Broadcom audit for managed service providers.

Multi-tenant complexity. Customer-licence vs provider-licence ambiguity. VCPP reporting density. MSP audit exposure is structurally higher than enterprise audit exposure — and the defence playbook has to reflect that.

broadcomaudits Research · Published August 2024 · 14 min read · Last updated January 2025
Managed service providers occupy one of the most exposed positions in the current Broadcom audit landscape. The MSP's licensing posture has to cover not only the MSP's own infrastructure but also the workloads the MSP runs on behalf of customers, the multi-tenant constructs the MSP uses to scale, and the contractual relationships through which compliance responsibility flows between the MSP and the customer. Broadcom's 2026 audit posture treats MSP environments with particular scrutiny because the licensing complexity creates both genuine compliance gaps and audit-attractive negotiation surface. This piece consolidates the MSP-specific audit dynamics, the contractual constructs that govern compliance responsibility, and the defensive posture that produces the best outcomes when an audit notice arrives at an MSP.

The dynamics described apply across the Broadcom-acquired portfolio — VMware, Symantec, CA Technologies, Carbon Black — though the MSP licensing constructs vary by product family. The defensive framework is consistent.

Why MSPs are audit-attractive

Multi-tenant licensing complexity

MSPs operate environments that mix the MSP's own infrastructure entitlement with customer-dedicated entitlement and with multi-tenant constructs that serve multiple customers from shared infrastructure. The complexity creates compliance gaps in three places: at the boundary between MSP-owned and customer-owned entitlement, in the allocation of multi-tenant infrastructure to customer workloads, and in the tracking of customer-provided entitlement that the MSP operates on the customer's behalf.

Service-provider licensing programmes

Broadcom inherited and modified the VMware Cloud Provider Programme (VCPP) and equivalent constructs for the Symantec and CA portfolios. These programmes have specific reporting cadence, usage-measurement, and entitlement-allocation rules that differ from standard enterprise licensing. MSPs that operate under VCPP or its equivalents face compliance requirements that are denser and more frequently audited than standard enterprise customers.

Customer churn and entitlement transfer

MSP customer churn creates entitlement-transfer complexity. When a customer ends a managed-service engagement, the licensing entitlements that supported the customer's workloads have to be either decommissioned, retained on the MSP's books for re-use, or transferred to the customer's direct ownership. The mechanics of each path are different, and the audit-relevant trail is rarely as clean as the MSP's commercial team assumes.

The audit constructs MSPs face

Direct audit of the MSP entity

The most straightforward audit construct is a direct audit of the MSP entity, in which Broadcom's compliance team asserts the MSP's right to operate under the VCPP or equivalent programme and reconciles reported usage against actual deployment. The data requests in this construct are typically broader than enterprise audits because the MSP environment is by nature more complex.

Customer audit that traces into the MSP

An increasingly common construct is an audit of an MSP's customer that traces into the MSP environment. The customer audit identifies workloads running on MSP infrastructure that may not be properly entitled, and the resulting compliance question becomes a three-way conversation among the customer, the MSP, and Broadcom. The contractual allocation of compliance responsibility between the customer and the MSP becomes the central question.

VCPP programme review

A VCPP programme review — sometimes framed operationally rather than as a formal audit — examines the MSP's compliance with the programme's specific rules around usage reporting, deployment classification, and entitlement allocation. These reviews can identify reporting gaps that translate into material commercial outcomes even where there is no actual deployment shortfall against entitlement.

Contractual constructs between MSP and customer

Bring-your-own-licence (BYOL) constructs

Under BYOL, the customer brings its own entitlement and the MSP operates against the customer-provided licences. The contractual responsibility for compliance typically rests with the customer, but the operational reality — the MSP operates the environment and produces the usage data that would be reconciled in an audit — means the MSP retains material exposure. The MSP service contract should explicitly address audit cooperation, data provision, and compliance-finding responsibility.

Provider-provided-licence (PPL) constructs

Under PPL, the MSP provides the licensing entitlement and includes the cost in the managed-service fee. The contractual responsibility for compliance rests with the MSP, but the operational reality — the customer's workload behaviour drives usage — means the MSP needs visibility and control over usage growth. The service contract should give the MSP the right to require operational changes to keep usage within entitlement.

Hybrid constructs

Many MSP engagements use hybrid constructs — some entitlement BYOL, some PPL, some shared. The audit-relevant trail across hybrid constructs is the most complex and most frequently produces ambiguity in audit scenarios. MSPs operating hybrid constructs should maintain explicit per-component allocation documentation and should validate the allocation at every service-contract anniversary.

The audit-response playbook for MSPs

Centralise the response immediately

An audit notice to an MSP — direct or traced from a customer — should immediately trigger response centralisation. The MSP's licensing lead, legal counsel, and engaged defence advisor should hold all auditor communication. Distributed response across operations, customer-success, and finance functions produces inconsistencies that the audit team will exploit.

Validate the audit's contractual basis

The contractual basis for the audit varies by construct. Direct MSP audits operate under the VCPP or equivalent programme agreement; customer-traced audits operate under the customer's contractual relationship with Broadcom and the MSP's contractual relationship with the customer. The validation should establish which contract is the basis for which auditor request, and which requests fall within the contractual scope.

Scope the response across customer estates carefully

An audit that traces from a single customer into the MSP environment should not be allowed to expand into a broader review of the MSP's other customers without explicit scope justification. The defensive posture is to keep the audit response narrowly scoped to the originating audit's contractual basis.

Maintain separation between MSP entitlement and customer entitlement

The audit response should explicitly distinguish between MSP-owned entitlement (the MSP's own infrastructure and platform) and customer-owned or customer-allocated entitlement. Conflating the two produces audit findings that overstate the MSP's compliance exposure and create commercial friction with customers whose entitlement gets pulled into the MSP's audit response.

