Broadcom Audit Rights: What Your Contract Says
The audit clause is the most important document in any Broadcom audit dispute. Customers who know their clause well consistently produce settlements 40-60% below customers who do not.
The audit clause in your Broadcom or VMware master agreement is the single most important document in any audit dispute. It defines what Broadcom is entitled to demand from you, what you are entitled to refuse, what procedural protections apply, and what happens if the two sides disagree. Customers who do not know what their audit clause says routinely concede ground they were not contractually required to concede. Customers who know their clause well — and use it precisely — consistently produce settlements 40-60% below customers who do not.
This article walks through the audit clauses most commonly found in VMware and Broadcom contracts, identifies the provisions that materially affect customer leverage, and explains how to read your specific clause to find the protections you have. It is not a substitute for legal advice on your specific contract, but it will help you ask the right questions of your counsel.
Where to find the audit clause
The audit clause is rarely in a section labelled "Audit". It is usually in a section labelled something like "Compliance Verification", "Records and Inspection", "Verification of Use", "Licence Verification", or simply "Compliance". The clause is typically two to four paragraphs long and is structured as a grant of right (Broadcom may verify) followed by limitations on the right (subject to the following conditions).
Your master agreement may be: a VMware Enterprise Licence Agreement (ELA) negotiated before 2023; a VMware End User Licence Agreement (EULA) for non-negotiated purchases; a Broadcom master subscription agreement post-acquisition; a public-sector framework agreement (federal GSA schedule, state cooperative agreement); or a reseller agreement that incorporates VMware or Broadcom terms by reference. The audit clause varies materially across these formats, and you should locate the specific document that governs your purchase before reading further.
The grant of right
The grant of right typically reads something like: "Vendor may, no more than once per [twelve months / calendar year], upon [thirty / sixty] days' prior written notice, audit Customer's use of the Software to verify Customer's compliance with this Agreement." Several elements of the grant are negotiable and may have been negotiated more favourably in your specific contract.
Frequency. The default in VMware contracts is once per twelve months. Some negotiated ELAs limit audit frequency to once per twenty-four or thirty-six months. If Broadcom has audited you (formally or through a soft audit) within the contractual cooling-off period, the new audit may be procedurally defective.
Notice period. The default is thirty days. Some negotiated agreements require sixty or ninety days. The notice period is your first preparation window — it should be used for entitlement reconstruction and counsel engagement, not for waiting.
Trigger. Some audit clauses require a reasonable basis or specific trigger for the audit ("upon reasonable belief of non-compliance"). Many do not. If your clause requires a trigger, the customer can demand that Broadcom articulate the trigger as a precondition to engagement.
Auditor identity. The default in modern Broadcom contracts is that Broadcom may appoint the auditor, including its in-house compliance team. Many older ELAs require an independent third-party auditor, often with a list of acceptable firms (typically the Big Four). Where your contract requires an independent auditor, you can decline to engage with Broadcom's in-house team.
Scope limitations
Scope is the most important and most negotiable element of the audit clause. The default scope in modern Broadcom contracts is broad: any and all use of any Broadcom or VMware software, with no temporal limitation. Most negotiated ELAs and many older VMware EULAs contain materially narrower scopes.
Product scope. A negotiated clause may limit audit to specifically identified products (those purchased under the agreement). This is a meaningful limitation if you have acquired other VMware products through acquisitions, separate purchases, or pre-existing entitlements that pre-date the audited contract.
Use scope. A clause may limit audit to verification of production use only, excluding development, test, staging, or evaluation use. Where this limitation exists, the customer can decline data requests for non-production environments.
Temporal scope. A clause may limit audit to the current or prior twelve months only. A scope of "since the inception of the agreement" is broader and more onerous. Where your clause has a temporal limit, the customer can decline data requests for periods outside the limit.
Entity scope. A clause may limit audit to the contracting entity only, excluding affiliates, subsidiaries, or acquired companies. Where your clause has an entity limit, the customer can decline to provide data for entities outside the scope — and where Broadcom has acquired entitlements through M&A activity, the entity scope can substantially limit audit reach.
Procedural protections
Even within scope, the audit clause typically specifies procedural protections that limit how the audit may be conducted. These protections are often under-used by customers who treat them as boilerplate.
Business hours. Audits must typically be conducted during normal business hours of the customer. This limits the auditor's ability to demand real-time data extracts, after-hours access, or weekend work.
Minimal disruption. Audits must typically be conducted with minimal disruption to the customer's business operations. This is a real limitation on intrusive data-collection protocols.
Confidentiality. Audit data is confidential to the customer. The auditor may not use the data outside the audit, may not share it with third parties without the customer's consent, and must return or destroy it at the conclusion of the audit. The confidentiality provision applies to the auditor and, by extension, to Broadcom.
