a forward-looking compliance commitment.
The commercial terms matter as much as the licensing position. List price is the opening position on any subscription remediation; achievable discounts are 30-60% depending on deal size, term length, and customer leverage. Term length is negotiable; three-to-five-year terms with price protection materially reduce total cost of ownership compared with one-year terms.
The settlement should also include: a written release covering the audit period, an updated entitlement statement, a confirmed go-forward compliance protocol, and (where applicable) credits for incumbent perpetual entitlements that retain residual value.
Phase 8: Documentation and closeout
The audit is not finished when the settlement is signed. The closeout phase produces the artifacts that protect the customer from the next audit: a settlement agreement with appropriate release language, an updated master agreement or order form reflecting the new entitlement position, a documented compliance baseline that becomes the reference point for future audits, and an internal post-audit review that captures the lessons learned.
The post-audit review is frequently skipped, yet it is one of the most valuable artifacts the customer can produce. Documenting what worked, what did not, which arguments succeeded, and which were rejected produces an institutional memory that materially improves the response to the next audit — and there will be a next audit.
Timeline summary
The end-to-end timeline for a typical Broadcom audit looks like this. Phase 0 (pre-audit signals) runs three to nine months ahead of the audit notice. Phase 1 (notice and response) runs two to four weeks. Phase 2 (kickoff and scoping) runs two to four weeks. Phase 3 (entitlement reconstruction) runs three to twelve weeks and overlaps with Phase 4. Phase 4 (deployment data collection) runs four to eight weeks. Phase 5 (methodology and analysis) runs four to six weeks. Phase 6 (findings and rebuttal) runs eight to twelve weeks across two to four iterations. Phase 7 (settlement negotiation) runs four to eight weeks. Phase 8 (closeout) runs two to four weeks.
Total elapsed time from notice to closeout is typically four to eight months. Total elapsed time including pre-audit preparation can be twelve to eighteen months. Customers who treat the audit as a four-week sprint consistently lose; customers who treat it as a six-to-nine-month structured engagement consistently win.
Who does what on the customer side
The customer's audit team typically includes the following roles. The designated point of contact is the single named representative through whom all auditor communication flows. The licensing advisor is the independent specialist who reconstructs entitlement, validates deployment, mounts the methodology challenge, and drafts the findings rebuttals. Counsel manages the procedural and contractual response, reviews all auditor communication, and represents the customer in dispute resolution if it occurs. The internal IT lead supports data collection and infrastructure questions. The procurement or vendor management lead supports the commercial negotiation. The CFO or finance lead approves the settlement parameters.
For a mid-market enterprise, the customer-side team typically commits the equivalent of two to four full-time-equivalents across the audit period. For a large enterprise, the commitment can be six to ten FTE. The cost of independent advisors is materially less than the avoidable exposure on a single cluster for almost any audit.
Who does what on the Broadcom side
The Broadcom audit team typically includes: the compliance manager who owns the audit relationship; the auditor (Broadcom in-house or a Big Four firm) who executes the analysis; the account executive who manages the commercial relationship; the deal desk who structures the remediation; and Broadcom legal who reviews the settlement. Each of these roles has different incentives, and effective customer negotiation works the differences between them.
The bottom line
The Broadcom audit process is structured, predictable, and contestable. Each phase has its own leverage points, its own deliverables, and its own mistakes. Customers who understand the phase structure and prepare for each phase distinctly consistently produce settlements 60-75% below the initial findings claim. Customers who do not prepare this way consistently produce settlements at or near the initial claim.
The single highest-leverage action a customer can take is to engage independent advisors early — ideally at the pre-audit signal phase, but no later than the audit notice. Every day of delay after the notice compresses the time available for entitlement reconstruction and methodology preparation, and reduces the customer's negotiating leverage.