Wednesday, April 25, 2018
Over the years the concept and scope of audits have changed. In the past most contract audits involved money. Have you paid the other party what you were required to pay them? For items that required reimbursement, do the records exist that verify the cost to be reimbursed? Audits have migrated from a pure financial focus into information security such as cyber security, data protection, and data privacy. They have also been used to understand and help manage performance risk including third-party risk, operational risk, and crisis management such as when a force majeure occurs. Internal audits may be conducted to ensure compliance with laws or regulations. Individual issues such as quality problems may also warrant an audit or inspection of the premises where the product is made.
The starting point in any audit provision is to establish the requirement that the company keep and maintain records for a specific period of time so they can be audited and verified. Then you need the contract to grant you audit rights. When audit rights language is negotiated, the typical things that are negotiated are:
1. Who can perform the audit?
2. When or how often can the audits be done?
3. The scope or extent of the audit.
4. What records will or won’t be made available for audit.
5. Who pays for the cost of the audit and the cost of any additional audits that may be required?
Audit rights are something that Suppliers are extremely reluctant to provide, as they are concerned about the information that the Buyer could discover. You should expect that Suppliers may:
1) Require audits be performed by an independent auditor, rather than Buyer personnel.
2) Have agreement or approval over the auditor that will be used.
3) Have the scope of the audit be restricted to only that information that is required to comply with the agreed audit scope.
4) Limit the frequency of audits as much as possible to reduce the disruption.
5) Want the Buyer to pay for all costs associated with the audit.
6) Want significant notice periods prior to the conduct of an audit.
What should be the notice period? The supplier may want a reasonable notice period. The problem with that is the parties may not agree upon what is reasonable. In fact, what is reasonable will always be dependent on what is being audited or inspected. For example, to verify the status of work-in-process, the requirement could be immediate. The same immediate right makes sense if you were having a quality problem. An audit of financial records would require a longer period and should take into account the supplier's financial calendar. If you have a safety problem, or a data breach, you want the right to audit immediately. For things such as financial risk of a supplier you could have the audit be once a year or more frequently if there is deterioration in their financial position.
In establishing specific notice periods, if the Supplier can provide you what you need immediately, I want the immediate right to audit. If it is a major issue that may require preparation time, I want a maximum of ten (10) days. For other situations I want a maximum period of thirty (30) days. These should be expressed as calendar days as that will create the shortest period.
Limitations on your right to audit may add to either your cost or risk. In negotiating the cost of an audit I want the results to be categorized as either: Acceptable, Minor Problems Found, or Unacceptable. If the audit discloses acceptable performance, the Buyer will pay the full cost. If the audit discloses only minor problems, the Buyer will pay for the cost of the audit and the parties will share the cost of a subsequent audit to ensure the problems have been corrected. If the audit results are classified as unacceptable, the Supplier must pay for the cost of the audit and any subsequent audits to ensure compliance is met.