Broadcom Soft Audit vs Formal Audit
There are two kinds of Broadcom audits. Most customers do not know the difference until it is too late. The format you are in determines the leverage you have and the cost you will pay.
There are two kinds of Broadcom audits, and most customers do not know the difference until it is too late to use it to their advantage. The first is the formal audit — the one with a written notice, an appointed auditor, and a contract clause invoked by name. The second is the soft audit — the one that does not call itself an audit at all. It is variously labelled a "self-assessment", a "compliance review", a "licensing health check", a "renewal preparation exercise", a "subscription readiness assessment", or a "VCF migration planning session". Whatever the label, the underlying activity is the same: Broadcom collects deployment data, compares it to its record of your entitlement, and prepares a position on what additional license fees you owe.
The distinction matters because the procedural protections you have, the leverage you have, and the consequences of giving ground are all different between the two formats. This article explains the difference and the implications for how you should respond to each.
What a formal audit looks like
A formal audit is initiated by a written notice from Broadcom's Global Software Asset Compliance organisation. The notice explicitly invokes the audit clause in your master agreement, identifies the audit period, and names the appointed auditor. The audit clause defines a fixed set of procedural rights and obligations: notice periods, scope, auditor identity, data-handling, dispute resolution, cost allocation, and cure periods. Both parties operate within the four corners of the clause for the duration of the audit.
Formal audits typically arrive at a customer no more than once per twelve-month period, often after a triggering event such as a lapsed SnS renewal, an acquisition, or a refusal to engage with Broadcom's commercial outreach. They run four to eight months from notice to settlement and conclude with a formal settlement document that releases the customer from claims for the audit period.
The defining characteristic of the formal audit is the contractual frame. Every action by both parties is justified by reference to the contract. The customer can decline a request that exceeds the contractual scope. The auditor can compel a response that falls within it. The dispute mechanism in the contract is available if the parties cannot agree.
What a soft audit looks like
A soft audit looks nothing like an audit. It typically arrives as friendly outreach from the named account team, framed as a customer service gesture. The exact framing varies, but the patterns are recognisable.
One common framing is the "VCF readiness assessment". The account executive proposes a workshop in which Broadcom will analyse the customer's current VMware deployment and produce a recommended migration path to VCF. The workshop requires the customer to provide deployment data — typically a vCenter inventory export, RVTools output, or PowerCLI script output.
A second common framing is the "renewal preparation review". The account executive proposes a deployment review ahead of the upcoming SnS renewal or contract anniversary, ostensibly to ensure that the renewal is correctly sized.
A third common framing is the "self-assessment". The customer is asked to complete a questionnaire and submit deployment data through a Broadcom portal, with the suggestion that doing so is a routine part of the relationship and will pre-empt any future audit activity.
The defining characteristic of the soft audit is the absence of a contractual frame. There is no notice, no scope, no procedural protection, no dispute mechanism, no cost allocation rule, and no settlement document. The data is collected, the analysis is performed, the position is taken — and the customer has no procedural recourse if the position is incorrect, overreaching, or simply opportunistic.
The myth that the soft audit is "less serious"
Many customers we work with initially believed that the soft audit was a less serious process and therefore an appropriate context for cooperative engagement. This belief is wrong, and it costs customers materially.
The soft audit is, in practical terms, more serious for the customer than the formal audit. The data submitted in a soft audit is the same data that would be requested in a formal audit, but it arrives at Broadcom without the procedural protections that a formal audit would have provided. Once Broadcom has the data, it can use it as the basis for a formal audit, a commercial demand, or a sales-led conversion to VCF — none of which require Broadcom to follow audit-clause procedures because the audit clause was never invoked.
We have seen multiple cases where a customer cooperated with a soft audit in good faith, submitted comprehensive deployment data, and then received a formal audit notice three to six months later in which the formal audit was based substantially on the data the customer had already provided through the soft channel. The customer's response options in the formal audit were materially constrained because the data was already in Broadcom's possession.
The signs that a soft audit is in progress
The soft audit does not announce itself. The signs are recognisable if you know what to look for.
The first sign is unusual data requests from the named account team that go beyond what is required for routine commercial conversations. A renewal quote does not require a full vCenter inventory. A pricing discussion does not require RVTools output. If you are asked for deployment-level data in a sales conversation, the conversation has shifted from sales to compliance.
The second sign is the appearance of new participants in commercial meetings. A "customer success manager", "licensing specialist", "value engineer", or "compliance representative" appearing in a routine renewal or upsell conversation is frequently the audit team in commercial clothing.
The third sign is the proposal of a workshop, assessment, or review that includes Broadcom-led analysis of the customer's environment. The workshop format provides a contractual fig-leaf — the customer "voluntarily" participated — for what is functionally an audit.
The fourth sign is the use of words that imply a compliance frame without using the word "audit". "Entitlement reconciliation", "true-up calculation", "compliance baseline", and "subscription right-sizing" are all phrases that signal compliance activity in a non-audit wrapper.
What protection you have in a soft audit
The first answer is: less than you have in a formal audit. The audit clause does not apply. The procedural protections do not apply. The cost allocation does not apply. The dispute mechanism does not apply.
