2artigo - right to audit clause - ler e aplicar

Upload: marciopiza

Post on 24-Feb-2018


  • 7/25/2019 2Artigo - Right to Audit Clause - Ler e Aplicar


    RPC

    United Kingdom April "# "$%#

    Audit rights under IT contracts


    Introduction

    Audit rights are commonly included in IT contracts in order to allow one party to access information held by the other party in relation to the agreement between them. Although dealing with the construction industry, a recent High Court decision (Transport for Greater Manchester v Thales Transport & Security Ltd) nonetheless provides useful guidance for parties to IT contracts on which information or documents are likely to be disclosable under such a clause and which information or documents may be withheld.

    The audit rights clause will sensibly address the following issues:

    • who is permitted to access which information;

    • the permitted reasons for carrying out an audit;

    • the frequency with which audits can occur;

    • timescales and notice requirements; and

    • allocation of costs incurred by each of the parties in connection with the audit.

    In addition, audit rights will usually be supplemented by an obligation to maintain certain records.

    Facts


    Thales contracted with Transport for Greater Manchester (TGM) to supply a new tram operating system for Manchester Metrolink. A dispute arose over additional costs relating to the tram system. TGM requested wide-ranging documents from Thales under the audit rights clause of the contract. When Thales refused to provide the documents under the clause, TGM applied to the court for an order requiring Thales to do so.

    The court granted specific performance in respect of the majority of the documents that TGM had requested Thales to provide. The audit rights clause permitted TGM to request documents "relating to ... the carrying out of any of the Supplier's obligations" or in order to "audit" any of the information that Thales had provided to TGM.

    Decision

    The court decided that the wording of the clause was broad enough to cover documents relating to contractual non-performance, as well as where the contract had been properly performed. It also held that the term 'audit' in this context simply meant "to check or verify" and was not limited to financial records.

    The following documents were found to be within the scope of the rights granted by the audit clause:

    • board meeting minutes (including those of other group companies);

    • reports produced by external advisers;

    • internal reviews of the contract and its issues;

    • sensitive commercial information; and

    • documents that reviewed the obligations long after the problems occurred.

    Specific performance was refused and Thales therefore was not required to disclose documents where:

    • the categories of document were too imprecise;

    • the documents were covered by legal privilege; or

    • the court felt that there was danger of the clause being used to carry out a "fishing expedition".

    Comment

    From the perspective of an IT service purchaser seeking to rely on the audit rights clause, it should be remembered that specific performance (as ordered by the court in this case) is an equitable remedy and, therefore, will not always be available. The court will consider the context of an audit request, not merely the contractual interpretation of the audit rights clause itself. Any specific performance request requires precision and care should be taken to ensure as much clarity as possible in formulating a request for documents.

    From the perspective of an IT service provider likely to be on the receiving end of an audit rights request, this case raises a number of key points for consideration:

    • It is important to be clear about the purposes for which audit rights may be invoked and to ensure that these are as narrow as possible.

    • The clause should specifically restrict access beyond the agreed audit purposes.

    • Access should be restricted to specific categories of document.

    • Consider audit rights in subcontracts and ensure that they are sufficient to enable a flow down of audit rights where necessary.

    • Include a specific right to redact information provided in the course of an audit.

    • Include an explicit carve out for both legal advice privilege and litigation privilege.

    • Consider whether the instruction of experts to examine a problem and their reports should be outside of the audit rights.

    • Ensure that confidentiality provisions offer adequate protection for information disclosed under audit rights.

    • Ensure that significant costs incurred in complying with an audit request are recoverable and priced fairly.

    For further information on this topic please contact Peter Lumley-Savile or Sanjay Pritam at RPC.

    This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.

    Author: Rebecca Herold

    Why You Should Use a Right to Audit Clause

    A Tale of Two Viewpoints

    When I was responsible for information security and privacy at a large financial and healthcare organization throughout the 1990s I had literally hundreds of business partner organizations to which we outsourced various types of activities that required some type of access to our client and customer information. Add to that several hundred agents and, scarier still because they were not exclusively selling our products, brokers, and you can probably imagine the angst I felt when thinking about the ways in which all those other organizations were putting our information at risk. The contracts with them had a very brief requirement to "provide appropriate security controls" for the information, but that did not alleviate my worries. But, since at that time there were no data protection regulations in effect, the lawyers said this simple clause was enough. And then one of the outsourced entities had an incident resulting from lack of controls which allowed a hacker to enter our network.

    Ultimately, after the breach response concluded, I did an audit of the offending business partner to ensure he had made, and kept, changes to keep the same type of security incident from happening again. And then I once again asked the lawyers to beef up the contracts with our various types of business partners, including, among other specifics, a right to audit clause. I wanted to audit not just after a breach, but at any time when I thought necessary to protect our information assets. This time the viewpoint of the legal office had changed. They agreed that it was a good idea, and from that point forward we included a right to audit clause within all contracts with business partners that accessed or possessed our information assets in any way. Such a clause is a good idea for all types of organizations, of all sizes, not only as a way to demonstrate due care, but also to be proactive in preventing privacy breaches and security incidents. Here are three compelling reasons why you should have right to audit clauses within business partner contracts.

