Broadcom Audit Defense 101: Strategies to Handle Broadcom/VMware/CA/Symantec License Audits

Introduction – Broadcom’s Audit Playbook

Broadcom has earned a reputation for enforcing strict software licenses.

After acquiring CA Technologies (known for aggressive audits) and Symantec’s enterprise software portfolio, Broadcom continues a legacy of frequent audits as a revenue driver.

Enterprises, large and small, are finding that audits are not rare events, but rather a predictable part of owning Broadcom, CA, or Symantec software.

With Broadcom’s acquisition of VMware, many expect this audit culture to extend into VMware’s products as well.

The stakes are high – non-compliance findings can result in substantial back-charges, forced purchases, or penalty fees. If your organization is unprepared, a Broadcom audit can quickly become costly and disruptive.

This guide provides practical steps to defend against Broadcom audits across CA, Symantec, and VMware products, helping you stay in control.

Audit Triggers

Broadcom (and the legacy vendors it has acquired) typically includes standard audit clauses in its contracts.

Understanding what triggers an audit can help you anticipate and possibly avoid being targeted.

Common audit triggers include:

  • Routine Clause Activations: Most Broadcom/CA/Symantec contracts allow for an audit once every 12–24 months, provided advance notice is given. Even without wrongdoing, Broadcom may exercise this right periodically.
  • Mergers & Acquisitions (M&A): If your company merges with another, acquires a business, or divests a division, this change often draws an audit. Vendors assume licensing might slip through the cracks during corporate changes.
  • Usage Growth or Anomalies: A sudden increase in usage can raise flags. For example, if support tickets or license key requests suggest that you’ve deployed more than you have purchased, Broadcom might initiate a compliance check. Any visible spike in capacity (new servers, more endpoints, higher mainframe usage) could trigger scrutiny.
  • Industry Sweeps: Broadcom periodically focuses on specific industries or product lines. If they conduct an “industry-wide sweep” of compliance (for instance, auditing many financial institutions in one quarter), you could be caught in that net.
  • End-of-Quarter Revenue Goals: Although not officially stated, vendors often push audits when sales targets are looming. If Broadcom’s sales team is behind on revenue, audits can be used to generate additional license sales via compliance findings.

Key Point: Assume that any significant change or growth in your IT environment is noticed. Maintaining excellent records and proactively communicating license needs during expansions can help reduce the likelihood of an unexpected audit notice.

Pre-Audit Preparation

The best defense is a good offense – in licensing terms, that means self-auditing and preparation before any vendor audit occurs.

Treat Broadcom like an “audit-prone” vendor (akin to Oracle or Microsoft) and fortify your Software Asset Management practices.

Steps to prepare include:

  • Run Regular Internal Compliance Checks: Conduct an internal audit at least once a year. Inventory all Broadcom/CA/Symantec/VMware software deployments and compare them to your entitlements (what you’ve purchased). Identify any over-deployment or usage beyond license terms.
  • Collect Entitlement Documentation: Gather all relevant contracts, license certificates, purchase orders, and maintenance renewal records. Keep these organized in a central repository. If an audit occurs, you’ll need to prove ownership. For legacy CA or Symantec products, preserve old license agreements and any proofs-of-purchase – these are your defense against claims.
  • Gather Usage Reports by Product: Proactively collect usage data for major Broadcom software categories:
    • Mainframe (CA) Products: Run IBM’s Sub-Capacity Reporting Tool (SCRT) or similar to document your Mainframe MSU/MIPS usage for CA mainframe software. This is often what auditors will request for mainframe licensing verification.
    • Symantec Endpoint/Security: Export logs or management console reports showing the number of protected endpoints or users. For Data Loss Prevention (DLP), document the number of servers/agents deployed. Ensure you understand how Symantec defines “users” or “devices” under your license.
    • VMware Products: Use vCenter and ESXi reports to capture the number of hosts, CPUs (sockets/cores), and VMs running VMware software. For example, if you have vSphere licenses per CPU, note how many CPUs are in use on each cluster. Also, document any disaster recovery or test environments.
  • Fix Easy Issues Now: If your self-audit finds obvious compliance gaps (e.g., 50 more endpoints using Symantec than you have licenses for, or an extra vSphere host deployed without a license), remediate immediately. Uninstall or decommission unused software, reclaim and reallocate licenses as needed, or purchase additional licenses if necessary. It’s far cheaper and cleaner to address it yourself than to be charged in an audit.
  • Document Remediation Efforts: Keep a log of any compliance issues you found and how you resolved them. This can demonstrate good faith. For instance, if you discovered a test server running an unlicensed instance of a CA tool and removed it, note the date and action. If questioned later, you can demonstrate that you took proactive steps.

