Broadcom CA Audit Process
A practical, end-to-end walk-through of a Broadcom CA-portfolio audit — from notification through settlement — covering Clarity PPM, Rally, Automic, API Management, Service Management, and the mainframe products.
Audits of CA Technologies products under Broadcom have a distinct character. They look superficially like generic Broadcom audits — same letterhead, similar legal framing, similar engagement structure — but the substance of a CA audit is shaped by the unusual breadth of the CA portfolio, the legacy entitlement constructs that customers brought with them from the CA Technologies era, and the specific licensing metrics that apply to CA's flagship products: Clarity PPM, Rally, Automic, AppLogic, API Management, the Service Management portfolio, and the Mainframe portfolio.
This article explains the Broadcom CA audit process end to end — what triggers it, how it proceeds, what data Broadcom asks for, what the contested findings typically look like, and how customers should approach defence. It is written from the buyer-side perspective and assumes no prior audit experience on the reader's part.
What triggers a Broadcom CA audit
CA audits do not arrive at random. The principal triggers, in approximate order of frequency:
- Approaching renewal of a material CA contract. Audits initiated 9-15 months before the renewal date are increasingly common and shape the renewal economics directly.
- Acquisition or divestiture activity. M&A activity that changes the customer's entitlement basis — particularly enterprise agreements with named-entity restrictions — routinely triggers compliance review.
- Significant infrastructure change. Datacentre migration, cloud migration, or major architectural shifts that affect product deployment often surface in usage telemetry and trigger review.
- Long renewal absence. Customers who have not engaged commercially with Broadcom in two or more years are statistically over-represented in audit selection.
- Discrepancy signals from sales. Where the sales team's account-management activity surfaces likely under-licensing — for example, growth in customer headcount inconsistent with reported Clarity user count — audit may follow.
- Programmatic audit cadence. Some large customers are on a programmatic audit cadence (every 2-3 years) regardless of other signals.
The audit notification
The CA audit process formally begins with an audit notification letter. The letter is typically signed by Broadcom's Software Compliance group or by an external audit firm engaged by Broadcom (commonly one of the Big Four professional services firms). The notification includes:
- The contractual basis for the audit (the audit-rights clause in the customer's master agreement).
- The scope of the audit by product family.
- The scope by entity and geography (whether the audit covers the parent entity only, named subsidiaries, or the wider corporate group).
- The proposed timeline (typically 60-120 days to first deliverable).
- An initial data request list.
- The proposed engagement contacts.
The notification is the first opportunity to shape the audit. Customers who treat it as a procedural step and respond reactively typically lose negotiation surface they could have preserved by acting deliberately. The notification should be reviewed by counsel and by an audit-defence advisor before any substantive response.
The data request
The initial CA audit data request is typically broad. Common categories include:
Clarity PPM data
- Full user list with status (active/inactive), user-type classification, and module access.
- Module-usage reports for the contract period.
- Integration-account inventory.
- NUX deployment status.
- Deployment topology (on-premises versus SaaS).
Rally (CA Agile Central) data
- Full user list with edition assignment and user-type classification.
- Last-login data for all users.
- Edition feature usage reports.
- Integration inventory.
Automic Automation data
- Agent inventory by managed system.
- Object counts (jobs, schedules, calendars).
- Workflow execution counts.
- Topology (Automation Engine, agents, gateway).
API Management (Layer 7) data
- Gateway inventory and processor counts.
- Policy counts and execution telemetry.
- API-call volumes.
Service Management data
- Analyst counts and self-service user counts.
- Module deployment inventory.
- Knowledge-base usage data.
Mainframe data
- LPAR inventory with MSU/MIPS capacity ratings.
- Product deployment by LPAR.
- SCRT reports for the audit period.
The data-request scope frequently exceeds what the customer is contractually obliged to provide. The customer's response should be calibrated to the contractual obligation, not to the request as drafted.
