Symantec Software Audits Under Broadcom
Broadcom’s acquisition of Symantec’s enterprise software business has brought a new era of aggressive license audits for Symantec products.
Following Broadcom’s tradition (seen with CA mainframe and, more recently, VMware), Symantec customers are experiencing stricter compliance enforcement.
These audits leverage Symantec’s telemetry-heavy tools and detailed usage data, making it more likely for any overuse of licenses or features to be discovered.
Don’t panic: A Symantec audit can be managed and negotiated with the right approach. This guide provides a step-by-step playbook for IT security managers, SAM teams, and procurement/legal leads to defend against Symantec license audits under Broadcom.
We’ll cover what the audits focus on, how to prepare in advance, how to respond effectively, negotiation tactics, and ways to prevent future issues.
The goal is to minimize compliance risks and turn a potentially stressful audit into a manageable, even routine, process.
For a complete overview, read our ultimate guide – Broadcom Audit Defense 101: Strategies to Handle Broadcom/VMware/CA/Symantec License Audits.
What Symantec Audits Focus On
Broadcom’s Symantec audits typically zero in on a few key compliance areas. Understanding these focus points helps you prepare the right data and defenses:
- User and Device Counts: Most Symantec software (like Symantec Endpoint Protection or Email Security) is licensed per endpoint or per user. Auditors will compare the number of protected devices/users in your environment to what you purchased. For example, if you bought 5,000 endpoint licenses but have 6,000 devices actually protected, that overage is a compliance gap they will flag.
- Server and Appliance Instances: Products such as Data Loss Prevention (DLP) servers, Messaging Security gateways, or Blue Coat/ProxySG appliances are often licensed per instance or capacity. An audit will verify the number of servers or appliances you have deployed against your entitlements. If you stood up extra DLP detection servers or proxy appliances beyond your license count, expect that to be a finding.
- Feature/Module Usage: Symantec suites often bundle multiple features, but you might only be licensed for a subset. Auditors will scrutinize whether you’re using any modules or advanced features not covered by your license. For instance, you might have a license for Symantec DLP Endpoint only, but if the Network DLP module was enabled or tested, that’s technically unlicensed usage. Similarly, some Symantec Endpoint Protection deployments inadvertently activate features (such as device control or encryption) that were not included in the purchased edition.
- Geographic or Affiliate Scope: Broadcom will verify whether your deployment scope aligns with your contract. If your Symantec licenses are contracted for use in North America but your IT team rolled out the software in overseas offices or subsidiary companies, the audit may claim you’re out of compliance. Auditors look for usage outside the agreed entity or region. Ensuring you have global use rights (if needed) is critical, as multi-site or affiliate usage can trigger findings if not covered in the contract.
In short, Symantec audits under Broadcom focus on counts (users, devices, and servers) and any discrepancies between what’s enabled and what’s licensed.
Even relatively small over-deployments or feature misuses can be identified, so vigilance in these areas is crucial.
Pre-Audit Checklist: Preparing Before You Get Audited
The best defense is preparation. Long before an audit notice arrives, implement these proactive steps to ensure you’re ready and to reduce potential exposure:
- Verify Entitlements vs. Actual Use: Maintain an up-to-date inventory of all Symantec licenses you own (entitlements) and compare it regularly against actual deployment numbers. Know exactly how many seats, users, or instances you are entitled to for each product, and track how many are actively in use. Keep records of purchase orders and license certificates organized.
- Run Internal Usage Reports: Use Symantec’s management consoles and reporting tools to your advantage. For example, run reports from the Symantec Endpoint Protection Manager or cloud portal to see current active endpoints, or from the DLP console to list active agents/servers. These internal reports provide a precise view of what the vendor’s software sees in terms of deployment. Running them monthly or quarterly helps catch any over-deployment issues early, allowing you to correct them (e.g., by purchasing additional licenses or removing unused installations).
- Clean Up Stale Accounts and Devices: A common audit pitfall is “phantom” usage from old accounts or devices. Before an audit, audit your own Active Directory and Symantec consoles. Remove or deactivate user accounts that are no longer in use with the company, and uninstall agents from decommissioned machines. Ensure the Symantec systems aren’t counting retired laptops, test VMs, or ex-employees. This cleanup can significantly reduce apparent usage counts.
- Check Enabled Features vs. Licenses: Review your Symantec product configurations to ensure you haven’t enabled features you didn’t purchase. For example, if you’re licensed only for basic endpoint protection, make sure fancy add-ons (like endpoint EDR, encryption, or cloud discovery modules) are turned off if they’re not covered. Similarly, for DLP, verify that only the licensed modules (such as endpoint monitoring) are active, and not other components like network prevention or cloud SOC integrations, unless you have the necessary rights to them. Document which features are enabled for each deployment and match them to your license entitlements.
- Confirm Contract Scope (Sites/Entities): Double-check your Symantec license agreements for any restrictions on use. Are the licenses enterprise-wide, or tied to specific business units or geographies? If you operate globally, ensure you have contractual language allowing global use or include all relevant affiliates. If not, consider addressing this at renewal before an audit happens. It’s easier to negotiate a proper scope upfront than to explain an out-of-scope usage during an audit.
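The first four checklist items amount to one reconciliation: compare an inventory export against entitlements, exclude stale devices from the count, and flag enabled features the purchased edition does not cover. The script below is an added example, not code from the page or from any Symantec tool; the CSV column layout, the 90-day stale threshold (taken from the audit-findings discussion) and the entitlement record are all constructed assumptions.

```python
"""Reconcile a constructed endpoint inventory export against license entitlements.

Added example (not a Symantec export format): the CSV columns, the entitlement
record and the 90-day stale cutoff are assumptions made for this illustration.
"""
import csv
import io
from datetime import date, timedelta

STALE_DAYS = 90  # devices silent longer than this are treated as stale, not active usage

# Constructed entitlement record: product -> licensed seat count and licensed features.
ENTITLEMENTS = {
    "endpoint_protection": {"seats": 4, "features": {"antivirus", "firewall"}},
}

# Constructed inventory export; one row per managed device.
INVENTORY_CSV = """\
device,product,last_checkin,features
lap-001,endpoint_protection,2024-06-01,antivirus;firewall
lap-002,endpoint_protection,2024-05-28,antivirus;firewall;device_control
lap-003,endpoint_protection,2024-01-15,antivirus
vm-test-9,endpoint_protection,2023-12-01,antivirus;encryption
lap-004,endpoint_protection,2024-06-02,antivirus;firewall
lap-005,endpoint_protection,2024-06-02,antivirus;firewall
lap-006,endpoint_protection,2024-06-03,antivirus
"""


def parse_inventory(text):
    """Parse the constructed CSV into dicts with a date and a feature set per device."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "device": r["device"],
            "product": r["product"],
            "last_checkin": date.fromisoformat(r["last_checkin"]),
            "features": {f for f in r["features"].split(";") if f},
        })
    return rows


def reconcile(rows, entitlements, as_of, stale_days=STALE_DAYS):
    """Per product: raw vs. active device counts, stale devices, seat overage,
    and any device with a feature enabled that the entitlement does not cover.
    Feature checks run over every device (stale ones included) because a stale
    agent still reports what it has enabled; seat overage uses active devices only."""
    cutoff = as_of - timedelta(days=stale_days)
    report = {}
    for product, ent in entitlements.items():
        devs = [r for r in rows if r["product"] == product]
        stale = [r["device"] for r in devs if r["last_checkin"] < cutoff]
        active = [r for r in devs if r["last_checkin"] >= cutoff]
        unlicensed = {}
        for r in devs:
            extra = r["features"] - ent["features"]
            if extra:
                unlicensed[r["device"]] = sorted(extra)
        report[product] = {
            "licensed_seats": ent["seats"],
            "raw_count": len(devs),
            "active_count": len(active),
            "stale_devices": stale,
            "overage": max(0, len(active) - ent["seats"]),
            "unlicensed_features": unlicensed,
        }
    return report


def run_example():
    """Reconcile the constructed data as of a fixed date so results are reproducible."""
    return reconcile(parse_inventory(INVENTORY_CSV), ENTITLEMENTS, date(2024, 6, 5))


if __name__ == "__main__":
    for product, rep in run_example().items():
        print(f"{product}: {rep['active_count']} active of {rep['raw_count']} reported, "
              f"{rep['licensed_seats']} licensed, overage {rep['overage']}")
        print("  stale (exclude from count):", rep["stale_devices"])
        print("  unlicensed features by device:", rep["unlicensed_features"])
```

Running it on the constructed data shows the three things an auditor would otherwise surface: two stale entries that inflate the raw count, one seat of genuine overage once they are excluded, and two devices with modules enabled beyond the licensed edition.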
By following this pre-audit checklist, you’ll create a solid foundation of compliance. It’s much easier to face an auditor when you already have a clear internal picture of your Symantec software usage and have cleaned up any obvious issues.
Read about CA mainframe audits, CA Mainframe Audits Under Broadcom: A Practical Defense Playbook.
Responding to a Symantec Audit
When Broadcom initiates a Symantec license audit, a calm and methodical response is critical.
Here’s how to handle the audit process once you receive that dreaded notification:
- Engage Formally and Define the Scope: Once you get an audit notice, respond in writing, acknowledging the audit and requesting clarity on the scope. Confirm which products and what time period the audit will cover. This prevents scope creep. It’s also wise to designate a single point of contact in your organization (e.g., a SAM manager or compliance officer) to communicate with the auditor. All correspondence should go through this central person or team to ensure consistency.
- Insist on an NDA: Before sharing any data, insist that Broadcom (and any third-party auditors they use) sign a Non-Disclosure Agreement. This NDA should ensure that any information you provide – such as detailed network topology, security logs, or employee counts – will be kept confidential and used solely for compliance purposes. Broadcom audits often involve sensitive data (especially with security software deployments), so you want legal assurance that it won’t be misused or exposed.
- Provide Data Systematically, Not Ad-Hoc: Prepare the required usage data carefully and deliver it in a structured format. For instance, if they request the number of endpoint installations, you might generate an official report from the Symantec console and share that as a PDF or spreadsheet. Avoid giving raw database access or unfiltered screenshots that include extraneous information. Never hand over more data than necessary. If they want certain logs, provide just those logs, nothing more. This controlled approach prevents misunderstandings and limits exposure to unrelated information.
- Keep Communication Professional and Documented: Treat the audit like a formal project. Keep a log of all requests from the auditors and your responses. If the auditors hold meetings or calls, follow up with an email summarizing the key points discussed and agreed upon. This creates an audit trail of the process, ensuring that there is no “he said/she said” confusion later. Professional, factual communication also signals to Broadcom that you’re serious and organized – possibly discouraging overly aggressive tactics.
- Cross-Verify the Findings: When the auditor presents preliminary findings (for example, claiming you are 500 licenses short on Endpoint Protection, or that you enabled an unlicensed DLP module), don’t accept them at face value. Cross-check every claim against your own records and data. Perhaps their script counted dormant devices that you removed, or double-counted a user who appears in two systems. It’s common to find discrepancies. Engage in a dialogue to reconcile numbers – provide evidence from your side to show accurate counts or explain any anomalies. By politely challenging the findings with data, you ensure that you’re not over-penalized for incorrect or outdated information.
By responding to the audit in this structured manner – with a clear scope, robust legal protections, controlled data sharing, and meticulous verification – you maintain control of the narrative. You transform the audit from a fishing expedition into a well-defined review, and you put yourself in a stronger position to resolve any issues on favorable terms.
Read how to negotiate Broadcom audit settlements, Negotiating Audit Settlements with Broadcom: Turning Findings into Commercial Deals.
Typical Audit Findings & How to Handle Them
Even with good preparation, audits often surface some compliance gaps.
Here are common Symantec audit findings under Broadcom, and strategies to handle each:
- Stale “Phantom” Users or Devices: Auditors often find more users/devices in the system than you thought you had, because old accounts or decommissioned devices were never fully removed. If the audit reports, say, 10% more endpoints than your active employee count, explain that these are stale entries. Provide evidence: for example, a list of users identified as non-active (with termination dates), or device logs showing last check-in was over 90 days ago. Demonstrate that a process is in place to purge or archive these, and request that only active, current assets be included in the count. In many cases, auditors will concede that those aren’t real usage if you document it well.
- Unlicensed Feature/Module Use: Perhaps the audit shows you using a Symantec feature that wasn’t in your license. For instance, an advanced reporting module or a specific DLP detection capability might have been inadvertently enabled or used for trial purposes. A good defense is to demonstrate a lack of intentional misuse. Explain that the feature was enabled inadvertently or only for a short evaluation, and that it has now been disabled once you realized it wasn’t covered. If possible, provide screenshots or config exports showing it’s turned off now. This paves the way for negotiating a solution (perhaps licensing it moving forward or simply removing it) rather than incurring a heavy penalty.
- Usage Outside Contract Scope: If Broadcom points out that some subsidiaries or regions not listed in the contract are using the software, you must handle the situation diplomatically. First, review your contracts to ensure they’re correct – sometimes enterprise agreements allow broader use, but auditors may not have the full context. If you have truly extended usage beyond the formal scope, acknowledge it and have a plan. Perhaps that overseas office was acquired recently, and you’re in the process of consolidating contracts. Emphasize that you’re willing to address the gap by purchasing additional licenses for that entity or adjusting the contract scope in the future. Essentially, treat it as a paperwork fix – you align the contract with reality (possibly involving some costs) rather than as a license violation deserving penalties.
- Back-Maintenance or Lapsed Support Claims: Broadcom auditors may identify deployed instances that are not covered by a current maintenance/support agreement (for example, a Symantec product running on a server whose support was never renewed). Their typical stance is to demand that you pay “back maintenance” for the lapsed period, or penalties for using software without support. This can be a huge financial hit if they look back several years. Your tactic here should be firm: negotiate this as part of a new purchase or renewal rather than writing a check purely for back fees. Argue that the value to Broadcom is in moving forward with proper licensing and support – you’re ready to correct the issue by renewing support or migrating to a subscription, but you expect a waiver or significant reduction of retroactive charges. Often, if you commit to a new deal, Broadcom will relent on punitive back-billing.
Throughout these scenarios, maintaining a cooperative but assertive tone is key. Acknowledge genuine mistakes, show how you’re remediating them, but also stand your ground against unfair or excessive claims.
Every finding can usually be resolved by either adjusting your usage (disabling or removing excess) or by purchasing the needed licenses – it’s just a matter of negotiation, not blame.
Negotiating Audit Outcomes
Once the audit findings are on the table, the focus shifts to resolving any compliance gaps that have been identified.
This is where you turn a potentially scary result (such as a significant license shortfall) into a manageable commercial discussion.
Keep these negotiation strategies in mind:
- Steer Toward a Commercial Settlement: Always drive the conversation away from “You violated terms, pay penalties” and towards “Let’s reach a business solution.” In practice, this means framing the outcome as a true-up sale or contract adjustment, not a fine. Remind Broadcom that you want to be a compliant customer and are willing to invest in the proper licenses – but in a fair way that benefits both parties.
- True-Up Small Overages at a Discount: If the audit finds only a minor overuse (e.g., 5% more endpoints than licensed), propose a straightforward true-up: you’ll purchase the additional licenses to cover the excess, ideally at a discounted rate given the circumstances. Broadcom’s sales team actually likes this outcome (it’s easy revenue), so leverage that by asking for a reasonable price. Often, they’ll agree to sell you the needed licenses without any punitive fees, especially if it’s not a massive gap.
- Roll Big Gaps into a Renewal or New Deal: For larger compliance issues (such as being 30% under-licensed or using an entire module without a license), a good tactic is to incorporate them into your next renewal or a new multi-year agreement. For example, if your Symantec software renewal is due in 6 months, consider addressing the shortfall by renewing early or expanding the contract to include the extra usage (and the previously unlicensed features) for the future. In return, you ask Broadcom to waive or heavily reduce any retroactive charges. This forward-looking approach turns a painful audit bill into part of a negotiated investment in the relationship. Broadcom may be more amenable because it locks you in as a customer for a longer period under a new contract.
- Push for Penalty Waivers: Be upfront in seeking a “no penalties” resolution, especially if this is a first-time audit issue. Emphasize that the compliance gaps were not the result of willful piracy, but rather operational oversights that you are correcting. If you’ve been a long-time customer or just committed to a large purchase (like other Broadcom products or even VMware solutions), mention that goodwill. Broadcom often positions audits as compliance checks, not revenue generators, so politely insist that punitive back-charges don’t foster a good partnership. Even if they don’t waive 100% of penalties initially, this sets the stage to negotiate them down significantly as part of the final settlement.
- Highlight Future Compliance Controls: When requesting leniency, strengthen your case by demonstrating that you’ve learned from this incident and are implementing more robust controls. For instance, explain that you’ve put in place a monthly internal audit, or integrated license monitoring into your ITSM processes, or that you will be consolidating all Symantec usage under one global contract to avoid confusion. Demonstrating these improvements gives Broadcom confidence that you won’t repeat the issue, which helps justify them giving you a break now.
During negotiations, maintain a respectful but firm stance. It often helps to involve procurement or executive sponsors, who can frame the solution as part of a continued business relationship.
Broadcom’s goal, ultimately, is to keep (and grow) your business – so use that as leverage.
By transforming the audit findings into a renewal discussion or a sales opportunity for Broadcom (on your terms), you can often emerge with minimal damage: just the cost of licenses you truly need, and perhaps even at a volume discount or bundled beneficially.
How to Prevent Repeat Audits (and Findings)
After navigating one Symantec audit, the last thing you want is to go through it again in a year. While you can’t stop Broadcom from exercising its audit rights, you can make future audits uneventful by staying continuously compliant.
Here are prevention best practices:
- Conduct Regular Self-Audits: Don’t wait for Broadcom – perform your own internal license audits at least annually (if not quarterly). Use the Symantec tools and your SAM processes to identify any over-deployment or feature creep early. If you find an issue, fix it (true up or turn off extras) on your own timetable. This way, if an official audit happens, you’ve already cleaned house. Document these self-audits; it shows good faith and can even be shared with auditors to demonstrate your proactive compliance efforts.
- Integrate Joiner/Leaver Processes with License Management: Many compliance issues arise from weak user lifecycle management – e.g., employees leave but their accounts (and software installations) linger, consuming licenses. Collaborate with HR and IT to integrate your identity and access management (IAM) or Active Directory processes with software provisioning. When someone leaves, ensure there’s a step to remove or deactivate their Symantec endpoint agent and any accounts from security systems. Likewise, for new hires, ensure that you allocate licenses properly and track when you’re nearing your limits. A tight joiner-mover-leaver process will prevent “phantom” user inflation over time.
- Monitor Usage by Product Module: Especially for Symantec suites or bundles, track usage at a granular feature level. Keep an inventory of which modules you are entitled to, and periodically verify with your security team which modules are actually in use. Implement internal controls so that if someone wants to enable a new module or feature, they must get approval confirming the license covers it. This prevents well-meaning IT staff from inadvertently activating something that triggers a compliance issue.
- Centralize License Tracking Across Sites: If your organization is large or global, it’s easy for different branches to deploy Symantec software outside of a central view. Combat this by centralizing license management. Use a single portal or SAM tool to track all deployments, or at least require regional IT teams to report their Symantec usage regularly. Ensuring that all usage rolls up to one inventory helps identify if someone in Division X spun up a new instance or if Office Y added 200 new endpoint clients beyond their allocated number. Central oversight prevents unwitting contract scope violations.
- Negotiate Better Audit Terms in Future Contracts: When you renew or sign new agreements with Broadcom for Symantec software, try to embed audit-friendly clauses. For example, limit audit frequency to no more than once every 2 or 3 years, require a 30-day notice before any audit, and specify that audits must be conducted in a manner that minimizes business disruption. You can also clarify that any findings will be discussed and validated jointly before any billing. In some cases, you might negotiate a self-certification clause – where you can provide an annual compliance letter instead of formal audits, as long as no major discrepancies are found. Getting these terms in writing can save headaches later. (See the example audit clause below.)
Example Audit Clause: “Vendor may audit license compliance no more than once in any 12-month period, with at least 30 days written notice. Any audit will be conducted during normal business hours and shall not unreasonably interfere with Customer’s operations. Vendor shall share audit findings with Customer for review and discussion before any invoice or true-up is issued. Customer will only bear audit costs in the event a material license shortfall (e.g., >5% of licenses) is discovered; otherwise, audit costs are borne by Vendor.”
- Stay Informed on Product Changes: Broadcom may change licensing models or bundle entitlements over time (for example, introducing a new suite or retiring a product). Stay in close contact with your Broadcom account manager and regularly review Symantec product documentation. If they change how a product is licensed or introduce a new feature in an update, assess if it impacts your compliance. By staying ahead of changes, you can adjust licenses or usage before it becomes an audit problem.
By implementing these preventive measures, you not only reduce the likelihood of non-compliance, but you also make any future audit a non-event.
Auditors prefer when a customer can quickly produce accurate usage data and has their house in order – in such cases, the audit might close with zero findings.
Moreover, showing a track record of internal compliance diligence can sometimes make Broadcom less inclined to target you frequently, as they realize you’re a low-risk account.
Audit Defense Checklist
To wrap up, here’s a quick-hit checklist you can use to manage Symantec audits under Broadcom from start to finish:
- Before an Audit – Be Prepared:
- Inventory all Symantec software licenses and current usage counts.
- Regularly run internal compliance reports (endpoints protected, users covered, etc.).
- Clean up inactive users/devices from systems.
- Document which features/modules are enabled vs. what’s licensed.
- Ensure contract scope covers all your usage (or know the gaps).
- When Audit Notice Arrives:
- Acknowledge receipt and clarify the scope and timeline of the audit.
- Designate a single internal lead (and team) for audit communications.
- Execute an NDA with Broadcom/auditors to safeguard your data.
- Gather the requested data from your systems (accurate and up-to-date).
- During the Audit:
- Provide data in an organized manner; don’t give more than what is asked.
- Keep detailed notes of all auditor questions and your responses.
- Maintain a single channel of communication – avoid side conversations between IT staff and auditors.
- Monitor the audit progress and address any minor queries promptly to prevent delays.
- After Initial Findings:
- Review the auditor’s findings report carefully against your own data.
- For each issue found, prepare a justification or remediation plan (evidence for stale accounts, plans to true-up licenses, etc.).
- Meet with the auditor (or a Broadcom representative) to review discrepancies and correct any inaccuracies in the findings.
- Negotiating the Settlement:
- Frame the resolution as purchasing necessary licenses or subscriptions, rather than paying fines.
- If compliance gaps are small, consider offering to purchase the shortfall at a discount.
- If gaps are large, discuss folding the resolution into a renewal or new multi-year deal (with incentives for you).
- Push back on any retroactive charges or heavy penalties – negotiate for waivers or reductions.
- Document the final agreement (what you’ll purchase, any waivers, timelines).
- Post-Audit Follow-Up:
- Immediately address the compliance issues (apply new licenses, disable unlicensed features, etc.).
- Implement any promised process improvements (e.g., new monitoring tools or procedures).
- Update internal records to reflect the new license counts or contract terms.
- Debrief internally to identify what went well and what needs improvement for next time.
- Continue periodic self-audits and tighten license management to prevent recurrence.
This checklist can be used as a quick reference anytime you suspect an audit might be forthcoming or are in the midst of one. Adjust it to your organization’s specifics, but the core idea is to stay organized, factual, and proactive at each stage.
FAQs
Does Broadcom use telemetry from Symantec products for audits?
Symantec’s products often collect usage data (telemetry) that Broadcom can access, especially if you’re using cloud-managed services. Broadcom might not openly say “we caught you via telemetry,” but you should assume they have insight into high-level usage (like the number of endpoints reporting in). In short, yes – built-in telemetry and support data can alert Broadcom to potential license overuse, which may prompt an audit. Always assume the vendor has at least some visibility, and maintain honest usage.
Can I refuse a Symantec audit?
Generally, no. Most Symantec enterprise contracts include an audit clause that gives Broadcom the right to audit your usage within certain parameters. Refusing an audit outright would likely be considered a breach of contract, which could result in the termination of licenses or legal action. Instead of refusing, your strategy should be to manage the audit’s scope and ensure it’s conducted fairly (for instance, through the NDA and scope agreement). You can negotiate timing or methodology (e.g., push back if the timing is really bad for your business operations), but you cannot simply decline if you’re contractually obligated.
What’s the biggest Symantec audit risk?
The most common (and costly) audit risk is user or device count creep – essentially having more endpoints protected or users covered than the licenses purchased. This often happens gradually as companies grow or fail to remove old accounts. Another significant risk is feature creep, where you unknowingly utilize additional product modules or advanced features beyond your entitlement. Both scenarios can lead to substantial license gaps. In financial terms, if you’ve been under-licensed for a while, the true-up cost (and potential back maintenance) can be significant. Therefore, closely monitoring those counts and features is vital.
How do I avoid penalties in a Symantec audit?
The best way is proactive compliance. Keep your usage in line and fix issues before an audit (so ideally there are no penalties at all). If you are audited and found non-compliant, avoid penalties by quickly agreeing to remedy the shortfall through purchasing rather than paying fees. Show that you’re acting in good faith to become compliant. When negotiating, push to treat any overuse as a forward-looking sale (you buy what you were missing) instead of a fine for past behavior. Vendors like Broadcom are often willing to waive punitive fees if they get a sales result and a commitment that you’ll stay compliant. Having a solid story – “we’ve addressed the problems and here’s how we’ll prevent them going forward” – goes a long way in convincing them to drop or reduce penalties.