
Audit rights under IT contracts - Lexology


Audit rights under IT contracts

RPC
United Kingdom

April 23 2013

Introduction
Facts
Decision
Comment

Introduction
Audit rights are commonly included in IT contracts in order to allow one party to access information held by the
other party in relation to the agreement between them. Although dealing with the construction industry, a recent
High Court decision (Transport for Greater Manchester v Thales Transport & Security Ltd) nonetheless provides
useful guidance for parties to IT contracts on which information or documents are likely to be disclosable under
such a clause and which information or documents may be withheld.
The audit rights clause will sensibly address the following issues:
  who is permitted to access which information;
  the permitted reasons for carrying out an audit;
  the frequency with which audits can occur;
  timescales and notice requirements; and
  allocation of costs incurred by each of the parties in connection with the audit.
In addition, audit rights will usually be supplemented by an obligation to maintain certain records.
Facts


Thales contracted with Transport for Greater Manchester (TGM) to supply a new tram operating system for
Manchester Metrolink. A dispute arose over additional costs relating to the tram system. TGM requested wide-ranging
documents from Thales under the audit rights clause of the contract. When Thales refused to provide
the documents under the clause, TGM applied to the court for an order requiring Thales to do so.
The court granted specific performance in respect of the majority of the documents that TGM had requested
Thales to provide. The audit rights clause permitted TGM to request documents "relating to the carrying out of
any of the Supplier's obligations" or in order to "audit" any of the information that Thales had provided to TGM.
Decision
The court decided that the wording of the clause was broad enough to cover documents relating to contractual
non-performance, as well as where the contract had been properly performed. It also held that the term 'audit' in
this context simply meant "to check or verify" and was not limited to financial records.
The following documents were found to be within the scope of the rights granted by the audit clause:
  board meeting minutes (including those of other group companies);
  reports produced by external advisers;
  internal reviews of the contract and its issues;
  sensitive commercial information; and
  documents that reviewed the obligations long after the problems occurred.
Specific performance was refused and Thales therefore was not required to disclose documents where:
  the categories of document were too imprecise;
  the documents were covered by legal privilege; or
  the court felt that there was danger of the clause being used to carry out a "fishing expedition".
Comment
From the perspective of an IT service purchaser seeking to rely on the audit rights clause, it should be
remembered that specific performance (as ordered by the court in this case) is an equitable remedy and, therefore,
will not always be available. The court will consider the context of an audit request, not merely the contractual
interpretation of the audit rights clause itself. Any request for specific performance requires precision, and care
should be taken to formulate the request for documents as clearly as possible.
From the perspective of an IT service provider likely to be on the receiving end of an audit rights request, this
case raises a number of key points for consideration:

  It is important to be clear about the purposes for which audit rights may be invoked and to
  ensure that these are as narrow as possible.
  The clause should specifically restrict access beyond the agreed audit purposes.
  Access should be restricted to specific categories of document.
  Consider audit rights in subcontracts and ensure that they are sufficient to enable a flow-down
  of audit rights where necessary.
  Include a specific right to redact information provided in the course of an audit.
  Include an explicit carve-out for both legal advice privilege and litigation privilege.
  Consider whether the instruction of experts to examine a problem and their reports should be
  outside of the audit rights.
  Ensure that confidentiality provisions offer adequate protection for information disclosed under
  audit rights.
  Ensure that significant costs incurred in complying with an audit request are recoverable and
  priced fairly.
For further information on this topic please contact Peter Lumley-Savile or Sanjay Pritam at RPC by telephone
(+44 20 3060 6000), fax (+44 20 3060 7000) or email (peter.lumley-savile@rpc.co.uk or
sanjay.pritam@rpc.co.uk).
This article was first published by the International Law Office, a premium online legal update service for major
companies and law firms worldwide. Register for a free subscription.

