The audit section in a services agreement contains the provisions that specify a party’s right to access and review another party’s information in order to determine such party’s compliance with the agreement. Depending on the scope of audit rights, the audit section can range from a single paragraph to an entire exhibit to the contract.
Many considerations go into drafting appropriate audit rights, including the types of services that the customer is receiving, and the industry in which the customer’s business operates. In many cases, the customer is the auditing party and the service provider is the audited party, but there are situations where the roles will be reversed. Below is an overview of several key issues to consider when drafting audit rights for services agreements.
Purpose of Audit
Defining the purpose of the audit is an important first step because the purpose often dictates the type of information and scope of access the auditing party will have under the agreement. Generally, the purpose of the audit is to verify compliance with the provisions of the agreement. However, the parties can tailor audit rights narrowly, as well. For example, fee audits are generally limited to determining the correctness of the fees being charged and paid, and data security audits are limited to testing the effectiveness of a party’s data security controls.
What kind of access rights does the auditing party need? Basic audit provisions allow the auditing party access to books and records. To take it one step further, the provision can specify certain types of documents such as invoices, tax filings, and emails that the auditing party may access and review. However, the auditing party may need access to much more than books and records in order to review the other party’s compliance with the provisions of the agreement. This access may need to extend to facilities, systems, personnel, software, and subcontractors. Fee audit provisions would also typically include the right to make copies of books and records. It is not unusual for the audited party to ask that the audit be conducted during normal business hours and not interfere with the day-to-day operations of the business.
Frequency of Audit
How often may the auditing party conduct audits? Depending on the length of the contract, and the type of services the customer is receiving, an annual audit may be appropriate. In other cases, the auditing party may require more frequent audits, such as when the auditing party is operating in a highly regulated industry and governmental authorities need access, or if the audited party has a history of violations. In addition, the auditing party should consider whether it needs post-termination audit rights. Such rights are typical for fee audits and usually last for up to one year after the termination of the contract.
Who has the right to conduct the audit? The contracting party generally has this right, but it can be expanded to include external third-party auditors and governmental authorities depending on the need.
A key requirement in any audit provision is the requirement to remediate findings of noncompliance. In some cases, this is a collaborative effort between the auditing party and the audited party, which may include a review of the audit results, formation of a remediation plan, and approval of the plan by the auditing party. In other cases, such as when the audited party is the service provider, the service provider may be performing the same services for many customers, and such a collaborative effort may not be possible.
Costs of Audit
It is important to state whether the costs of cooperating with an audit are covered by the fees payable under the agreement. If the fees under the agreement do not cover the costs of the audit, it may make sense for the audited party to reimburse the auditing party for its costs if the audit results in any findings of noncompliance. In fee audit provisions, it is not unusual to include a threshold after which the costs of the audit will be borne by the non-compliant party (e.g., if the audit reveals a 5%-10% difference in service fees).
Service providers may engage third parties to conduct their own audits, and the service provider will provide the results to their customers. Common audits of this type are the Service Organization Control (SOC) 1 and 2 audits, certifications to the ISO 27001 standard, and assurance engagements under the International Standard on Assurance Engagements (ISAE) 3000 standards.
This Contract Corner touches on a few key issues when it comes to drafting appropriate audit right provisions. Contracting parties should consider the types of audit rights that may be necessary under a services agreement and should draft the audit rights accordingly.