What should you do in the first hour of a Broadcom audit?

Acknowledge receipt, name a single point of contact, and say nothing about your deployment. The first communication should confirm only that you have the notice and will respond through one channel. Do not confirm products, capacity, or LPAR counts, and do not let an engineer answer a tooling question directly to the vendor. Everything Broadcom learns in the first hours becomes the frame for the finding, so the goal of hour one is to slow the clock and route all contact through one controlled point while you read the audit clause in your own contract.

What is Broadcom commonly looking for in a CA mainframe audit?

The recurring pattern is full capacity exposure on products deployed beyond their entitled capacity, and bundled product families that are installed but no longer used. Broadcom mainframe pricing is capacity based, MIPS migrating to MSU, so the review commonly turns on the gap between the capacity a product is entitled to and the capacity of the LPARs it actually runs on. Sub capacity reporting gaps are a frequent trigger for a full capacity assertion. The finding is built from the vendor's reading of your deployment and presented as settled. It is an opening position until you have validated the capacity figures and reconstructed entitlement yourself.

Should you give Broadcom raw system data right away?

No. Agree the scope in writing before any data changes hands, and share only what the contractual audit clause actually requires. Raw, unfiltered deployment and capacity data handed over early lets the vendor build the largest possible claim and define the scope for you. Confirm what the audit right in your specific contract permits, agree the products and systems in scope, and provide validated data against that agreed scope only. The buyer who controls the data controls the finding; the buyer who floods the vendor with everything negotiates against a number built from their own systems.

The First 48 Hours of a Broadcom Audit

№ 01

Why the first 48 hours matter

CapacityFull capacity riskBundles

Broadcom (CA) mainframe pricing is capacity based, with products moving from a MIPS basis to MSU under Broadcom Mainframe Consumption Licensing. Two patterns drive most CA audit findings. The first is full capacity exposure: a product entitled to a given capacity is found running on LPARs that now carry more, and the gap is asserted at full capacity. The second is the idle family inside a bundle, where products installed years ago and never retired are counted as deployed. Neither is settled fact. Both are built from the vendor's reading of your estate, and both are reduced by evidence you control.

The reason the first 48 hours matter is simple. Everything the vendor learns early becomes the frame for the claim. An engineer who answers a casual question about which tools are installed, a capacity figure shared before it is validated, a scope accepted without reading the audit clause: each one raises the ceiling. The work of the first two days is to slow the clock, route all contact through one point, and read your own contract before the vendor reads your systems.

№ 02

The 48 hour timeline

Hour by hourSlow the clockLock the scope

What to do, and when

Window	The vendor wants	What you do
Hour 0 to 1	A fast, informal confirmation of your estate	Acknowledge receipt only. Name one point of contact. Confirm nothing about products, capacity, or LPARs.
Hour 1 to 4	Engineers answering tooling questions directly	Brief the technical team to route every vendor contact through the single point. No direct answers.
Hour 4 to 12	To work from its own entitlement record	Pull your contracts. Read the exact audit clause: what it permits, what data, what notice, what scope.
Hour 12 to 24	Unfiltered deployment and capacity data	Begin reconstructing entitlement from original CA paper and amendments. Inventory what is actually installed and used.
Hour 24 to 36	A broad, undefined scope	Propose the scope in writing: named products, named systems, the data the clause requires and no more.
Hour 36 to 48	To set the timetable and the framing	Lock the scope and the process in writing. Agree validated data only, against agreed scope, on your timetable.

The non negotiables of the first two days

One point of contact. Every vendor question, every answer, through one channel.
No raw data before scope is agreed in writing. Share only what the audit clause requires.
Read the audit right in your own contract before you accept any process the vendor proposes.
Validate every capacity figure against your own records before it is confirmed to the vendor.

№ 03

From the 48 hours to the settlement

A controlled first 48 hours buys the thing that wins the audit: time to validate before you respond. Once the scope is locked and the data is yours, the finding becomes negotiable. Misread capacity scope, idle bundled families that should exit rather than settle, entitlements the vendor record overlooks, and sub capacity positions defended with evidence are all routine reductions. The settlement is also the moment to fix the contract that let the exposure build, with caps on capacity growth, a clean audit clause, and a defined consumption baseline written into the close. This is the discipline of our mainframe audit defense work, where the response and the renewal are run as one engagement. For the longer arc beyond the first two days, see the Broadcom audit notice response protocol.

② Frequently asked

Q1

What do you do in the first hour?

Acknowledge receipt, name one point of contact, and say nothing about your deployment. Confirm only that you have the notice and will respond through one channel. Slow the clock and read your audit clause.

Q2

What is Broadcom looking for?

Full capacity exposure where products run on more capacity than entitled, and idle bundled families counted as deployed. Sub capacity gaps are a frequent trigger. See defending your sub capacity position.

Q3

Should we hand over raw data?

No. Agree scope in writing first and share only what the audit clause requires. Raw early data lets the vendor build the largest possible claim and define the scope for you.

Q4

Can the finding be reduced?

Commonly, yes. Findings are opening positions. Misread capacity, idle bundles, overlooked entitlements, and defended sub capacity positions are routine reductions, and the close is a chance to write in caps.

③ Related

All guides →

→

The first 48 hours decide the number. Spend them controlling the frame.

Why the first 48 hours matter

The 48 hour timeline

From the 48 hours to the settlement

What do you do in the first hour?

What is Broadcom looking for?

Should we hand over raw data?

Can the finding be reduced?

Broadcom (CA) mainframe licensing

Responding to a Broadcom renewal uplift

Mainframe audit defense

Broadcom audit notice just landed? The first 48 hours start now.