
The Importance of Audit Rights in Vendor Contracts


Well-written contracts are the best way to ensure vendor compliance. When a vendor is critical to your operation, there is a continuing need for transparency throughout the relationship. Including a right to audit clause in your contract obligates your vendors to disclose data and reporting to your organization on request.

This data can be requested during any part of the third-party risk management lifecycle, but it is most often requested as part of vendor due diligence and ongoing monitoring. A right to audit clause entitles your organization to review your vendor’s work product and reporting, which may include self-assessments, third-party audits and other official documents detailing the sufficiency of internal systems and controls.

Commonly Reviewed Vendor Data and Reporting

Let’s review the types of data and reporting that are commonly requested under a right to audit clause:

  1. SOC Reports. Otherwise known as Service and Operating Controls, these reports detail audits conducted by independent third-party auditors who provide an expert assessment of the control environment and any gaps they find.
    There are three types of SOC reporting:
    • SOC 1: Examines the effectiveness of internal financial controls at a service organization. As mandated by SSAE 18, SOC 1 audits a third-party vendor’s accounting and financial controls.
    • SOC 2: This evaluates a vendor’s internal controls on one or more of the Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy). Type I confirms that controls are in place and Type II confirms that the controls are in place and working.
    • SOC 3: A SOC 3 report is a public option that can be freely distributed, but it is less detailed than a SOC 1 or SOC 2, which can only be read by the direct users of an organization’s services.
  2. SLA Reports. In a contract, service level agreements (SLAs) represent the acceptable limits of service or quality, as agreed on by both parties. When those SLAs aren’t met, there is typically some sort of penalty for the vendor. To confirm that SLAs are being met, the vendor must provide reporting that validates the acceptable level of performance.
  3. Compliance Reporting. This may include overall compliance policies, such as a compliance training policy, a fair lending or Equal Credit Opportunity Act (ECOA) policy, or a Telephone Consumer Protection Act (TCPA) policy, which only applies to vendors making phone calls or sending texts. Also consider a marketing/CAN-SPAM policy, which only applies to vendors involved in marketing activities, and a Fair Debt Collection Practices Act (FDCPA) policy, which only applies to collections vendors.
  4. Data Privacy and Confidentiality Policy. This may need to be requested separately if not provided with compliance or information security documentation.
  5. Payment Card Industry (PCI) Compliance Reports. PCI compliance reporting can include data such as vulnerability scans or other methods used to validate compliance.
  6. Financial Statements. Audited financials, internally prepared financials and the organization’s annual tax filing can be important components in a right to audit clause.
  7. Insurance. Current insurance certificates and policy references should be thoroughly reviewed and may include general liability, professional errors and omissions or cybersecurity coverage types.
  8. Business Continuity and Disaster Recovery Reports. All plans, testing scenarios, test results and mitigation plans are essential to review to ensure that your critical vendors are prepared for a business-impacting event. Plans should include the following:
    • Departments included in the program and their recovery time objective (RTO)
    • Business continuity exercise types, scenarios and findings
    • Report of the last activation outside of a drill with root cause analysis
    • Emergency management documentation that basic OSHA requirements are met (annual fire drill, etc.)
    • Facility (location) risk/hazard assessment
    • Evacuation & shelter in place procedures
    • Active threat plan
  9. Information security. Attestations/certifications for controls around security, processing integrity, confidentiality and privacy of a system, including but not limited to:
    • SSAE 18 SOC reporting (type II reports should be included in the ’03 - independent third-party audits’ document request)
    • ISO/IEC 27001 certification
    • PCI ROC and/or penetration test reports
    • Technical and procedural measures for network protection through a firewall
    • Secure server configuration
    • Vulnerability identification and patching reports
    • Physical and logical access controls
    • Data security policy (See elements of documentation below):
      • Data classification and encryption methodologies, data loss prevention, password hashing, data retention and destruction
    • Documented incident response policy, standards and processes (See elements of documentation below):
      • Data security and confidentiality protections against threats or hazards
    • Data privacy and confidentiality policy
    • Facility (location) risk/hazard assessment
    • Disaster recovery exercise scope and schedule
    • Report of the last activation outside of a drill with root cause analysis
  10. Fourth parties. Your fourth party’s third-party risk management policy, risk rating methodologies, vendor inventory, critical vendor list, due diligence documents, ongoing monitoring schedule and critical contracts should all be reviewed.
  11. On-Site Audit. An on-site audit is typically performed on a vendor performing critical services to a client and is done to ensure the vendor is adhering to their stated policies and practices surrounding the client’s customers. These audits would generally review financial and operational activity, including the vendor’s internal controls, information systems and security, business resumption and adherence to internal policies and procedures. While this audit is primarily performed on site, it can be done remotely.
  12. Billing Audit. Many clients will want the right to audit the vendor’s billing statements – especially when the vendor is providing transaction services. The contract could include some language to assess penalties if any billing errors, specifically overcharging, are discovered.
  13. Subcontractor Audit. For any or all of the audit rights that are included in the contract for the vendor, a client could also require the same audit of any subcontractor performing activities on the vendor’s behalf in support of the client.
  14. Other Miscellaneous Audits. An audit clause might also require the vendor to perform regular testing or monitoring of other significant security controls such as application and network penetration testing, non-intrusive network audits or more intrusive network and physical audits, and to audit for compliance with applicable laws and regulations.

Critical vendors play an important role within your organization, so make sure to include a right to audit clause within your contracts so you can continually monitor your vendors’ and their subcontractors’ performance and identify any issues that need to be addressed.