RPC - Peter Lumley-Savile, Sanjay Pritam


Why You Should Use a Right to Audit Clause | SecureWorld


Why You Should Use a Right to Audit Clause


Author: Rebecca Herold

A Tale of Two Viewpoints


When I was responsible for information security and privacy at a large financial and healthcare organization throughout the 1990s I had
literally hundreds of business partner organizations to which we outsourced various types of activities that required some type of access to
our client and customer information. Add to that several hundred agents and, scarier still because they were not exclusively selling our
products, brokers, and you can probably imagine the angst I felt when thinking about the ways in which all those other organizations were
putting our information at risk. The contracts with them had a very brief requirement to provide appropriate security controls for the
information, but that did not alleviate my worries. But, since at that time there were no data protection regulations in effect, the lawyers said
this simple clause was enough. And then one of the outsourced entities had an incident resulting from lack of controls which allowed a hacker
to enter our network.
Ultimately, after the breach response concluded, I did an audit of the offending business partner to ensure he had made, and kept, changes to
keep the same type of security incident from happening again. And then I once again asked the lawyers to beef up the contracts with our
various types of business partners, including, among other specifics, a right to audit clause. I wanted to audit not just after a breach, but at
any time when I thought necessary to protect our information assets. This time the viewpoint of the legal office had changed. They agreed that
it was a good idea, and from that point forward we included a right to audit clause within all contracts with business partners that accessed or
possessed our information assets in any way. Such a clause is a good idea for all types of organizations, of all sizes, not only as a way to
demonstrate due care, but also to be proactive in preventing privacy breaches and security incidents. Here are three compelling reasons
why you should have right to audit clauses within business partner contracts.
#1 A right to audit allows for identification of risky business partners
Several years ago I performed over 100 business associate (BA) information security and privacy program audits for a large healthcare
insurer. They actually had identified over 450 BAs, but they had identified the 100 that I audited as their highest risk BAs. Throughout the
delivery of my audit reports four of the business unit VPs, and numerous other managers, told me of their concerns about some of the specific
BAs, and that their concerns were validated by my audit results. As a result of the audits they were able to get many of the BAs to strengthen
their safeguards, and they also terminated their relationships with around half a dozen of the BAs.
By reserving the right to audit all their BAs, they were able to perform audits within those that they determined to be of highest risk, and they
were able to then eliminate those who refused to alter their business actions, and they were able to improve their security, and mitigate
associated liability, by having other BAs improve their security programs. I then performed other audits for them in BAs that they had not
identified as high risk, but that some of the managers had concerns with.
#2 A right to audit supports compliance
When information processing or storage is outsourced to another entity, the organization that gives their BA, or any other type of business
partner, access to their information does *not* also outsource their liability for the protection of that information (even though some try
really hard to do so through all sorts of complicated liability absolution contract language). The recently released HIPAA Omnibus Final
Mega Rule (https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf) makes this clear by stating:
(c) Violation attributed to a covered entity or business associate. (1) A covered entity is liable, in accordance with the Federal common
law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a
workforce member or business associate, acting within the scope of the agency.
The healthcare industry is not the only one where this type of BA liability will be shared with the CE. And, when considering organizations
that accept credit card payments, an organization that must comply with PCI DSS
(https://www.pcisecuritystandards.org/security_standards/) will still likely bear some liability in the event one of their outsourced business
partners experiences a breach involving credit card information.
The HIPAA Omnibus Final Rule also makes clear that CEs must take actions to help ensure their BAs will have appropriate safeguards in
place, as it states:


164.502 (e)(1) Standard: Disclosures to business associates. (i) A covered entity may disclose protected health information to a business
associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the
covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the
information.
An audit is one good way to obtain such satisfactory assurance. (More are listed below.)
#3 A right to audit strengthens security and privacy controls
When organizations know they could be audited at any time it will provide the motivation for them to then ensure their information security
and privacy controls are as effective as possible, and that they meet all their compliance requirements. I've seen this firsthand, in dozens of
organizations.
When you are thinking about the areas where you want to audit your business partners, you will also ultimately realize areas within your own
organization where you should also check on security and privacy controls. I've also seen this firsthand. In each of my clients where I
performed third party audits on their behalf, as I was going over the findings with them they all became more aware of similar issues within
their own business practices and then worked to address them.
Including the right to audit clause also keeps options open for you if you ever suspect, or hear of, any information security or privacy concerns
within any of your BAs or other types of business partners.
Other options for business partner oversight
There are other good, effective ways in which you can provide additional satisfactory assurance that your business partners are not putting
your information at unnecessary risk. I will probably elaborate upon some of these in upcoming blog posts based upon feedback and/or
requests readers provide, but for now here is a list of additional actions for you to consider. You can require your business partners to:
Complete monthly information security and privacy attestations. I include a short information security and privacy quiz, which is
different every month, in the ones I create for my clients.
Provide a copy of their most recent independent information security and/or privacy audit.
Maintain a third party security or privacy seal on their site. This is of particular value for cloud service providers.
Allow your organization to occasionally review business partner information security and privacy policies.
Understand that your organization will regularly check online reports to discover when business partners have been involved in
incidents, breaches, or frauds for which they did not provide any notification.
And, you should always include detailed safeguard requirements within the business partner agreement/contract, not just a simple, vague
statement indicating the need for information security controls.
Right to audit myths
I've heard some interesting reasons and myths for why an organization shouldn't provide a right to audit clause. Let me dispel a couple of
them:
1) If you include a right to audit clause then you are obligated to actually perform an audit. False!
A right to audit clause is just that; you are reserving your right to audit if you should ever determine there is a need to do so. When worded
properly it does not establish any obligation on your part to actually perform an audit. A right to audit clause is a fail-safe to reserve that
option if the need should arise.
2) You should only include a right to audit clause within the contracts for BAs and other business associates that are considered to be high
risk. False!
Relationships with business partners often quickly change. A very low risk relationship with a business partner can quickly become high risk
when they start doing different types of services for you, when they start using new technologies such as smartphones, social media, and
cloud services, and so on. Also, organizations often are not aware of risks within their business partners that would have made them a high-risk proposition.
Bottom line for all organizations, from the largest to the smallest: "Trust but verify" is an old Russian proverb that Ronald Reagan
quoted often during his presidency (http://www.youtube.com/watch?v=As6y5eI01XE). And with good reason; in a wide range of life
situations you need to validate something is as promised. When it comes to information security and privacy, you need to be able to validate
the third parties you've entrusted with your organization's information have appropriate controls in place. If you don't have a right to audit
clause within your business partner contracts you could be shutting off your ability to have such an audit performed whenever the need arises.


