All You Need to Know About Contract Compliance Audits
The term contract compliance audit is used loosely to refer to several kinds of audits that focus on different areas of a business. Regardless of the specific focus, a contract compliance audit is essentially just what it sounds like: an audit that measures and tests whether specific contracts were performed according to their own provisions and whether they comply with all applicable legal requirements.
To be clear, there are many types of audits that businesses can undertake. These generally include contract, financial, environmental, regulatory, vendor, information technology, intellectual property, denial of payment, fraud, quality assurance, and matter management audits. The primary goal of these audits is to assess the business's adherence to best practices.
Contract compliance audits, however, are slightly different. These audits tend to lean more toward the legal side of the business, and analyze if what has been done is within legal guidelines. Rarely, if ever, do you end up with a business that is failing as a result of a contract compliance audit. More likely, a contract compliance audit will help reveal areas where the business can improve.
When it comes to contract compliance audits, there are three main objectives. First, the audit will determine whether the business or its contractors are in compliance with legal requirements. Second, the audit will seek to identify ways to improve business practices. Third, the audit will work to ensure that the business is protected from liability.

Attributes of a Thorough Audit
The success of a contract compliance audit turns on a number of key elements. First and foremost, the audit should be directed by a clear set of objectives, because a directionless audit is bound to produce inconclusive or irrelevant results. Although most buyers of goods and services have taken the time to write their basic business requirements into a purchase agreement, "contract compliance" is a different story: purchasers (if they contemplate a contract compliance audit at all) often struggle to articulate exactly what they want to see as a result of the audit. These objectives must be conveyed to the auditor at the beginning of the engagement and revisited frequently throughout the audit. They serve as a "reality test": unless these objectives are met, the audit has failed.
Next, there must be key metrics to measure progress. A contract compliance audit is generally performed over a defined period (i.e., a sample of data for a specified number of months), and those data points should be analyzed continuously and consistently for compliance with the agreement. The most common contractual requirements that fall within the scope of a contract compliance audit are:
An auditor can test for these requirements by reviewing records of incoming purchase orders (POs), the documents the supplier generates in response to them, the supplier's internal records that derive from those POs, and so on. That is, the auditor should be looking for an established audit trail in each of these key areas. These metrics serve as a baseline for the audit and should be monitored continuously throughout it, since that is what makes trends visible.
Third, the audit must be sufficiently documented, as the outcome of the audit depends in large part on the quality of the documentation. The auditor must track progress, document formal and informal communications throughout the audit process, and support the audit report itself with thorough documentation.
How to Carry Out a Contract Compliance Audit
Once an organization decides to conduct an audit, careful planning is the next step in the process. A contract compliance audit seeks to determine whether contractual obligations have been adhered to across the larger population of suppliers and, therefore, across the organization. This is substantially different from a vendor audit of a particular supplier, which typically involves investigation of specific transactions.
In its most basic form, planning involves defining the scope of the contract compliance audit. Questions such as the following should be answered at this stage:
Contract compliance audits should be conducted periodically rather than only when a deal is being renegotiated; that way they do not delay ongoing contract negotiations, and executives have a better ongoing understanding of whether the contractual obligations in their deals are being met.
The amount of time required for the audit will depend on the size and complexity of the contracts and the supplier population. To keep the project organized, it is often preferable to create a centralized database or spreadsheet that captures vendor supply information. The database or spreadsheet can also serve as a working document for recording exceptions identified during the audit. For small and medium-sized deals and suppliers, the review may be completed fairly informally from existing documentation. Larger deals, however, require a more rigorous review process.
A contract compliance audit should seek to identify the following within the company's systems (internal and external, including IT):
A final report or presentation should communicate the overall results of the contract compliance audit in an objective, easy-to-understand manner. Detailed exhibits can be used to further substantiate the results. The report should address the audit objectives and scope, the exception analysis, a discussion of findings, and recommendations for improvement. It may also be useful to include the audit work papers and a list of participants as appendices.
Depending on the content of the report, the auditor may want to formally present the results to all key stakeholders collectively, to develop a shared understanding of the rationale for the findings, effect change where appropriate, and gain cooperation moving forward. For instance, it may be appropriate to collaborate with legal counsel to determine the best forum and approach for communicating the report to the executive committee. The auditor may also want to hold a series of meetings with management. Where required, be specific about the action items and the responsible parties, so that progress can be tracked after the audit report is issued.