By preparing in advance, you not only reduce the chances of a negative audit outcome but also gain confidence in your license position.

Being organized and informed is itself a deterrent – if Broadcom does audit you, you’ll be ready to respond with facts and perhaps even show them that you have things under control.

Responding to an Audit Notice

The moment an official audit notice arrives from Broadcom (or their third-party auditor), do not panic – but do not ignore it.

How you respond in the first days sets the tone. Here’s how to handle an audit notice strategically:

  • Acknowledge Formally and Promptly: Always respond within the timeframe given (or sooner) with a brief, professional acknowledgment. Thank them for the notice, express your intention to cooperate as required under the contract, and indicate you will coordinate a schedule. Never ignore an audit request – lack of response can escalate the issue or even lead to breach of contract claims.
  • Review Your Contract and Rights: As soon as an audit notice is received, review the relevant license agreements. Examine the audit clause: How often can they audit? How much notice must they give? What information are you obligated to provide? Knowing the exact contract language will help you effectively push back on any requests that exceed it. For example, if the contract states that audits require 60 days’ notice, you can insist on that timeline if they provided less.
  • Negotiate Scope and Timeline: You have the right to manage the audit process. Engage with Broadcom to set boundaries:
    • Scope: Clarify which products and what time period the audit will cover. If the notice is broad (“all Broadcom software usage”), try to narrow it: for instance, to specific product families or business units that are relevant. If you recently underwent an audit for Symantec products, you might argue against including those again so soon.
    • Timeline: If the default is 30 days’ notice, but you need more time to gather data, request an extension. Propose a reasonable schedule for data collection and meetings. Auditors often agree to extensions, especially if you show a cooperative attitude.
  • Insist on an NDA: Treat an audit like any confidential business process. Ensure Broadcom and any outside audit firm sign a Non-Disclosure Agreement (or that the existing contract’s confidentiality terms cover audit data). This means any data you provide or results from the audit cannot be shared or used outside of the audit resolution. This is critical if you’ll be sharing sensitive information (e.g., security software logs or network architecture for VMware deployments).
  • Assemble an Internal Audit Response Team: Don’t handle this alone. Form a team that includes:
    • License/Asset Manager: Someone who knows your entitlements and can pull records.
    • IT Operations: People who can run the required tools and gather usage data from systems (mainframe team, VMware admins, endpoint/security admins, etc., depending on scope).
    • Legal Counsel: In-house legal or external licensing counsel to review communications and protect your rights. All correspondence might be funneled through or reviewed by legal to ensure wording doesn’t imply unintended admissions.
    • Procurement/Finance: If the audit could lead to financial settlement, involve procurement or finance to strategize on budgets and negotiation tactics.
    • Executive Sponsor: A senior IT or procurement executive who can escalate issues to Broadcom management if needed and has the authority to approve settlements.
  • Centralize Communications: Designate a single point of contact to interface with the auditors (often the licensing manager or a specific legal counsel). This ensures a consistent message. All communication with Broadcom should ideally be in writing (via email or letters). If calls or meetings occur, follow up with written summaries. Keeping a paper trail prevents “he said, she said” situations and ensures you have a record of what was agreed upon.

By promptly acknowledging and setting ground rules, you demonstrate professionalism and control.

