Contract with software vendor 1686

  • Hi all,
    Our backoffice software has been implemented since last January but we are still making changes to ensure that it will perfectly meet our exact requirements. All changes are effected by the vendor’s personnel and they post them into production after our approval/acceptance. We have gone thru extensive discussions with our internal external auditors on whether this is considered to be outsourcing and therefore requiring the software vendor to be audited and certified by an independent, such as SAS70. We have come up to an agreement that this might be left outside the scope for 2006, provided we place very strict controls around the changes/testing processes, by developing and formulating our internal procedures. This has been done. However, they suggested that we include some special terms in the contract with the software supplier, such as right to audit�, liability and confidentiality� plus some more clauses to ensure that every work they do is in accordance to our specifications, thoroughly tested and following proper segregation of duties. Does any of you have similar experience on the matter? Do you know any resources for such contract templetes? (preferably for free, because I have already purchased some software that didn’t offer what I needed)

  • I don’t think that best practice would require a SAS 70 type of report for software development. This is mainly for third party service providers who provide an ongoing transactional processing service for your company which can impact your financial statements.
    It would be in your best interest to have confidentiality and liability wording in your software development agreement. I am not certain what a right to audit phrase would do for you (what would you audit, their development process?) and may not be agreed to by the developer.

  • Hi Katrina and welcome to the forums 🙂
    As kymike notes, I would also favor contractual lanuage protecting the confidentiality of any information or software entrusted with the vendor developing your application. In the USA, we’ve seen recent breaches in security as information has leaked out accidently or via stolen laptops. Thus, I’d also encourage looking at any test data you send and ensuring all confidential information is probably removed, esp. if you are using any true copies of production data (e.g., move all 9’s to SSN or credit card fields).
    It might also be beneficial to get your legal department or corporate counsel involved in the contractual language . Internal audit can share their perspective and concerns also. Good luck on resolving these issues.

Log in to reply