Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


The Importance of Audit Rights in Vendor Contracts

5 min read
Featured Image

Well-written contacts are the best way to ensure vendor compliance. When a vendor is critical to your operation, there is a continuing need for transparency throughout the relationship. Including a right to audit clause in your contract obligates your vendors to disclose data and to report with your organization on request.

This data can be requested during any part of the third-party risk management lifecycle, but most often is requested to complete as a part of vendor due diligence and ongoing monitoring. A right to audit clause entitles your organization to review your vendor’s work product and reporting which may include self-assessments, third-party audits and other, official documents detailing the sufficiency of internal systems and controls.

Commonly Reviewed Vendor Data and Reporting

Let’s review what types of data and reporting are commonly reviewed under a right to audit clause:

  1. SOC Reports. Otherwise known as Service and Operating Controls, these reports detail audits conducted by independent third-party auditors who provide an expert assessment of the control environment and any gaps they find.
    There are three types of SOC reporting:
    • SOC 1: Examines the effectiveness of internal financial controls at a service organization. As mandated by SSAE 18, SOC 1 audits a third-party vendor’s accounting and financial controls.
    • SOC 2: This evaluates a vendor’s internal controls on one or more of the Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy). Type I confirms that controls are in place and Type II confirms that the controls are in place and working.
    • SOC 3: A SOC 3 report is a public option that can be freely distributed but is less detailed than a SOC 1 or SOC 2 which can only be read by the direct users of an organization’s services.
  2. SLA Reports. In a contract, service level agreements (SLAs) represent the acceptable limits of service or quality, as agreed on by both parties. When those SLAs aren’t met, there is typically some sort of penalty for the vendor. To confirm that SLAs are being met, the vendor must provide reporting that validates the acceptable level of performance.
  3. Compliance Reporting. This may include overall compliance policies, such as a compliance training policy, fair lending or Equal Credit Opportunity Act (ECOA) policy or Telephone Consumer Protection Act (TCPA) policy, which only applies to vendors making phone calls or sending texts. Also, consider a marketing/CAN-SPAM policy, which only applies to vendors involved in marketing activities and the Fair Debt Collections Practices Act (FDCPA), which only applies to collections vendors.
  4. Data Privacy and Confidentiality Policy. This may need to be requested separately if not provided with compliance or information security documentation.
  5. Payment Card Industry (PCI) Compliance Reports. PCI compliance reporting can include data such as vulnerability scans or other methods used to validate compliance.
  6. Financial Statements. Audited financials, internally prepared financials and the organization’s annual tax filing can be important components in a right to audit clause.
  7. Insurance. Current insurance certificates and policy references should be thoroughly reviewed and may include general liability, professional errors and omissions or cybersecurity coverage types.
  8. Business Continuity and Disaster Recovery Reports. All plans, testing scenarios, test results and mitigation plans are essential to review to ensure that your critical vendors are prepared for a business impacting event. Plans should include the following:
    • Departments included in the program and their RTO
    • Business continuity exercise types, scenarios and findings
    • Report of the last activation outside of a drill with root cause analysis
    • Emergency management documentation that basic OSHA requirements are met (annual fire drill, etc.)
    • Facility (location) risk/hazard assessment
    • Evacuation & shelter in place procedures
    • Active threat plan
  9. Information security. Attestations/certifications for controls around security, processing integrity, confidentiality and privacy of a system, including but not limited to:
    • SSAE 18 SOC reporting (type II reports should be included in the ’03 - independent third-party audits’ document request)
    • ISO/IEC27001 certification
    • PCI ROC and/or penetration test reports
    • Technical and procedural measures for network protection through a firewall
    • Secure server configuration
    • Vulnerability identification and patching reports
    • Physical and logical access controls
    • Data security policy (See elements of documentation below):
      • Data classification and encryption methodologies, data loss prevention, password hashing, data retention and destruction
    • Documented incident response policy, standards and processes (See elements of documentation below):
      • Data security and confidentiality protections against threats or hazards
    • Data privacy and confidentiality policy
    • Facility (location) risk/hazard assessment
    • Disaster recovery exercise scope and schedule
    • Report of the last activation outside of a drill with root cause analysis
  10. Fourth parties. Your fourth party’s third-party risk management policy, risk rating methodologies, vendor inventory, critical vendor list, due diligence documents, ongoing monitoring schedule and critical contracts should all be reviewed.
  11. On-Site Audit. An on-site audit is typically performed on a vendor performing critical services to a client and is done to ensure the vendor is adhering to their stated policies and practices surrounding the client’s customers. These audits would generally review financial and operational activity, including the vendor’s internal controls, information systems and security, business resumption and adherence to internal policies and procedures. While this audit is primarily performed on site, it can be done remotely.
  12. Billing Audit. Many clients will want the right to audit the vendor’s billing statements – especially when the vendor is providing transaction services. The contract could include some language to assess penalties if any billing errors, specifically overcharging, are discovered.
  13. Subcontractor Audit. For any or all of the audit rights that is included in the contract for the vendor, a client could also require the same audit of any subcontractor performing activities on the vendor’s behalf in support of the client.
  14. Other Miscellaneous Audits. An audit clause might also require the vendor to perform regular testing or monitoring of other significant security controls such as application and network penetration testing, non-intrusive network audits or more intrusive network and physical audits, and to audit for compliance with applicable laws and regulations.
Critical vendors play an important role within your organization, so make sure to include a right to audit clause within your contracts so you can continually monitor your vendors’ and their subcontractors’ performance and identify any issues that need to be addressed.

Contract management is a key element in managing risk in your critical vendor relationships. Download the eBook.

how to master vendor contract management

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo