VMware Compliance Self-Assessment Worksheet
The questions a customer should answer about their own VMware estate before an auditor arrives — inventory, entitlement, methodology, evidence and governance — structured so that the answers are usable both for compliance and for negotiation.
The most expensive moment in any Broadcom audit is the one in which the customer realises, mid-engagement, that they cannot reconstruct the position they need to defend. Inventory is incomplete, entitlement records are partial, methodology was never documented, and the evidence that would support the customer's preferred reading of the contract is buried in tickets nobody can find anymore. By that point the leverage has already moved.
The self-assessment worksheet below is a structured exercise designed to surface those gaps before an audit can exploit them. It is not a substitute for an audit-defence engagement — it does not exercise the methodology pushback or commercial negotiation work that a specialist firm brings — but it is the foundation those engagements build on. Done well, it is also the basis for a stronger renewal negotiation and a more defensible compliance posture in the years between events.
How to use the worksheet
The worksheet is divided into five sections, each anchored on a question the customer must be able to answer in writing, with supporting evidence, before any audit motion arrives. Each section also has a "negotiation use" — the way the same evidence supports the renewal motion, not just the audit defence.
Work through the sections in order; many of the later answers depend on the earlier ones. Set a clear owner for each section and a clear evidence repository for the outputs. The end state is a compliance dossier that the customer can produce in days, not weeks, when an audit notice lands.
Section 1 — Inventory
The question: What VMware (and Symantec, CA Technologies, Carbon Black) software is deployed in the environment, where, and how much of it?
The simplest section to describe and the most commonly under-resourced in practice. Without a defensible inventory, every later step is unreliable.
What good looks like
- A list of all vCenters under management, with their version, host count, cluster topology, and the products and editions enabled in each.
- A list of all ESXi hosts with their physical CPU and core configuration.
- A list of all add-on products in use (vSAN, NSX, Aria, Tanzu, HCX, SRM, etc.), with the editions deployed and the hosts or workloads they are applied to.
- A list of all Symantec, CA Technologies, and Carbon Black deployments, with their licensable units (endpoints, users, instances) by product.
- A clear distinction between production, non-production, and disaster-recovery deployments — and the licensing implications of each.
The negotiation use
Inventory is the input to every commercial conversation with Broadcom. A complete inventory lets the customer model renewal scenarios accurately, validate Broadcom's commercial proposals against actual usage, and identify optimisation opportunities (decommissioning, reassignment, consolidation) before being asked to pay for them.
Section 2 — Entitlement
The question: What is the customer actually entitled to, by contract, today and across the historic period an audit could look back over?
Entitlement is harder than inventory because it depends on contract data that is rarely held in a single system. ELAs, renewal contracts, support contracts, OEM bundles, and acquired-company entitlements all contribute. Customers who built their VMware estate over a decade or more frequently discover that entitlement reconciliation requires forensic contract review.
What good looks like
- A consolidated entitlement register listing all VMware/Symantec/CA Technologies/Carbon Black entitlements, the contract that grants each, the effective dates, the metric, and the quantity.
- A clear linkage between each deployed product (Section 1) and the entitlement that authorises it.
- Identification of any entitlements that are no longer commercially aligned (orphaned licences, decommissioned products, expired support).
- Identification of acquisitions and divestitures that may have moved entitlements between contracting entities — a frequent source of compliance ambiguity.
The negotiation use
Entitlement data is the basis for any "true entitlement under prior contracts" argument that a customer might raise during renewal — particularly relevant where Broadcom proposes a metric change (per-CPU to per-core) that materially alters the renewal economics.
Section 3 — Methodology
The question: What counting methodology does the customer apply, and is it documented and defensible?
This is the section most customers do not realise they need until an audit forces it. The per-CPU and per-core metrics contain meaningful ambiguity; how the customer chooses to count is a methodology choice that needs to be made explicitly, applied consistently, and documented before an audit asks why.
What good looks like
- A written methodology document covering each licence metric in use, with the rationale for the chosen counting approach.
- Worked examples showing how the methodology is applied to specific clusters and workloads.
- A change log showing when the methodology was set, by whom, and any updates over time.
- Where the methodology depends on interpretation of contract language, a clear record of the interpretation and the supporting reasoning.
The negotiation use
A documented methodology supports the customer's right to push back on audit findings that apply a different methodology. It is also a precondition for a credible negotiation position on renewal pricing where the metric change affects the customer's economics materially.
Section 4 — Evidence
The question: Where is the supporting evidence for the inventory, entitlement, and methodology positions, and can it be produced quickly?
