RPC
United Kingdom
April 23 2013
Introduction
Facts
Decision
Comment
Introduction
Audit rights are commonly included in IT contracts in order to allow one party to access information held by the
other party in relation to the agreement between them. Although dealing with the construction industry, a recent
High Court decision (Transport for Greater Manchester v Thales Transport & Security Ltd) nonetheless provides
useful guidance for parties to IT contracts on which information or documents are likely to be disclosable under
such a clause and which information or documents may be withheld.
The audit rights clause will sensibly address the following issues:
http://www.lexology.com/library/detail.aspx?g=c980ada7-24ad-4747-86cd-77435ed9... 11/12/2015
Thales contracted with Transport for Greater Manchester (TGM) to supply a new tram operating system for
Manchester Metrolink. A dispute arose over additional costs relating to the tram system. TGM requested wide-ranging documents from Thales under the audit rights clause of the contract. When Thales refused to provide
the documents under the clause, TGM applied to the court for an order requiring Thales to do so.
The court granted specific performance in respect of the majority of the documents that TGM had requested
Thales to provide. The audit rights clause permitted TGM to request documents "relating to the carrying out of
any of the Supplier's obligations" or in order to "audit" any of the information that Thales had provided to TGM.
Decision
The court decided that the wording of the clause was broad enough to cover documents relating to contractual
non-performance, as well as where the contract had been properly performed. It also held that the term 'audit' in
this context simply meant "to check or verify" and was not limited to financial records.
The following documents were found to be within the scope of the rights granted by the audit clause:
It is important to be clear about the purposes for which audit rights may be invoked and to
ensure that these are as narrow as possible.
The clause should specifically restrict access beyond the agreed audit purposes.
Access should be restricted to specific categories of document.
Consider audit rights in subcontracts and ensure that they are sufficient to enable a flow-down
of audit rights where necessary.
http://www.secureworldexpo.com/blog/why-you-should-use-a-right-to-audit-clause
11/12/2015
164.502 (e)(1) Standard: Disclosures to business associates. (i) A covered entity may disclose protected health information to a business
associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the
covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the
information.
An audit is one good way to obtain such satisfactory assurance. (More are listed below.)
#3 A right to audit strengthens security and privacy controls
When organizations know they could be audited at any time it will provide the motivation for them to then ensure their information security
and privacy controls are as effective as possible, and that they meet all their compliance requirements. I've seen this firsthand, in dozens of
organizations.
When you are thinking about the areas where you want to audit your business partners, you will also ultimately realize areas within your own
organization where you should also check on security and privacy controls. I've also seen this firsthand. In each of my clients where I
performed third party audits on their behalf, as I was going over the findings with them they all became more aware of similar issues within
their own business practices and then worked to address them.
Including the right to audit clause also keeps options open for you if you ever suspect, or hear of, any information security or privacy concerns
within any of your BAs or other types of business partners.
Other options for business partner oversight
There are other good, effective ways in which you can provide additional satisfactory assurance that your business partners are not putting
your information at unnecessary risk. I will probably elaborate upon some of these in upcoming blog posts based upon feedback and/or
requests readers provide, but for now here is a list of additional actions for you to consider. You can require your business partners to:
Complete monthly information security and privacy attestations. I include a short information security and privacy quiz, which is
different every month, in the ones I create for my clients.
Provide a copy of their most recent independent information security and/or privacy audit.
Maintain a third party security or privacy seal on their site. This is of particular value for cloud service providers.
Allow your organization to occasionally review business partner information security and privacy policies.
Understand that your organization will regularly check online reports to discover when business partners have been involved in
incidents, breaches, or frauds for which they did not provide any notification.
And, you should always include detailed safeguard requirements within the business partner agreement/contract, not just a simple, vague
statement indicating the need for information security controls.
Right to audit myths
I've heard some interesting reasons and myths for why an organization shouldn't provide a right to audit clause. Let me dispel a couple of
them:
1) If you include a right to audit clause then you are obligated to actually perform an audit. False!
A right to audit clause is just that; you are reserving your right to audit if you should ever determine there is a need to do so. When worded
properly it does not establish any obligation on your part to actually perform an audit. A right to audit clause is a fail-safe to reserve that
option if the need should arise.
2) You should only include a right to audit clause within the contracts for BAs and other business associates that are considered to be high
risk. False!
