Contract Management

  • 1.  "Right to Audit" clause

    Posted 01-13-2020 11:03 AM
    Does everyone include a "right to audit" clause in vendor contracts? (We don't currently, but it's in the works.) We have a decentralized system here where contracts are signed and then the business unit (usually) lets TPRM know that the services/vendors are scheduled to start (usually within a week). Not a lot of time, but we deal with it. We do have the occasional vendor who will balk at completing the due diligence questionnaire, stating that they're either 1) too small, 2) don't have time now, or 3) "we don't do those." If we had the proper language in the contract that the vendor just signed, we could point to that and inform them that they actually have to complete the questionnaire. I'm hoping that would work.
    Do others have the same experiences?


  • 2.  RE: "Right to Audit" clause

    Posted 01-13-2020 12:44 PM
    Hi.  We have an "audit" section in our standard agreements.  Mostly helps us with obtaining SOC Reports and Cyber Security onsites.  Vendor selection and onboarding is where we focus on third party management process and completion of initial and ongoing due diligence/monitoring.  Yes, we do have third parties who respond similarly to what you described.

    Hope this helps.



  • 3.  RE: "Right to Audit" clause

    Posted 10-30-2020 09:37 AM
    Yes. The Right to Audit clause should be an essential part of any vendor contract.


  • 4.  RE: "Right to Audit" clause

    Posted 10-30-2020 09:50 AM
    Hi Paul,

    Here is an example of a clause you may find helpful.   

    Vendor Management: (a) To meet the mandates associated with third party vendors, the Client may request annually from the Company the following information: Annual Financial Statements; Insurance Coverage/Certificate; SSAE16 report inclusive of User Entity controls; External Penetration Testing results; Data Encryption procedures, Business Resumption Plans and Disaster Recovery testing results. The Company shall provide all such Information within thirty (30) days of receiving a written request for it. Additional vendor due diligence requirements not addressed in this Agreement and required by federal regulation will be provided within ninety (90) days of a written request for it. Failure to provide such information will be grounds for termination of the Agreement.  (b) As specifically permitted by law or regulation, the Client shall be permitted to audit the Company's performance under this Agreement during normal business. 




  • 5.  RE: "Right to Audit" clause

    Posted 10-30-2020 10:26 AM
    Rather than insert our "Right to Audit" clause, I am going to second Heather's, just because it says the right things.
    1. It asks for due diligence documentation up front. This is important for supplier performance measures. The updated certifications will tell us whether the most recent audit requirements were met. Just an attestation that these were complete says a lot about the supplier's ability to meet the control requirements. 
    2. All attestation documents are referenced.  
    3. If the supplier is unable to deliver these documents, the supplier is on notice that you will exercise your right to audit. 
    4. There is also language to say that you have expectations for an annual review. The audit is more of a last resort should the supplier not be able to meet the control requirements in the agreement. 
    This ticks the boxes for me and is an essential part of any supplier agreement. Not just the "Right to Audit" but the idea of continuous performance review.


  • 6.  RE: "Right to Audit" clause

    Posted 10-30-2020 10:28 AM

    Thanks ever so much for sharing your "Right to Audit" clause.

    In my examination of the clause against our subcontract I noted that SSAE 16 (with which I was unfamiliar) says online it has been superseded by SSAE No. 18 and as of 5/1/2017 the report is referred to as SOC 1. Not my area of expertise, so please validate.

    All the best,

    Cathy

    Cathleen "Cathy" Strabala
    Senior Director, Quality, Ethics & Compliance
    Chenega Corporation
    chenega.com


  • 7.  RE: "Right to Audit" clause

    Posted 10-30-2020 11:36 AM
    Hi Cathy,

    You are correct that the SSAE 18 supersedes the SSAE 16. I keep a collection of provisions that I use as examples and should update that in my file. We often review contracts prior to the 2017 change and even see some older that refer to SAS 70. Since SSAE 18 refers to many different types of attestation reports, using "SOC 1 or SOC 2 report" instead may be better, as SSAE 18 does make it less specific versus the SSAE 16, as 16 referred just to SOC 1/2.