Remember, an audit is not a criminal investigation; it’s a contractual process. You have the right to protect your interests while complying with reasonable audit requirements.

During the Audit – Defensive Practices

Once the audit is underway, it’s important to cooperate thoughtfully and defensively.

Your goal is to fulfill your contractual obligations without volunteering unnecessary information or allowing misunderstandings.

Here are key defensive practices during the audit:

  • Provide Only Required Information: Stick strictly to what the contract and the agreed-upon scope require. If the auditors request data outside the scope or not mandated, you can politely decline or ask why it’s needed. For example, if the audit is for Symantec Endpoint Protection licenses, they shouldn’t need unrelated software inventories. Don’t hand over raw data dumps of your entire network unless required – filter and provide the data relevant to the products under audit.
  • Verify Data Before Sharing: Double-check every piece of information you give the auditors. Ensure that reports are accurate and up-to-date. If you’re providing an export from a tool (such as a VMware licensing report or a mainframe usage file), verify that it reflects the correct environment. Cleansing the data is fair game: remove decommissioned servers or outdated entries if they’re no longer in use. In short, make sure you’re not accidentally overstating your usage.
  • Keep Communication in Writing: Maintain a written record of all interactions via email. If an auditor calls with questions, answer if you can, but always follow up with an email confirming what was discussed. This keeps everyone honest and ensures there’s no confusion later about what was said or promised.
  • Observe and Challenge Ambiguities: When the auditors present preliminary findings, scrutinize them:
    • Are they counting users or devices that are inactive? For instance, if a Symantec report shows 5,000 user accounts but you know 500 are dormant accounts or ex-employees, flag that and provide evidence (like last login dates or account disable dates).
    • Are they counting backup, disaster recovery, or test systems as full production usage? If your contract allows non-production use without a full license, ensure that these are excluded or properly categorized.
    • For mainframe metrics, if they use a peak MSU number from a one-time spike (maybe during a load test or a disaster recovery drill), provide context. You might argue that it’s not representative usage or falls under a special provision.
    • For VMware, ensure they’re not double-counting clusters or assuming every installed product is actively used. Perhaps vCenter lists a host that has been retired – point it out.
  • Stay Professional and Firm: Auditors might sometimes make sweeping statements like “it appears you’re out of compliance on X.” Do not concede on the spot. A good response is: “We will review these findings internally and get back to you.” This buys time to analyze and avoids any inadvertent admission of non-compliance before you’re sure of the facts.
  • Manage Access Carefully: If auditors need to run a script or tool in your environment (sometimes Broadcom provides scripts for data collection), closely monitor that process. Run it in a test environment first if possible, or supervise the execution. You want to know exactly what data is being collected. Ideally, run any audit tools yourself and just send the results, rather than giving auditors live access to your systems.

During the audit, remember that you are in control of your environment.

You have every right to understand and verify the data being collected. Being cooperative doesn’t mean being passive – it means being a vigilant partner in the process to ensure accuracy and fairness.

Common Findings & Vendor Tactics

Broadcom’s audit teams (including legacy CA/Symantec auditors) know where to look for compliance gaps.

Being aware of common findings and the tactics vendors use can help you preempt and rebut issues.

Typical audit findings and vendor tactics include:

