Broadcom Audit Timeline: How Long It Takes
A realistic Broadcom audit takes four to nine months from notice to settlement, with a thirty-to-sixty-day contractual cleanup tail. Faster than that usually means the customer is losing ground; slower than that usually means the customer is holding it.
A Broadcom audit is rarely a short event, but customers consistently underestimate how long it will run. The notice arrives with a proposed kickoff in two weeks, the auditor's first project plan shows a ninety-day timeline to findings, and customers conclude that the engagement will be over in a quarter. It almost never is. Most audits run between four and nine months from notice to settlement, with another month or two of contractual cleanup at the end.
This article walks through the realistic timeline phase by phase, with median durations from our engagement data, the fast paths that compress timelines, and the slow paths that extend them. Understanding which phase you are in, and how long it is supposed to last, is the simplest defence against an auditor's attempt to compress timelines artificially in their favour.
Phase 0 — Pre-audit signals: 3 to 9 months
Most audits begin well before the audit notice. Pre-audit signals — unusual account-team interest in deployment data, lapsed SnS escalations, sudden delays on routine transfer requests, account-team replacements without explanation — typically precede the notice by three to nine months. The customer's own preparation window opens here and closes when the notice arrives. Customers who use this window well shorten every subsequent phase; customers who ignore it lengthen them.
Phase 1 — Audit notice and response: 10 to 30 days
The audit notice is the formal start of the audit. The notice typically gives the customer ten to fifteen business days to acknowledge, and proposes a kickoff within the same window. The customer's response letter is due in this period, and is usually the first procedural artifact in the audit record. Customers who respond on the auditor's proposed timeline submit a thinner response letter; customers who negotiate an additional one to two weeks consistently produce a tighter response that benefits them throughout fieldwork.
Phase 2 — Kickoff and scoping: 2 to 6 weeks
The kickoff meeting itself is one event of sixty to ninety minutes. The scoping work around it takes two to six weeks. This includes scope-memo negotiation, data-handling protocol negotiation, designation of points of contact, and confirmation of the audit period. Customers should not rush this phase. Scoping decisions made in week three constrain findings made in week thirty. The kickoff phase ends when both parties have a written scope agreement and a signed data-handling protocol.
Phase 3 — Data request negotiation: 3 to 8 weeks
The first data request usually arrives at kickoff. Negotiating the request takes three to eight weeks for a typical mid-sized enterprise audit. The negotiation covers field-by-field scope, data formats, delivery schedule, and handling. Customers who accept the auditor's data request as-is skip this phase and pay for it later. Customers who negotiate substantively here produce datasets that fit the agreed scope and the agreed methodology, which makes fieldwork much shorter and findings much narrower.
Phase 4 — Data delivery and validation: 4 to 10 weeks
Data delivery is rarely a single event. A typical audit involves three to six discrete data deliveries, each separated by one to three weeks. Between deliveries, both parties validate the data — the customer confirms that what was sent matches what was agreed, and the auditor confirms that the data is sufficient to test compliance. Discrepancies surface here. Mismatches between the customer's entitlement records and Broadcom's internal records usually surface in this phase; addressing them now saves time in findings.
Why delivery takes longer than auditors propose
Auditors propose two-to-three-week delivery windows that assume the customer's environment is fully instrumented for compliance reporting. Most environments are not. Reasonable validation requires the customer to confirm host configurations, virtual-machine inventories, and entitlement-to-deployment mappings before delivery. That validation work cannot be compressed without producing errors that the auditor will then weaponise. Hold to a realistic delivery schedule and document the rationale.
Phase 5 — Fieldwork: 6 to 16 weeks
Fieldwork is where the auditor applies methodology to the data and produces a draft findings document. The duration depends on the size of the environment, the complexity of the licensing model, and the depth of the methodology challenges raised by the customer. A clean per-CPU vSphere audit at a mid-sized customer can finish fieldwork in six weeks; a multi-product VCF, vSAN, NSX, and Aria audit at a large customer can take sixteen weeks or more.