Data handling. Many clauses require specific data-handling protocols: encryption in transit, secure transmission, restricted storage, return or destruction on conclusion. The customer can require that the auditor sign a confirming data-handling agreement before any data exchange.
Personally identifiable information. Many clauses exclude PII from the audit scope. Where your clause excludes PII, the customer can redact or withhold data containing employee names, contact information, or other PII.
Regulated data. Customers in regulated industries (healthcare under HIPAA, financial services under GLBA or FFIEC, federal contractors under FAR/DFARS, EU customers under GDPR) may have additional protections that override the contractual audit clause. Where regulated data is involved, the data-handling protocol must comply with the regulatory regime regardless of what the contract says.
Cost allocation
The audit clause typically allocates the cost of the audit between the parties based on the outcome. The standard formulation is: each party bears its own costs, except that if the audit reveals material under-licensing (typically defined as more than 5% of the licensed quantity), the customer bears Broadcom's reasonable audit costs.
The cost allocation matters for two reasons. First, it caps Broadcom's incentive to run aggressive audits — Broadcom bears its own cost if the audit produces no material finding. Second, the "material under-licensing" threshold is itself a negotiable point. A finding just below the threshold produces materially different cost consequences than a finding just above it, and the threshold is a useful reference point in settlement negotiation.
Cure periods
The audit clause typically provides a cure period after the audit findings are delivered: the customer has thirty to ninety days to remediate any under-licensing identified. Remediation is typically defined as purchasing additional licences to cover the shortfall. The cure period matters because it limits Broadcom's ability to demand immediate payment or to escalate to breach of contract before the cure period has run.
The cure period is also a leverage point. The customer can use the cure period to negotiate the form of remediation (cash payment vs subscription purchase, term length, pricing) rather than accepting Broadcom's initial proposal. Where the cure period is short, the customer can negotiate an extension to allow proper remediation analysis.
Dispute resolution
The audit clause typically incorporates the dispute resolution provisions of the master agreement. These typically include: escalation to senior executives within a defined period; mediation as an optional or required step; arbitration or litigation as the final step. The dispute resolution provisions matter because they define the customer's procedural options if the parties cannot agree on findings or remediation.
In practice, formal dispute resolution is rare in Broadcom audits — most disputes settle commercially before reaching mediation or arbitration. But the credible availability of dispute resolution is itself a settlement lever. A customer who has prepared a defensible position and is willing to invoke dispute resolution typically settles on better terms than a customer who is not.
What modern Broadcom clauses look like
Post-acquisition Broadcom subscription agreements have audit clauses that are materially less protective of customers than legacy VMware ELAs. The typical Broadcom audit clause grants Broadcom the right to audit at any time on thirty days' notice, with Broadcom's choice of auditor (including in-house), with broad scope, and with cure periods measured in days rather than weeks.
If you are operating under a post-acquisition Broadcom agreement, the audit clause is materially worse for you than if you are operating under a legacy VMware ELA. Where you have a legacy ELA, the audit clause typically continues to apply for the term of the ELA, regardless of any Broadcom communications suggesting otherwise. Insist on the legacy clause where it applies.
What to do if your contract is silent or unclear
If your master agreement does not contain an explicit audit clause — which is increasingly common with click-through purchases — the rules default to the EULA in effect at the time of purchase. The EULA almost always contains an audit clause, and you should locate it.
If your audit clause is ambiguous on a specific point, the ambiguity should be resolved in the customer's favour under the principle of contra proferentem (ambiguity is construed against the drafter). Since Broadcom drafted the agreement, ambiguity favours the customer. This is a legal principle, not a commercial one, and it applies most effectively when invoked through counsel.
The three clauses every customer should read first
If you have time to read only three clauses in your master agreement, read these in order.
The audit clause itself — to understand your procedural rights and Broadcom's procedural obligations. Find it under the headings listed at the start of this article.
The confidentiality clause — to understand how audit data must be handled and what restrictions apply to Broadcom's use of the data. The confidentiality clause typically applies to all information exchanged under the agreement, including audit data.
The transfer and assignment clause — to understand how your entitlements are affected by M&A activity and what consent (if any) is required from Broadcom for transfers. Many customers' best leverage in an audit comes from entitlements acquired with acquisitions; the transfer clause determines whether those entitlements are recognised.
The bottom line
Your audit rights are defined by your contract. Read it. Negotiated VMware ELAs from before 2023 frequently contain protections that materially advantage the customer in an audit, and those protections continue to apply for the term of the ELA regardless of any post-acquisition communications from Broadcom. Post-acquisition Broadcom subscription agreements typically have weaker protections, and customers operating under those agreements should engage independent advisors earlier in any audit conversation.
The single most valuable action a customer can take before an audit arrives is to locate, read, and brief counsel on the audit clause in their specific master agreement. The clause-level preparation typically takes a few hours and produces a procedural posture that materially improves the audit outcome.