    #1 A right to audit allows for identification of risky business partners

    Several years ago I performed over 100 business associate (BA) information security and privacy program audits for a large healthcare insurer. They actually had identified over /0 BAs, but they had identified the 100 that I audited as their highest risk BAs. Throughout the delivery of my audit reports four of the business unit s, and numerous other managers, told me of their concerns about some of the specific BAs, and that their concerns were validated by my audit results. As a result of the audits they were able to get many of the BAs to strengthen their safeguards, and they also terminated their relationships with around half a dozen of the BAs.

    By reserving the right to audit all their BAs, they were able to perform audits within those that they determined to be of highest risk, and they were able to then eliminate those who refused to alter their business actions, and they were able to improve their security, and mitigate associated liability, by having other BAs improve their security programs. I then performed other audits for them in BAs that they had not identified as high risk, but that some of the managers had concerns with.

    #2 A right to audit supports compliance

    When information processing or storage is outsourced to another entity, the organization that gives their BA, or any other type of business partner, access to their information does *not* also outsource their liability for the protection of that information (even though some try really hard to do so through all sorts of complicated liability absolution contract language). The recently released HIPAA Omnibus Final "Mega" Rule (https://s3.amazonaws.com/public-inspection.federalregister.gov

    164.502(e)(1) Standard: Disclosures to business associates. (i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information.

    An audit is one good way to obtain such satisfactory assurance. (More are listed below.)

    #3 A right to audit strengthens security and privacy controls

    When organizations know they could be audited at any time it will provide the motivation for them to then ensure their information security and privacy controls are as effective as possible, and that they meet all their compliance requirements. I've seen this firsthand, in dozens of organizations.

    When you are thinking about the areas where you want to audit your business partners, you will also ultimately realize areas within your own organization where you should also check on security and privacy controls. I've also seen this firsthand. In each of my clients where I performed third party audits on their behalf, as I was going over the findings with them they all became more aware of similar issues within their own business practices and then worked to address them.

    Including the right to audit clause also keeps options open for you if you ever suspect, or hear of, any information security or privacy concerns within any of your BAs or other types of business partners.

    Other options for business partner oversight

    There are other good, effective ways in which you can provide additional satisfactory assurance that your business partners are not putting your information at unnecessary risk. I will probably elaborate upon some of these in upcoming blog posts based upon feedback and/or requests readers provide, but for now here is a list of additional actions for you to consider. You can require your business partners to:

    • Complete monthly information security and privacy attestations. I include a short information security and privacy quiz, which is different every month, in the ones I create for my clients.

    • Provide a copy of their most recent independent information security and/or privacy audit.

    • Maintain a third party security or privacy seal on their site. This is of particular value for cloud service providers.

    • Allow your organization to occasionally review business partner information security and privacy policies.

    • Understand that your organization will regularly check online reports to discover when business partners have been involved in incidents, breaches, or frauds for which they did not provide any notification.

    And, you should always include detailed safeguard requirements within the business partner agreement contract, not just a simple, vague statement indicating the need for information security controls.

    Right to audit myths

    I've heard some interesting reasons and myths for why an organization shouldn't provide a right to audit clause. Let me dispel a couple of them:

    1) If you include a right to audit clause then you are obligated to actually perform an audit. False!

    A right to audit clause is just that; you are reserving your right to audit if you should ever determine there is a need to do so. When worded properly it does not establish any obligation on your part to actually perform an audit. A right to audit clause is a fail-safe to reserve that option if the need should arise.


    Psst, hey outsourced entities, make sure you are prepared to meet such requests.

    Additional information about using a right to audit clause

    Here are some additional sources of information related to the need to include a right to audit clause within business partner contracts:

    FFIEC examination procedures handbook, which includes directives to check for right to audit clauses


    Using the Right to Audit Clause to Detect Procurement Fraud

    by: Craig L. Greene, CPA/CFF, CFE, MAFF, CCEP, MCJ

    Introduction

    In 1997, the Institute of Management and Administration surveyed the readers of their newsletters and other professionals on the use of the Right to Audit Clauses for vendors. The survey found the participants believed that these clauses were a good idea, citing their use when:

    • Purchasers want to ensure sound financial management.

    • Companies must respond to a dynamic and changing environment such as outsourcing, downsizing and ISO 9000.

    • Industry practices include subcontracting.

    McGovern & Greene LLP


    Further, by carrying out regular audits of vendors there tends to be greater trust in the relationship. It also sends a message that the Company will be monitoring the vendor to ensure that the:

    • Vendor is complying with the Company's Ethics or Business Standards and that the

    • Vendor is complying with the contractual relationship between buyer and seller.

