World class auditors know one of the best ways to fight the fraud risk is to be sure outsource agreements include a Right to Audit clause. Auditors feel good and sleep tight when their client tells them “of course we included the one we use all of the time”. The real test is when glitches and anomalies appear and management asks auditing to do a quick visit with the third party organization.
The discussion will offer insights into:
· Best practices audit clause language
· Compliance, operational and/or financial audit
· Plan in advance or surprise visit
· Books and records
· Location of audit
· Who can or should conduct the audit
· Impact of absence of a Service Level Agreement (SLA)
Right to Audit Clauses: What you need to know!
1. 9/22/2017
Right To Audit Clauses: What You Need to Know!
September 25, 2017
About Jim Kaplan, CIA, CFE
President and Founder of AuditNet®, the global resource for auditors (now available on iOS, Android and Windows devices)
Auditor, Web Site Guru, Internet for Auditors Pioneer
Recipient of the IIA’s 2007 Bradford Cadmus Memorial Award.
Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
About AuditNet® LLC
• AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and features:
• Over 2,700 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners.
Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive CPE as the
confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with your
unique join link.
• We are recording the webinar and you will be provided access to that recording after the
webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• If you have indicated you would like CPE you must answer the polling questions (all or minimum
required) to receive CPE per NASBA.
• If you meet the NASBA criteria for earning CPE you will receive a link via email to download your
certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important
to white list this address. It is from this email that your CPE credit will be sent. There is a
processing fee to have your CPE credit regenerated post event.
• Submit questions via the chat box on your screen and we will answer them either during or at
the conclusion.
• Please complete the evaluation questionnaire to help us continuously improve our Webinars.
IMPORTANT INFORMATION
REGARDING CPE!
• SUBSCRIBERS/SITE LICENSE USERS - If you attend the Webinar and answer the polling questions (all or
minimum required) you will receive an email with the link to download your CPE certificate. The
official email for CPE will be issued via NoReply@gensend.io and it is important to white list this
address. It is from this email that your CPE credit will be sent. There is a processing fee to have your
CPE credit regenerated post event.
• NON-SUBSCRIBERS/NON-SITE LICENSE USERS - If you attend the Webinar and answer the polling
questions (all or minimum required) and requested CPE you must pay a fee to receive your CPE. No
exceptions!
• We cannot manually generate a CPE certificate as these are handled by our 3rd party provider. We
highly recommend that you work with your IT department to identify and correct any email delivery
issues prior to attending the Webinar. Issues would include blocks or spam filters in your email system
or a firewall that will redirect or not allow delivery of this email from Gensend.io
• Anyone may register, attend and view the Webinar without fees if they opted out of receiving CPE.
• We are not responsible for any connection, audio or other computer related issues. You must have pop-ups enabled on your computer; otherwise you will not be able to answer the polling questions, which occur approximately every 20 minutes. We suggest that if you have any pressing issues to see to, you do so immediately after a polling question.
The views expressed by the presenters do not necessarily represent the views, positions, or
opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them, are
for educational purposes only and do not constitute accounting or legal advice or create an
accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet®
makes no representations, guarantees, or warranties as to the accuracy or completeness of the
information provided via this presentation. AuditNet® specifically disclaims all liability for any
claims or damages that may result from the information contained in this presentation,
including any websites maintained by third parties and linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply
recommendation or endorsement by AuditNet® LLC
Today’s Agenda
Speaker’s experiences
Hypothetical Case Study
Contract Basics
Onboarding New Vendors
Service Level Agreements (SLA’s)
Sub-Subcontracting Allowed?
Right to Audit Clauses
Right To Audit Clauses: What You Need to Know!
“You can delegate responsibility but not accountability”
Donald E Sparks, CIA, CISA, ARM
Don@SmartCAATTs.com
407-756-0375
Disclaimer
I am not an attorney! This presentation contains general information only and is not a substitute for professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Just about every auditor knows that one of the best ways to fight the fraud risk is to be sure outsource agreements include a “Right-To-Audit” clause. Auditors feel good and sleep tight when their client tells them “of course we included the one we use all of the time”. The real test is when anomalies appear and management asks auditing to do a quick visit with the third party organization. The discussion will offer insights into:
· The perfect audit clause language
· Compliance, operational and/or financial audit
· Planned in advance or surprise visit
· Books and records
· Location of audit
· Who can/should conduct the audit
· Impact of absence of a Service Level Agreement (SLA)
Marketing
My Goals
Identify areas of “opportunity” for auditors to demonstrate innovative consulting auditing skills. The best opportunities are often overlooked because they are associated with “work”. One such often overlooked service is assisting the business in meeting its objectives when work is delegated to third parties (vendors), i.e., how can auditing get in front of the 8 ball before they are called upon to do a vendor audit?