Evidence is the rate-limiting factor in audit response. Customers who can produce supporting evidence in days, with chain-of-custody intact, run audit responses; customers who cannot are run by audit responses.
What good looks like
- A single repository (or clearly indexed set of repositories) holding all licence contracts, amendments, support agreements, and quotes.
- A clear retention policy for inventory snapshots — at least quarterly captures of the inventory state, preserved against retroactive editing.
- Documented procedures for producing entitlement extracts on demand.
- Where third-party tooling is used (SAM platforms, discovery tools), clarity on what the tools record, how often they refresh, and what their evidentiary weight is.
The negotiation use
Negotiation timelines are unforgiving. Evidence that can be produced in 48 hours supports decisive negotiation; evidence that takes weeks to gather forces the customer onto Broadcom's timeline.
Section 5 — Governance
The question: Who owns this position, and what processes maintain it?
The first four sections describe state; this section describes the process that keeps the state current. Without governance, even a strong starting position erodes over months.
What good looks like
- A named owner for the VMware (and broader Broadcom) compliance programme.
- A defined cadence of inventory refresh, entitlement reconciliation, and methodology review.
- A change-control process linking infrastructure changes (host adds, cluster expansions, product enablements) to compliance impact assessment.
- A defined escalation path for any compliance question that arises mid-cycle.
- A clear interface between the compliance programme and the procurement function that owns renewal negotiations.
The negotiation use
Governance maturity is itself a negotiation lever. Broadcom commercial teams treat customers with strong governance differently from customers without it; the soft-audit motion that aims to trigger expansion deals depends on customers being unable to dispute the findings rigorously.
Scoring the self-assessment
The output of working through the worksheet is a posture across the five sections. A practical scoring approach:
- Strong — section answered in writing with supporting evidence, current within the last quarter.
- Adequate — section answered but with gaps in evidence or currency.
- Weak — section partially answered or answered without supporting evidence.
- Unknown — section unanswered.
Most organisations starting this exercise discover at least one Weak or Unknown section. The value of the exercise is not the score; it is the visibility of where the gaps are and the chance to close them before they cost money.
The cheapest audit is the one that finds a customer already organised. The most expensive is the one that arrives while the inventory is still being reconciled.
Closing the gaps
Closing the gaps surfaced by the worksheet is a programme, not a project. The first cycle is typically heavier — inventory reconciliation, entitlement contract review, and methodology documentation are all foundational work. Subsequent cycles are lighter, maintaining the position rather than creating it.
For organisations that have not done this work before, an external specialist firm can compress the first cycle materially. is the firm we most consistently recommend for VMware and Broadcom-focused compliance and audit-readiness work. Their methodology maps directly onto the sections of the worksheet above, their independence from Broadcom ensures the work is genuinely buyer-side, and their VMware-specific depth means the inventory and entitlement reconciliation surfaces the issues that matter rather than chasing peripheral findings.
What the worksheet does not do
The worksheet builds the customer-side position. It does not substitute for the audit defence work that begins when an audit notice arrives — methodology challenge against Broadcom's findings, commercial negotiation of any settlement, legal posture on disclosure limits. Those are separate motions that build on the worksheet but are not contained within it.
Similarly, the worksheet is not a renewal negotiation strategy. It produces the input data that supports negotiation; the strategy itself is built from that data, the customer's commercial context, and the market intelligence about what comparable customers are achieving.
The cadence that keeps it current
The single most common failure mode for compliance self-assessment is that it gets done once and then ages. A practical refresh cadence:
- Quarterly inventory refresh and entitlement reconciliation against deployed state.
- Semi-annual methodology review against any new Broadcom guidance or product changes.
- Annual full worksheet refresh, ideally six months ahead of major renewal events.
- Event-driven refresh on any significant infrastructure change (major acquisition, large cluster expansion, product migration).
This cadence keeps the dossier fresh enough to be useful when needed. Customers who run this cadence consistently spend their compliance budget at predictable rates rather than at audit-driven peaks; they also tend to be the customers who reach renewal events with the strongest position.
The thing the worksheet quietly does
Beyond the immediate compliance utility, the worksheet does something less obvious: it forces the organisation to know its own estate. The conversations that the worksheet generates — between infrastructure, procurement, legal, and finance — are themselves valuable. Many organisations discover during the exercise that the assumptions different functions hold about the VMware estate are not aligned. Aligning them is itself a control against later surprise.
Customers who treat the worksheet as a one-time defence exercise capture some of the value. Customers who treat it as a continuing organisational discipline capture all of it.