Right in the middle of your annual audit? Great, my timing couldn't be better then. Since the early 90's, governments and corporations alike have been implementing standards to ensure that controls and processes are in place to safeguard business and financial data.

The Evolution of Audit Standards

To name a few:

• The Statement on Auditing Standards No. 70 (SAS 70): Introduced in 1992, SAS 70 measures the controls in a data center.
• Statements on Standards for Attestation Engagements No. 16 (SSAE 16): Requires the auditor to obtain a written assertion from management regarding the design and operating effectiveness of the controls being reviewed.
• ISAE 3402: A similar international standard.
• The Sarbanes-Oxley (SOX) Act of 2002: Legislates how long and the manner in which companies store their financial records.

Businesses that provide technical or financial services to their customers are typically required to demonstrate compliance with these audit standards. Financial institutions and publicly traded companies have requirements related to audits as well.

What Auditors Look for in a Contract Management Process

When auditors review an organization's contract management process, they’re not only looking to see that you have the appropriate contracts in place but that you and your suppliers are adhering to the terms and conditions in the contracts as well. 

Key Points Auditors Focus On:

• Legal Compliance: Contracts, particularly those related to procurement and sales, are legally binding business transactions.
• Financial Accuracy: The audit ensures that purchase orders and invoices are issued and paid in accordance with the agreed-upon terms.
• Data Handling: Many contracts define how companies handle each other's sensitive, confidential information.

Unfortunately, many organizations, including some with expensive contract management software, fail to meet the minimum standards for audit compliance. 

Case Study: What Happens When You Lose Control of Contract Renewals

We were recently engaged by a mid-tier financial services provider ("The Client") to help them revamp their internal contract management process after they failed an internal audit.

The Situation:

The Client provides credit card payment processing services for their corporate clients, relying heavily on technology and the use of multiple data centers globally. They negotiated strong terms around privacy and confidentiality, and their outsourced data centers were contractually obligated to provide SAS 70, SSAE 16 certification, SOX compliance, etc.

The Problem:

• Contracts were stored in a document repository on a shared drive.
• Contract renewals were tracked haphazardly on a spreadsheet.
• Contracts were only pulled out at renewal time or during an audit.

Audit Findings:

• Some suppliers' contracts had expired but were still providing services, creating a data privacy exposure.
• Audit certifications provided by suppliers were not attached to the contracts and could not be found when requested by the audit team.
• A SaaS provider moved their hosted software solution offshore without the required 90-day notification.

How to Build a Bulletproof Contract Management Process 

When we think of a contract management process, and the risks associated with not having a good process in place, we should keep in mind that most organizations are mandated by internal and external rules around contract management. Simply slapping on an expensive tool to store documents will often fail the minimum requirements for audit compliance.

Key Steps to an Effective Contract Management Process:

1. Centralized Storage: Store all contracts in a centralized, secure, and easily accessible location. Ensure that all relevant documents, including audit certifications, are attached and up-to-date.
2. Tracking and Alerts: Implement a robust system for tracking contract renewals and key dates. Set up automated alerts to notify relevant stakeholders well in advance of these dates.
3. Regular Audits and Reviews: Conduct regular internal audits and reviews to ensure compliance with contract terms and conditions. This proactive approach helps identify and address issues before they become significant problems.
4. Clear Processes and Responsibilities: Define clear processes for managing contracts, including roles and responsibilities. Ensure that all team members are trained and understand their duties.
5. Continuous Improvement: Regularly review and update your contract management processes to reflect changes in regulatory requirements and best practices.

Conclusion

Effective contract management is crucial for ensuring compliance and passing audits. By implementing a streamlined, well-organized process, you can avoid the pitfalls that lead to audit failures. Remember, it’s not just about having a system in place; it’s about maintaining and continuously improving that system to meet the evolving standards and needs of your organization.