Can You Refuse a Broadcom Audit?
The short answer is no. The longer answer is that customers have substantially more latitude to limit, slow, and shape the audit than the word "refuse" implies — and that latitude is consistently underused.
The short answer is no, you cannot simply refuse a Broadcom audit. The audit clause in your master agreement is a binding contractual obligation, and outright refusal exposes the customer to breach of contract claims, termination of licences for cause, and (in extreme cases) injunctive relief. The longer and more useful answer is that the right to audit is bounded by the terms of the clause, and customers have substantially more procedural latitude to limit, slow, and shape the audit than the word "refuse" implies.
This article walks through the legal and practical reality of declining or limiting a Broadcom audit, the situations in which partial refusal is defensible, the situations in which it is not, and the alternatives that produce better outcomes than outright refusal in almost every case.
What the contract actually requires
The audit clause in a typical VMware or Broadcom contract grants Broadcom a right to verify compliance with the agreement subject to specified conditions. The right is contractually enforceable, which means that if the customer refuses to engage at all, Broadcom can sue to compel compliance, and a court will generally grant specific performance of the audit obligation.
The customer's contractual obligation is to permit verification of compliance subject to the procedural protections in the clause. It is not an obligation to: provide any data Broadcom requests regardless of scope; cooperate with auditors of Broadcom's choosing regardless of contractual auditor identity requirements; respond on any timeline Broadcom proposes regardless of contractual notice provisions; or accept findings without dispute regardless of contractual cure and dispute mechanisms.
The distinction between "refusing the audit" and "limiting the audit to its contractual scope" is the entire ballgame. The former is breach. The latter is contract enforcement.
When partial refusal is defensible
Customers can — and should — decline to provide data or perform actions that exceed the contractual scope of the audit. The following are common refusals that are defensible under standard VMware and Broadcom audit clauses.
Refusing to run vendor-provided scripts
The audit clause does not typically require the customer to run scripts on its own infrastructure on Broadcom's behalf. It typically requires the customer to permit Broadcom (or the appointed auditor) to verify deployment. The customer can decline to run scripts and propose an alternative protocol — typically the customer extracts the data itself using its own tooling, validates the data, and provides it to the auditor under a negotiated data-exchange protocol.
Refusing to provide data outside the contractual scope
The audit clause defines the scope of verification. If the clause limits audit to specifically identified products, the customer can decline to provide data for products outside the scope. If the clause limits audit to production use, the customer can decline to provide data for non-production environments. If the clause limits audit to the contracting entity, the customer can decline to provide data for affiliates or subsidiaries outside the scope.
Refusing to provide data containing PII or regulated data
Most audit clauses exclude PII from the audit scope or require special handling. Customers in regulated industries (healthcare, financial services, federal contracts) frequently have regulatory obligations that override contractual data-sharing provisions. Where regulated data is implicated, the customer can decline to share the data in raw form and propose alternative protocols (redaction, aggregation, in-place inspection under supervision).
Refusing in-house Broadcom auditors where contract requires independence
Many legacy VMware ELAs require that the auditor be an independent third party, with a list of acceptable firms. Where the contract requires an independent auditor, the customer can decline to engage with Broadcom's in-house compliance team and require that an independent firm be appointed.
Refusing accelerated timelines
The audit clause typically specifies notice periods, response timelines, and cure periods. The customer can decline to operate on a faster timeline than the clause specifies. Where Broadcom requests an accelerated kickoff or compressed data-exchange schedule, the customer can require the contractually specified timeline instead.
When refusal is not defensible
The following refusals will produce escalation rather than de-escalation, and customers should not pursue them without specialist legal advice and a clear strategic reason.
Refusing to engage at all
Ignoring the audit notice is breach of contract. The audit clause requires the customer to permit verification. Ignoring it permits Broadcom to escalate to legal action, breach of contract notice, or termination of the underlying licences. This is the most expensive possible response.
Refusing within scope
If the contractual scope of the audit includes the data Broadcom is requesting, the customer cannot refuse it. The customer can negotiate the protocol, the timing, and the handling, but not the obligation. Attempting to refuse within-scope data is breach and will be treated as such.
Refusing after agreement
If the customer has agreed (in writing or by conduct) to a particular protocol — for example, by participating in a kickoff call and accepting a data-collection schedule — refusing to follow through is breach. Customers should be cautious about agreeing to anything in early audit communications until the procedural posture is fully thought through.