Things Change
• Virtual workspace/office
• Scattered locations
• Paperless documents
• Electronic payments
• Company wants to focus on core processes
• Cloud computing
• SAAS
Sources of Information
Audits I have Conducted
• Independent Insurance Agency Visits
• Insurance Broker (surprise visit)
• Third Party Administration Contract
• Outside Legal Counsel
• Public Adjustor Contract
• Third Party IS application (focus of this presentation)
Cloud/SAAS Model (diagram labels: Design, Develop, Test, Accept, Host)
Hypothetical Case Study
How Does Auditing Get involved?
• Request of the business unit
• Internal Auditing Charter, approved by the board, requires contract review
• Auditing has a seat on the technology committee
• Auditing is included in all formal new vendor onboarding processes
• Audit has access to the inventory of all contracts
Where To Find Audit Right Terms
• Back of purchase order
• Property Management Agreement
• Insurance policies (WC, inventory, etc)
• Leasing Agreements
• Distribution Agreement
• Joint Development Agreements
• Services (payroll, HR, pensions, etc)
• Technology Development & Hosting Agreement
Where to use
• Many, but we will focus on outsourcing application system development
• Not the only area – some others are inherent, such as workers compensation policies. Premium is conditional until a final audit to determine the premium at policy end.
Contract Sections
Performance | Protection | Protection
Scope | Assignment | Warranties
Performance Service Levels (SLA’s) | Right to Audit | Liability/Damages
Reports | Compliance | Indemnification
Subcontract Third Parties | Intellectual Property Rights (IP) | Dispute Resolution
Duration | Confidentiality & Security | Modification
Fees | Business Continuity & Contingency | Termination
Insurance
What Is A Contract?
“A legally enforceable agreement (promise or a set of promises) for the breach of which the law gives a remedy, or the performance of which the law in some way recognizes as a duty.” Separated into two parts:
• Performance
– Documents expectations and obligations of the parties and products/services to be provided
• Protection
– Provides remedies for the unexpected (i.e. breach)
Project Scope
Detailed description of product/services to be provided and assigns specific obligations of all parties (including any subcontractors/third parties)
Service Levels (SLAs)
Plain language documenting specific minimum service levels, standard maintenance periods, response times for product (usually software) or service issues or failures, additional support (help desk) needs and measurement periods. Best practice is to include as an attachment to the contract and use industry standards to develop service levels.
Service Levels (SLAs)
Examples:
• Service will be fully functional not less than 98% per day/month/quarter
• Must report and cure all Severity 1 issues within 4 hours of company’s written/verbal notification.
• Achieve and maintain a customer satisfaction rating of not less than 75% each calendar quarter
Service Levels (SLAs)
• Maintenance periods should be during customer’s off-peak hours
• Notification requirements: specific personnel & communication channel (email/telephone)
• Requires vendor to self-report issues/failures (audit may/should be considered)
• Damages for failure to meet SLAs usually in form of a % credit of fees with right to terminate for repeated
Subcontractors
• Contract should specify whether parties are permitted to use subcontractors and the specific obligations they will perform.
• Who has right to approve, remove or replace contractor?
• Who is liable for subcontractor? Minimum qualification/background requirements?
• Be sure that subcontractor use language does not conflict with the assignment clause.
Subcontractors (pg2)
Pitfalls:
• Vendor has a lot of spending and thousands of invoices.
• All of the invoices are one-liners from a subcontractor.
• The vendor is a middle man who subcontracted all of the work; who are the real owners of key documentation?
• No timesheets, tracking module levels, payroll, or anything.
• Your contracted vendor has SLA’s with the subcontractor but your involvement is not mentioned.
• No reference to require the subcontractor to keep any documentation.
• There is nothing that resembles an audit clause in the contract.
Fees
• How calculated? (base payments, recurring services, activity charges, etc.)
• Cost for product maintenance/upgrades
• Responsibility for state and federal taxes
• Right to dispute fees without penalty
• Late payment penalties should be reasonable
Right to Audit
• Allows party (or third party agents) to audit company information/records to test internal controls or prove compliance with contract terms.
• Watch for:
– Overly broad property/information access language.
