Thanks ever so much for sharing your "Right to Audit" clause.
In my examination of the clause against our subcontract I noted that SSAE 16 (with which I was unfamiliar) has, according to what I found online, been superseded by SSAE No. 18, and as of 5/1/2017 the report is referred to as SOC 1. Not my area of expertise, so please validate.
All the best,
Cathy
Cathleen "Cathy" Strabala
Senior Director, Quality, Ethics & Compliance
Chenega Corporation
chenega.com
Original Message:
Sent: 10/30/2020 9:50:00 AM
From: heather garnett
Subject: RE: "Right to Audit" clause
Hi Paul,
Here is an example of a clause you may find helpful.
Vendor Management:

(a) To meet the mandates associated with third party vendors, the Client may request annually from the Company the following information: Annual Financial Statements; Insurance Coverage/Certificate; SSAE16 report inclusive of User Entity controls; External Penetration Testing results; Data Encryption procedures; Business Resumption Plans and Disaster Recovery testing results. The Company shall provide all such Information within thirty (30) days of receiving a written request for it. Additional vendor due diligence requirements not addressed in this Agreement and required by federal regulation will be provided within ninety (90) days of a written request for it. Failure to provide such information will be grounds for termination of the Agreement.

(b) As specifically permitted by law or regulation, the Client shall be permitted to audit the Company's performance under this Agreement during normal business.
Original Message:
Sent: 01-13-2020 11:03 AM
From: Paul Lusardi
Subject: "Right to Audit" clause
Does everyone include a "right to audit" clause in vendor contracts? (We don't currently, but it's in the works.) We have a decentralized system here where contracts are signed and then the business unit (usually) lets TPRM know that the services/vendors are scheduled to start (usually within a week). Not a lot of time, but we deal with it. We do have the occasional vendor who will balk at completing the due diligence questionnaire, stating that they're either 1) too small, 2) don't have time now, or 3) "don't 'do' those." If we had the proper language in the contract that the vendor just signed, we could point to that and inform them that they actually have to complete the questionnaire. I'm hoping that would work.
Do others have the same experiences?