Common audit findings in MSP environments

Multi-tenant allocation gaps

The most common audit finding in MSP environments is that multi-tenant infrastructure is allocated to customer workloads in a way that does not match the per-tenant entitlement assumption underlying the VCPP report. The gap can be commercial fiction — accurate workload allocation that the reporting model did not capture — or genuine compliance shortfall. Distinguishing one from the other is the first step in compressing the audit finding.

BYOL-PPL boundary disputes

Audit findings frequently turn on disputes about whether a specific workload is operating under BYOL entitlement (customer's licensing) or PPL entitlement (MSP's licensing). The contractual allocation typically exists but the operational mapping does not always match. Strengthening the operational mapping reduces both the audit finding and the commercial friction with affected customers.

Decommissioned-customer residue

Workloads that should have been decommissioned at the end of a customer engagement but were not fully removed frequently surface as audit findings. The MSP-side discipline around customer-offboarding directly affects audit exposure.

Test and development environments

Test and development environments are frequently under-tracked relative to production environments, and the entitlement gap is a common audit finding. MSPs should maintain test/dev tracking with the same rigour as production tracking.

The MSP customer-relationship implications

Customer communication during an audit

An audit that traces from a customer into the MSP environment requires careful customer communication. The MSP should communicate the situation transparently to the affected customer, agree the joint response approach, and avoid commercial actions that would compromise the customer's own contractual position. Mishandled customer communication during an MSP audit produces customer-relationship damage that materially outlasts the audit itself.

Service-contract clauses that protect the relationship

MSP service contracts should explicitly address audit cooperation, compliance-finding allocation, and commercial-impact handling. Contracts that leave these questions ambiguous produce the worst commercial outcomes when an audit lands and force renegotiation in the middle of an audit response.

Joint defence engagement

Where an audit affects both the MSP and a customer materially, joint engagement of buyer-side defence advisory often produces better outcomes than separate engagement. The defence advisor can coordinate the contractual-position validation across both contracts and avoid commercial conflicts between the MSP and the customer that the audit team would otherwise exploit.

Preventative posture between audits

Quarterly compliance review

MSPs should operate a quarterly internal compliance review that reconciles deployment against entitlement, validates VCPP reporting integrity, and identifies emerging compliance gaps before they accumulate. The cadence sounds expensive but is consistently less expensive than a poorly handled audit response.

Customer-offboarding discipline

The MSP's customer-offboarding process should explicitly include compliance-relevant steps — decommissioning of customer-allocated entitlement, retention or transfer decisions, audit-trail documentation. Discipline at the offboarding boundary directly reduces audit exposure.

Test and development tracking

Test and development environments should be tracked with the same rigour as production environments. The audit exposure created by under-tracked test/dev is consistently disproportionate to the operational value the under-tracking creates.

The 2026 outlook for MSP audit exposure

Broadcom's 2026 audit posture treats MSP environments with particular scrutiny. Customers running workloads on MSP infrastructure are increasingly subject to audits that trace into the MSP environment, and MSP-direct audits under the VCPP and equivalent programmes have become more frequent. The trend is unlikely to reverse over the rest of 2026. MSPs that operate a disciplined preventative compliance posture, maintain clear contractual allocation with customers, and engage experienced defence support when audit notices arrive will land materially better outcomes than MSPs that treat each audit as an isolated operational event.

Closing

MSP audit exposure is structurally higher than standard enterprise audit exposure because the licensing complexity is higher and the contractual relationships are more layered. The defensive posture that produces the best outcomes for MSPs is the same posture that produces good outcomes in any audit environment — contractual clarity, scope discipline, methodology rigour, experienced defence support engaged early — applied with attention to the multi-tenant, multi-customer dimensions that distinguish MSP environments. The MSPs that build this posture as an operating discipline rather than an audit-time response land better outcomes for themselves and their customers across the full 2026 audit wave.

The VCPP-specific compliance dimension

Monthly usage reporting

VCPP requires monthly usage reporting against contracted entitlement. The reporting cadence is operationally demanding and a frequent source of compliance gaps — missed reporting periods, methodology inconsistency between reporting periods, and category misallocation that surfaces under audit. MSPs should treat the monthly reporting discipline as a defined operational practice rather than a back-office task.

Contract-period reconciliation

VCPP contract periods include a reconciliation that compares actual usage against contracted commitment. Material under-reporting against actual usage produces compliance findings; material over-reporting against actual usage produces commercial waste. Both surfaces are routinely audit-relevant.

Programme tier transitions

VCPP tier transitions — typically driven by growth in committed volume — produce compliance dynamics that should be anticipated. The tier the MSP qualifies for affects the discount available, the reporting cadence, and the audit-relevant trail. Tier transitions should be planned commercially rather than allowed to surface as audit findings.

Operational practices that scale with MSP growth

MSP audit exposure scales with MSP growth, and the operational practices that contain exposure at small scale do not always scale to large MSP environments. Practices to revisit as MSP scale grows include the inventory-management toolchain (which needs to handle multi-tenant complexity at increasing scale), the customer-offboarding process (which becomes the largest single source of compliance residue), and the licensing-allocation documentation (which becomes the institutional memory that survives staff transitions).

Closing on MSP audit posture

The MSPs that fare best in the 2026 audit environment are the ones who treat compliance as a service-delivery competency rather than a compliance-team activity, who invest in inventory and allocation discipline ahead of growth rather than after compliance gaps surface, and who engage experienced defence support proactively when audit-relevant contact arrives. The defensive framework is mature; the execution discipline is what distinguishes good outcomes from poor ones.
