What to do in the first 21 days after a multi vendor Broadcom audit notice.
A Broadcom audit notice that lists more than one product line is not a larger version of a single product notice. It is a different instrument. The compliance function inside Broadcom uses the multi product letter when the buyer's deployment footprint touches enough of the post acquisition portfolio that a single product scope would leave material exposure on the table. The notice reads administratively but the consequences are not administrative. The first 21 days after receipt set the perimeter the rest of the process will be argued inside. Buyers who use the 21 days well preserve options that buyers who use them badly cannot recover later. This article documents the schedule the Desk runs across the first three weeks of a multi vendor engagement.
The starting assumption is that the notice itself is calibrated. The product list, the scope statement, the timing window, and the cooperation language are all the result of a deliberate choice by the auditor. Treating the notice as boilerplate is the most common mistake in the first week, and it is a mistake that compounds. Every paragraph is doing work for the auditor. The buyer's first job is to read the notice as carefully as it was drafted.
Days 1 to 3: read the notice, do not respond
The single most important rule for the first three days is that nothing substantive goes back to the auditor. Acknowledge receipt within 24 hours, in writing, in a single sentence that confirms the notice has been received and that a response will follow within the cooperation window the notice specifies. That is the entire communication. No commitments. No promises of cooperation. No requests for clarification. No questions about scope. The acknowledgement is a procedural courtesy. It is not a position.
Inside the buyer's organisation, days 1 to 3 are spent reading. Three people read the notice independently. The procurement lead, the security or compliance lead, and a sponsor at the level above both. Each of them produces an independent set of notes on what the notice says, what it implies, and what it does not say. The three sets of notes are reconciled at the end of day 3 in a single working session. The output is a one page summary of the notice as it actually reads, separated from how it sounds on first reading.
Days 4 to 7: pull the contract paper and the deployment data
By the end of day 7, three artefacts must be sitting on the engagement file. The current master agreement and all relevant schedules for every product line named in the notice. A complete deployment inventory for each named product, drawn from internal data the buyer already has and not from any new collection effort that would be observable to the auditor. And a clause level reading of the audit cooperation provision in the master agreement, with particular attention to the definition of relevant records, the scope of permitted inquiries, and any limitations on the auditor's authority.
The deployment inventory is the most time sensitive piece. The buyer is going to be asked, eventually, what is deployed. The buyer's answer should reflect data the buyer compiled on the buyer's own initiative, not data compiled in response to the auditor's questions. The distinction matters. Data compiled in response to an auditor's question can be characterised as cooperation under the cooperation clause. Data the buyer already had can be characterised as the buyer's normal operating record. The framing affects what the auditor can later assert about the completeness of the buyer's evidence.
"The contract paper is the perimeter inside which the audit will be argued. The deployment data is the evidence the buyer brings to that perimeter. Both have to exist on day 7. Either being missing breaks the schedule." - Audit Defense Lead, The Desk
Days 8 to 14: model the exposure on the buyer's terms
The second week is the modelling week. The exposure the auditor will eventually assert is going to be calculated against the auditor's preferred measurement frame. The buyer's exposure model is calculated against the contract language as written, supported by the deployment inventory compiled in week one. The two models will differ. The size of the difference is what the negotiation will be argued over. The buyer's model needs to exist before the auditor's model is presented, not after, because reactive modelling against the auditor's number anchors the conversation against that number.
For multi vendor notices, the modelling is run product by product, with explicit attention to areas where the deployment topology spans entitlement boundaries. The most common shape we see is that some portion of the deployment sits in a configuration the original entitlement language did not anticipate. The auditor's default in those cases is to apply the most expensive interpretation. The buyer's default should be the most defensible interpretation supported by the contract language, regardless of whether it is the cheapest. Defensibility is what survives the working session. Cheapness is what does not.
The modelling work is documented in an internal calculation sheet that lives in the engagement file. The sheet is signed by the procurement lead and the security or compliance lead at the end of day 14. The signature is not ceremonial. It is the record that both functions have agreed on the buyer's counter exposure model. The sheet is the artefact the buyer will defend in every subsequent interaction with the auditor.
Days 15 to 18: build the response letter
The response letter is drafted in week three, not week one. The reason for the delay is that the letter must reflect the deployment data, the clause reading, and the counter exposure model produced in the first two weeks. A response letter drafted on day 5 cannot reflect any of those because none of them exist on day 5. The letter that arrives at the auditor's desk on day 19 is the buyer's first substantive communication and it must be done correctly.
The letter has three sections. A statement of cooperation that confirms the buyer's intention to engage with the audit process within the bounds of the cooperation clause. A clause level reading of the cooperation provision that identifies the limits of what the auditor is entitled to under the master agreement. And a request for a working session to reconcile the measurement frame the auditor intends to use against the contract language as written. The letter does not contain the buyer's exposure model. The model is held back until the working session.
Days 19 to 21: send the letter, prepare for the working session
The letter is sent on day 19 by the buyer's external advisor where one is engaged, or by the buyer's general counsel where one is not. The sender matters. A letter from external counsel or an external audit defense advisor signals to the auditor that the buyer has formal representation. The signal changes the auditor's tone in the working session that follows. It does not change the substance of the dispute, but it changes the shape of the conversation.
Days 20 and 21 are spent preparing for the working session. The buyer's lead for the session should be the individual who signed the counter exposure model on day 14, supported by the procurement lead and the external advisor. The session agenda is set by the auditor's response to the buyer's letter and cannot be planned in detail before that response arrives. What can be planned is the buyer's posture, the order in which the buyer's positions will be presented, and the boundaries of what the buyer is willing to discuss inside the working session as opposed to outside it.
What happens after day 21
The 21 day schedule ends with the buyer in possession of a settled perimeter. The contract has been read. The deployment data is in hand. The counter exposure model exists and is signed. The response letter has been sent. The next phase, which typically runs from week four to week ten or twelve, is the working session sequence in which the two exposure models are reconciled against the contract language. That phase is its own discipline and its own article. What the first 21 days produce is the precondition for that phase to be run on the buyer's terms rather than the auditor's. Without the precondition, the working sessions are run on the auditor's terms by default.
The takeaway
- Acknowledge the notice in writing within 24 hours and say nothing substantive for the first three days. The first response other than acknowledgement is the response letter sent on day 19, not before.
- Build the deployment inventory and the counter exposure model in weeks one and two, before the auditor's exposure model arrives. The buyer's model must precede the auditor's. Reactive modelling anchors against the wrong number.
- The response letter is drafted in week three, sent by external counsel or an external audit defense advisor on day 19, and requests a working session to reconcile measurement frames. It does not contain the exposure model.