Customers should not be passive during fieldwork. Methodology challenges raised early — typically in weeks two through six of fieldwork — are taken into the auditor's working position as the findings are constructed. Challenges raised later have to overturn a written finding, which is procedurally harder. The right cadence is a weekly status meeting during fieldwork, with the customer raising methodology points and the auditor responding in writing.
Phase 6 — Draft findings: 2 to 6 weeks
The draft findings document is the auditor's written compliance assessment. It usually arrives two to four weeks before the auditor would like to close the audit. The customer's response to the draft findings is the most important written artifact in the audit, and it should not be hurried. A two-to-six-week customer response period is appropriate. Anything shorter favours the auditor; anything longer is rarely necessary.
The customer's response should challenge each finding on three dimensions: factual accuracy (is the underlying data correct), methodology (is the methodology applied correctly and consistently with the contract), and remedy (if the finding stands, what is the appropriate remedy under the contract). Every finding accepted at this stage becomes part of the settlement; every finding challenged becomes a negotiation point.
Customers who handle the findings dispute primarily through verbal meetings consistently lose ground. Verbal positions are easier for auditors to reinterpret later. Written responses, document-controlled, are durable. Keep the dispute on paper.
Phase 7 — Findings dispute and reconciliation: 4 to 12 weeks
The findings dispute is the negotiated reconciliation between the customer's response and the auditor's draft. Most engagements take four to twelve weeks here. Each disputed finding is examined separately. Some are sustained, some are dropped, some are revised. The customer's leverage in this phase comes from the methodology record built in earlier phases: challenges raised during fieldwork can be sustained in the dispute phase; challenges raised for the first time in the dispute phase often cannot.
Phase 8 — Settlement negotiation: 4 to 12 weeks
Settlement negotiation begins when both parties have a reconciled findings position. This is the commercial negotiation: how the remaining findings are remediated, what licenses are purchased, at what price, and on what terms. The settlement is rarely a simple cheque. In current Broadcom practice, settlements are usually structured as a VCF subscription conversion, a discounted true-up purchase, a multi-year subscription commitment, or some combination. Each structure has different cash, commitment, and flexibility implications.
The settlement phase is where the difference between a customer with a strong methodology record and a customer without one shows up most clearly. Strong records produce settlements in the thirty-to-fifty per cent range of the initial finding; weaker records produce settlements in the seventy-to-ninety per cent range.
Phase 9 — Contractual cleanup: 4 to 8 weeks
After settlement, the contractual cleanup phase produces the final purchase orders, signed amendments, and revised entitlement records. This phase looks like administrative tidying but it is not. Errors in cleanup documents have produced disputes that persisted for years. Confirm in writing that the settlement closes the audit, that the new entitlements supersede prior records, that audit data is destroyed per the protocol, and that no further audit will run for a defined exclusion period.
Fast paths and slow paths
The fastest realistic audit runs about sixteen weeks from notice to settlement, and another four weeks to closeout. This is unusual. It happens when the environment is genuinely simple, the customer has a clean compliance position, the auditor is well-resourced, and the scope is narrow. Customers should not aim for this path unless their position genuinely supports it.
The slowest realistic audit runs about eighteen months from notice to settlement. This happens when scope is contested, methodology is disputed, the customer raises substantive procedural challenges to audit standing, multiple acquired entities create entity-scope complexity, or the customer is willing to litigate one or more findings. Slow paths are not necessarily worse for the customer. In our engagement data, audits in the nine-to-eighteen-month range produce better outcomes than audits in the three-to-six-month range, holding environment complexity constant.
What never finishes on the auditor's proposed timeline
Three categories of audit never finish on the auditor's proposed timeline: multi-entity audits, particularly those involving recently acquired companies; multi-product audits, particularly those spanning VMware and Symantec, or VMware and CA Technologies; and methodology-contested audits, where the customer has raised at least one substantive methodology challenge.
If your audit falls into one of these categories, expect the realistic timeline to extend by thirty to sixty per cent over the auditor's proposal. Plan staffing accordingly; over-resourcing in the early phases is much cheaper than under-resourcing in the late phases.
Related reading
Our companion guides cover the audit process phase by phase, scope limitation, and data request negotiation. Together they describe the events that take place inside the timeline this article frames.