Broadcom Audit Notification Template: A Line-by-Line Analysis
The Broadcom audit notification letter looks like routine vendor correspondence. Read clause by clause, it is a carefully drafted legal instrument designed to extract data and concessions before you have time to object. Here is what each section actually says — and what it leaves unsaid.
Since the Broadcom acquisition closed in late 2023, the standard VMware audit notification letter has been rewritten four times. The latest version, in circulation since the first quarter of 2026, runs to roughly two pages of body text and one page of appendices. To a CIO or general counsel receiving it for the first time, it reads as polite, procedural, and unobjectionable. To anyone who has handled a Broadcom audit before, it reads very differently: every paragraph is a carefully drafted instrument with a specific operational purpose.
This article walks through the current notification template clause by clause. The wording quoted below is a generalised composite drawn from notifications received by Broadcom customers between January and May 2026. Specific letters vary in detail, but the structural elements are highly consistent across geographies and customer segments.
The opening paragraph
A typical opening reads as follows.
Three things to note. First, the letter invokes the master agreement that VMware signed, not Broadcom — and treats the novation of that agreement to Broadcom as a given. Many customers' master agreements contain assignment restrictions that were not properly observed in the acquisition; whether those restrictions are still enforceable is a live legal question.
Second, the phrase "ongoing commitment to software license compliance" is not a statement of fact; it is a framing device. It positions the audit as a routine governance activity rather than a commercial revenue event. Treat the framing as marketing copy, not a legal characterisation.
Third, "Broadcom is exercising its right" assumes the existence of an audit right under the operative contract. Verify that the cited contract is in fact the operative one, that the audit clause is active (some clauses have notice or frequency limits), and that the named entity is the contracting party.
The scope statement
The scope paragraph typically reads:
This is the most aggressive clause in the letter. The phrase "all VMware software products, including but not limited to" extends the requested scope to every product Broadcom can identify in the portfolio, regardless of whether the customer has ever licensed them. The phrase "worldwide IT environment" extends scope to every geography in which the customer operates, regardless of where the master agreement was signed.
Compare this to the typical contractual scope language in a VMware enterprise agreement signed before 2022: "verification of deployment of the Software licensed under this Agreement". The contractual scope is the products licensed; the audit letter scope is the entire portfolio. The gap between the two is an expansion the audit team hopes you will not notice.
The proper response is to narrow scope back to what the contract permits, in writing, in the first response letter. Do not provide data for products outside the contractual scope.
The auditor identity clause
Auditor identification typically reads:
Many enterprise VMware agreements signed before 2022 require that the auditor be a "mutually agreed independent third party". Broadcom's in-house compliance team is not an independent third party, and customers have not "mutually agreed" to its appointment. Where the contract requires an independent auditor, the notification is procedurally defective and the customer can decline to engage with the in-house team until an independent firm is appointed.
Where a Big Four firm is named, the firm is paid by Broadcom and reports to Broadcom. Its "independence" is professional rather than commercial. The customer can still require that the firm sign a non-disclosure agreement with the customer directly, that the firm's working papers be made available to the customer, and that the firm's findings be subject to challenge before they are finalised.
The data request
Data requests in the current template typically span half a page and include the following categories: vCenter inventory exports, host hardware inventories, license keys deployed, RVTools or PowerCLI script outputs, support contract numbers, virtual machine inventories with vCPU and vRAM allocation, cluster configurations, distributed switch configurations, NSX manager exports, vSAN cluster configurations, Aria Operations inventories, Horizon environment exports, and "any other data the auditor may reasonably request in the course of the verification."
The catch-all phrase at the end of the list is the most important part. It establishes an open-ended data request that the auditor will use throughout the engagement. The proper response is to negotiate a specific, finite data deliverable in the first response letter and to refuse to expand it without a written justification tied to the contractual audit scope.
The scripts deserve specific attention. PowerCLI and RVTools scripts collect substantially more data than the contractual audit scope requires. Beyond the host, socket and core counts that an entitlement check actually needs, they harvest configuration data, performance data, and usage data, which the auditor then uses to argue that features were in use and to construct a maximised compliance claim. Running the scripts as requested, and handing over the raw output, is the single most expensive mistake a customer can make in the first month of the audit.
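The practical alternative to running the auditor's scripts is the one the rest of this article recommends: export the data yourself, reduce it to the columns the contractual scope supports, scrub personal data, and keep a record of exactly what was handed over. The following is an added illustration written for this article, not a script from Broadcom, VMware or the RVTools project. It assumes an inventory export in the rough shape of an RVTools vHost tab; the column names, the sample rows and the allowlist of in-scope columns are constructed for the example and must be aligned to your own contract and export.

```python
"""Reduce a broad inventory export to a scoped audit deliverable.

Added example. Input is a CSV in the approximate shape of an RVTools-style
host tab; the column names below are constructed approximations, not the
tool's exact headers, and the allowlist is an assumption to be aligned with
the contractual audit scope.
"""
import csv
import hashlib
import io
import re

# Columns an entitlement check plausibly needs: which hosts exist, where they
# sit, how many sockets and cores they have, and what version they run.
SCOPE_COLUMNS = ["Host", "Datacenter", "Cluster", "# CPU", "Cores per CPU", "ESX Version"]

# Performance, usage and free-text columns that collection scripts return but
# the scope does not require. A column matching any of these is never delivered.
OUT_OF_SCOPE_PATTERNS = [r"usage", r"%", r"annotation", r"owner", r"contact", r"serial", r"service tag"]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample export: two hosts with the kind of extra columns a full
# inventory script produces (utilisation figures, owner e-mail, free-text notes).
SAMPLE_EXPORT = """Host,Datacenter,Cluster,# CPU,Cores per CPU,CPU usage %,Memory usage %,ESX Version,Owner,Annotation
esx01.corp.example,DC1,Prod-A,2,16,37,62,VMware ESXi 8.0.2,jane.doe@example.com,"Owner: jane.doe@example.com, PO 4711"
esx02.corp.example,DC1,Prod-A,2,16,12,40,VMware ESXi 8.0.2,bob@example.com,
"""


def is_out_of_scope(column: str) -> bool:
    """True if the column name looks like performance, usage or personal data."""
    name = column.lower()
    return any(re.search(pattern, name) for pattern in OUT_OF_SCOPE_PATTERNS)


def scope_export(raw_csv: str, allowlist=SCOPE_COLUMNS) -> tuple[str, dict]:
    """Return (scoped CSV text, manifest) for the deliverable.

    The manifest records what was delivered and what was withheld, plus a
    SHA-256 of the delivered file, so the customer has its own record of the
    exact data set the auditor received.
    """
    reader = csv.DictReader(io.StringIO(raw_csv))
    fieldnames = reader.fieldnames or []

    missing = [c for c in allowlist if c not in fieldnames]
    if missing:
        raise ValueError(f"export lacks required columns: {missing}")

    # Refuse to deliver if someone has widened the allowlist into usage or PII columns.
    leaked = [c for c in allowlist if is_out_of_scope(c)]
    if leaked:
        raise ValueError(f"allowlist contains out-of-scope columns: {leaked}")

    withheld = [c for c in fieldnames if c not in allowlist]

    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(allowlist), lineterminator="\n")
    writer.writeheader()
    row_count = 0
    for row in reader:
        # Keep only allowlisted columns and scrub e-mail addresses from any that remain.
        scoped = {c: EMAIL_RE.sub("[redacted]", row[c] or "") for c in allowlist}
        writer.writerow(scoped)
        row_count += 1

    deliverable = out.getvalue()
    manifest = {
        "columns_delivered": list(allowlist),
        "columns_withheld": withheld,
        "row_count": row_count,
        "sha256": hashlib.sha256(deliverable.encode("utf-8")).hexdigest(),
    }
    return deliverable, manifest


if __name__ == "__main__":
    csv_text, info = scope_export(SAMPLE_EXPORT)
    print(csv_text)
    print(info)
```

The manifest is worth keeping alongside the response letter: it is the customer's own statement of the finite data deliverable negotiated under the data request, and the hash lets the customer later show that a file the auditor relies on is, or is not, the one that was provided.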
The timeline
The timeline paragraph typically reads:
Each of these intervals is shorter than the typical contractual minimum. Many VMware audit clauses entitle the customer to a reasonable period for data preparation (typically interpreted as 60-90 days), require a reasonable opportunity to respond to findings (typically 30-45 business days), and require the parties to engage in good-faith negotiation before any escalation. The notification's compressed timeline is a negotiating position, not a contractual obligation.
Customers should respond by acknowledging receipt within the stated deadline, then proposing a counter-schedule that aligns with the contractual minimums. The auditor will not refuse a reasonable counter-schedule — but if you do not propose one, the aggressive default sticks.
The confidentiality clause
A standard confidentiality clause reads:
Two problems with this drafting. First, customer-provided data should be classified as the customer's confidential information, not Broadcom's. The customer owns the operational data of its environment; Broadcom is merely receiving it under audit rights. The classification matters because it controls Broadcom's downstream use of the data.
Second, "used solely for the purpose of the verification" is too broad in practice. Audit data has been observed flowing from Broadcom's compliance team to its sales team, where it is used to construct VCF subscription proposals sized to the customer's actual deployment. The customer should require explicit contractual restrictions on the use of audit data outside the audit itself, return or certified destruction of the data at the conclusion of the audit, and exclusion of personally identifiable information and regulated data from the production set.
The contact and escalation block
The closing typically names a Broadcom audit programme manager as the point of contact and directs all communication to that person. This is the auditor's preferred channel because it routes communication through the audit team rather than the account team.
The customer should respond by naming its own single point of contact — typically external counsel or an independent licensing advisor — and require that all auditor communication route through that contact. Direct auditor-to-IT-staff communication should be prohibited.
The appendix: methodology
Recent notification templates include a one-page methodology appendix describing how the auditor will calculate licensing exposure. The methodology typically assumes that any host running ESXi is licensed at the highest applicable VCF tier, that vMotion and DRS clustering imply licensing across all hosts in the cluster, that vSAN configured anywhere implies vSAN licensing across all qualifying hosts, and that any non-production environment running production-class workloads is licensed at production rates.
None of these methodological assumptions has any basis in the master agreement. They are positions the auditor takes because they maximise the calculated exposure. Each one can be challenged on technical grounds (the configuration does not imply the claimed licensing), commercial grounds (the customer never bought the product at that tier), or procedural grounds (the methodology was not agreed in advance).
The methodology appendix is the most important document to challenge in the response letter. Once the methodology is implicitly accepted by silence, the customer is arguing only about deployment data, not about how the deployment data is being interpreted. Most of the leverage in audit defence is in the methodology, not the data.
The appendix: data formats
A second appendix specifies file formats for the data submission: CSV outputs from named PowerCLI scripts, JSON exports from named REST API endpoints, XML exports from named Aria modules. The format specification is technically reasonable but operationally significant — once the customer commits to a format, it has implicitly committed to the underlying data collection method, and the underlying method is the script that collects too much data.
The proper response is to propose alternative formats and alternative collection methods that produce only the data within the contractual scope. The auditor will resist; this is a negotiation, and the negotiation is winnable if engaged in writing in the first response letter.
What the template leaves unsaid
Several things are notably absent from the standard notification, and the absences are deliberate.
The customer's right to challenge the auditor's findings. The notification does not mention that the customer can dispute the findings, escalate to senior Broadcom management, demand a re-examination, or refuse to settle on the proposed terms. These rights exist and should be exercised, but the notification does not advertise them.
The customer's right to limit the auditor's on-site or remote access. The notification requests "reasonable access" to the customer's environment. The customer is not obligated to provide credentials, VPN access, or direct API access to the auditor. All data can be exported, reviewed, redacted, and provided by the customer's own team.
The cost-allocation provision. Most VMware audit clauses provide that audit costs are borne by Broadcom unless a material under-licensing (typically 5% or more) is found. The notification does not mention this provision. Customers should reference it in the response letter.
The good-faith negotiation requirement. Most audit clauses require the parties to negotiate in good faith before any escalation. This means Broadcom cannot move directly from findings to a demand letter; it must engage in substantive negotiation first.
The structural pattern
Read together, the notification template follows a consistent pattern. Each paragraph either expands a contractual right that Broadcom can plausibly invoke, compresses a contractual deadline that the customer can plausibly negotiate, or introduces a methodological assumption that the customer can plausibly challenge. The pattern is not accidental — it is the product of several years of iteration by Broadcom's compliance and legal teams.
The corresponding pattern for customer response is symmetric. Each clause that expands scope should be narrowed back to the contract. Each clause that compresses time should be extended back to the contractual minimum. Each methodological assumption should be challenged in writing before the customer provides data. None of these moves is hostile; all of them are routine in well-managed audit responses.
The template will change again
The notification template is on roughly a six-month revision cycle. The next revision is expected to tighten the data request appendix, add explicit references to "indirect access" (a concept Broadcom is borrowing from SAP's audit practice), and may include language asserting Broadcom's right to use customer audit data for "internal analytical purposes" outside the verification itself. Customers should expect the template to become more aggressive, not less, and should prepare response playbooks that are robust to drafting changes.
The template is also being adapted for Symantec and CA Technologies audits, where Broadcom's compliance team has begun issuing similar notifications under the equivalent master agreements. The structural pattern is the same; the product references and methodology specifics differ. The same line-by-line analytical approach applies.
What to do in the first 24 hours
When the notification arrives, do four things before the end of the next business day. Acknowledge receipt by email — one sentence, no substance. Pull the master agreement and the audit clause from your contract management system. Engage external counsel and an independent licensing advisor. Route internal discussion of the audit through counsel so that it is privileged, and keep it off chat, ticketing and email threads that may later be discoverable.
Do not begin drafting the substantive response until counsel and the licensing advisor are in place. The substantive response should be drafted by them, in collaboration with your contract team, with the line-by-line analysis above as the analytical framework. The substantive response is due within the deadline stated in the notification — typically ten to fifteen business days — and is the most important document the customer will produce in the entire audit.
For a confidential review of a Broadcom audit notification you have received, contact us. We provide a clause-by-clause analysis and a draft response framework within one business day at no cost.