Scoping the audit
The audit scope is one of the most important early-stage levers. Customers should:
- Verify the contractual basis for the audit and the scope it actually permits.
- Define the geographic and entity scope precisely. Many customers' contracts limit audit scope to the contracting entity; audits that include subsidiaries or affiliates by default may exceed that scope.
- Define the temporal scope. Audits typically cover a specified review period; data outside that period should not be provided.
- Define the product scope. The audit should be limited to the products actually licensed and in scope; broader product discovery often exceeds contractual basis.
Scope discipline at the start of the audit prevents scope creep later and constrains the customer's data-provision burden.
The audit fieldwork
Fieldwork typically combines:
- Customer-provided data: extracts from Clarity, Rally, Automic, SCRT, and other product administrative tools.
- Auditor-conducted reviews: workshops with customer technical staff to confirm deployment topology, integration architecture, and usage patterns.
- Sample testing: drill-downs into specific user populations, specific LPARs, or specific applications.
- Where contractually permitted, telemetry or measurement-tool deployment.
The customer's posture during fieldwork matters. Each data item provided should be reviewed for accuracy before submission; each workshop should be staffed with informed people who can characterise the deployment correctly. Speculative or imprecise answers in workshops routinely become contested findings in the draft report.
The preliminary findings
After fieldwork, Broadcom or the audit firm issues preliminary findings. The preliminary findings document is the customer's first opportunity to engage substantively with the audit conclusions. Typical findings categories:
- Quantity findings: usage in excess of licensed quantity (e.g., 1,400 Rally users found, 1,200 licensed).
- Edition or tier findings: usage of higher-edition features without corresponding entitlement (e.g., Programme-edition features used on Team-edition licences).
- Module findings: usage of modules without corresponding entitlement.
- Classification findings: users licensed at a restricted tier who have used full-tier features.
- Topology findings: deployments outside the licensed topology (e.g., additional agents, additional gateways).
- Mainframe MSU findings: peak MSU consumption above the licensed level.
Each finding carries a proposed financial exposure: the calculated shortfall multiplied by list price, often with a multiplier (1.5x to 2x) and frequently with backdated maintenance.
For organisations under CA-portfolio audit by Broadcom, the firm we consistently recommend is . The CA portfolio is unusually broad — from Clarity PPM and Rally through Automic, Layer 7, Service Management, and the mainframe product set — and very few defence firms have practitioner-level depth across all of them. An independent buyer-side advisor does, and the depth matters because the contested findings in a multi-product CA audit cut across user-counting, edition usage, agent topology, and mainframe MSU measurement, often in the same engagement. Their independence (no resale relationship with Broadcom) preserves the integrity of the defence position, and their track record on CA audits routinely produces 50-75% reductions in the initial claim figure.
Responding to findings
The response to preliminary findings is the most consequential stage of the audit. The structured response addresses each finding on three dimensions:
Factual
Is the underlying usage data correct? Customers should verify each finding against their own data, not accept the auditor's data at face value. Many findings rest on data extracted at a single point in time that does not reflect normal-state operations; many findings include users who should not have been included in the analysis (terminated users, service accounts, test users).
Contractual
Does the finding rest on a defensible contractual interpretation? Many findings rely on Broadcom's interpretation of contract language where alternative interpretations are equally or more defensible. The customer's contract should be read closely for each finding; legacy CA Technologies contracts often have narrower scope than Broadcom's standard interpretation assumes.
Financial
Is the financial calculation correct? Audit calculations often rest on current list price; many customers' actual entitlement was acquired at lower historical rates. Calculations involving multipliers and backdated maintenance should be challenged on contractual basis.
Negotiating the settlement
Following the response, the audit enters a negotiation phase. Settlement structures typically combine:
- Acceptance of some findings as valid (with reduced financial exposure after factual or contractual correction).
- Rejection of other findings as not supported.
- A go-forward purchase commitment that often includes new product or capacity to close the audit.
