At the request of subscribers, Compliance Week offers a Remediation Center, in which readers can submit questions—anonymously—to securities and accounting experts. Compliance Week's editors will review all questions and then submit them—confidentially, of course—to specialists who can address the issues. The questions and responses will then be reprinted in a future edition of Compliance Week. Below is one of the Q&As.

ABOUT THE EXPERTS

Dan Zitting, CPA/CITP, CISA, is vice president of working papers software at ACL Services. He has several years of experience in audit, attestation, and risk and assurance services, having spent four years with the IT risk and assurance practice at Ernst & Young before co-founding the CPA firm Linford & Company. Zitting later founded Workpapers.com, a Web-based audit management system acquired by ACL Services to integrate with ACL's analytic solutions so that a single audit workflow spans the complete audit process.

Zitting is a multiple-time winner of the CPA Practice Advisor Magazine 40 under 40, ColoradoBiz Magazine 25 Most Influential Young Professionals, and CPA Practice Advisor Readers' Choice awards.

David Gammell is co-chair of Brown Rudnick's Emerging Technologies and Venture Capital practice and advises entrepreneurial companies in all stages of development, from formation to liquidity. He has extensive experience in corporate finance, venture capital, intellectual property, licensing and strategic alliances, mergers and acquisitions, and international law. Gammell counsels publicly and privately held companies in a variety of industries, including information technology (hardware, software, and services), cleantech, medical devices, life sciences, other high-technology sectors, and social entrepreneurial businesses.

Prior to becoming an attorney, Gammell was a nuclear engineer and officer in the U.S. Navy.

Remediation Center


QUESTION

I have a question about including a right-to-audit clause in contracts with third parties. The plain truth is that my company doesn't have the manpower or resources to audit our third parties—so should I even bother including a right-to-audit clause? I've heard that if you include one but then don't audit, and some issue later arises, now you've got a problem with the regulator saying, “You could have audited but you didn't. Why not?” Is that true? What do you recommend?

ANSWER No. 1

My view is that this fear is unfounded. Regardless of the manpower and resources a company has to audit third parties, it is far better to have the contractual right to audit than not to. This right doesn't create an implied obligation to audit. If that were a serious concern, it would be simple enough to state in the contract that there is no implied obligation.

—David Gammell, Partner, law firm Brown Rudnick

ANSWER No. 2

The right-to-audit clause isn't of much value when we don't actually have the bandwidth to audit. The potential for harm tied to the “Why didn't you audit?” question likely depends on your regulator and other related legal exposures (which only your legal counsel can answer); but why open yourself to damaging repercussions, regardless, knowing you're not going to exercise it?

Instead, consider other contractual vendor obligations that will achieve the same objective. Broadly speaking, if you require the vendor to obtain separate independent audits and to disclose to you immediately any event that you're trying to protect against, that may produce largely the same result.

First, try to get assurance in the contract that an independent party is auditing the key risks of concern. For example, if the vendor is storing your sensitive data and you are concerned about the risk of a security breach, require in the contract that someone independent periodically audits the vendor for adequate practice around security. (In this case, potentially require ongoing SOC 1/2/3 reports, ISO certifications, or similar.)

Second, ask for the contract to require the immediate disclosure by the vendor of the events of concern. For example, require that any known or potential security breach be immediately disclosed. Forty-seven states require vendors to disclose immediately the breach of personally identifiable information to their customers, but no such wide-sweeping regulation exists clearly requiring disclosure of breaches of corporate information. By requiring the vendor to disclose (immediately) such issues within the contract, you ensure that issues are recognized early and can be handled effectively with as little damage as possible.

—Dan Zitting, vice president at ACL Services, former auditor at Ernst & Young

Warning/Disclosure:

Compliance Week's Remediation Center is an information service only. Answers to questions should not be construed to be legal guidance. Consult with your auditors, internal counsel, external counsel, and/or other securities experts on all critical compliance and governance matters.

Specialists are solicited by the editor to answer Remediation Center questions based on their knowledge of the subject matter and their ability to provide commentary in their particular area of expertise.