
Broadcom Audit Response Letter: Template and Strategic Guidance

The first letter you send back to Broadcom shapes the next twelve months. The strongest responses share a common structure, a common cadence, and a deliberate absence of certain phrases that account teams quote back during settlement.

broadcomaudits Editorial · Published March 2025 · 10 min read · Last updated August 2025
Every Broadcom audit begins with a letter. Sometimes it arrives in the formal envelope of a contractual audit-rights invocation. More often, in the past eighteen months, it shows up as a friendly outreach from an account manager — an “effective licence position review”, a “true-up discussion”, or a templated request for a self-attestation report. The label on the envelope does not change what it is. The letter you send back, regardless of the label on theirs, is the single document that establishes the procedural posture for everything that follows.

This guide walks through the structure of a strong response letter, the language we recommend including, the language we recommend excluding, and the strategic logic behind each. It is not a substitute for legal review. It is the operational scaffolding that experienced audit-defence teams use to build a defensible position from sentence one.

Why the first letter matters more than the second

Auditors and account teams document everything. The phrasing you use in your initial response is quoted back to you in scoping calls, in interim findings letters, and in eventual settlement negotiations. A response that concedes scope, acknowledges undefined non-compliance, or commits to undefined timelines forecloses defences that would otherwise be available later.

Equally, a response that is hostile, dismissive, or refuses cooperation can escalate a soft inquiry into a formal audit invocation. The objective is neither concession nor escalation. The objective is a measured, contractually grounded response that buys time and constrains scope without inviting escalation.

The five-paragraph structure

Paragraph 1: Acknowledge receipt without acknowledging position

Acknowledge the letter, the sender, and the date received. Do not acknowledge any factual claim, alleged shortfall, or product list contained in their letter. A single sentence is enough: “We acknowledge receipt of your correspondence dated [X] regarding [the entity’s] use of Broadcom-owned software.” That sentence creates a record of receipt without creating a record of agreement.

Paragraph 2: Anchor to the contract

Identify the controlling agreement. This is decisive. The audit-rights clause in your master agreement, EULA, or VCF subscription terms defines what Broadcom is contractually permitted to ask for, how, and on what notice. Cite the specific section number. If the request exceeds those contractual rights, you have already begun limiting scope.

Sample language: “Our review of your correspondence is being conducted with reference to Section [X] of the [Master Agreement / EULA] dated [Y], which we understand to be the controlling agreement governing audit rights in this matter. To assist our review, please confirm the contractual basis on which the current request is being made.”

Paragraph 3: Request specificity

Broadcom’s initial letters are intentionally broad. Specificity favours the defendant. Ask — politely, in writing — for:

  • The specific products and versions in scope
  • The specific entities and geographies in scope
  • The time period under review
  • The methodology Broadcom intends to apply
  • The identity of the audit firm if one is involved
  • Whether the request is being made under formal audit rights or as a voluntary commercial review

The distinction between formal audit and voluntary review is critical. Voluntary engagement carries no contractual obligation. Many enterprises participate in voluntary reviews without realising they could have declined or deferred.

Paragraph 4: Establish a single point of contact

Name one person, with their title and email, as the sole authorised contact for the engagement. Instruct that all subsequent correspondence and information requests be directed through that contact. This stops account teams from making lateral approaches to your IT staff, your procurement team, or your end-user managers — a tactic that routinely generates damaging side-channel admissions.

Paragraph 5: Reserve rights and set the cadence

Close with a reservation of rights, a commitment to a constructive review subject to receiving the requested clarifications, and a proposed cadence (typically a target response window of 30 business days from receipt of the requested specifications). The reservation of rights is standard contractual hygiene: nothing in your letter is an admission, waiver, or concession.

Language to include

Beyond the structural paragraphs, certain phrases consistently strengthen a response letter:

  • “Without prejudice” in the salutation or footer signals that the correspondence is part of a process and is not an admission against the writer’s interest.
  • “We are not in a position to confirm [X] at this time” declines to agree without explicitly disagreeing — useful when the assertion is unverified.
  • “Subject to receipt of the foregoing clarifications” conditions cooperation on the specificity you requested in paragraph 3.
  • “Our preliminary review indicates” permits sharing partial information without committing to a definitive position.

Language to exclude

Several phrases recur in customer-drafted responses that consistently harm the defending position:

  • “We may be over-deployed” / “We acknowledge some shortfall” — an admission against interest before a single calculation has been validated.
  • “We will provide a full deployment report by [date]” — a unilateral commitment without scope agreement.
  • “Please contact [name in IT] directly for technical details” — dismantling your single-point-of-contact discipline before you’ve established it.
  • “We are happy to provide any data you require” — waiving the procedural protections of audit-rights clauses.