Psst, hey outsourced entities, make sure you are prepared to meet such requests.
Additional information about using a right to audit clause
Here are some additional sources of information related to the need to include a right to audit clause within business partner contracts:
FFIEC examination procedures handbook which includes directives to check for right to audit clauses (https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&cad=rja&ved=0CFwQFjAF&url=http%3A%2F%2Fithandbook.ffiec.gov%2Fmedia%2F152569%2F03_12_2012_outsourcing_cloud_workrogram_final_03_12_2012.docx&ei=iKb9UJHOH8b62gXF54CYAg&usg=AFQjCNEs7spk5RYJoRxMBmKI4M6PgUo3A&bvm=bv.41248874,d.b2U)
IIA presentation includes recommendations to use right to audit clauses, Identifying and Managing Risk in Outsourcing/Off-shoring
Arrangements (https://na.theiia.org/training/eLearning/members/Member%20Documents/112008_Viewer_slides.pdf)
FFIEC outsourcing booklet recommends the use of right to audit clauses
(http://community.mis.temple.edu/mis5205sec001f12/files/2012/10/Outsourcing_Booklet.pdf)
Annex A of ISO/IEC 27001: A12.5.5 Outsourced software development recommends using right to audit clauses
(http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=42103)
Cloud computing security concerns: How to audit cloud computing (http://searchcloudsecurity.techtarget.com/tip/Cloud-computingsecurity-concerns-How-to-audit-cloud-computing) includes recommendations for right to audit clauses
20 steps to an iron-clad SaaS contract
(http://blogs.computerworld.com/19733/20_steps_to_an_iron_clad_saas_contract) recommends using right to audit clauses
I provide a sample right-to-audit clause as part of my Compliance Helper (http://www.compliancehelper.com/) library of
customizable forms, policies and procedures.


Right to Audit Clause - McGovern & Greene LLP Accountants, Forensic Accounta...


Using the Right to Audit Clause to Detect Procurement Fraud
by: Craig L. Greene, CPA/CFF, CFE, MAFF, CCEP, MCJ

Introduction
In 1997, the Institute of Management and Administration surveyed the
readers of their newsletters and other professionals on the use of the Right
to Audit Clauses for vendors. The survey found the participants believed that
these clauses were a good idea, citing their use when:
  Purchasers want to ensure sound financial management.
  Companies must respond to a dynamic and changing environment
  such as outsourcing, downsizing and ISO 9000.
  Industry practices include subcontracting.


Further, by carrying out regular audits of vendors there tends to be greater
trust in the relationship. It also sends a message that the Company will be
monitoring the vendor to ensure that the:
  Vendor is complying with the Company's Ethics or Business
  Standards and that the
  Vendor is complying with the contractual relationship between
  buyer and seller.

When the right to audit is exercised, the internal auditor may be looking for
fraud by vendors and violations of company ethics policies such as:
  Fictitious "shell companies" set up by employees or others that may
  or may not provide goods or services;
  Faulty or inferior quality of goods, such as substitution of material
  schemes;
  Short shipments or goods not delivered;
  Services allegedly performed that weren't needed in the first place,
  such as equipment repairs, or services never performed at all;
  High prices when the goods can be bought directly or less
  expensively from the same or another vendor;
  Corruption schemes including improper:
    Payments and kickbacks;
    Gifts and gratuities to company employees;
    Commissions to brokers and others;
    Conflicts of interest.