  • Over-Deployment of Licenses: This is the classic case – you’re found using more licenses than you purchased. Examples: more Symantec endpoint installations than you have licenses for, or more VMware vSphere hosts running than you have vSphere licenses. Often, this happens gradually as companies scale up their hardware or onboard new employees without updating their licenses. Risk: The vendor will demand you purchase the excess, often retroactively covering back support fees. Defense: Track deployments closely and uninstall or purchase before a significant delta occurs.
  • Unlicensed Environments (Improper Use): Auditors will flag installations in disaster recovery (DR), test, or development environments that aren’t properly licensed. Perhaps you thought your license covers non-production use, but not all contracts do. Risk: Broadcom claims you need to license those servers or users as if they were production. Defense: Review contract terms for development and disaster recovery (DR) use. You might be able to negotiate cheaper coverage for DR or demonstrate that DR systems are cold standby (not running simultaneously, which some contracts allow without an additional license).
  • Expired Support or Lapsed Maintenance: If you have perpetual licenses but decided not to renew maintenance, using the software is usually still allowed – but you may not be entitled to the latest versions or patches. Auditors might find that you upgraded software or applied updates after support expired. Risk: They’ll assert you’re not entitled to those versions and demand you pay back support or re-subscribe. Defense: Maintain a clear timeline of what versions you have and when support ended. If you upgraded without entitlement, you may be able to negotiate paying maintenance from the lapse date rather than purchasing new licenses.
  • License Metric Misinterpretation: Broadcom’s portfolio includes complex metrics:
    • CA mainframe products are measured in MSUs/MIPS or by processor tiers. Symantec products might be licensed per user, per endpoint, per CPU, or even per data volume (DLP). Miscounting these (e.g., treating a “user” as an AD account versus an actual person, or failing to account for multi-device users) leads to discrepancies.
    • VMware products were historically licensed per CPU socket (with a core limit in newer versions) or per VM in some cases. If you moved to newer multi-core CPUs, you might exceed the core limits of older licenses.
    Risk: Auditors will apply the strict definition of the metric. If you interpreted it more liberally, that gap becomes a finding. Defense: Push back with business reasoning. For instance, if 100 user accounts were generic service accounts, not actual people, argue that they shouldn’t count as “users” for licensing. Provide documentation for any agreed-upon interpretations you had with the vendor in the past.
  • “Shelfware” and Bundle Issues: Sometimes an audit uncovers products that you installed but never fully utilized (shelfware). Ironically, vendors may still consider these as non-compliant if they are installed without a license. Or, if you have a bundle, using one component beyond its terms (e.g., using a Symantec suite component in a manner not covered) can be flagged. Risk: They require you to license that component separately. Defense: If it’s truly unused software sitting idle, uninstall it and show evidence that it was never active in production use.
  • Pressure and Scare Tactics: Beyond findings, be prepared for the tone of vendor tactics. Auditors or sales reps might:
    • Claim that the deadline to settle is looming very soon (to rush you).
    • Suggest that Broadcom leadership is aware and considering “escalation” (implying legal action) if you don’t quickly comply.
    • Drop names of other companies that paid huge penalties (to frighten you into thinking that’s normal).
    Defense: Remain calm and follow your process. Deadlines can be extended through negotiation, and vendors rarely jump straight to lawsuits if you are engaging in good faith. Don’t let aggressive posturing bully you into a poor settlement.

Understanding these common issues helps you stay one step ahead. Many findings are negotiable or defensible if you have data and patience. The key is not to accept the auditor’s numbers at face value without verifying them yourself and providing context.

Settlement & Negotiation Strategies

When the audit wraps up, Broadcom will present an audit report with compliance gaps and a bill to “resolve” them.

This is where you shift from audit mode to negotiation mode. Treat the outcome like a commercial negotiation – you have leverage and options.

Strategies for the settlement phase include:

