CA Mainframe Audits Under Broadcom
Why Mainframe Audits Bite Hard
Mainframe software audits conducted under Broadcom (formerly CA Technologies) are notoriously rigorous and data-driven.
They often hinge on IBM’s Sub-Capacity Reporting Tool (SCRT) data and Rolling 4-Hour Average (R4HA) usage peaks, meaning even a small usage oversight can balloon into a significant compliance cost.
The good news is that with the right preparation and strategy, you can stay in control of the process and avoid unwelcome surprises.
Know the Auditor’s Playbook
Broadcom (CA) typically reserves the right to conduct audits with prior notice (e.g., 30 days) and at a limited frequency (no more than once per year).
Be aware of these limits. When an audit happens, expect requests for data such as:
- SCRT Usage Reports: Monthly IBM SCRT reports showing peak MSU usage (R4HA) for each licensed product and LPAR.
- LPAR Topology & Capacity: A map of your logical partitions, their capacities (with any capping settings), and which Broadcom/CA products run on each.
- Sub-Capacity Proof: Evidence that you meet IBM’s sub-capacity criteria (for example, SMF data collection, SCRT reports, and running only a supported OS on your mainframes). If any prerequisite was not met, auditors may use it to push for full-capacity licensing.
- Software Inventory & Environments: A full list of Broadcom/CA mainframe products installed (with usage logs like SMF records) and details of any disaster recovery or test LPARs. This helps determine what should be counted and what might be excluded or treated differently.
Pre-Audit Preparation (Self-Audit)
Don’t wait for Broadcom to find issues – audit yourself first:
- Run Your Own SCRT: Regularly run SCRT reports and identify each product’s peak MSUs. Compare these against your entitlements.
- Reconcile Licenses to Usage: Ensure every Broadcom/CA product installed corresponds to a valid license. Remove or correct any software running on LPARs that isn’t licensed or required.
- Verify Sub-Cap Compliance: Confirm you follow IBM’s sub-capacity rules (collect SMF data, submit reports on time, run a supported OS). Fix any gaps immediately.
- Prepare an Evidence File: Maintain a repository of key data – SCRT outputs, LPAR configurations, entitlement documents, and SMF logs. This ready-to-go evidence pack lets you quickly answer questions and verify auditor findings.
Sub-Capacity vs. Full-Capacity Risks
If you don’t meet IBM’s sub-capacity prerequisites, Broadcom can insist on licensing at full machine capacity instead of actual usage – a devastating jump in cost. Prevent this by strictly following IBM’s rules.
Keep proof that you meet all requirements (e.g., SCRT submissions, correct LPAR setups, etc.).
If Broadcom pushes for full-capacity charges, counter with your compliance evidence. If you push back, a one-time slip that you have since fixed shouldn’t justify full-capacity licensing.
Peak Management (Ethical Smoothing)
Be smart about managing your peak usage, but keep it ethical:
- Smooth Out Spikes: When possible, schedule heavy batch jobs or workloads in off-peak hours so they don’t all stack up into a huge simultaneous peak. Spreading out processing lowers your highest MSU consumption.
- Use Capping Wisely: Implement reasonable capacity caps (e.g., defined capacity on certain LPARs) to prevent usage above what you planned, especially on non-production systems. Document the rationale for any cap – it should be for efficiency, not just to game licensing.
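The peak calculation behind the self-audit and peak-management steps above, as an added example that is not part of the original article and is not IBM's SCRT. It is a simplified model on hourly samples; the LPAR names, PRODUCT_A, the MSU values, the 350 MSU entitlement and the treatment of a defined-capacity cap as a ceiling on the counted value are all assumptions made for illustration.

```python
# Added example: simplified self-audit model, NOT IBM's SCRT.
# LPAR names, product name, MSU samples and entitlement are constructed.
WINDOW = 4  # hours in the rolling average


def r4ha(hourly_msu, window=WINDOW):
    """Rolling average of hourly MSU samples, one value per full window."""
    return [sum(hourly_msu[i - window + 1:i + 1]) / window
            for i in range(window - 1, len(hourly_msu))]


def product_peak(lpars, product):
    """Highest simultaneous sum of per-LPAR R4HA over LPARs running `product`.

    Assumption: a defined-capacity cap limits the value counted for that LPAR.
    """
    series = []
    for lpar in lpars.values():
        if product not in lpar["products"]:
            continue  # LPARs without the product do not contribute
        cap = lpar.get("defined_capacity")
        avg = r4ha(lpar["msu"])
        series.append([min(a, cap) for a in avg] if cap is not None else avg)
    combined = [sum(hour) for hour in zip(*series)]
    return max(combined, default=0.0)


def shortfall(lpars, product, entitled_msu):
    """MSUs by which the product's peak exceeds the entitlement (0 if within)."""
    return max(0.0, product_peak(lpars, product) - entitled_msu)


def make_lpars(test_msu, test_cap=None):
    """Constructed 12-hour sample: one production, one test, one unrelated LPAR."""
    return {
        "PROD1": {"products": {"PRODUCT_A"}, "msu": [100] * 4 + [300] * 4 + [100] * 4},
        "TEST1": {"products": {"PRODUCT_A"}, "msu": test_msu, "defined_capacity": test_cap},
        "DEV1": {"products": set(), "msu": [50] * 12},
    }


ENTITLED = 350  # constructed entitlement for PRODUCT_A, in MSUs
STACKED = make_lpars([20] * 4 + [100] * 4 + [20] * 4)  # test batch overlaps prod peak
SPREAD = make_lpars([100] * 4 + [20] * 8)              # same test batch, moved earlier
CAPPED = make_lpars([20] * 4 + [100] * 4 + [20] * 4, test_cap=60)

if __name__ == "__main__":
    for name, env in (("stacked", STACKED), ("spread", SPREAD), ("capped", CAPPED)):
        print(name, product_peak(env, "PRODUCT_A"), shortfall(env, "PRODUCT_A", ENTITLED))
```

The same total test workload produces a different counted peak depending only on whether it overlaps the production peak, which is the figure to compare against entitlements before an auditor does.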
Common Audit Findings & How to Counter Them
Auditors often zero in on a few familiar issues. Here’s how to counter each:
- Peak MSUs Over Entitlement: The audit reveals a usage peak exceeding the licensed amount. Defense: Verify the data. If the peak was a one-off anomaly (e.g., a DR test or special batch job), explain that context. Show that normal operations stay within your entitlement.
- Product on Unlicensed LPAR: A Broadcom product was found running on an LPAR with no license. Defense: Uninstall or disable it immediately, and show that it was a mistake or never used. Emphasize that it has now been removed and no production use occurred on that LPAR.
- DR/Test Usage Counted as Prod: The auditors counted MSUs from disaster recovery or test LPARs as if they were production. Defense: Identify those systems and provide evidence that they’re not active in daily production. Argue that truly idle DR systems and isolated test environments should be excluded or at least heavily discounted in the calculations.
- Retroactive Charges: Auditors claim you were under-licensed in past years and want back fees. Defense: Push back. Unless your contract explicitly allows retroactive billing, focus on fixing the issue now. You can often get them to waive or reduce back charges if you agree to true-up going forward.
Responding to an Audit Notice
When an audit notice arrives, step-by-step control is essential:
- Acknowledge & Set Terms: Reply in writing, confirming cooperation and citing your audit clause limits (including notice and frequency). Clarify the audit’s scope and timeframe, and ensure an NDA is in place to protect any data you share.
- Assemble Your Team & Info: Form an internal audit response team (mainframe experts, SAM/licensing, procurement, legal). Assign one lead to communicate with Broadcom’s auditors. Gather the relevant data (SCRT reports, LPAR lists, etc.) in advance.
- Controlled Communication: Provide exactly what’s requested and nothing more. Keep a log of every file you send. Funnel all communication through your single point of contact – no side conversations. After any phone discussions, email a summary to have a written record.
Negotiating the Settlement
If the audit uncovers compliance gaps, don’t just accept a huge bill – negotiate a fair resolution:
- Future-Focused Deal: Shift the discussion away from penalties and toward a solution. Propose covering any shortfall by acquiring the necessary licenses or MSUs (possibly folded into a new or expanded agreement) instead of paying a fine.
- No Pure Penalty: Don’t pay a lump sum for past usage with nothing in return. Insist that any settlement cost gives you something tangible – like credit toward new licenses or support – rather than just a fee.
When to Involve IBM
IBM’s rules are the foundation of sub-capacity licensing, so IBM can sometimes help your case:
- Sub-Capacity Disputes: If Broadcom questions your sub-capacity compliance, have IBM confirm your status. An official note from IBM stating that you followed their sub-cap rules can effectively shut down a full-capacity argument.
- Data Verification: If SCRT calculations or other technical details are in question, consult IBM for clarification. Use IBM’s help only for factual verification – they won’t negotiate money matters, but their input on technical facts or policy can back you up.
Contract Hardening for the Future
To prevent audit dramas, strengthen your contract language next time you negotiate:
- Limit Frequency & Notice: Limit audits to no more than once every X months/years, with at least Y days’ advance notice.
- Agreed Tools Only: Require use of standard measurement tools (e.g., IBM SCRT and your SMF data); no unapproved software on your systems.
- Ensure Confidentiality: Specify that audit information is confidential and only used for license compliance purposes.
- Include a Cure Period: Give yourself a grace period (say 60 days) to remedy any compliance issues before any penalties apply.
- Clarify DR/Test Exclusions: Define how disaster recovery and test environments are handled (for example, exclude idle DR LPARs from charges, or count test LPARs at reduced capacity).
FAQs
Q: Will one mistake with IBM’s rules trigger full-capacity charges?
A: Broadcom may threaten full-capacity licensing if you slip on IBM’s sub-cap rules, but if you fix it quickly, you can stay on sub-capacity pricing.
Q: How far back can Broadcom audit usage?
A: They might review a year or two of data. However, you should negotiate to limit the scope to the current term rather than past years.
Q: Do DR or test LPARs count toward licensing?
A: By default, yes – all active LPARs count. But you should negotiate (in the audit or contract) to exclude idle DR systems and non-production test LPARs.
Q: Should we involve IBM during a Broadcom audit?
A: Only for technical clarity. IBM can confirm if you followed sub-capacity rules or if SCRT data is accurate, but IBM won’t negotiate financial terms with Broadcom.
5 Tactical Recommendations
- Run SCRT Reports First: Know your own usage and compliance status before the auditors do.
- Document Sub-Cap Compliance: Keep proof that you follow IBM’s sub-capacity rules so Broadcom can’t flip you to full-capacity licensing.
- Set Audit Ground Rules: Agree on the audit scope, tools, and treatment of DR/test systems upfront to avoid surprises.
- Negotiate, Don’t Surrender: If an issue is found, turn it into a deal (buy needed licenses on fair terms) instead of just paying penalties.
- Fortify Future Contracts: Add audit clause protections (limits on frequency, notice, confidentiality, cure period, DR exclusions) to protect yourself next time.