The strategic alternative: slow and shape
The right strategy for almost every Broadcom audit is not to refuse but to slow and shape the audit. Slowing the audit means using every contractually permitted timing protection: full notice periods, contractually specified response windows, business-hours-only data exchange, contractually permitted cure periods. Shaping the audit means using procedural protections to channel the audit into formats favourable to the customer: customer-extracted data rather than auditor-extracted, negotiated data-exchange protocols rather than open-ended discovery, formal written exchanges rather than informal verbal admissions.
The combination of slow and shape consistently produces better outcomes than either outright refusal or full cooperation. The audit still happens — the customer meets its contractual obligation — but on terms that materially advantage the customer.
The consequences of refusal — what Broadcom can actually do
Customers contemplating refusal should understand what Broadcom can actually do in response. The escalation ladder is recognisable.
Step 1: Escalation within Broadcom. The first response to refusal is escalation within Broadcom — from the named auditor to compliance leadership, from the account team to senior sales leadership, and from sales to legal.
Step 2: Formal breach notice. Broadcom can issue a formal breach notice citing the customer's failure to permit audit. The breach notice typically demands cure within thirty days and reserves Broadcom's right to escalate further if cure does not occur.
Step 3: Termination for cause. The master agreement typically permits Broadcom to terminate the agreement and the underlying licences for material breach if cure does not occur. Termination of perpetual licences is a severe consequence — the customer loses the right to use the software and must remove it from production.
Step 4: Litigation. Broadcom can sue for breach of the audit obligation, for damages from the underlying under-licensing (if proven), and for injunctive relief compelling audit cooperation. Federal courts have generally ordered audit cooperation in software licence disputes; the customer's litigation position is weak.
Step 5: Counter-narrative. Beyond the legal escalation, Broadcom can use the customer's refusal as a sales narrative — referenced in pitches to other customers, used to justify aggressive audit posture industry-wide, and (in extreme cases) referenced publicly. Reputational considerations apply.
The legal posture: where customers have actually prevailed
Customers have prevailed against software vendor audit demands in limited circumstances, none of which involve outright refusal. The successful precedents typically involve: scope challenges (where the audit demand exceeded the contractual scope), auditor independence challenges (where the contract required an independent auditor and the vendor appointed an aligned one), confidentiality breaches (where the auditor used data outside the audit scope), and procedural defects (where the vendor failed to follow contractually required notice or protocol provisions).
These are partial refusals or procedural challenges, not refusals of the underlying audit obligation. Customers contemplating any form of refusal should structure it as a procedural or scope challenge rather than as outright refusal, and should obtain specialist legal advice before doing so.
Special cases where refusal looks more appealing
The customer is exiting Broadcom entirely
A customer that has firm migration plans away from VMware and Broadcom products may consider refusing the audit on the basis that the underlying licences will be discontinued. This is rarely the right strategy. The audit covers historical use, not future use, and discontinuing future use does not extinguish the historical obligation. A customer in migration should engage the audit, settle the historical position, and use the migration as commercial leverage to settle favourably.
The customer believes the audit is retaliatory
Some customers believe their audit is retaliation for refusing a commercial proposal (VCF migration, subscription conversion, expanded purchase). Retaliatory audits are real and frustrating, but they are not contractually defective. The audit clause does not require Broadcom to have a non-commercial motive. The customer's response should be the same as for any other audit: engage procedurally, defend substantively, and settle commercially.
The customer is in active litigation with Broadcom
Where the customer is in active litigation with Broadcom on related matters, the audit may overlap with discovery in the litigation. Specialist litigation counsel should manage the interaction between the audit obligation and the litigation discovery process; the customer should not unilaterally refuse the audit on litigation grounds.
The bottom line
You cannot refuse a Broadcom audit. You can — and should — refuse data requests that exceed the contractual scope, decline auditors that do not meet contractual independence requirements, require the contractually specified timing protections, and route all communication through counsel. The combination of these procedural limits consistently produces audit outcomes that are 40-70% better than outright cooperation, and substantially better than the alternative of refusal followed by breach.
The instinct to refuse is understandable. Audits are intrusive, expensive, and frequently feel arbitrary. The right response to that instinct is not to refuse the audit but to mount an aggressive procedural and substantive defence within the audit. Customers who do this win. Customers who refuse outright lose, often catastrophically.