Techno Savvy (Norway) asked:

Right to Audit Vendor Risk Assessment

We recently procured an on-prem application for data processing, and the same vendor would deploy the application and sign off the project.
We conducted a Vendor Risk Assessment prior to signing the agreement. One of the risk analysis items is about Right to Audit. But the vendor refused to accept the right to audit terms because the app is not hosted on customer premises and not on cloud. The vendor would not have permanent access to the client environment.
What would be the best course of action? Can it be accepted?
ASKER CERTIFIED SOLUTION by btan (solution text available to members only; not shown)
madunix

The best and most practical course of action would be to alter the Supplier Agreement to incorporate the Right to Audit clause after consulting with the Supplier/Vendor/Service Provider. Specify the aim, criteria, and specific plan for a supplier audit.


First, you must report it as a finding pointing to the need to amend the contract to include the Right to Audit clause. If that right can't be included and enforced, management has two options: find a way to deal with it and mitigate the risks, or replace the vendor.


Second, the Right to Audit clause may be enforced in one of two ways: you may conduct the audit of the contract compliance monitoring procedure if the vendor can offer proof of performance and compliance in the form of thorough reports, or you can use third-party services to request a review of the vendor's controls.


Third, other aspects you may want to consider are:

1) Review other critical supplier contracts to check the adequacy of supplier security controls, including the Right to Audit clause.

2) Review your risk assessment/risk register, reflect inadequate supplier security risks, and mitigate them.

Techno Savvy (ASKER):

Thank you all for your valuable comments. I appreciate it a lot.

Does Right to Audit apply only in cases where the organization is receiving managed services from the vendor?

Most of the time, we engage a vendor just for implementing an application/function and leave

When is the right to audit clause usually applicable in the contract?


Let's not over-engineer this and go back to the bottom line. I think we are all saying the same things here. Techno Savvy, you will not find a right or wrong answer; you can take everything all three of us have said and define it in your MCR or whatever you want to call it. You need a baseline set of rules you want your suppliers to adhere to when doing business with your company. If you need to use this vendor and they won't allow you to audit them, then risk-accept it and move on (or find another vendor). Risk acceptance means you will document this risk somewhere in your system of record (risk register system) and in the contract itself.

In reviewing the contract, consider the following points: indemnification, right to audit, a clear definition of the rights and responsibilities of each party, measurable service level agreements, costs and services, ownership of data, any additional audit reports (SOC 2, SSAE 16) that the client wants, BCP/DRP plans, insurance, and data breach procedures.


As per ISACA: the lack of a right-to-audit clause in the contract impacts the IS auditor's ability to perform the IS audit. Hence, the IS auditor is most concerned with such a situation. In the case of outsourcing to a private network, the organization should ensure that the third party has a minimum set of IT security controls in place and that they are operating effectively. The right to audit allows the enterprise to independently review the service provider's level of service as agreed in the contract.


If you don't include a right-to-audit clause, you will be missing it and, in your role or part as a security manager, putting the enterprise at risk. So review your risk assessment/risk register, reflect on inadequate supplier security risks, and mitigate them.