Common Obstacles and Errors
Identifying a problem with a contractor, vendor, or other third-party provider covered by a compliance auditing program is only half the battle. After a problem is discovered, the results need to be communicated appropriately, any risk of reputational harm or legal liability addressed, and the necessary remediation steps documented. Some common challenges and pitfalls that arise during contract compliance audits are listed below.
Communicating Results
It is essential to maintain an open line of communication with anyone who might be involved in remediating a problem. For example, agreeing how to recover an overpayment when a vendor has billed at an incorrect rate, or seeking early advice on how to document an employee termination, is important both to get ahead of the issue while it is fresh and to avoid rework later. As noted at the beginning of this guide, consider how to communicate difficult results to different audiences, including the board, senior management, internal audit, legal, and any third-party recovery partners. It is equally important to communicate findings clearly to the parties identified as responsible for remediation, to avoid duplicated effort, confusion, lack of follow-through, or the risk that the matter is left entirely unresolved because each party assumed another was responsible for the response.
Resisting Scope Creep
Sometimes there are matters that auditors wish to investigate further, whether through more documents, deeper interviews, more time on-site, or otherwise. Control the scoping arrangements with your auditor carefully, keeping the scope tied to the issues originally identified. Approach new issues through the proper process for adding scope, which may include expanding the audit program for future audits.
Identifying Applicable Privileges
Before taking action, such as conducting an interview or requesting a document, determine what privilege, if any, applies to the subject matter. For example, interviews of employees conducted by non-lawyer audit staff may not be protected by the attorney-client privilege, and in most instances the employee has no personal interest in the outcome of the matters under investigation. In these cases, confirm with the employee at the outset that the results of the interview will be documented in the final report; informing the employee in advance of this is often sufficient consent. (Be careful not to disclose extremely sensitive information to others, since doing so could destroy any attorney-client or work-product privilege that does apply.) Note also that privileged matters are handled differently in a litigation context than in an audit context. In litigation, the parties must take care not to include material protected by the attorney-client or work-product privilege in their discovery responses. Audit team members, however, are typically contracts, compliance, or finance professionals rather than lawyers, so information gathered and reported by them may lack the protection it would have had in a litigation context. If an unexpected issue emerges that falls outside the current scope of the audit program and you do not plan to pursue remediation through internal audit and reporting, consider ways to preserve the confidentiality of the matters being discussed.
For example, counsel may prepare a memorandum that records when, and by whom, the issue was discovered and mark the investigation file as privileged and confidential. This is not the preferred method of maintaining confidentiality, but it should preserve the applicable privileges, provided the memorandum is not referenced at hearings or otherwise made public, which could waive them. In addition, where audit reports will be furnished to federal or state authorities, removing privileged material and privilege markings before production helps preserve the applicable privileges.
Issues with Program Effectiveness Can Inadvertently Emerge
Occasionally, an auditor will discover that a contractor's compliance with the contract relies too heavily on internal training and on the documentation of key controls, and that those key controls have not been sufficiently tested. If so, these instances should be documented and monitored as if they were audit findings. Further, to the extent they are material, they should be communicated to the affected parties for remediation.
Updating Audit Programs and Workplans
By the end of a contract compliance audit, the audit team may be suffering from "audit fatigue" and be inclined to leave the audit program unchanged from the previous year, on the theory that "no news is good news." Resist this temptation. Audit programs should be updated as often as is practical to incorporate both newly identified risks and any lessons learned since the program was last used.
Technology for Improving Audits
Contract compliance audits of the recent past have been far more labor-intensive and time-consuming than we believe they need to be. In our experience, properly trained, knowledgeable internal auditors spend at least twice as much time as they should on every contract compliance audit. A number of technological tools now available for purchase have changed the process considerably.
In addition to contract compliance audit software that helps track specific contract terms and conditions and manage an audit (e.g., Aptify, Icertis Contract Manager, Coupa, Ariba, RFP360, and Oracle), there are a number of automated contract management programs that can support the contracting process before an audit becomes necessary, including Contract Logix, Concord, Ironclad, Ceros, Litify, Agiloft, ContractSafe, Clause, and ContractRoom.
Some audit-specific technologies used by both external and internal contract compliance auditors include data analytics software (see below) and artificial intelligence programs such as DataRobot and Premonition. We are not fans of artificial intelligence programs that require a third party to be granted access to everything from accounts payable data to internal servers before it can produce an analysis. Even if the results are accurate, once that data has been handed to an outside party the company can no longer vouch for its confidentiality or integrity.
