{"component": "clause", "props": {"groups": [{"snippet_links": [{"key": "system-security-review", "type": "clause", "offset": [3, 25]}, {"key": "contractor-must", "type": "clause", "offset": [27, 42]}, {"key": "audit-control-mechanisms", "type": "clause", "offset": [50, 74]}, {"key": "in-place", "type": "clause", "offset": [119, 127]}, {"key": "to-contractor", "type": "definition", "offset": [188, 201]}, {"key": "of-county", "type": "clause", "offset": [269, 278]}, {"key": "an-annual", "type": "clause", "offset": [298, 307]}, {"key": "risk-assessment", "type": "definition", "offset": [315, 330]}, {"key": "technical-controls", "type": "clause", "offset": [407, 425]}, {"key": "levels-of-protection", "type": "clause", "offset": [477, 497]}, {"key": "vulnerability-scanning", "type": "clause", "offset": [522, 544]}], "size": 59, "samples": [{"hash": "jZrzENCXaiK", "uri": "/contracts/jZrzENCXaiK#audit-controls", "label": "Phlebotomy and Laboratory Testing Services Contract", "score": 35.371181488, "published": true}, {"hash": "3EeT6MWN9u8", "uri": "/contracts/3EeT6MWN9u8#audit-controls", "label": "Digital Health Solution Services Agreement", "score": 35.3629684448, "published": true}, {"hash": "6h1Y9aHg03o", "uri": "/contracts/6h1Y9aHg03o#audit-controls", "label": "Subordinate Contract for Unarmed Security Guard Services", "score": 34.7470588684, "published": true}], "snippet": "a. System Security Review. CONTRACTOR must ensure audit control mechanisms that record and examine system activity are in place. All systems processing and/or storing PHI COUNTY discloses to CONTRACTOR or CONTRACTOR creates, receives, maintains, or transmits on behalf of COUNTY must have at least an annual system risk assessment/security review which provides assurance that administrative, physical, and technical controls are functioning effectively and providing adequate levels of protection. Reviews should include vulnerability scanning tools.", "hash": "38fead208f87f403235d106855f27f95", "id": 1}, {"snippet_links": [{"key": "contractor-agrees-to", "type": "clause", "offset": [0, 20]}, {"key": "an-annual", "type": "clause", "offset": [21, 30]}, {"key": "system-security-review", "type": "clause", "offset": [31, 53]}, {"key": "by-the-county", "type": "clause", "offset": [54, 67]}, {"key": "keeping-records", "type": "clause", "offset": [167, 182]}, {"key": "period-of", "type": "clause", "offset": [189, 198]}, {"key": "procedure-for", "type": "definition", "offset": [235, 248]}, {"key": "review-to", "type": "clause", "offset": [256, 265]}, {"key": "access-to-medi", "type": "clause", "offset": [285, 299]}, {"key": "by-the-contractor", "type": "clause", "offset": [329, 346]}], "size": 50, "samples": [{"hash": "1BFWfPTjQVR", "uri": "/contracts/1BFWfPTjQVR#audit-controls", "label": "Standard Services Agreement", "score": 26.7238349915, "published": true}, {"hash": "1HKYQ5W7O0Z", "uri": "/contracts/1HKYQ5W7O0Z#audit-controls", "label": "Standard Services Agreement", "score": 26.423740387, "published": true}, {"hash": "jodRIUr4E88", "uri": "/contracts/jodRIUr4E88#audit-controls", "label": "Standard Services Agreement", "score": 25.2576217651, "published": true}], "snippet": "Contractor agrees to an annual system security review by the County to assure that systems processing and/or storing Medi-Cal PII are secure. This includes audits and keeping records for a period of at least three (3) years. A routine procedure for system review to catch unauthorized access to Medi-Cal PII shall be established by the Contractor.", "hash": "5811705e2cde7176eb9fdc1227ad4000", "id": 2}, {"snippet_links": [{"key": "information-systems", "type": "definition", "offset": [85, 104]}, {"key": "electronic-information", "type": "definition", "offset": [125, 147]}], "size": 49, "samples": [{"hash": "4zxj8Qh9gnr", "uri": "/contracts/4zxj8Qh9gnr#audit-controls", "label": "Customer Agreement", "score": 36.3324317932, "published": true}, {"hash": "9TQZJb1CfBV", "uri": "/contracts/9TQZJb1CfBV#audit-controls", "label": "Data Processing Agreement", "score": 35.9657554626, "published": true}, {"hash": "lHbZ4DWBU9S", "uri": "/contracts/lHbZ4DWBU9S#audit-controls", "label": "Data Processing Agreement", "score": 