Broadcom vs VMware Audits: What’s the Difference and How to Prepare

Introduction – Two Audit Cultures, One Parent

Under Broadcom’s ownership, two different audit cultures have collided. Broadcom’s software division (from CA Technologies and Symantec) is known for formal, frequent audits and a strict compliance mindset.

VMware historically had a lighter-touch approach, relying more on trust and self-reporting than aggressive enforcement. Now, however, VMware’s audit frequency and rigor are rising under Broadcom.

This guide compares Broadcom and VMware audit practices, covering preparation, key metrics, evidence, and strategies.

For a complete overview, read our ultimate guide – Broadcom Audit Defense 101: Strategies to Handle Broadcom/VMware/CA/Symantec License Audits.

How Broadcom (CA/Symantec) Audits Differ from VMware

Broadcom (CA/Symantec) audits are strict, regular (typically conducted every 1–2 years), and usually handled by third-party firms that conduct detailed data reviews. Broadcom treats audits as an enforcement tool to catch any license shortfall.

VMware rarely audited in the past, preferring to resolve compliance during sales cycles. Under Broadcom, however, VMware is adopting a similar hard-line stance – formal audit notices are being issued, and audits are becoming routine.

In short, the historically relaxed VMware audit approach is aligning with Broadcom’s aggressive style.

What Each Portfolio Looks For (Metrics & Evidence)

Each Broadcom product family has unique audit focus areas:

  • Mainframe (CA): Metric: Mainframe capacity (MIPS/MSUs). Auditors check peak MSU usage (via IBM SCRT reports) against your licensed MSU cap. Evidence: SCRT output files, LPAR capacity settings, and any sub-capacity or DR documentation. Be prepared to demonstrate that each CA product’s usage remains within your licensed capacity.
  • Symantec (Security): Metric: Count of protected endpoints or users. Auditors request console reports that show active devices/users versus the licenses owned. Evidence: Exports from Symantec admin consoles (SEP, DLP, etc.), lists of deployed agents, and license keys/files. Clean up inactive accounts/devices beforehand so reported counts match your entitlements.
  • VMware: Metric: Number of hosts and CPU cores (plus features like vSAN/NSX). Auditors use vCenter to tally all ESXi hosts/cores and see if any premium features are unlicensed. Evidence: vCenter inventory/licensing reports, license key listings, and feature usage logs. Demonstrate that your VMware licenses or subscriptions fully cover the total number of cores and any feature usage.

Comparison Table – At a Glance

Aspect | Broadcom (CA/Symantec) | VMware (before vs. now)
Audit posture | Enforcement-focused, strict | Lenient historically; now stricter
Frequency | Regular (e.g. every 1–2 years) | Rare before; rising now
Auditors | External firms lead audits | Internal team before; external now
License metrics | Mainframe MSUs; security users/devices | Hosts/cores; add-on features
Data requested | SCRT reports, console exports | vCenter reports, license keys
Common issues | Over-capacity, extra users, unlicensed features | Unlicensed hosts/cores, unlicensed features
Settlement | Back fees & penalties; new contracts pushed | True-ups at renewal; getting tougher

Pre-Audit Preparation – Tailored Hygiene

Keep license usage clean and documented:

  • Mainframe (CA): Save monthly SCRT reports and ensure peak MSUs stay under licensed limits. Map each CA product to its LPAR, noting capacity used vs. licensed (including DR/test instances).
  • Symantec (Security): Regularly reconcile console-reported user/device counts to your purchased licenses. Remove stale entries and resolve any issues related to overuse before auditors discover them.
  • VMware: Quarterly, use vCenter to verify all hosts and cores against their respective licenses. Verify that vSAN, NSX, etc., are licensed on every cluster where they are used (or disabled where they are not).

Responding to an Audit Notice – Scope and Control

When an audit notice arrives, take control early:

  • Confirm scope: Get the audit scope (products, period) in writing and stick to it.
  • Ensure confidentiality: Have auditors sign NDA clauses so your data and findings stay confidential.
  • Control tools: Only allow agreed-upon scripts or tools, and execute them yourself to protect your environment and verify output.
  • Schedule wisely: Arrange audit activities to minimize disruption (e.g., off-peak data gathering).
  • Document everything: Keep a written log of all auditor requests and your responses.

Read about CA mainframe audits, CA Mainframe Audits Under Broadcom: A Practical Defense Playbook.

Common Findings and How to Defuse Them

Be ready to address these frequent audit issues:

  • Over-deployment: Using more licenses than purchased. Fix: Uninstall or procure licenses for excess usage. Cross-check the auditor’s counts with your records (they may include retired systems) and provide any necessary corrections.
  • Metric misinterpretation: Miscounting due to unclear definitions (e.g., user vs. account). Fix: Point to contract definitions and show your calculation. If the rules are ambiguous, negotiate a fair resolution rather than a penalty.
  • DR/Test usage: Non-production systems counted as full use. Fix: Show that they are on standby or in test mode (documentation, diagrams). Remind auditors of any DR rights in your contract. If none, propose licensing DR systems in the future rather than paying a fine.
  • Expired support use: Using software after the support or subscription has lapsed. Fix: If you hold a perpetual license, point out that you still retain the right to use the latest version. Offer to renew support going forward instead of paying backdated fees.
  • Unlicensed cloud instances: Deployments in cloud (AWS/Azure) not covered by on-prem licenses. Fix: Quickly assign available licenses to those instances or shut them down. Discuss proper licensing for cloud deployments in the future to prevent repeat issues.

Settlement Paths – Broadcom vs. VMware

Audit settlements often differ in style:

  • Broadcom (CA/Symantec): Broadcom may initially demand payment for past non-compliance (missing licenses plus back maintenance). Don’t accept without negotiation. They often convert penalties into a deal – for example, you commit to a new multi-year license or subscription, and they waive some or all back fees. Aim to pay for future value (new licenses) rather than just past penalties.
  • VMware: Historically, VMware would allow you to purchase the shortfall licenses in the future with no significant penalties. Now, they might lean stricter at first, but you should push for the classic VMware approach: true-up with a normal purchase or renewal. Involve your account rep and frame it as a sales opportunity (buying what you need) rather than a fine. This typically results in a more favorable outcome.

Contract Hardeners – Clauses That Save You Later

In your contracts, add clauses to tame future audits:

  • Limit frequency: e.g., “No more than one audit every 2 years.”
  • Advance notice: e.g., “At least 60 days written notice before audit.”
  • Tool approval: e.g., “Audit tools/scripts require customer approval.”
  • Confidentiality: e.g., “Audit findings are confidential.”
  • Remediation window: e.g., “60 days to cure any license gap before penalties.”
  • Self-audit option: e.g., “Customer may annually certify compliance instead of an audit.”

Even one or two of these can make audits much more manageable.

Global Considerations

For multinational audits, plan globally:

  • Central coordination: Manage the audit through a central team. Provide consistent data across regions and negotiate as a unified company, rather than separately for each country.
  • Legal & privacy compliance: Respect GDPR and local laws when sharing data. Anonymize personal data as needed, and adjust the audit process to comply with any country-specific legal requirements (for example, on-site reviews in regions that prohibit sending data abroad).

Checklists – What to Prep Per Portfolio

Have these ready in advance for each area:

Mainframe (CA) Checklist:

  • SCRT reports are generated for each month, noting the peak MSUs versus licensed MSUs.
  • Mapping of CA products to LPARs with allocated vs. licensed capacity (include DR LPARs).
  • All CA license contracts/certificates, with any special terms (sub-capacity rules, DR rights) on hand.

Symantec (Security) Checklist:

  • Current active user/device counts from each Symantec console (with outdated entries removed).
  • List of licenses owned per product and the corresponding current usage counts.
  • License keys/files for all Symantec products, and their support renewal dates.

VMware Checklist:

  • vCenter report of all ESXi hosts, CPUs/cores, and licenses assigned.
  • Inventory of VMware license keys and contracts, including entitlements (cores or instances covered) and support status.
  • List of all in-use VMware features (vSAN, NSX, etc.) with confirmation you have licenses for each; disable any feature you aren’t licensed for.
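The quarterly vCenter check described under Pre-Audit Preparation and the VMware checklist above both come down to the same inventory: every ESXi host, its physical core count, the license key assigned to it, and whether add-on features such as vSAN are switched on per cluster. The PowerCLI script below is an added example, not code from the original article or from Broadcom/VMware; it assumes VMware PowerCLI is installed, that the account used is authorized to read the vCenter inventory, and that the vCenter name and output paths (placeholders) are replaced with your own.

```powershell
# Added example: PowerCLI inventory of ESXi hosts, physical cores and assigned
# license keys, plus a per-cluster vSAN status, for comparison against entitlements.
# Assumptions: PowerCLI installed; read access to vCenter; server name and
# CSV paths are placeholders.

Connect-VIServer -Server 'vcenter.example.internal'   # placeholder vCenter FQDN

# The built-in evaluation key that vSphere assigns to hosts with no real license.
$evalKey = '00000-00000-00000-00000-00000'

# One row per host: cluster, sockets, physical cores, assigned key, connection state.
$hostReport = Get-VMHost | ForEach-Object {
    [PSCustomObject]@{
        Host       = $_.Name
        Cluster    = (Get-Cluster -VMHost $_).Name
        Sockets    = $_.ExtensionData.Hardware.CpuInfo.NumCpuPackages
        Cores      = $_.ExtensionData.Hardware.CpuInfo.NumCpuCores
        LicenseKey = $_.LicenseKey
        State      = $_.ConnectionState
    }
}

# Totals an auditor would tally: all physical cores, and hosts with no real key.
$totalCores = ($hostReport | Measure-Object -Property Cores -Sum).Sum
$unlicensed = $hostReport | Where-Object { -not $_.LicenseKey -or $_.LicenseKey -eq $evalKey }

# Per-cluster vSAN status: any cluster with vSAN enabled needs vSAN licensing.
$vsanReport = Get-Cluster | ForEach-Object {
    $cfg = Get-VsanClusterConfiguration -Cluster $_
    [PSCustomObject]@{ Cluster = $_.Name; VsanEnabled = $cfg.VsanEnabled }
}

# Keep the evidence: these CSVs are what you reconcile against purchase records.
$hostReport | Export-Csv -Path '.\vmware-host-licenses.csv' -NoTypeInformation
$vsanReport | Export-Csv -Path '.\vmware-vsan-clusters.csv' -NoTypeInformation
"Total physical cores: $totalCores; hosts without a real license key: $($unlicensed.Count)"

Disconnect-VIServer -Server '*' -Confirm:$false
```

Run it from the same workstation each quarter and keep the dated CSVs with your contracts; the core total is the number an auditor will compare with your core entitlements, and any host on the evaluation key or any vSAN-enabled cluster without a matching license is exactly the kind of finding the hygiene steps above are meant to catch first. NSX and other add-ons are not covered here and need their own check.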

FAQs

Q: Are VMware audits now as aggressive as CA’s?
A: Yes – VMware is auditing customers with frequency and rigor similar to CA/Symantec.

Q: What data will auditors ask for?
A: Proof of usage versus licenses. Expect to provide items such as SCRT mainframe reports, Symantec console user/device counts, VMware vCenter host and core counts, and your purchase records.

Q: Can we limit an audit’s scope?
A: You can negotiate scope and get it defined in writing (focus on certain products or timeframes). You can’t refuse an audit, but you can contain it to what is contractually relevant.

Q: How do we challenge incorrect findings?
A: Present your own data and the contract. Show where the auditor’s numbers are wrong (e.g., including decommissioned systems) or how your usage fits the agreement. Use hard evidence and don’t hesitate to escalate within Broadcom if needed.

Five Tactical Recommendations

  1. Keep license proof ready: Continuously maintain an accurate inventory of deployed Broadcom/VMware software and matching entitlements for quick compliance evidence.
  2. Negotiate audit guardrails: Add audit frequency limits, notice periods, and tool approvals to your contracts now to constrain future audits.
  3. Leverage audits in negotiations: If an audit finds a shortfall, treat it as leverage to negotiate a better deal (like a discounted license true-up or favorable renewal) instead of just paying penalties.
  4. Centralize audit management: Assign a single team or executive to handle all audits across the organization, ensuring a consistent and controlled response.
  5. Self-audit and remediate: Conduct periodic internal compliance audits. Find and fix any licensing issues yourself – it’s far cheaper and easier than waiting for Broadcom to find them.

Read about our Broadcom Audit Defense Service.

Author

  • Fredrik Filipsson

    Fredrik Filipsson brings two decades of Oracle license management experience, including a nine-year tenure at Oracle and 11 years in Oracle license consulting. His expertise extends across leading IT corporations like IBM, enriching his profile with a broad spectrum of software and cloud projects. Filipsson's proficiency encompasses IBM, SAP, Microsoft, and Salesforce platforms, alongside significant involvement in Microsoft Copilot and AI initiatives, improving organizational efficiency.