Right to Audit Clauses

The buyer usually obtains the right to examine records of a vendor to
determine if a fraud or a violation of company policy has occurred through
the following methods:

Right-to-audit agreement: The agreement can be printed on the back of a
purchase order, or other procurement form. The clause could be worded as
follows on a purchase order: "Seller shall establish a reasonable accounting
system, which enables ready identification of seller's cost of goods and use
of funds. Buyer may audit seller's records anytime before three years after
final payment to verify buyer's payment obligation and use of buyer's funds.
This right to audit shall include subcontractors in which goods or services
are subcontracted by seller. Seller shall insure buyer has these rights with
subcontractor(s)."

Right to Audit Clause in a Contract: If a buyer inserts a right-to-audit clause
in a contract, he has a much greater chance to expand definitions and
include other compliance provisions for the vendor.

Other options for obtaining the right to audit may include:
  Inserting a specific provision into a contract that's normally entered
  into between buyer and vendor, e.g., construction contract or supply
  contract in addition to the basic right-to-audit clause included in the
  purchase order;
  An audit provision included within a special document (such as a
  vendor survey mailed to all new or proposed additions
  to the vendor master file) that's completed and signed by vendors.
  And finally, the least desirable option is a civil lawsuit in which
  documents and records are subpoenaed.


Sample Right-to-Audit Clause


Below is a sample right to audit clause that organizations may use to develop their own clause, or to
update an existing clause. The sample language, however, is not intended to represent legal advice.
Consult with appropriate legal counsel before utilizing this information.
In the sample right-to-audit clause below, the term "Contractor" is used to describe signatories to
contracts, grants, and agreements with the [Company] and must be changed to reflect the
relationship with the Company (e.g., contractor, licensee, supplier, vendor, consultant, etc.).
Right to Audit.
[Contractor] shall establish and maintain a reasonable accounting system that enables [Company] to
readily identify [Contractor]'s assets, expenses, costs of goods, and use of funds. [Company] and its
authorized representatives shall have the right to audit, to examine, and to make copies of or
extracts from all financial and related records (in whatever form they may be kept, whether written,
electronic, or other) relating to or pertaining to this [Contract or Agreement] kept by or under the
control of the [Contractor], including, but not limited to those kept by the [Contractor], its
employees, agents, assigns, successors, and subcontractors. Such records shall include, but not be
limited to, accounting records, written policies and procedures; subcontract files (including
proposals of successful and unsuccessful bidders, bid recaps, etc.); all paid vouchers including those
for out-of-pocket expenses; other reimbursement supported by invoices; ledgers; cancelled checks;
deposit slips; bank statements; journals; original estimates; estimating work sheets; contract
amendments and change order files; backcharge logs and supporting documentation; insurance
documents; payroll documents; timesheets; memoranda; and correspondence.
[Contractor] shall, at all times during the term of this [Contract or Agreement] and for a period of
ten years after the completion of this [Contract or Agreement], maintain such records, together with
such supporting or underlying documents and materials. The [Contractor] shall at any time
requested by [Company], whether during or after completion of this [Contract or Agreement], and at
[Contractor]'s own expense make such records available for inspection and audit (including copies
and extracts of records as required) by [Company]. Such records shall be made available to
[Company] during normal business hours at the [Contractor]'s office or place of business and
[subject to a three day written notice/without prior notice]. In the event that no such location is
available, then the financial records, together with the supporting or underlying documents and
records, shall be made available for audit at a time and location that is convenient for [Company].

[Contractor] shall ensure [Company] has these rights with [Contractor]'s employees, agents, assigns,
successors, and subcontractors, and the obligations of these rights shall be explicitly included in any
subcontracts or agreements formed between the [Contractor] and any subcontractors to the extent
that those subcontracts or agreements relate to fulfillment of the [Contractor]'s obligations to
[Company].
Costs of any audits conducted under the authority of this right to audit and not addressed elsewhere
will be borne by [Company] unless certain exemption criteria are met. If the audit identifies
overpricing or overcharges (of any nature) by the [Contractor] to [Company] in excess of one-half of
one percent (.5%) of the total contract billings, the [Contractor] shall reimburse [Company] for the
total costs of the audit. If the audit discovers substantive findings related to fraud,
misrepresentation, or non-performance, [Company] may recoup the costs of the audit work from
the [Contractor]. Any adjustments and/or payments that must be made as a result of any such audit
or inspection of the [Contractor]'s invoices and/or records shall be made within a reasonable
amount of time (not to exceed 90 days) from presentation of [Company]'s findings to [Contractor].
© 2012 Association of Certified Fraud Examiners, Inc.