  • Don’t View It as Just a “Penalty” – It’s a Deal: Broadcom often frames the resolution as buying the shortfall licenses (often with back-dated maintenance fees, and sometimes penalties or interest). Instead of just signing the check, approach it as you would a renewal or new purchase negotiation. This is an opportunity to get something in return for your spending.
  • Bundle the Settlement with Future Needs: One effective tactic is to fold the compliance purchase into a larger deal. For example, if you plan to renew or expand some Broadcom/VMware products soon, consider negotiating a combined agreement. “We’ll purchase these additional licenses (to cure compliance) as part of a three-year renewal of our broader contract.” This gives Broadcom sales an incentive to offer discounts or concessions because it transforms a penalty into a revenue opportunity with a longer commitment.
  • Push for Waivers or Reductions: Broadcom’s initial demand might include back maintenance fees (e.g., “since you were using these 100 extra licenses for 2 years, pay 2 years of support for them, plus buy support going forward”). You can negotiate these down. If you’re willing to sign a new multi-year contract or expand your usage legitimately, ask for a waiver of back maintenance or penalties. Vendors often relent on punitive fees if they see a substantial future deal – they’d rather secure your loyalty (and money) long-term.
  • Use Evidence to Challenge Overstated Findings: By now, you should have gathered internal evidence to counter any inflated counts. Present your case in the negotiation:
    • If the auditor stated that you need 100 extra licenses, but you proved that only 60 were actually in active use, bring that 60 number to the table.
    • If they count a DR server, remind them it was not running concurrently, and check if the contract allows for a free DR instance.
    • Basically, negotiate the numbers. The final resolution can be smaller than the initial finding if you make a solid case.
  • Involve Broadcom Account Management: Often, the audit might have been handled by a separate compliance team or third-party firm. As you discuss spending money, loop in your Broadcom sales/account manager or even higher-level executives. Sales teams have a stake in maintaining the relationship and may advocate internally for a more reasonable settlement (especially if they fear you might otherwise defect to competitors). Shifting the conversation to a sales context can soften the compliance stance.
  • Consider Third-Party Advisors or Legal Counsel: If the sums are huge, don’t hesitate to get expert help. Some companies hire software licensing consultants or law firms specializing in audit defense to lead or support negotiations. They might identify defense angles you missed and will be aware of Broadcom’s usual tactics. This can level the playing field if Broadcom is being particularly intransigent.
  • Frame Commitments Carefully: If you agree to purchase licenses as settlement, ensure you get proper value:
    • Get the latest version or an upgrade as part of it (so you’re not paying for old versions).
    • Ensure the maintenance/support start date is current (not overly back-dated unless necessary).
    • If you commit to a multi-year deal, negotiate price protections (such as caps on increases) and improved terms (like added audit protections moving forward).
  • Everything is Negotiable: Remember that an audit report is not a final verdict. Broadcom wants revenue, and it wants the resolution to go smoothly. You have negotiation leverage – perhaps you’re a big account they want to keep happy, or maybe you have alternatives (e.g., considering moving off Symantec to another security product, which you can mention to spur a better offer). Use that leverage politely but firmly.

Ultimately, strive for a settlement that your organization can afford both financially and operationally.

Ideally, you turn a painful audit into a path forward: you true-up licenses in a way that aligns with future needs, and you insert better terms into your agreements to prevent a repeat scenario.

Preventing Future Audits

After resolving one audit, the last thing you want is to go through it again the next year. While you cannot prevent a vendor from exercising audit rights, you can reduce your likelihood of being targeted and minimize the pain if it happens.

Build audit defense into your ongoing operations:

