The CIO guide to Broadcom audit defence.
A strategic orientation for the CIO who needs to understand audits at the level that shapes outcomes — not at the level of procedure or checklist.
A Broadcom audit reaches every part of an enterprise IT estate. It begins with a letter, sometimes a phone call, and within weeks it can put the CIO's organisation in the middle of a multi-million-dollar commercial dispute that touches engineering, operations, legal, procurement, and finance simultaneously. This pillar-length guide is written for the CIO who needs to understand the full picture: what audits actually look like in 2026, what they cost when they go badly, what good defence looks like, and how the role of the CIO specifically shapes the outcome.
The guide is not a checklist or a technical playbook. It is a strategic orientation: how to think about Broadcom audits as a CIO, where the leverage points sit, and how to organise the response so the audit produces a manageable settlement rather than an existential commercial event. If you are a CIO facing an audit notice, an open enquiry, or simply preparing for the audit posture you know is coming, this is the framework worth understanding before you do anything else.
The audit landscape in 2026
Broadcom's audit programme since the VMware acquisition has been more aggressive, more systematic, and more financially consequential than the audit programmes that preceded it under VMware. Three specific shifts shape the current landscape.
Scope expansion. Broadcom audits read across the entire Broadcom product portfolio at the customer — VMware, Symantec, CA Technologies, Carbon Black — rather than being limited to a single product line. Where a customer holds entitlements across multiple Broadcom families, the audit aggregates exposure across all of them. This means the audit surface is larger than most customers expect, and the settlement claims are correspondingly larger.
Methodology rigour. The audit team uses sophisticated discovery tooling and quantitative methodology to build the entitlement-versus-deployment picture. The output of a Broadcom audit is typically a detailed spreadsheet with thousands of rows, defensible at the line-item level if the customer does not push back. The customer who cannot match this methodological rigour ends up settling the audit team's numbers.
Commercial integration. Audit findings are increasingly integrated into the renewal conversation. A customer with an open audit during a renewal cycle is in a materially weaker negotiating position than a customer with audits closed before renewal. Broadcom's sales and audit functions coordinate in ways that previous vendors typically did not, and the customer needs to be aware of this coordination.
What an audit actually costs when it goes wrong
For enterprises that approach Broadcom audits without specialist support and without a defined defence posture, the typical outcomes fall in a few characteristic patterns.
Initial claim inflation. The audit team's opening claim is typically 2x to 5x the defensible exposure. Customers who treat the opening claim as a serious number — rather than as a negotiating position — over-settle by orders of magnitude.
Methodology under-challenge. The audit team's deployment counting methodology has known issues that produce systematic over-counting. Customers without the technical depth to challenge the methodology accept inflated numbers that a competent defence would reduce by 30% to 60%.
Contract under-utilisation. Customer contracts contain protections — scope limitations, dispute resolution mechanisms, settlement caps — that customers frequently fail to invoke. The audit team is not obliged to remind the customer of contractual protections, and most customers leave significant defensible ground unused.
Renewal contamination. Open audits get folded into renewal negotiations as leverage. Customers who settle the audit before the renewal and the customers who let the audit drag into the renewal arrive at very different commercial outcomes.
The financial impact of a poorly defended Broadcom audit in 2026 routinely runs into seven or eight figures. The financial impact of a well-defended one is usually a small fraction of that, sometimes resolving to no settlement at all. The difference is preparation, methodology, and posture — not the underlying compliance situation.
The CIO's role in audit response
The CIO sits at a specific intersection in the audit response: senior enough to commit organisational resources to the defence, technically literate enough to direct the engineering work, and commercially aware enough to manage the procurement and legal dimensions. The CIO's role is not to run the audit defence day-to-day; it is to architect the response and own the outcome.
Three specific responsibilities anchor the CIO's audit-response role.
Establishing posture. The CIO decides whether the organisation treats the audit as a routine procurement exercise (which produces bad outcomes) or as a serious commercial defence (which produces good ones). The posture is set in the first 48 hours after the audit notice and shapes everything that follows.
Aligning stakeholders. A Broadcom audit involves engineering, operations, legal, finance, and procurement. These functions have different incentives, different risk tolerances, and different vocabularies. The CIO is the one who can align them on a common defence strategy. Without that alignment, the audit team exploits the gaps between functions.
Owning the commercial outcome. The settlement number is a commercial outcome that the CIO needs to own. This is not a procurement decision to be delegated; it is a multi-million-dollar commitment that shapes the IT budget for years. The CIO who treats settlement as a procurement matter consistently produces worse outcomes than the CIO who owns it as a strategic decision.
The first 48 hours
The first 48 hours after an audit notice arrives are disproportionately important to the eventual outcome. Several specific actions matter.
Stop talking to the audit team
The CIO's first internal action should be a clear directive that no member of the IT organisation responds to the audit team without coordination through a designated point of contact. The audit team's initial outreach is typically a conversation with whoever they can reach — a vSphere administrator, a procurement contact, a security analyst. These conversations produce admissions, deployment information, and contractual positions that can be used later. The discipline of routing all communication through a single trained point of contact pays back from the first hour onward.
Confirm the contractual basis
Before responding to the audit team, the legal and procurement functions need to confirm precisely which contract the audit is being conducted under, what the audit clause actually says, and what scope and process limitations apply. Many audits are conducted with looser scope than the underlying contract supports; identifying this early gives the customer leverage throughout the engagement.
Build the internal team
The audit response team typically includes engineering leadership for the affected product domains (VMware, Symantec, CA, as applicable), procurement leadership for the commercial dimension, legal counsel familiar with software audit defence, and the CIO as overall owner. For larger audits, external specialist advisory support is added. The team should be assembled within the first 48 hours, even if the formal audit response timeline allows longer.
Establish the record
The customer's defensible entitlement and deployment picture is the foundation of the defence. Establishing this picture — what entitlements the customer holds, what is deployed where, what audit-defensible records exist — needs to begin immediately. Waiting until the audit team's data requests arrive cedes the framing of the engagement to the audit team.
The mechanics of the audit engagement
A typical Broadcom audit unfolds over 4 to 9 months and follows a recognisable sequence.
Phase one: data request. The audit team issues a formal data request asking for entitlement records, deployment information, and usage logs over a defined audit period. The breadth and depth of the data request frequently exceed the contractually supported scope; pushing back appropriately at this stage shapes the entire downstream engagement.
Phase two: deployment discovery. The audit team analyses the customer's deployment using a combination of customer-provided data, their own discovery tooling (run on the customer's infrastructure with customer cooperation), and inferences drawn from telemetry and support records. The output is a deployment count that becomes the basis for the exposure calculation.
Phase three: initial findings. The audit team produces an initial findings report, comparing entitlement to deployment and quantifying the gap. The initial findings typically include all the optimistic interpretations from the audit team's perspective: aggressive counting, broad scope, full list pricing on the exposure.
Phase four: customer response. The customer responds to the initial findings, challenging methodology, scope, and pricing. This is where the bulk of the defensible work happens. Customers who do not respond substantively to the initial findings end up settling the audit team's numbers.
Phase five: negotiation. The customer and the audit team work toward a settlement number. The negotiation involves not just the headline exposure figure but the structure of the settlement — cash payment versus subscription credit, term commitment, audit-credit application, contractual protections going forward.
Phase six: settlement. The settlement is documented in a closing agreement. The closing agreement language matters as much as the headline number; sloppy closing language leaves the customer exposed to repeated audit on the same issues, while careful closing language creates a defensible position for future engagement.
Where the leverage points sit
Effective audit defence is not about resisting the audit; it is about applying leverage at the points where it matters. Several specific leverage points deserve attention.
Scope
The audit clause in the underlying contract defines the scope. Audits frequently expand beyond the contractual scope — covering more products, longer periods, more affiliated entities — without the customer pushing back. The first leverage point is to insist that the audit operate within its contractual scope. This alone often reduces the audit team's reach by 20% to 40%.
Methodology
The audit team's counting methodology has specific weaknesses. The use of telemetry from indirect sources (support tickets, beta enrolment, feature usage data) to infer deployment is contestable. The treatment of HA secondary sites, non-production environments, and decommissioned hosts is contestable. The application of full list pricing to historical exposure (rather than the negotiated pricing the customer would have paid) is contestable. Each of these challenges, properly made, reduces the exposure materially.
Entitlement reconstruction
Customers frequently hold entitlements they have forgotten about — from acquired companies, from older contracts, from bundle inclusions. A thorough entitlement reconstruction effort often reveals additional defensible entitlement that the audit team has not credited. The reconstruction work is non-trivial but produces material reduction in the apparent exposure.
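To make the methodology challenges and the entitlement-reconstruction point concrete, the following is an added illustration (not code from the guide, and not any audit tool's actual logic) that reconciles a constructed host inventory against a constructed entitlement record under an aggressive rule set and a defensible one. The host roles, evidence labels, exclusion rules, per-core prices and core counts are all assumptions; which exclusions are genuinely defensible depends on the customer's own contract and evidence.

```python
"""Entitlement-versus-deployment reconciliation under two counting methodologies.

Added illustration, not code from the guide. Host roles, evidence labels, exclusion
rules, prices and core counts are assumptions; which exclusions are actually
defensible depends on the customer's own contract and evidence.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    cores: int
    role: str       # "prod", "nonprod", "ha_secondary" or "decommissioned"
    evidence: str   # "inventory" (customer record) or "telemetry" (inferred only)

@dataclass(frozen=True)
class Entitlement:
    cores: int
    source: str     # "current" contract, or "reconstructed" (e.g. a forgotten bundle)

# Constructed sample estate and entitlement record (illustrative only).
INVENTORY = [
    Host("esx-prod-01", 64, "prod", "inventory"),
    Host("esx-prod-02", 64, "prod", "inventory"),
    Host("esx-prod-03", 32, "prod", "inventory"),
    Host("esx-test-01", 32, "nonprod", "inventory"),
    Host("esx-dr-01", 64, "ha_secondary", "inventory"),
    Host("esx-dr-02", 64, "ha_secondary", "inventory"),
    Host("esx-old-07", 32, "decommissioned", "inventory"),
    Host("esx-unknown-09", 48, "prod", "telemetry"),  # seen only in a support ticket
]
ENTITLEMENTS = [Entitlement(128, "current"), Entitlement(32, "reconstructed")]

# Assumed per-core prices: list price versus the customer's negotiated price.
PRICE_PER_CORE = {"list": 350.0, "negotiated": 210.0}

# A methodology is a rule set. "audit_team" is the aggressive reading the guide
# describes; "defensible" applies the challenges it names (HA secondaries,
# decommissioned hosts, telemetry-only inference, forgotten entitlement, pricing).
METHODOLOGIES = {
    "audit_team": {"exclude_roles": set(), "require_inventory_evidence": False,
                   "credit_reconstructed": False, "price": "list"},
    "defensible": {"exclude_roles": {"ha_secondary", "decommissioned"},
                   "require_inventory_evidence": True,
                   "credit_reconstructed": True, "price": "negotiated"},
}

def classify_hosts(hosts, rules):
    """Split hosts into (counted, excluded); excluded pairs each host with its reason."""
    counted, excluded = [], []
    for h in hosts:
        if h.role in rules["exclude_roles"]:
            excluded.append((h, f"role '{h.role}' not licensable under the contract"))
        elif rules["require_inventory_evidence"] and h.evidence != "inventory":
            excluded.append((h, "inferred from telemetry only; no deployment record"))
        else:
            counted.append(h)
    return counted, excluded

def reconcile(hosts, entitlements, methodology):
    """Return the exposure picture one methodology produces for this estate."""
    rules = METHODOLOGIES[methodology]
    counted, excluded = classify_hosts(hosts, rules)
    deployed = sum(h.cores for h in counted)
    entitled = sum(e.cores for e in entitlements
                   if e.source == "current" or rules["credit_reconstructed"])
    gap = max(0, deployed - entitled)
    return {
        "deployed_cores": deployed,
        "entitled_cores": entitled,
        "gap_cores": gap,
        "exposure": gap * PRICE_PER_CORE[rules["price"]],
        # The exclusion list is the documented, line-item challenge to the count.
        "challenges": [f"{h.name}: {reason}" for h, reason in excluded],
    }

if __name__ == "__main__":
    for name in METHODOLOGIES:
        r = reconcile(INVENTORY, ENTITLEMENTS, name)
        print(f"{name:10} deployed={r['deployed_cores']} entitled={r['entitled_cores']} "
              f"gap={r['gap_cores']} exposure={r['exposure']:,.0f}")
        for line in r["challenges"]:
            print("   challenge:", line)
```

Running it prints both exposure figures and, for the defensible methodology, the per-host exclusions that become the line-item challenges to the audit count.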
Contractual protections
Customer contracts contain protections — caps on liability, requirements for notice, dispute resolution processes, settlement-form preferences — that the audit team is not obliged to highlight. Invoking these protections precisely changes the dynamic of the engagement. Customers who do not invoke them leave them on the table.
Commercial leverage
Even in mid-audit, the customer's broader commercial relationship with Broadcom is a real source of leverage. The renewal pipeline, the strategic-2,000 status, the credibility of migration alternatives — all of these affect how aggressively Broadcom pursues the audit and how willing they are to settle. Linking the audit explicitly to the broader commercial relationship is part of skilled defence.
The cost of getting this wrong
To make the stakes concrete, it is worth working through what a poorly defended Broadcom audit actually looks like in practice.
Consider a representative case: a financial services company with approximately 2,000 vSphere hosts, mixed perpetual and subscription entitlement, some Symantec exposure from a 2017 acquisition, and a modest VMware Cloud on AWS footprint. The customer receives an audit notice. Without specialist defence, the audit unfolds along these lines:
Months 1-2: Customer responds to the data request with broad disclosure, including environments the audit team would not otherwise have visibility into. Engineering teams cooperate with the audit team's discovery tooling without coordinated direction. Internal positions are formed across multiple functions with limited alignment.
Months 3-4: Audit team produces initial findings: $14M exposure across the entire estate, including aggressive counting of HA secondary sites, full list pricing on historical exposure, scope-expansive Symantec findings from the 2017 acquisition, and double-counting of VMware Cloud on AWS workloads.
Months 5-6: Customer pushes back on selected items but accepts the methodology framework. Settlement negotiation produces a $9M outcome, structured as a 60% cash payment and 40% conversion to a 3-year VCF subscription commitment.
Outcome: $9M settled, plus an undisclosed but material increase in the renewal subscription pricing because the open audit weakened the customer's position in the parallel renewal conversation.
Now consider the same customer with effective defence:
Months 1-2: Customer responds to the data request with carefully scoped disclosure aligned to the contractual audit scope. Designated point of contact handles all audit-team interaction. Engineering teams contribute to the response through the designated channel only. External specialist advisory support is engaged.
Months 3-4: Audit team produces initial findings: $14M. Customer's defence team challenges the findings comprehensively — scope challenge on the Symantec exposure, methodology challenge on HA secondary counting, contractual challenge on full list pricing application, entitlement reconstruction surfaces forgotten 2019 bundle entitlement.
Months 5-7: Multiple rounds of negotiation reduce the exposure to $4M defensible, with audit-credit application converting a portion of the settlement into forward subscription value. The settlement is structured as a clean closing agreement with future-audit protections.
Outcome: $2.8M settled, plus a clean position for the renewal negotiation that produces approximately equivalent pricing rather than an audit-driven increase.
The difference between the two scenarios is approximately $6M on the audit settlement plus a multi-million-dollar difference in renewal pricing. The cost of the specialist defence engagement is a fraction of that difference. The math on retaining specialist support is straightforward, but customers without prior audit experience routinely under-invest in defence and over-settle as a result.
The functions involved in audit defence
Effective audit defence draws on multiple functions inside the customer organisation, plus selected external support. Each function plays a specific role.
Engineering
Engineering is the source of the deployment truth. The deployment side of the audit picture — what is running, where, with what configuration — comes from engineering. Engineering also evaluates the audit team's methodology, identifies the technical errors in the counting, and supports the defence with documented evidence.
The CIO needs to direct engineering on what to share with the audit team and what to challenge. Engineering teams that operate without that direction will generally cooperate too freely with the audit team's requests, producing avoidable exposure.
Procurement and vendor management
Procurement holds the entitlement record — the contract documents, the licence quantities, the historical purchases. Procurement also typically owns the commercial relationship with Broadcom and is the natural point of contact for the renewal coordination.
The procurement team's role in the audit is to assemble the entitlement reconstruction, to support the contractual position with documented evidence, and to coordinate the audit response with the broader commercial relationship.
Legal
Legal interpretation of the audit clause, the underlying contract, and the closing agreement language is critical. Sloppy legal work at any of these points produces material customer disadvantage. Legal counsel familiar with software audit defence specifically — not just general commercial law — is required; the area has enough specialised practice that generalist counsel routinely miss leverage points.
Finance
The settlement is a financial commitment that needs Finance approval and CFO sign-off. Finance also models the trade-offs between cash settlement and subscription-conversion structures, and surfaces the cash-flow implications of the settlement.
External specialist advisory
For audits of any meaningful size, external specialist advisory support is high-leverage. The specialist firms with genuine Broadcom audit experience — there are not many — bring methodology, contractual knowledge, and negotiating posture that no individual customer has internally. The cost of engaging specialist support is typically a small fraction of the savings it produces.
How CIOs frame the audit for the board
A Broadcom audit will frequently surface to the board, either because of the financial materiality or because of the broader vendor management implications. The CIO who frames this well for the board produces better outcomes than the CIO who treats it as routine.
The framing that works is to position the audit as a commercial defence engagement, not as a compliance problem. The board needs to understand that the audit is a negotiation, that the defensible exposure is substantially smaller than the audit team's claim, and that the organisation is investing in defence specifically to manage the commercial outcome.
The framing that does not work is to position the audit as a compliance failure that needs to be settled. This framing concedes the audit team's methodology, undermines the defence posture internally, and produces premature settlement decisions that cost the organisation significantly.
The boards we see handle this well treat the audit response as a strategic project with defined milestones, regular reporting, and a clear-eyed view of the cost-benefit of defence investment versus settlement acceptance. The boards we see handle this poorly treat it as a one-time procurement event to be resolved as quickly as possible.
Audit preparation for organisations not currently under audit
For CIOs whose organisations are not currently under audit, the question is what preparation work pays back when the audit notice eventually arrives. Several specific investments produce durable benefit.
Entitlement record discipline. The single highest-leverage investment is a clean, authoritative entitlement record. This means documented contracts, documented quantities, documented historical purchases, including acquisitions. Organisations that have not maintained this discipline routinely cannot reconstruct their own entitlement position when an audit begins.
Deployment visibility. The corresponding investment on the deployment side is having a clear, accurate picture of what is deployed where, with what configuration, against what entitlement. This is FinOps territory in the cloud and traditional CMDB territory on-premises; either way, having the picture established before an audit changes the defensive dynamic completely.
Contract review. Customers who have not had specialist counsel review their Broadcom contracts in the last two years are operating with a poor understanding of their own position. The audit clauses, the scope language, the dispute resolution provisions, the change-of-control implications — all of these have evolved through the Broadcom transition and deserve fresh review.
Vendor management capability. Building the internal vendor management capability — people, process, tooling — that can engage a Broadcom audit effectively takes time. Organisations that invest in this capability ahead of the audit handle the audit more effectively when it arrives. Organisations that try to build the capability under audit pressure produce worse outcomes.
The renewal-audit relationship
A specific dynamic that CIOs need to understand is the relationship between Broadcom audits and Broadcom subscription renewals. The two are coordinated by Broadcom in ways that customers often do not recognise.
The pattern Broadcom employs is to time audit findings to land before or during major renewal conversations. An open audit during a renewal weakens the customer's position because the audit settlement becomes a negotiating chip. Broadcom can offer to convert the audit settlement into forward subscription commitment, which produces a larger renewal than would otherwise be negotiated.
The customer's response is to manage the timing actively. Where possible, audits should be closed before renewals begin. Where this is not possible, the customer should structure the renewal negotiation to treat the audit settlement as a separate matter, not as a leverage point. This requires discipline and skilled negotiation, but it materially affects the eventual commercial outcome.
The role of alternatives
Throughout the audit defence and the broader commercial relationship, the credibility of the customer's alternative paths matters. Broadcom assesses how likely the customer is to migrate workloads off VMware, to consolidate the estate, to repatriate cloud workloads, or to negotiate harder at renewal. The audit posture adjusts accordingly.
Customers who maintain credible, costed alternative paths — including ones they may not actually execute — get materially better audit outcomes than customers who do not. The work to develop and maintain these alternative paths is real but bounded, and it produces durable leverage across the commercial relationship.
The CIO's role here is to ensure that the alternative paths are real, not theoretical. Engineering work to validate migration feasibility, financial work to cost the alternatives, and procurement work to develop the supplier relationships that would support the alternatives — all of these contribute to the credibility of the position. Without them, the alternative-path lever does not work.
Building the long-term posture
Beyond individual audit engagements, CIOs need to build a long-term posture toward Broadcom that produces durable advantage. Several specific elements of this posture matter.
Active commercial management. The Broadcom relationship is not a procurement matter to be managed reactively. It is an ongoing commercial engagement that needs active management, regular review, and strategic positioning. CIOs who treat it this way get materially better terms over multi-year horizons.
Workload rationalisation. The size and shape of the VMware estate is a strategic variable that should be managed actively. Workloads that no longer need to be on VMware should be migrated. New workloads should be placed on the right platform, not defaulted to VMware. The total estate should be sized to the realistic forward need, not to historical accident.
Contract discipline. Each Broadcom contract negotiation is an opportunity to improve the customer's contractual position. Audit clauses can be tightened. Scope language can be made more precise. Dispute resolution can be improved. These contractual improvements compound over time.
Capability investment. The internal capability to manage the Broadcom relationship — vendor management, contract knowledge, FinOps, engineering depth — should be invested in deliberately. This capability is a strategic asset that pays back across multiple audit and renewal cycles.
What to do now
If you are not currently under audit
Build the preparation foundation: entitlement record, deployment visibility, contract review, vendor management capability. Establish a relationship with specialist advisory support before you need it. Develop the alternative-path posture that gives you commercial leverage. The work is bounded and the payoff is substantial when the audit eventually arrives.
If you have just received an audit notice
The first 48 hours are critical. Establish single-point-of-contact discipline immediately. Confirm the contractual basis. Build the internal team. Engage specialist support before the data request is responded to. Treat the audit as a serious commercial defence engagement from day one.
If you are in the middle of an audit
Step back from the tactical engagement and assess the broader strategic position. Is the methodology being challenged effectively? Is the scope being defended? Are the contractual protections being invoked? Is the relationship to the renewal being managed actively? If any of these are weak, course-correct now before settlement.
If you are negotiating a settlement
The settlement number matters less than the settlement structure. The closing agreement language, the audit-credit conversion, the future-audit protections, the relationship to the next renewal — all of these compound. Skilled settlement negotiation produces materially better outcomes than focusing on the headline number alone.
The strategic bottom line
A Broadcom audit is the most consequential commercial engagement most CIOs will have with a software vendor. The financial stakes are routinely in seven or eight figures. The strategic implications shape the IT budget for years. The downstream effects on the broader Broadcom relationship are durable.
The CIO who treats this as a strategic defence engagement — with appropriate preparation, alignment, specialist support, and ownership — produces materially better outcomes than the CIO who treats it as a procurement event to be resolved expediently. The difference is not measured in modest percentages; it is routinely measured in multiples of the eventual settlement.
For most enterprises, the right posture toward Broadcom audits in 2026 is: assume the audit is coming, prepare deliberately, engage seriously when it arrives, defend rigorously, and use the audit engagement to strengthen the broader commercial relationship going forward. CIOs who establish this posture early get the best outcomes. CIOs who establish it after the first audit notice arrives get worse outcomes than they could have. CIOs who never establish it consistently pay the worst price.
The work to do this well is real but bounded. The investment pays back many times over across the life of the Broadcom relationship. The CIO who owns this work, drives the organisation to do it well, and builds the long-term capability to sustain it produces durable advantage in one of the most consequential vendor relationships in the modern enterprise IT estate. The CIO who does not surrenders that advantage and pays for it for years.
This is not, in the end, an audit defence problem. It is a strategic vendor management problem with audit defence as one of its highest-stakes components. The CIO who frames it that way — and organises the response accordingly — is the one who produces outcomes that the headline numbers around Broadcom commercial pressure suggest are not possible. They are possible; they require deliberate work; and that work is unambiguously the right call.