    When the right to audit is exercised, the internal auditor may be looking for fraud by vendors and violations of company ethics policies such as:

    • Fictitious "shell companies" set up by employees or others that may or may not provide goods or services;

    • Faulty or inferior quality of goods, such as substitution of material schemes;

    • Short shipments or goods not delivered;

    • Services allegedly performed that weren't needed in the first place, such as equipment repairs, or services never performed at all;

    • High prices when the goods can be bought directly or less expensively from the same or another vendor;

    • Corruption schemes including improper:

        - Payments and kickbacks;

        - Conflicts of interest;

        - Gifts and gratuities to company employees;

        - Commissions to brokers and others.


    Right to Audit Clauses

    The buyer usually obtains the right to examine records of a vendor to determine if a fraud or a violation of company policy has occurred through the following methods:

    Right-to-audit agreement: The agreement can be printed on the back of a purchase order, or other procurement form. The clause could be worded as follows on a purchase order: "Seller shall establish a reasonable accounting system, which enables ready identification of seller's cost of goods and use of funds. Buyer may audit seller's records anytime before three years after final payment to verify buyer's payment obligation and use of buyer's funds. This right to audit shall include subcontractors in which goods or services are subcontracted by seller. Seller shall insure buyer has these rights with subcontractor(s)."

    Right to Audit Clause in a Contract: If a buyer inserts a right

    Procurement Fraud Schemes and Detection

    Shell Company Schemes

    Vendor Overcharges and/or Material Substitution Schemes

    Employee Corruption Schemes

    Audit Procedures


    Vendor Questionnaire

    Model Corporate Policy


    2015 McGovern & Greene LLP. All rights reserved.


    Sample Right-to-Audit Clause

    Below is a sample right to audit clause that organizations may use to develop their own clause, or to update an existing clause. The sample language, however, is not intended to represent legal advice. Consult with appropriate legal counsel before utilizing this information.

    In the sample right-to-audit clause below, the term "Contractor" is used to describe signatories to contracts, grants, and agreements with the [Company] and must be changed to reflect the relationship with the Company (e.g., contractor, licensee, supplier, vendor, consultant, etc.).

    Right to Audit.

    [Contractor] shall establish and maintain a reasonable accounting system that enables [Company] to readily identify [Contractor]'s assets, expenses, costs of goods, and use of funds. [Company] and its authorized representatives shall have the right to audit, to examine, and to make copies of or extracts from all financial and related records (in whatever form they may be kept, whether written, electronic, or other) relating to or pertaining to this [Contract or Agreement] kept by or under the control of the [Contractor], including, but not limited to those kept by the [Contractor], its employees, agents, assigns, successors, and subcontractors. Such records shall include, but not be limited to, accounting records, written policies and procedures; subcontract files (including proposals of successful and unsuccessful bidders, bid recaps, etc.); all paid vouchers including those for out of pocket expenses; other reimbursement supported by invoices; ledgers; cancelled checks; deposit slips; bank statements; journals; original estimates; estimating work sheets; contract amendments and change order files; backcharge logs and supporting documentation; insurance documents; payroll documents; timesheets; memoranda; and correspondence.

    [Contractor] shall, at all times during the term of this [Contract or Agreement] and for a period of ten years after the completion of this [Contract or Agreement], maintain such records, together with such supporting or underlying documents and materials. The [Contractor] shall at any time requested by [Company], whether during or after completion of this [Contract or Agreement], and at [Contractor]'s own expense make such records available for inspection and audit (including copies and extracts of records as required) by [Company]. Such records shall be made available to [Company] during normal business hours at the [Contractor]'s office or place of business and [subject to a three day written notice/without prior notice]. In the event that no such location is available, then the financial records, together with the supporting or underlying documents and records, shall be made available for audit at a time and location that is convenient for [Company].


    [Contractor] shall ensure [Company] has these rights with [Contractor]'s employees, agents, assigns, successors, and subcontractors, and the obligations of these rights shall be explicitly included in any subcontracts or agreements formed between the [Contractor] and any subcontractors to the extent that those subcontracts or agreements relate to fulfillment of the [Contractor]'s obligations to [Company].

    Costs of any audits conducted under the authority of this right to audit and not addressed elsewhere will be borne by [Company] unless certain exemption criteria are met. If the audit identifies overpricing or overcharges (of any nature) by the [Contractor] to [Company] in excess of one half of one percent (.5%) of the total contract billings, the [Contractor] shall reimburse [Company] for the total costs of the audit. If the audit discovers substantive findings related to fraud, misrepresentation, or non-performance, [Company] may recoup the costs of the audit work from the [Contractor]. Any adjustments and/or payments that must be made as a result of any such audit or inspection of the [Contractor]'s invoices and/or records shall be made within a reasonable amount of time (not to exceed 90 days) from presentation of [Company]'s findings to [Contractor].

    2012 Association of Certified Fraud Examiners, Inc.