Right in the middle of your year end audit?

Great, my timing couldn’t be better then.

Since the early 90’s, governments and corporations alike have been implementing standards to ensure that controls and processes are in place to safeguard business and financial data.

To name a few:

  • The Statement on Auditing Standards No. 70, more commonly known as the SAS 70 was first introduced in 1992 as a measure for the controls in a data center.
  • The Statements on Standards for Attestation Engagements No. 16 (SSAE 16) takes it one step further by requiring the auditor to obtain a written assertion from management regarding the design and operating effectiveness of the controls being reviewed.
  • A similar international standard is the ISAE 3402.
  • The Sarbanes-Oxley (SOX) Act of 2002 legislates how long and the manner in which companies store their financial records.

Businesses that provide technical or financial services to their customers are typically required to demonstrate compliance with these audit standards.

Financial institutions and publicly traded companies have requirements related to audit as well.

This all sounds like good fun (and fees) for the accountants. But what does it have to do with the rest of us?


When auditors review an organization’s contract management process, they’re not only looking to see that you have the appropriate contracts in place, but that you and your suppliers are adhering to the terms and conditions in the contracts as well.

Because contracts, particularly those related to procurement and sales, are legally binding business transactions that often have a financial component.

And when the contract is executed, one party will issue a purchase order for the goods/services they are acquiring and the other party will issue invoices for the goods/services they are providing.

The audit will check that purchase orders and invoices are being issued and paid, respectively, in accordance with what has actually been agreed upon in the contract.

Many contracts will also define the way in which companies handle each other's sensitive, confidential information.

Unfortunately, many organizations, including some who have expensive contract management software installed, fail to meet the minimum standards for audit compliance.


We were recently engaged by a mid-tier financial services provider (“The Client”) to help them revamp their internal contract management process after they failed an internal audit.

The Client provides credit card payment processing services for their corporate clients. The business relies heavily on technology and the use of a handful of data centers across the globe (in most cases it doesn’t make sense for organizations to own their own data centers so they will typically outsource or co-locate with other businesses).

The Client actually did a pretty good job of negotiating terms and conditions with their suppliers. For the most part, their contracts had very strong language around privacy and confidentiality. And all of the outsourced data centers were contractually obligated to provide SAS 70 and SSAE 16 certification, SOX compliance, etc.

However, once the contract was signed it was stored in a document repository on a shared drive. Contract renewals were haphazardly tracked by procurement on a spreadsheet, and the only time the contracts were pulled out was at the time of a renewal or (unfortunately) during an audit.

The audit showed that they actually had a few suppliers whose contracts had expired but were continuing to provide outsourcing services, which created a huge data privacy exposure.

Also, because of the way the contracts were stored in a shared drive, the audit certifications provided by the suppliers on an annual/semi-annual basis couldn’t be attached to the contracts so they were being kept with the individuals who received them. When the audit team asked to see the certificates for a few of the suppliers, they couldn’t be found.

In one extreme case, a SaaS provider had moved their hosted software solution from an onshore location to a cheaper offshore facility without the formal 90-day notification to The Client that the contract required.


When we think of a contract management process, and the risks associated with not having a good process in place, we should keep in mind that most organizations are bound by internal and external rules around contract management.

Simply slapping on an expensive tool to store documents will often fail the minimum requirements for audit compliance.

But a simple process that allows an organization to quickly and easily find a contract, and demonstrates their ability to adhere to its terms and conditions, will often be enough to satisfy the minimum requirements.