Unlock Hidden Contract Data to Mitigate Third-Party Risk

Bringing on a new vendor or partner is complex and involved. After vetting multiple contenders, you finally select the company you hope best suits your needs. Then, contract negotiations start – technical reviews and risk assessments are conducted, and legal teams edit the agreements until everyone has the wording they need to move forward. When the dust settles, the contract is filed away until it’s time to renegotiate or a problem arises, but contracts have valuable information buried in the details. Unlocking the data hidden in your organization’s contracts could be the key to improved third-party risk management through tracking key dates, meeting specific commitments, and updating vendor risk profiles. In this article, I will share best practices third-party risk management teams can implement to break down the silos in the risk, procurement, and contracting teams and to increase visibility into key contract data you can use to mitigate vendor risks proactively. 

Tracking Key Dates

Throughout my internal audit career, and now as the Manager of Product Solutions at AuditBoard, I have performed many independent assessments of third-party risk management programs. Aside from misplacing the actual contract, one of the most pervasive risks is losing track of key dates. Here are some of the more common dates that should be tracked for each contract:

  • Start Dates and End Dates define the overall time frame for which the contract is in effect. End dates can also trigger offboarding events such as retrieving data from hosted applications and removing third-party access from internal systems.
  • Renewal Dates address the time window in which you can decide whether you want to renew the contract, and whether the contract renews automatically if you do nothing.
  • Milestone Dates are typically specific deadlines for deliverables or stages of a project. Milestones should be tracked to ensure everything stays on schedule to meet contractual obligations and the organization’s requirements.
  • Payment Dates should be tracked to ensure timely payments, take advantage of discounts, and avoid late fees.
  • Review Dates are included in some contracts to allow for reviewing performance or adjusting terms. Tracking these dates will enable you to prepare for the review and make adjustments if necessary.
  • Notice Periods may dictate how far in advance you must provide notice to terminate the agreement or exercise other rights.

Having a third-party risk management team keep track of these key dates can impact your ability to obtain the services needed from a vendor, avoid unnecessary costs, and decide whether to continue working with the partner or pursue another option. 

Meeting Contractual Obligations

Contractual obligations are formalized and documented to establish performance expectations and protect both parties. Recently, I was discussing vendor risk management with a colleague, and he shared an experience his company had with a vendor who failed to deliver on an expectation. The vendor provides hosted software and is expected to produce independent control evaluations (SOC reports), but this year, the vendor allowed the reports to lapse. When internal auditors reviewed the contract, the vendor was not required to produce the reports, creating extra work for the company due to the vendor’s failure. In this case, the company lost faith in the vendor and decided to find a new service provider when the contract ended. 

Similarly, many organizations can take advantage of the opportunity to monitor service level agreements (SLAs). Vendors, especially service providers, will often include SLAs in their contracts to show commitment to their customers and the quality of their services. SLAs typically allow customers to claim a discount when the vendor does not meet the service agreement; however, the customer is usually responsible for monitoring SLAs. Organizations can hold vendors accountable for their obligations by implementing a third-party risk management program and improving visibility into key requirements like agreed-upon SLAs.

Updating Vendor Risk Profiles

Finally, third-party risk management teams should keep an updated inventory of all vendors with current risk profiles. Vendor risk profiles could include information gathered from regular risk assessments, independent audit reports (e.g., SOC reports), and public information like press releases and news coverage. Managing all this information is much easier when utilizing third-party risk management software that sends out scheduled risk assessments and organizes key data like start and end dates, renewal dates, SLAs, and the actual contracts. Clear visibility into key contract data allows the organization to make informed decisions about third-party risk based on that information.

Making Informed Decisions

Creating visibility into key contract information will allow your team to collaborate effectively with others and make informed decisions when evaluating third-party risk. The valuable data found in contracts related to key dates, obligations, and SLAs, combined with updated vendor risk profiles, provides a clearer view of your organization’s risk exposure through your partners. Every contract, vendor relationship, and partnership your organization enters becomes a factor in your operations, and the information about that relationship should not be filed and forgotten; that data should be visible and usable.

Jimmy Pfleger is a Manager of Product Solutions at AuditBoard and has over 11 years of IT Audit, Compliance & Security experience. He started his career at KPMG in the IT Advisory practice, where he led external audit & assurance activities for some of the largest companies in the St. Louis area. In addition to managing the IT Internal Audit function at both Caleres & RGA, he also spent time as the Manager of Security Compliance at Express Scripts, where he built and managed the SOC 2 program. His experience working across the traditional lines of defense within various organizations has given him valuable insight into how companies are truly managing IT risk. Jimmy is also a Certified Information Systems Auditor (CISA) and Kanban Certified (Agile).