Contracting Strategies, Processes, and Contract-Management Practices


Contracting is generally used when talking about outsourcing, but this is not always the case. Contracts can be between the organization and the customer or partners. A contract is an agreement between or among two or more persons or entities (business, organizations, or government agencies) to do, or to abstain from doing, something in return for an exchange of consideration. If the terms of a contract are breached, the law provides remedies, including recovery of losses or specific performance. A contract is written documentation of a "meeting of the minds" and contains the following five elements:

  • Offer

    • Clearly identifies the subject matter of the agreement

    • Completely describes services, including time, plan, and quality

    • Identifies goods, including quantity

  • Consideration

    • States what the offerer expects in return from the offeree

  • Acceptance

    • Identifies the offeree

    • Is signed and dated by the offeree and the offerer

  • Legal purpose

    • Must be created for legal purposes under the law (illegal services cannot be consummated via a contract)

    • Must be performable (parties must be able to deliver on their promise)

  • Capacity

    • Must fit the legal definition for capacity (not under age, not under the influence of alcohol or drugs, and so on)

The IS auditor might encounter a variety of contracts. The following paragraphs outline some of the more common contract types.

Employee Contracts

The employment contract is a specific type of agreement and differs slightly from a traditional contract. The offerer (employer) makes a one-sided promise (unilateral), and the offeree (employee) accepts the offer "at-will" based on continued performance. The employee is not bound by the contract because he or she can leave the employer at any time, but the employer is bound to the conditions of the contract and is the only entity that can breach the contract. Employment contracts stipulate titles, responsibilities, performance criteria, and compensation. Employment contracts cannot state the period of time that an employee must work for the employer because this is not enforceable under the law.

Confidentiality Agreement

This is an agreement between employee and employer or, in some cases, partners (with trade secret agreements). The agreement stipulates that the parties agree not to divulge confidential information that they might come in contact with during the course of the agreement. These agreements have specific time periods and should state the information being protected, list the appropriate uses of the information, and identify remedies if the information is divulged.

Trade Secret Agreements

This is an agreement that protects the trade secrets of an organization from disclosure. Such disclosure would negatively affect the economic viability of the company. It is important to note that trade secret agreements are enforceable for an indefinite period of time because when an organization reveals a trade secret, it is no longer protected as intellectual property.

Discovery Agreements

When an employee is specifically hired to develop ideas or innovations, there is a risk to the organization that the employee might claim these as his or her own intellectual property. With a discovery agreement, the employee agrees to transfer ownership of the discovery to the employer.

Noncompete Agreements

This type of agreement is normally put in place when, through the course of work with the employer, the employee learns how the company is successful in relation to its competitors. This might include a business, manufacturing, or sales process. Knowledge of this process would allow the employee to directly compete (either individually or with a competitor). The noncompete agreement must be reasonable with regard to time frame (it cannot be indefinite) and geography, and it cannot unduly restrain an employee from making a living in his or her field.

Contract Audit Objectives

The following bullets outline an excerpt of audit objectives for a contract audit. The objectives might change based on your organization, but we have included some of the more common objectives:

  • Review the contract and perform the following:

    • Check that the contract has been signed by both parties and according to delegation (the CEO, vice president, and approving authority, for instance).

    • Check the reasonableness of the contract, including terms and conditions, period, rates exchange, and charges.

    • Check that the contract is still valid or binding and legally enforceable (within the period stipulated).

    • Check that all amendments in the contract are authorized by the delegated officials.

  • Obtain a list of contracts that have expired and review the associated invoices.

    • Establish the expiration date from the contract.

    • Trace an invoice from the transactions listing to transfer batch reports to confirm that no payment has been made on these contracts.

    • Review this contract to ensure that it is legally enforceable.

  • Establish where these contracts are kept and who is responsible for the safekeeping of the records.

    • Access to the records should be restricted to only authorized officials.

    • Removal of such files should be authorized and approved.

An IS auditor likely will audit a variety of contract vehicles, and it is important to know the differences in what is enforceable (legal) and what is not. The IS auditor must ensure that the contracts have the basic elements outlined and have been executed correctly, and that the contracts have legal review before execution. The organization should assign responsibility for regular review of contract dates and performance measurement, and should ensure that payments are made in accordance with the stipulations of the contract.



Exam Cram 2. CISA
Cisa Exam Cram 2
ISBN: B001EEFNHG
EAN: N/A
Year: 2005
Pages: 146