  • Annual Self-Audits: Make internal license compliance review a routine (at least once a year, if not semi-annually). Consider it a “fire drill” – assume an audit could happen, and see if you would pass. This way, any minor non-compliance issue can be identified and addressed quietly. Document these self-audits; they can demonstrate to Broadcom that you take compliance seriously, which might make them less aggressive.
  • Strengthen License Governance: Implement a robust Software Asset Management (SAM) program for Broadcom portfolio products:
    • Maintain a central license inventory that tracks every Broadcom/CA/Symantec/VMware entitlement you own.
    • Track deployments via automation if possible (tools that scan for installations or monitor usage).
    • Have clear internal processes for deploying new software – require that a license allocation is confirmed before any Broadcom product is rolled out on a new system.
    • Train IT staff about license limits. For example, VMware administrators should be aware that adding a new host requires a license key; mainframe teams should understand that using extra MSUs may incur additional costs.
  • Negotiate Audit Terms in Contracts: If you have any leverage during a renewal or new purchase, try to insert audit-friendly clauses. For instance:
    • Frequency Limit: “Audits shall occur no more than once every 24 months” – so you’re not audited every year.
    • Notice Period: “with at least 60 days’ written notice” – giving you more time to prepare than a standard 30-day clause.
    • Mutual Agreement on Tools: “Audit findings must be based on mutually agreed measurement tools or methods.” This prevents Broadcom from unilaterally deciding how to measure usage in a way that might disadvantage you.
    • Confidentiality: “All audit results will remain confidential and will not be disclosed except to the customer and Broadcom personnel necessary to address compliance.” This protects you from any publicity or internal Broadcom gossip about your audit.
    • Remediation Period: You might even negotiate a clause that if an audit finds non-compliance, you have X days to acquire necessary licenses without penalty. Not all vendors agree to this, but it’s worth trying.
  • Improve Record-Keeping: Keep all proof of license purchases and communications with Broadcom in a safe, organized place. If you ever negotiate special terms or exceptions (for example, an email where a Broadcom rep said you can use a license in DR for free), archive that. These can be golden evidence in future audits or discussions.
  • Consider Alternative Support or Products: As a strategic long-term angle, evaluate whether staying with Broadcom’s model is optimal. Some companies, frustrated by repeated audits and rising costs, consider moving some software to alternative solutions:
    • Third-Party Support: For certain legacy products (especially CA mainframe software or Symantec suites), third-party support providers might offer maintenance at lower cost and with no vendor audits (once you leave Broadcom support, their audit rights may be contractually limited). Be careful to understand license terms, though – you can usually use a perpetual license without vendor support, but audit clauses might still survive in some agreements.
    • Product Migration: If a product line becomes too high-risk (e.g., Symantec Endpoint Protection getting too expensive or VMware licensing changes under Broadcom), it might be worth comparing the costs of switching to a competitor. Even if you don’t switch, having a credible plan B gives you leverage in negotiations (“we might not renew this product if terms don’t improve”).
  • Centralize Audit Response Globally: For multinational companies, coordinate audit management centrally to ensure a consistent approach across all locations. Broadcom might approach regional offices separately, so insist that any audit goes through a single global process. This prevents divide-and-conquer tactics and ensures consistent data is provided. Additionally, a central team can better handle data from multiple regions, aligning it with local privacy laws (for example, if audit data contains personal information of employees, ensure GDPR compliance in Europe by anonymizing the data).

By institutionalizing these practices, you create a culture of compliance and readiness.

Broadcom auditors often focus on customers who appear disorganized or unaware. If you demonstrate strong control over your licensing, you may be seen as a lower-priority target in the future.

And if you are audited again, it will be far less painful because you’re essentially always ready.

Checklist – Audit Defense Steps

Use this quick checklist to ensure you’ve covered all bases in defending against a Broadcom audit:

  • ✅ Regular Self-Audits Conducted: You perform internal license true-ups for Broadcom/CA/Symantec/VMware software at least annually and resolve any discrepancies.
  • ✅ Entitlements Documented: All contracts, license keys, proof-of-purchase, and maintenance agreements are organized and accessible. You know exactly what you’re entitled to use.
  • ✅ Usage Data Ready: Up-to-date deployment and usage reports for all relevant software are prepared (mainframe MSUs, endpoint counts, VMware host/CPU counts, etc.).
  • ✅ Audit Notice Acknowledged: If an audit notice arrives, you respond within the required time, formally agreeing to cooperate and citing any initial concerns or requests (e.g., NDA, scheduling a discussion).
  • ✅ NDA/Security in Place: An NDA or confidentiality arrangement protects any data you share during the audit. Sensitive information is safeguarded.
  • ✅ Internal Team Assembled: You have a cross-functional team (IT, licensing, legal, procurement, exec sponsor) ready to handle the audit. Roles and responsibilities are clear.
  • ✅ Scope and Timeline Agreed: The audit’s scope is defined in writing – you know which products or business units are being audited – and you have a timeline that gives you reasonable preparation time.
  • ✅ Data Validated: Before sending any data to Broadcom, you’ve verified its accuracy, removed redundancies or errors, and ensured it reflects only what is necessary.
  • ✅ Communications Logged: All audit-related communications are in writing or logged. You have an email trail of deliverables and decisions for reference.
  • ✅ Findings Reviewed Internally: You have received the audit findings and cross-checked each point against your own records. Any disagreement or ambiguity is documented.
  • ✅ Negotiation Strategy Prepared: Before settlement discussions, you’ve decided your approach – whether to combine the settlement with upcoming renewals, how to present your counter-evidence, and what concessions to seek (discounts, penalty waivers, etc.).
  • ✅ Management Briefed: Your leadership is aware of the situation, potential financial impact, and the proposed settlement plan. No surprises for the C-suite.
  • ✅ Future Protections Identified: As part of settlement or renewal, you aim to include better audit clause terms or other protections to avoid a rinse-and-repeat next year.
  • ✅ Post-Audit Review: After closure, a lessons-learned session is scheduled. You update internal processes (and maybe team training) to prevent the same pain points from recurring.