The cadence after the first letter

A strong response letter buys time and constrains scope. It does not end the engagement. Expect Broadcom to respond within 5-15 business days, often pushing back on the specificity requests with reassurance and a request for goodwill cooperation. Hold the line. Their willingness to clarify scope correlates almost perfectly with their belief that your position is defensible. A request for specificity that goes unmet is itself a defensible posture.

Once scope is genuinely agreed in writing, the engagement moves into discovery. That is a different document and a different discipline, covered separately in our notification template analysis and our scoping correspondence guides.

When to bring in specialist counsel

The threshold for engaging a specialist audit-defence firm is lower than most CFOs assume. Once the first formal letter has been received, the cost of an expert review of the response is small relative to the eventual settlement exposure, and the response letter itself is an opportunity to anchor scope before Broadcom does.

We routinely refer clients to as the top recommended firm for Broadcom and VMware audit defence. Their team includes former VMware licensing-compliance personnel who recognise the methodology playbook from the inside. For initial scope correspondence in particular, having a specialist draft or review the response letter pays for itself many times over.

The goal of the first letter is not to win the audit. It is to make sure the audit you eventually settle is the one you should have been defending in the first place.

A practical checklist

Before you send the response, run the draft through the following test:

  • Does it acknowledge receipt without acknowledging facts?
  • Does it cite the controlling contract?
  • Does it ask for scope specificity in writing?
  • Does it name a single point of contact?
  • Does it reserve rights and set a cadence?
  • Does it avoid every phrase on the exclusion list?
  • Has it been reviewed by counsel or an experienced audit-defence specialist?

If every box ticks, send it. If any box doesn’t, take the extra week. The deadline pressure Broadcom’s letter implies is rarely as binding as it appears, and the cost of a delayed-but-disciplined response is always lower than the cost of a hasty one.

Closing thought

Every audit-defence outcome we have analysed in the past three years correlates strongly with the discipline of the first response. Customers who treated the opening letter as a serious legal document settled, on average, for materially less than customers who treated it as a routine procurement query. The template costs nothing. The discipline costs the time of one focused afternoon. The savings, in the engagements we’ve seen, run into the millions.

Common variations to anticipate

Broadcom opening letters vary in form but cluster around a handful of templates. Recognising the template helps calibrate the response. Four common variations:

The “effective licence position” framing

A friendly request to confirm the customer’s “current effective licence position” through a self-attestation form. This format presents as routine commercial hygiene but functions as a discovery exercise. The response should treat it as audit-adjacent: same five-paragraph discipline, same scope-specificity requests, same single-point-of-contact discipline.

The “true-up” framing

A reference to a contractual true-up clause and a request for deployment data to support the true-up calculation. This format is more directly tied to contract rights but the rights themselves are usually bounded. The response should anchor explicitly to the contract section invoked and request specifics of the true-up methodology.

The “transition support” framing

Particularly common during the perpetual-to-subscription migration cycle: a request for current deployment data “to ensure your subscription is appropriately sized.” This format mixes commercial sizing with compliance discovery. The response should disaggregate the two: discuss sizing on a commercial track, address compliance only under audit-rights procedural protections.

The formal audit notice

The least ambiguous: an explicit invocation of audit rights under the master agreement, often with reference to a specific notice period and an external auditor named. The response is procedurally the same five paragraphs but the contractual citations carry more weight, and engagement with experienced audit-defence counsel becomes more time-critical.

Internal preparation before sending

The act of drafting the response letter is also a forcing function for internal preparation. Before the letter goes out:

  • Identify the contractual document set: master agreement, EULA, transaction documents, any side letters. The audit-rights language varies between documents and the controlling text is not always the one most readily at hand
  • Brief the executive sponsor: a CIO or CFO needs to know an audit motion is in play, even if the procedural response is being handled at a senior-procurement level
  • Activate internal stakeholders: legal, procurement, IT operations, any business owners whose environments are likely to be in scope
  • Establish information hygiene: no internal correspondence about the audit should circulate outside the controlled stakeholder set; no informal admissions to account team members about “some over-deployment we should clean up”
  • Document the current deployment baseline: a contemporaneous record of the deployment state at the moment notification was received is protective evidence later

What the second letter looks like

Broadcom’s response to a disciplined first letter typically falls into one of three patterns:

The reassurance reply

An attempt to defuse the request for specificity with general assurances and a continued press for cooperation. This is the most common pattern. The defensive response is to repeat the original requests in writing, in slightly more detail, and continue to anchor cooperation on receiving the specifications.