Relationships with business partners often quickly change. A very low risk relationship with a business partner can quickly become high risk
when they start doing different types of services for you, when they start using new technologies such as smartphones, social media, and
cloud services, and so on. Also, organizations often are not aware of risks within their business partners that would have made them a high-risk proposition.
Bottom line for all organizations, from the largest to the smallest: "Trust but verify" is an old Russian proverb that Ronald Reagan
quoted often during his presidency (http://www.youtube.com/watch?v=As6y5eI01XE). And with good reason; in a wide range of life
situations you need to validate something is as promised. When it comes to information security and privacy, you need to be able to validate
the third parties you've entrusted with your organization's information have appropriate controls in place. If you don't have a right to audit
clause within your business partner contracts you could be shutting off your ability to have such an audit performed whenever the need arises.
Psst, hey outsourced entities, make sure you are prepared to meet such requests.
Additional information about using a right to audit clause
Here are some additional sources of information related to the need to include a right to audit clause within business partner contracts:
FFIEC examination procedures handbook, which includes directives to check for right to audit clauses (https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&cad=rja&ved=0CFwQFjAF&url=http%3A%2F%2Fithandbook.ffiec.gov%2Fmedia%2F152569%2F03_12_2012_outsourcing_cloud_workrogram_final_03_12_2012.docx&ei=iKb9UJHOH8b62gXF54CYAg&usg=AFQjCNEs7spk5RYJoRxMBmKI4M6PgUo3A&bvm=bv.41248874,d.b2U)
IIA presentation includes recommendations to use right to audit clauses, Identifying and Managing Risk in Outsourcing/Off-shoring
Arrangements (https://na.theiia.org/training/eLearning/members/Member%20Documents/112008_Viewer_slides.pdf)
FFIEC outsourcing booklet recommends the use of right to audit clauses
(http://community.mis.temple.edu/mis5205sec001f12/files/2012/10/Outsourcing_Booklet.pdf)
Annex A of ISO/IEC 27001: A12.5.5 Outsourced software development recommends using right to audit clauses
(http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=42103)
Cloud computing security concerns: How to audit cloud computing (http://searchcloudsecurity.techtarget.com/tip/Cloud-computing-security-concerns-How-to-audit-cloud-computing) includes recommendations for right to audit clauses
20 steps to an iron-clad SaaS contract
(http://blogs.computerworld.com/19733/20_steps_to_an_iron_clad_saas_contract) recommends using right to audit clauses
I provide a sample right-to-audit clause as part of my Compliance Helper (http://www.compliancehelper.com/) library of
customizable forms, policies and procedures.
Right to Audit Clause - McGovern & Greene LLP Accountants, Forensic Accounta...
Introduction
In 1997, the Institute of Management and Administration surveyed the
readers of their newsletters and other professionals on the use of the Right
to Audit Clauses for vendors. The survey found the participants believed that
these clauses were a good idea, citing their use when:
http://www.mcgoverngreene.com/archives/archive_articles/Craig_Greene_Archives/ri... 11/12/2015
When the right to audit is exercised, the internal auditor may be looking for
fraud by vendors and violations of company ethics policies such as:
Audit Procedures
Vendor Questionnaire
Model Corporate Policy
2015 McGovern & Greene LLP All rights reserved.
[Contractor] shall ensure [Company] has these rights with [Contractor]'s employees, agents, assigns,
successors, and subcontractors, and the obligations of these rights shall be explicitly included in any
subcontracts or agreements formed between the [Contractor] and any subcontractors to the extent
that those subcontracts or agreements relate to fulfillment of the [Contractor]'s obligations to
[Company].
Costs of any audits conducted under the authority of this right to audit and not addressed elsewhere
will be borne by [Company] unless certain exemption criteria are met. If the audit identifies
overpricing or overcharges (of any nature) by the [Contractor] to [Company] in excess of one-half of
one percent (.5%) of the total contract billings, the [Contractor] shall reimburse [Company] for the
total costs of the audit. If the audit discovers substantive findings related to fraud,
misrepresentation, or nonperformance, [Company] may recoup the costs of the audit work from
the [Contractor]. Any adjustments and/or payments that must be made as a result of any such audit
or inspection of the [Contractor]'s invoices and/or records shall be made within a reasonable
amount of time (not to exceed 90 days) from presentation of [Company]'s findings to [Contractor].
2012 Association of Certified Fraud Examiners, Inc.