Overview

IACCM CONTRACTING PRINCIPLES
CUSTOMER AUDIT OF SUPPLIERS

I. Definitions

The following definitions apply to these IACCM Contracting Principles:

  • "Financial Audit" means investigation and examination of financial records and other documents, for the purpose of verifying amounts charged (including any price changes as stipulated in the contract) and/or credited (e.g., SLA credits) by a Supplier.
  • "Compliance Audit" means investigation and examination of Supplier records and premises for the purpose of verifying Supplier’s compliance with data security requirements, specific legal requirements, employee screening requirements, and/or other Supplier contractual obligations (other than SLAs, which are covered by the Service Quality Audit).
  • "Service Quality Audit" means investigation and examination of Supplier records for the purpose of verifying that service levels are being met.

II. General Concepts

The following concepts form the basis for the more detailed IACCM Contracting Principles that follow:

  • The extent to which audit rights will be provided to a Customer is a commercial issue that should be negotiated based on the size and scope of the deal, and the nature of the solution. The type and extent of audit rights granted should be memorialized in the contract based upon business-to-business discussions.
  • Audits are a tool used by Customers to verify that contractual commitments are being met. However, Suppliers have a strong interest in ensuring that the scope of Customer’s audit rights is aligned with the Supplier’s obligations, so as to mitigate the costs, confidentiality issues, disruption and other burdens to Suppliers associated with the audit.
  • Audit rights should not be unlimited, but should be prescribed based on legitimate Customer needs that cannot be otherwise satisfied, and should not subject a Supplier to undue hardship.
  • Audit rights cannot require the Supplier to violate its own legal or contractual obligations.

IV. IACCM Contracting Principles

A. General Audit Principles

  • All audit rights, whether for Financial Audits, Compliance Audits or Service Quality Audits, should be subject to (1) reasonable parameters on what can be audited; (2) requirements to provide reasonable advance notice; and (3) restrictions on frequency. One reasonable audit parameter should be the exclusion of third party information, confidential information (unless proper protections are in place) and Supplier highly sensitive information.
  • Audit rights should apply during the term and any other periods for which Supplier is contractually required to maintain the records subject to audit, but audits should not be permitted to go back further in time than the period for which a remedy is permitted under the contract.
  • Costs of an audit should be borne by the Customer, unless the parties agree that Supplier should bear some pre-agreed portion of the reasonable audit costs if a Financial Audit discloses material over-billing on the part of Supplier or in the event of other material non-compliance.
  • Where Customers need audit rights to comply with their own auditing and regulatory requirements, Supplier’s support obligations should be specified in the agreement and should be limited to its provision of services and/or products.
  • If faults found during an audit constitute a breach of the Supplier’s contractual obligations, they should be treated the same as any other contract breach, e.g., the Supplier should be given an opportunity to cure and the Customer should be entitled to the same remedies otherwise available under the agreement.
  • Customers and Suppliers should agree on audit methodology and on a process to review audit results, correct for disclosed deficiencies, and confirm corrections are completed.
  • If Customers request to use third party auditors, Supplier and Customer should ensure that appropriate confidentiality obligations and use restrictions are established with that third party auditor, and that the third party auditor is not a competitor of Supplier who could gain competitive advantage through the audit. Audit results should be shared with the Supplier. Where feasible, the entity performing the audit should be required to destroy all data gathered during the audit.

B. Financial Audits

  • Financial Audit rights are appropriate for all types of Customer contracts, subject to the general audit principles described above.
  • For Financial Audits, records should be limited to those available under Supplier’s record retention policies.
  • Customer should not have Financial Audit rights to Supplier’s subcontractors.

C. Operational Audits

  • Service Quality Audits intended to determine compliance with service levels generally should be limited to relevant customer-specific operational data, and should not include on-site audit rights.
  • Compliance Audits related to data security should be satisfied by Supplier’s provision of responses to security questionnaires and non-sensitive data security information, which may include internal audit reports, SSAE 16, ISAE 3402 or similar audit reports (redacted or summarized as appropriate). Certifications demonstrating achievement of industry standards or the equivalent should serve as validations of compliance with those industry standards.
  • Audits should not include penetration or other real-time security testing, which could adversely affect Suppliers’ operations and their customers.