Justice Akenhead noted that the word “verification” in the contract was comparable to “examination” or “examination”. By reserving the right to audit all of their BAs, they could conduct audits of those they deemed the riskiest, and they could then eliminate those who refused to change their business operations, and they could improve their security and mitigate the liability associated with it by having other BAs to improve their security programs. I then conducted further audits for them in the BAs that they had not identified as high risk, but with which some managers had concerns. Contractors should carefully consider audit clauses during contract negotiations. Suppose two parties agree on a 50/50 revenue share – Company A provides Company B with a proprietary engine solution for a racing car that sells Company B. Company B sells five versions of racing cars, all with the same engine solution, from a base model to a luxury model, with the price increasing accordingly. If five cars are sold during the review period, revenue sharing support records can show a table of five engines sold with a revenue share of $125,000 for each engine and an example of a bill for a race car sold for $250,000. A contractor bound by an audit clause similar to sections 27 and 28 can expect to store only “primary” or “source” documents such as the relevant contract, supplier invoices, etc. and deliver them upon request. If you think about where you want to audit your business partners, you`ll also end up identifying areas within your own organization where you should also look at security and privacy controls. I`ve seen this first-hand too. With each of my clients where I conducted third-party/vendor audits on their behalf, when I reviewed the results with them, they all became aware of similar issues in their own business practices and then worked to resolve them.
If you include an audit clause, you are obliged to perform an audit. FALSE! A clause on the right to verification is just that; You reserve the right to check whether you ever need to determine that this is necessary. Well formulated, it does not create any obligation on your part to actually carry out an audit. An audit clause is a resiliency to reserve this option if necessary. Including the right to audit clause, you also have open options if you suspect or hear about information security or privacy issues within one of your BAs or other types of business partners. Knowing that companies can be audited at any time is the motivation for them to ensure that their information security and privacy controls are as effective as possible and that they meet all their compliance requirements. I have seen this with my own eyes, in dozens of organizations. An audit clause is essentially an agreement to provide documents.
Typically, it gives a principal the right to “verify” a contractor`s books and records with respect to compliance with the contractor`s obligations under a contract. For most auditees, record keeping is the final step in the contracting process. This requires both parties to maintain and organize all documents, files, invoices, rate increases, etc. that are relevant to the activities surrounding the contract. These records may be in a spreadsheet or invoice, but it is important to remember that they may not provide a complete picture to support assumptions or decisions that have been made in the amount, increase, or change throughout the contractual context. When I was responsible for information security and privacy in a large financial and healthcare organization in the 1990s, I had literally hundreds of business partner and supplier organizations to whom we outsourced various types of activities where everyone had access to our employees, customers and customer information. Add to that several hundred agents of our company and, even more frightening because they did not exclusively sell our products, brokers, and you can probably imagine the anxiety I felt when I thought about how all these other organizations were putting our information at risk. The contracts with them generally all had a very brief requirement to provide “adequate security controls” for the information, but that didn`t alleviate my concerns. However, as there were no data protection regulations at the time, the lawyers said that this simple clause was sufficient. And then one of the outsourced entities had an incident due to a lack of controls that allowed a hacker to break into our network. The legal aspect of contracts, such as procurement, negotiation and drafting, is only the beginning of contract design. Once the pen has been put on paper and the agreement begins, steps must be taken to ensure that the terms of the contract are met as stated.
This process is called contract compliance verification or contract audit. Often, the review of the contract is just as important as the contract itself. 27.1 The Supplier shall, for a period of at least 12 years, keep accurate, up-to-date and complete records of their obligations under this Agreement (“Records”) (in a form appropriate for inspection under clause 28) with respect to the performance of their obligations under this Agreement, including: In addition, the verification clause generally states that each party must “keep records” to support compliance obligations. In TGM, however, the files that fell within the scope of the review clause were much broader. This included a record of the hours worked by a team of designers and, perhaps even more surprisingly, documents created months later, including internal reports or audits conducted by Thales to find out why the project exceeded time and budget. The scope of the documents covered by clause 28 is subject to certain limitations, including: It is important that you fully understand each agreement before signing it and that you seek legal advice if necessary. The very first step in any contractual compliance audit is to determine if the contract contains an audit clause. .