Provider’s typically require the ability to come to a customer’s facilities at any time and with almost no notice for the purpose of conducting an onsite audit of the use of provider’s product. While an audit, in and of itself, might not be a problem for a customer (in some cases, third-party associations argue that they have this right to audit as well), the convenience of any audit is of concern. For example, if a party had a sales cycle that was quarterly in nature, an audit at the end of the quarter could significantly disrupt the cycle and that quarter’s earnings.
The customer might also like the ability to audit the provider to review their accounting and bookkeeping practices. As such, audits are not a contractual problem so long as they are done upon several days’ prior written notice and at a mutually convenient time, usually during business hours.
Most audit provisions also detail that the expense of the audit is to be borne by the party conducting the audit unless, as a result of the audit, it is discovered that the audited party is somehow breaching the terms of the agreement. Watch out for situations where the audited party has to pay the costs of audit regardless, as this could merely encourage random and inconvenient audits designed more to harass rather than to find true issues. This also means that audits should only be performed a “reasonable” number of times. In other words, audits should be done on a consistent (i.e.: annual) basis and with some form of reason behind the audit.
With the advent of remote monitoring systems, many providers are now attempting to include the ability to audit remotely. This usually involves connecting through a secure system to enable the provider to gain access to the customer’s internal network and to view certain log files or other data that indicates software usage. From an ethical perspective, a customer should never have a problem with allowing their providers to review their usage. From an IT security perspective, however, the concept of remote monitoring may raise some concerns. Before agreeing to such a provision, a customer should make sure to check with their IT security group and include language regarding IT security into the license.
What audit language have you agreed to? Are you happy with it? Have you been burned?