Most software suppliers will want to include a provision allowing the conduct of a compliance audit. While the contract may specify the supplier's right to audit, the agency should negotiate more control over the process. The agency’s information security officer should include any agency or Commonwealth security, confidentiality and access restrictions or parameters for any such audit. COV ITRM policies, standards and guidelines (PSGs) for compliance with security audit requirements and restrictions are available at this location: https://www.vita.virginia.gov/it-governance/itrm-policies-standards/. Recommended general contractual language may include and be customized for agency and aligned with any security audit restrictions and any negotiations with supplier:
"Supplier shall provide forty-five (45) days’ written notice to (name of your agency) prior to scheduling any software license audit. The notice shall specify name(s) of individual(s) who will conduct the audit, the duration of the audit and how the audit will be conducted. Further, the Supplier and its representatives, agents and subcontractors shall comply with any access, security and confidentiality requirements and restrictions of (name of your agency). No penalty shall be levied against (name of your agency) or the Commonwealth for unlicensed software found during the course of the audit. If (name of your agency) is determined to be using unlicensed software, the maximum liability to (name of your agency) shall be the cost of licensing the subject software. All costs associated with the audit shall be borne by the Supplier."