This checklist can serve as a quick reference for anyone in your organization tasked with software compliance. In an intense audit situation, having a checklist ensures you don’t overlook a critical step amidst the urgency.

FAQs

Q: What penalties does Broadcom typically seek in audits?
A: Broadcom’s audit “penalties” usually come in the form of financial true-ups. Rather than a straightforward fine, they will demand you purchase the licenses for any shortfall in usage, often retroactively. This can include paying back-dated maintenance fees for the period you were out of compliance and ensuring those licenses are now under support. In some cases, they might threaten list-price purchases or add interest/penalty fees if the gap was severe or intentional. However, outright punitive fines (cash paid with no license received) are less common – Broadcom prefers you put that money into buying more of their software or services. Everything here is negotiable; companies often negotiate these demands down by committing to future spend or finding errors in the audit findings.

Q: Can I refuse or ignore a Broadcom audit request?
A: If your contract contains an audit clause (and most Broadcom/CA/Symantec contracts do), you are contractually obligated to comply within reason. Refusing or ignoring the request outright can put you in breach of contract, which may allow Broadcom to terminate your licenses or take legal action. That said, you have the right to manage how the audit is conducted (scope, timing, NDA, etc., as discussed above). If Broadcom’s request is not contractually compliant (e.g., a second audit too soon), you can push back, citing the contract. But in general, it’s best not to refuse – instead, engage and control the process. If you truly have no audit clause (which is rare with these vendors), you have more leeway; however, Broadcom might then leverage your support renewal as a pressure point. In summary: Don’t ignore it; respond and negotiate the terms of engagement.

Q: How long does a Broadcom software audit usually take?
A: The duration can vary widely based on the scope and complexity, but expect several months from start to finish for an enterprise-level audit. The initial data collection phase might be a few weeks to a month (gathering logs, running scripts, delivering info). Then the auditors analyze it – another few weeks – and present findings. Negotiating the settlement or resolution can take another few weeks or even a few months if there’s significant back-and-forth. In total, a straightforward audit might be resolved in 2-3 months. More complicated or contested audits can drag on for 6 months or more, especially if you and Broadcom are far apart on the findings and in active negotiation. It’s rare for an audit to be truly “over” in under a month, and you should be prepared for periodic bursts of activity (data requests, meetings) followed by waiting periods. The key is to use the time wisely – don’t rush to closure if doing so leaves you at a disadvantage. It’s better to extend the timeline through negotiation than to agree to an unfavorable outcome just to get it over with.

Author

  • Fredrik Filipsson

    Fredrik Filipsson brings two decades of Oracle license management experience, including a nine-year tenure at Oracle and 11 years in Oracle license consulting. His expertise extends across leading IT corporations like IBM, enriching his profile with a broad spectrum of software and cloud projects. Filipsson's proficiency encompasses IBM, SAP, Microsoft, and Salesforce platforms, alongside significant involvement in Microsoft Copilot and AI initiatives, improving organizational efficiency.