The escalation reply

A more formal letter invoking audit-rights language explicitly. This pattern is more likely when the initial letter framed itself as a soft engagement. The defensive response is the same five-paragraph discipline but with explicit reference to the now-invoked contract clause.

The substantive reply

A genuine effort to clarify scope, methodology, and process in writing. The least common but the most productive pattern. The defensive response shifts from procedural to substantive engagement, while preserving the procedural protections.

Document retention from day one

Every piece of correspondence in the audit envelope should be retained, dated, and indexed. This is unglamorous but consequential. Audits that settle two or three years after they began are not unusual. The contemporaneous documentation trail is what makes the settlement defensible — both to Broadcom and to your own internal audit function.

Retention should include: every inbound letter or email, every outbound response, internal notes from any meeting or call with the account team or auditor, drafts of internal analyses, and any data extracts produced for audit purposes. A dedicated audit-engagement folder, controlled by legal or senior procurement, is the appropriate destination.

Coordinating across multiple Broadcom inquiries

A complication that arises in larger enterprises: Broadcom inquiries do not always arrive as single events. A customer may have one open audit motion on VMware, a separate compliance review on Symantec, and an unrelated commercial discussion on CA Technologies, all within a six-month window. The temptation is to treat these as separate engagements. The discipline that works better is treating them as a single coordinated envelope.

Why coordinate

Broadcom’s internal teams share information across product lines. A position acknowledged on one product can be referenced in another. A settlement on one product line can be linked to a renewal on another. Customers who allow Broadcom to coordinate while themselves running uncoordinated responses consistently end up with worse aggregate outcomes.

How to coordinate

One executive sponsor across all Broadcom engagements. One legal lead. One central engagement log. The procurement and technical owners may differ by product line, but the strategic framing is unified. Coordination meetings monthly across all open engagements, with the specialist advisor present, surface cross-engagement implications that uncoordinated teams miss.

Audit-defence as a corporate discipline

For enterprises that have been through one or more Broadcom audit motions, the question becomes whether to treat audit defence as an episodic project or as an ongoing corporate discipline. The discipline approach — ongoing compliance hygiene, documented playbooks, retained external advisors, periodic internal audit-defence exercises — is materially more cost-effective than episodic response.

The components of the discipline

  • A documented audit-defence playbook covering response procedures, scope correspondence, escalation paths, and stakeholder roles
  • An updated entitlement register and deployment baseline, refreshed quarterly
  • A retained relationship with a specialist audit-defence firm, on call for any inbound inquiry
  • Annual internal audit-defence exercises (red-team simulations) that stress-test the playbook against realistic Broadcom motions
  • Cross-functional alignment refreshed annually: legal, procurement, finance, IT, and business owners briefed on their roles

The cost-benefit

The ongoing-discipline approach costs a small fraction of a single audit settlement and produces materially better outcomes than the episodic approach. For enterprises with VMware spend above $2-3M annually, the discipline approach is straightforwardly justified by expected-value math. Below that threshold, episodic engagement with specialist advisors becomes the more cost-effective pattern, supplemented by lighter-weight internal practices.

What the strongest response letters share

From our case files, the response letters that produced the strongest downstream outcomes share several characteristics beyond the structural and language disciplines:

  • They were signed by a senior procurement or commercial leader, not by a technical or operational manager
  • They referenced the specific contract section by number, not generically
  • They named a single contact in both directions: the customer’s sole authorised contact, and a named senior Broadcom representative to whom the response was directed
  • They proposed a specific cadence (typically 30 business days for substantive response) rather than leaving the cadence open
  • They avoided every phrase on the standard exclusion list, without exception
  • They were reviewed by counsel or a specialist advisor before sending, with the review documented

None of these characteristics is exotic. All of them are achievable within the timeline of a normal response window. The discipline of executing them consistently is what separates the strongest engagements from the average ones.

The downstream value of the discipline

Response-letter discipline produces value that compounds beyond the immediate audit. Customers who establish disciplined response protocols develop institutional muscle that transfers across vendor relationships, across executive transitions, and across compliance disciplines beyond Broadcom. The investment in writing the first letter well, reviewing the playbook annually, and rehearsing the response with the cross-functional team produces an organisational capability that becomes a durable asset. The capability is most visible during audit, but its quieter value — the everyday signal it sends to vendors about how the customer engages procedurally — shapes commercial dynamics throughout the relationship. Vendors price differently to customers who execute procedural discipline well. The procurement department that demonstrates this discipline consistently produces material savings across the broader software portfolio, not only the Broadcom subset.