The second answer is: more than you might think. The contract still defines what Broadcom is entitled to receive from you outside of a formal audit, and that entitlement is materially narrower than what the audit clause permits. Routine commercial conversations do not entitle Broadcom to deployment-level data. The confidentiality provisions in the contract apply to any data you do share. The implied covenants of good faith and fair dealing apply to any settlement reached.
The most effective protection in a soft audit is the simplest: do not share data that the contract does not require you to share. If Broadcom proposes a "self-assessment", the customer can decline and require that any compliance verification follow the formal audit clause. If Broadcom proposes a "VCF readiness assessment", the customer can participate at a level that does not require deployment data — for example, by sharing aggregate environment statistics without per-host or per-cluster detail.
How to convert a soft audit into a managed engagement
The objective when you recognise a soft audit in progress is not to refuse engagement. Outright refusal frequently triggers a formal audit notice in short order. The objective is to convert the engagement from an open-ended data collection into a structured commercial conversation that you control.
The standard approach is to engage with the commercial topic — VCF migration, renewal sizing, future entitlement planning — without engaging with the compliance topic. Aggregate environment data, business requirements, and forward-looking architecture are appropriate inputs to a commercial conversation. Per-cluster deployment data, host configurations, and feature activation records are not.
When Broadcom requests data that crosses the line from commercial to compliance, the customer should explicitly identify the request as compliance and require that it follow the formal audit clause. This typically causes Broadcom to either drop the request or escalate to a formal audit — both of which are better outcomes for the customer than continued unprotected data sharing.
The tactical use of the soft audit by Broadcom
Understanding why Broadcom uses the soft audit format helps customers respond to it more effectively.
For Broadcom, the soft audit has three commercial advantages over the formal audit. First, it generates the same data without the procedural cost. Second, it produces commercial conversion opportunities without the legal overhead of a formal audit. Third, it preserves the formal audit as a future escalation tool if the commercial conversion does not occur.
The customer's strategic response is to make the soft audit unattractive to Broadcom by declining to provide deployment data outside the audit clause and by routing all compliance-adjacent conversations through counsel. Soft audits that produce no usable data do not produce commercial conversions, and Broadcom rapidly de-prioritises the soft channel for customers who consistently refuse to engage on those terms.
The "self-assessment" trap
The most aggressive variant of the soft audit is the "self-assessment", in which the customer is asked to complete an assessment of its own deployment and submit the results to Broadcom. The self-assessment is framed as a low-friction, cooperative alternative to a formal audit.
It is not. The self-assessment is the worst possible format from the customer's perspective for three reasons. First, the customer does the auditor's work — at the customer's expense — and produces a document that is admissible against the customer in any subsequent formal audit. Second, the self-assessment is typically conducted with reference to Broadcom's interpretation of the licensing rules, which is the most aggressive interpretation available. Third, the self-assessment produces an admission against interest — the customer's own statement of its compliance position — which is materially harder to walk back than data interpreted by an external auditor.
Customers should decline self-assessment requests. If Broadcom requires a compliance verification, it should be conducted under the formal audit clause with the procedural protections that the clause provides.
When the soft audit is actually OK
There are limited circumstances in which engaging with a soft audit is appropriate. The most common is when the customer has high confidence in its compliance position, a complete and accurate entitlement reconstruction, and a defensible deployment baseline — and is using the soft audit as an opportunity to demonstrate compliance pre-emptively and to negotiate favourable commercial terms.
Even in this scenario, the engagement should be carefully structured. Data sharing should follow a written protocol. Aggregate data should be preferred over detailed data. Commercial terms should be negotiated as part of the engagement rather than left to a subsequent conversation. Counsel should review any document that flows back to Broadcom.
For most customers, this scenario does not apply. The default response to a soft audit should be to decline detailed data sharing and to require that any compliance verification follow the formal audit clause.
The cost difference between soft and formal audits
The cost of a soft audit to the customer is typically lower in the short term and higher in the long term. The short-term cost is the time spent providing data and participating in workshops — often less than a formal audit, because there is no procedural overhead. The long-term cost is the commercial conversion that the soft audit was designed to produce: typically a VCF subscription priced at Broadcom's preferred terms because the customer had no negotiating leverage at the point of conversion.
The cost of a formal audit to the customer is typically higher in the short term — advisor fees, counsel fees, internal time — and lower in the long term, because the customer retains negotiating leverage through every phase of the audit and settles on terms that reflect that leverage.
Across the 280+ engagements we have handled, the average customer who cooperated with a soft audit and then converted to VCF subscription paid 2-3x more, over a five-year horizon, than the average customer who declined the soft audit, engaged formally, and negotiated a settlement.
The bottom line
The soft audit is not a less serious version of the formal audit. It is a different format with different incentives and different consequences for the customer. The defining difference is the procedural frame: the formal audit operates inside the audit clause with the protections the clause provides; the soft audit operates outside the audit clause with no protections at all.
The right default response to a soft audit is to decline detailed data sharing and to require that any compliance verification follow the formal audit clause. The right default response to a formal audit is to engage seriously, follow the clause carefully, and use the procedural protections aggressively. Customers who reverse these defaults — cooperating with the soft audit and resisting the formal one — consistently produce the worst outcomes.
For a confidential review of any Broadcom outreach you have received, whether formal or soft, contact us.