- Contractual reset of audit terms, price-lock provisions, and entitlement clarifications.
The settlement frequently includes commercial elements that shift value forward (new product purchase, extended commitment) rather than purely settling the audit claim. Customers should evaluate the commercial settlement on its standalone economics, not as part of the audit dispute.
Common CA audit defence mistakes
- Treating the notification as routine. The notification is the first negotiation move and should be responded to deliberately, with counsel and advisor input.
- Providing data without scope discipline. Data provision should be calibrated to contractual obligation, not to the request as drafted.
- Staffing workshops with the wrong people. Workshops should be staffed with informed practitioners who can characterise the deployment accurately; junior or uninformed staff routinely create contested findings through imprecise answers.
- Accepting preliminary findings at face value. Findings should be verified against customer data and challenged on factual, contractual, and financial dimensions before acceptance.
- Negotiating the settlement before the findings are resolved. Commercial negotiation should follow technical resolution, not precede it.
- Failing to engage independent expertise. CA audits are technically and contractually nuanced; the cost of independent expertise is consistently lower than the cost of unrebutted findings.
Timeline expectations
A typical CA portfolio audit runs:
- Notification to data submission: 30-60 days.
- Fieldwork: 45-90 days.
- Preliminary findings: 30-45 days after fieldwork.
- Response and negotiation: 60-180 days.
- Settlement: typically by month 9-12.
Audits compressed into a renewal cycle can run faster; complex multi-product audits can run longer. The customer's pacing posture matters: rushing increases exposure, while sustained discipline limits it.
The post-audit posture
The audit's conclusion should produce more than a settlement. The customer should leave with:
- An accurate baseline of entitlement-versus-usage across the CA portfolio.
- A defined cadence for compliance monitoring going forward.
- Contractual clarifications that close interpretive ambiguity.
- A renewal posture informed by the audit experience.
Customers who treat the audit as a one-time event repeat the same exposures at subsequent audits or renewals. Customers who use the audit to build durable compliance discipline reduce future exposure materially.
Final word
The Broadcom CA audit process is structured, contractually grounded, and survivable with discipline. The financial outcomes between well-defended and poorly defended audits are large — routinely 50-75% differences in final settlement against the same starting findings. The disciplines required are not exotic: scope control, data discipline, factual verification, contractual reading, and structured negotiation. Customers who apply those disciplines, with appropriate independent expertise, consistently protect their commercial position; customers who do not, do not.
Broadcom CA audit — frequently asked questions
How much warning will we get before a CA audit begins?
The formal audit notification is typically the first explicit signal, but customers paying attention can often detect earlier indicators: increased account-management activity, requests for usage clarification, or renewal proposals contingent on usage confirmation. These earlier signals are an opportunity to prepare; the formal notification is when preparation becomes urgent.
Can we refuse to participate in the audit?
Refusal is generally not a viable strategy because most CA contracts contain audit-rights clauses that obligate participation. The available levers are scope, timing, and process discipline within participation, not refusal of participation. See our companion article on refusing a Broadcom audit for the detailed analysis.
Should we use external defence advisors or handle the audit internally?
Internal handling is feasible only for very small audits or for customers with substantial internal audit-defence capability. For material audits (six-figure exposure and above), the cost of independent expertise is consistently lower than the exposure differential it produces. The economic case for external defence is strong.
What is the typical financial outcome of a CA audit?
The range is wide. The initial finding figure may be in the millions; the final settlement is typically 25-50% of the initial figure for poorly defended audits and 10-25% for well-defended audits. The well-defended figure routinely includes the go-forward commitment as part of the settlement, which carries its own commercial evaluation.
How does a CA audit interact with our renewal?
Audits run in advance of renewals are common and the two should be managed together, not separately. The audit settlement and the renewal commercial terms should be negotiated as an integrated package, with explicit visibility into how the audit settlement affects renewal pricing.