Companies are unlikely to find, and even less likely to pay for, staff dedicated to checking the accuracy of the numbers such a tool consumes. Errors in the data used during the training period are carried into the model, and once the machine learning takes over, those discrepancies are no longer caught. The automated process also does not draw the distinctions an experienced auditor would draw in the company's favor, and the model cannot be tailored to the company's existing data. Even if the artificial intelligence program works perfectly, the data may have changed by the time the program is engaged or has learned what to do with it.
More generally, it is no surprise that data analytics and data mining software is becoming increasingly important across industries. Some data analytics tools are used to compare data across similar contracts (isolating only the variances), to predict results based on those variances, and to extrapolate from the data to better understand potential risks.
A few of the data analytics programs used by companies include SAP BusinessObjects, Zoho Analytics, SAS, IBM SPSS Statistics, TIBCO Spotfire, Google BigQuery, SurveyMonkey, and HubSpot.
The Value of Routine Audits
The need for regular audits is often overlooked. However, these audits must be conducted regularly to assess and manage risk to the organization. Regularly scheduled contract compliance audits bring a number of benefits.
First, regular audits allow the organization to manage business risk. Organizations can be held liable for their suppliers' failure to comply with certain contract terms and conditions. Regular audits help confirm that suppliers are in compliance before a violation occurs, addressing the organization's risk from the outset.
Second, organizations can strengthen their relationships with their suppliers. By performing regular audits, organizations differentiate themselves from their peers. Suppliers recognize that there is greater value in doing business with organizations that prioritize compliance, particularly in a global economy where violations can attract public attention that the supplier would not want associated with its brand.
Third, by working with a supplier through the auditing process and demonstrating to customers that the organization prioritizes compliance, the organization may be able to obtain more favorable pricing from the supplier for the goods or services provided.
Fourth, organizations demonstrate that they intend to be good actors by performing regular audits. That record of good faith may deter litigation from parties acting in bad faith. For example, a court may be less likely to hold an organization liable if it can demonstrate that it took measures to ensure that a supplier was in compliance.
Lastly, compliance audits against a standard such as ISO 9001 are a way of demonstrating that an organization is committed to improving its processes over time.
Considerations for Different Industries
For industries such as healthcare and finance, HIPAA and GLBA already mandate specific contractual terms: HIPAA requires written agreements between covered entities and the business associates that handle protected health information on their behalf, and GLBA requires financial institutions to bind by contract the service providers that access customer financial information. Since the Gramm-Leach-Bliley Act (GLBA) was enacted in 1999, financial institutions have been careful not to share customer and other financial records with companies that lack a contractual agreement or a need for the information. Non-compliance with GLBA can lead to significant civil and criminal penalties, and enforcement can come from the state level all the way up to the federal government.
Because of the sensitive nature of patient information, the healthcare industry has clear guidelines provided by the Health Insurance Portability and Accountability Act (HIPAA). The act protects the interests of patients in all matters related to the privacy and confidentiality of their health information. HIPAA requires administrative, physical, and technical safeguards to protect patient data. Failure to comply with HIPAA regulations can result not only in fines but also in civil and criminal prosecution.
The National Institute of Standards and Technology (NIST) publishes standards to be used by all federal departments and agencies that handle sensitive information. The requirements set by NIST are not far removed from what the private sector uses to protect its financial and private data. As far as contract compliance audits are concerned, there is little difference in how they are performed from one industry to another, except that the auditor must be aware that the level of regulation differs in the healthcare, government, and financial sectors.
Emerging Trends in Compliance Auditing
Looking ahead, the landscape of contract compliance audits is set for further evolution. One key trend is a likely tightening of regulatory requirements following recent high-profile enforcement actions. The U.S. Federal Acquisition Regulation (FAR) may see adjustments aimed at reinforcing oversight and compliance, and industry-specific regulations may also become stricter. Additionally, growing concern for economic and national security could lead to enhanced compliance scrutiny of federal contracts.
Concurrently, we are witnessing a growing reliance on artificial intelligence (AI) and machine learning in auditing practice. AI offers an additional tool for detecting non-compliance more efficiently and at scale. Some current auditing systems already use AI to analyze large volumes of contractor data, which opens up new opportunities for identifying discrepancies and triggering compliance actions.
For effective contract compliance, organizations should stay at the leading edge of these trends. They must be aware of the regulatory changes on the horizon and adapt their internal processes and procedures accordingly. They also need to invest in new technologies that use AI for smarter, faster, and more consistent audits.