– Who pays for cost of audit? (Under-reporting penalties)
Why you should have right to audit clauses
• Identification of risky business partners
• Support compliance/regulations
• Strengthen security and privacy controls
• You cannot outsource your accountability
A few regulations contain legal requirements, directly or implied, to perform business partner reviews:
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm Leach Bliley Act (GLBA)
• Sarbanes Oxley (SOX) Act
• Federal Trade Commission (FTC) Act
• Fair and Accurate Credit Transactions Act (FACTA)
• Internal Revenue Code (IRC) Section 7612
• U.S. state breach notice laws
• European Union Data Protection Directive
Some Contracts Require Audit Clause
Right to audit myths
Myths for “why” a right to audit clause is not needed:
• Auditors are not lawyers (CEO, CFO, CO, etc.)
• If you include a right to audit clause then you are obligated to actually perform an audit
• The contract is only for 6 or 7 months, so it will be done before an audit is needed
• You should only include a right to audit clause within the contracts considered to be high risk
• The right to audit option is a given or implied in our business
• We have a Service Level Agreement (SLA)
Example Right To Audit Clause?
• [Third Party] will keep accurate and complete records. The [Company] may audit [Third Party]’s records relating to its performance under this Agreement.
• The process involves internal personnel (internal audit, compliance, legal, investigations, etc.) taking model audit clause language and evaluating the audit clause against the unsigned contract terms.
• ACFE version (everything including the kitchen sink)
What can trigger an audit?
• Anomalies in standard performance reports
• Clues from required service level agreement
• End user observations
• Customer input on complaint system
• Other clients of the same third party
Auditing Golden Opportunity
Internal auditing should be a member of the team considering replacing or overhauling a significant system. This involvement should be from the outset as other business users inventory the pros and cons of the current processes. Discussing what is or is not working will be an invaluable learning experience for auditing.
Compliance
• All parties should agree to comply with applicable laws (federal, state and local) and related guidance.
• Be sure to include language that vendor will provide assistance/access as needed to company’s government regulators.
Intellectual Property Rights
• Ownership, rights to and permissible use of company data, equipment, software
• Property rights should generally remain with the property owner or licensor except in cases where there is work product specifically developed for another party
Business Continuity
• Back-up and protection plan in case of disaster or other extraordinary event that prevents use of primary/standard systems.
• Vendor should provide a copy of the plan, update and test it regularly, and provide the results.
Inventory of Audit Rights
• All organizations need to identify and document all the outsourced and contracted entities that possess or otherwise access their information, in all forms. After identifying them, make sure that they have appropriate controls in place, and then establish an oversight method so you can demonstrate due diligence. Then, in the event they have some type of security incident and/or a privacy breach, you will have documented evidence that you did all you could to ensure all hands secured the information appropriately, and you also will have limited your liability as much as possible.
Issues To Consider
• who is permitted to access which information
• the permitted reasons for carrying out an audit
• the frequency with which audits can occur
• timescales and notice requirements
• allocation of costs incurred by each of the parties in connection with the audit
• required obligation to maintain certain records
Inventory
• Does your organization maintain a complete inventory of all third parties that you rely on for key materials?
• Does that inventory indicate what the SLA’s are (monitors)?
• Can you easily obtain a list of contracts with a right to audit clause included?
• Are you aware of clauses directed at your organization?
Onboarding Vendors (diagram stages, in the order shown): RFP, Due Diligence & Risk Assessment, Vendor Selection, Contract Review, Contract Negotiation, Contract Execution, Vendor Monitoring
Right to Audit Clause Pitfalls (Failures)
• No clause in contract (good relationship)
• Very few details on audit rights in contract
• Mention of 'Reasonable Accounting System'
• Honor privacy rights of other clients
• Right to Determine How Funds were Used
• Withdraw from Audit When Scope is Limited
• Limiting Time for Audit
• Level of vendor assistance
• Record Retention requirements
• Can vendor invoices pass pre and post audit tests?
• Access but no utilities
• Copy (and retention) not allowed
• Suitable work space or just stand
• Who pays for audit expenses?
Pitfalls (Failures) page 2
• No place to work
• Include Subcontractors
• Understand Vendor's Business, Products
• Additional Warranties as Part of Contract (who owns finished product)
• Conduct Regular Audits Before Fraud Occurs
• Audit Methodology
Dispute Resolution
The audit is over and the vendor disagrees with every finding the audit team has identified. The findings are not definitive enough to file charges of outright fraud, but there are definitely improper billings. The vendor invokes the arbitration clause to hash out the audit issues.
Dispute Resolution (pg 2)
• Mediation/arbitration clauses
– Be aware of who decision makers are and how selected
– Jurisdiction and venue are important
• Ensure continuation of products/services during any dispute period
• Losing party responsible for costs/fees
Questions?
• Any Questions?
Don’t be Shy!
Thank You!
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email:info@auditnet.org
www.auditnet.org
Donald E Sparks
SmartCAATTs, LLC
don@smartcaatts.com
1-407-756-0375