The Changing Audit Landscape Post-Acquisition
VMware, under its pre-Broadcom ownership, was not a particularly aggressive auditor by enterprise software standards. The company's commercial model was built around partner relationships and enterprise account management — adversarial audit activity was relatively rare and typically reserved for egregious non-compliance situations.
Broadcom's approach to its software portfolio — which includes Symantec and CA Technologies alongside VMware — is more structured around licence compliance as a revenue mechanism. Since the acquisition, the frequency and formality of compliance reviews directed at VMware customers has increased. Enterprises in legacy perpetual positions who have not yet transitioned to subscription are the primary target population.
This change in posture is part of the broader commercial transformation covered in our Broadcom VMware Licensing Guide. Understanding it is essential context before exploring the specifics of audit defence.
Free Guide
Broadcom VMware Licensing Guide
Navigate Broadcom's VMware pricing overhaul: VCF bundles, subscription mandates, and migration options.
Risk Alert: Legacy perpetual VMware licences were typically scoped to specific hardware environments and use cases. With virtualisation sprawl, VM migrations, and DR environments, many enterprises have inadvertently exceeded the scope of their original perpetual licences — without any malicious intent. These gaps are the primary source of audit exposure.
What Triggers a VMware Audit
Broadcom does not need a reason to audit — audit rights are contractually established in the VMware licence agreements and typically permit Broadcom to conduct compliance reviews on reasonable notice. In practice, audits are triggered by a combination of factors.
Commercial Triggers
- Renewal resistance: If you have declined, delayed, or pushed back aggressively on Broadcom's renewal proposals, a compliance review may follow. This is a commercial pressure tactic.
- Lapsed support: Perpetual licences whose support has lapsed create a compliance conversation opportunity, as Broadcom uses these engagements to accelerate subscription transitions.
- Significant estate growth: If Broadcom's data sources (telemetry, channel intelligence, third-party data) indicate your vSphere estate has grown materially since your last licence purchase, that growth creates an audit trigger.
Technical Triggers
- Unlicensed product versions: Running vSphere 7 or 8 on licences purchased for vSphere 5 or 6 without upgrade entitlements is a common compliance gap.
- DR and test environments: VMware DR environments and test/dev clusters are often deployed informally without considering licence requirements. Perpetual licences do not typically include unlimited DR rights.
- VDI without appropriate licences: Virtual desktop deployments have historically required specific vSphere Desktop licences. VDI environments deployed under standard vSphere licences create compliance exposure.
- vSAN and NSX without licences: If you are running vSAN or NSX software on hosts that are not licensed for these components, this is a material compliance exposure.
Responding to an Audit Notice: The First 30 Days
The most important thing to understand about an audit notice is that your initial response shapes the entire process. A cooperative but carefully managed response is the right posture — not compliance or resistance, but controlled engagement.
Do Not Respond Immediately
Acknowledge receipt and request clarification on scope and timeline. You have a contractual right to understand exactly what is being audited before you provide any data. Use this time to organise your response team — typically including IT, legal, and procurement.
Stay Ahead of Vendors
Get Negotiation Intel in Your Inbox
Monthly briefings on vendor pricing changes, audit trends, and contract tactics. Unsubscribe any time.
No spam. No vendor affiliations. Buyer-side only.
Assemble Your Licence Position
Pull all VMware licence documentation: purchase orders, licence agreements, email confirmations of licence grants, support contracts. Establish what you own and what rights are associated with each licence. This is your baseline defence document.
Conduct a Self-Assessment
Run your own internal compliance review before sharing anything with Broadcom. Use vCenter inventory data to document your actual deployment against your licence entitlements. Identify any genuine gaps — knowing your exposure before Broadcom does is a significant advantage.
Engage Specialist Counsel or Advisory
VMware licence audits under Broadcom are commercial negotiations, not legal proceedings — but having appropriate advisory support from the outset changes the dynamic. Broadcom's audit teams are experienced. Enterprises that engage them without equivalent expertise are at a structural disadvantage.
Common VMware Compliance Gaps and How to Address Them
Version Coverage Gaps
Legacy perpetual licences purchased for vSphere 5 or 6 may or may not include perpetual rights to run later versions, depending on the specific licence agreement and whether support was maintained. Active support contracts typically include the right to run current versions. Lapsed support contracts do not. If you are running vSphere 7 or 8 on expired support licences, this is a genuine gap that needs to be addressed.
The resolution here is typically to negotiate a subscription transition that acknowledges the lapse period rather than paying full back-licence fees. An experienced adviser knows what Broadcom has accepted in comparable situations.
DR Environment Exposure
Disaster recovery environments are a consistent source of audit exposure. Most perpetual vSphere licences require production and DR instances to be licensed separately unless the licence specifically includes DR rights. Organisations that deployed vSphere DR sites as "just another cluster" without separate licences are exposed.
Broadcom has acknowledged this issue in its subscription model — VCF/VVF subscriptions typically include DR deployment rights within the subscription scope. The audit negotiation here often involves converting to subscription as part of resolving the DR gap.
VDI and Specialised Use Cases
VDI deployments require vSphere Desktop licences or a VDI-specific product bundle. Standard vSphere Enterprise Plus licences do not cover VDI use cases. If you are running VDI on standard vSphere licences, this is a material exposure. The current commercial resolution in a subscription model context typically involves assessing the actual VDI seat count and the applicable subscription tier.
Negotiating the Audit Resolution
An audit claim from Broadcom is a commercial opening position, not a final demand. The initial claim typically reflects list-price calculations on alleged shortfalls — which is the worst possible commercial outcome. Every audit resolution has room to negotiate, and the outcome depends heavily on how the negotiation is conducted.
- Challenge the methodology: Verify that Broadcom's calculation of the shortfall is accurate. Errors in licence counting, incorrect version assumptions, and failure to account for applicable rights are common in initial audit claims.
- Apply your full entitlements: Ensure all existing licence entitlements — including any previously purchased but unused licences, SA rights, and version coverage — are credited against the alleged shortfall before any financial settlement is calculated.
- Bundle the resolution with the renewal: The most commercially efficient audit resolution usually involves settling the historical gap as part of a forward-looking subscription agreement. This gives Broadcom the subscription revenue they want and gives you the opportunity to negotiate the future terms alongside the settlement amount.
- Negotiate settlement at market, not list: Any catch-up payment should be calculated at market rates (reflecting applicable volume discounts and current pricing benchmarks), not at Broadcom list price. The difference is substantial.
Outcome Context: In our experience, enterprises that engage specialist advisory support at the start of a VMware audit process achieve settlement outcomes 30–60% lower than initial Broadcom claims. The initial claim is an anchor, not a floor. Challenge it systematically.
Proactive Compliance Management: Avoiding the Audit
The best audit defence is a clean licence position that eliminates the exposure before Broadcom raises it. For enterprises that have not yet received an audit notice, a proactive compliance review is a wise investment — particularly given Broadcom's increased audit activity.
A proactive review should cover: all deployed vSphere, vSAN, and NSX instances versus current licence entitlements; version coverage across all deployed hosts; DR and test environment licensing status; and VDI or specialised use case coverage. The result is either peace of mind or an early warning that allows you to address gaps on your terms rather than Broadcom's.
IT Negotiations provides VMware licence position reviews as part of our Broadcom VMware advisory service. We work independently of Broadcom — everything you share with us is protected by the engagement relationship, not disclosed to the vendor. Request a free initial consultation to understand your exposure level. For additional context on the broader Broadcom commercial landscape, our articles on Broadcom negotiation tactics and vSphere core licensing changes are useful companion reading.