35.9077453613, "published": true}], "snippet": "Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information.", "hash": "9d226aa57fe3db49ffabc2108ebbced1", "id": 3}, {"snippet_links": [{"key": "system-security-review", "type": "clause", "offset": [6, 28]}, {"key": "an-annual", "type": "clause", "offset": [101, 110]}, {"key": "risk-assessment", "type": "definition", "offset": [118, 133]}, {"key": "technical-controls", "type": "clause", "offset": [213, 231]}, {"key": "levels-of-protection", "type": "clause", "offset": [283, 303]}], "size": 13, "samples": [{"hash": "9yeGlSVCHZK", "uri": "/contracts/9yeGlSVCHZK#audit-controls", "label": "Contract for Provision of Services", "score": 32.1412391663, "published": true}, {"hash": "b8Q2XxPbH4E", "uri": "/contracts/b8Q2XxPbH4E#audit-controls", "label": "Contract for Provision of Physical Examination Services", "score": 31.9705085754, "published": true}, {"hash": "lakXTyFiig3", "uri": "/contracts/lakXTyFiig3#audit-controls", "label": "Agreement for the Provision of on Site Psychiatry and Telepsychiatry Services", "score": 27.4560909271, "published": true}], "snippet": "10 1. System Security Review. All systems processing and/or storing COUNTY PCI must have 11 at least an annual system risk assessment/security review which provides assurance that administrative, 12 physical, and technical controls are functioning effectively and providing adequate levels of protection.", "hash": "fd2da8560c14e5e9b75528cd2b4f5134", "id": 4}, {"snippet_links": [{"key": "in-place", "type": "clause", "offset": [39, 47]}, {"key": "compliance-with-policies", "type": "clause", "offset": [106, 130]}], "size": 10, "samples": [{"hash": "hHE9nIdKg5i", "uri": "/contracts/hHE9nIdKg5i#audit-controls", "label": "Main Subscription Agreement", "score": 35.499835968, "published": true}, {"hash": "cmJ54AOkOgh", "uri": "/contracts/cmJ54AOkOgh#audit-controls", "label": "Universal Main Subscription Agreement", "score": 35.1633415222, "published": true}, {"hash": "6eIXKnw3r9Z", "uri": "/contracts/6eIXKnw3r9Z#audit-controls", "label": "Universal Main Subscription Agreement", "score": 35.0864944458, "published": true}], "snippet": "Technical or procedural mechanisms put in place to promote efficient and effective operations, as well as compliance with policies.", "hash": "f74897f61c79556a6683f659d193c742", "id": 5}, {"snippet_links": [{"key": "executing-this-agreement", "type": "clause", "offset": [3, 27]}, {"key": "assignees-and-successors-in-interest", "type": "clause", "offset": [61, 97]}], "size": 8, "samples": [{"hash": "hPs7OUZAuwX", "uri": "/contracts/hPs7OUZAuwX#audit-controls", "label": "Local Implementation Agreement", "score": 36.0119667053, "published": true}, {"hash": "f5RstYtatRP", "uri": "/contracts/f5RstYtatRP#audit-controls", "label": "Professional Services", "score": 35.3848648071, "published": true}, {"hash": "6xp3u0Hl0KA", "uri": "/contracts/6xp3u0Hl0KA#audit-controls", "label": "Professional Services", "score": 35.0558853149, "published": true}], "snippet": "By executing this Agreement, CONTRACTOR, for itself, and its assignees and successors in interest, agrees as follows:", "hash": "ae138a5c75aa9d1379a67e5c916c71fd", "id": 6}, {"snippet_links": [{"key": "system-security-review", "type": "clause", "offset": [5, 27]}, {"key": "contractor-must", "type": "clause", "offset": [29, 44]}, {"key": "audit-control-mechanisms", "type": "clause", "offset": [52, 76]}], "size": 5, "samples": [{"hash": "e0ZOX87ruB", "uri": "/contracts/e0ZOX87ruB#audit-controls", "label": "Agreement for Provision of Services", "score": 25.7968845367, "published": true}, {"hash": "dsbId5KEjPy", "uri": "/contracts/dsbId5KEjPy#audit-controls", "label": "Agreement for Provision of Post Custody Re Entry Services", "score": 24.2986831665, "published": true}, {"hash": "e8ijNflAosV", "uri": "/contracts/e8ijNflAosV#audit-controls", "label": "Agreement for Provision of Services", "score": 22.2483940125, "published": true}], "snippet": "4 a. System Security Review. CONTRACTOR must ensure audit control mechanisms that", "hash": "6cd7161843b008173d4417d437018cd2", "id": 7}, {"snippet_links": [{"key": "access-to-facilities", "type": "clause", "offset": [73, 93]}, {"key": "confidential-information", "type": "clause", "offset": [105, 129]}, {"key": "personal-data", "type": "definition", "offset": [133, 146]}, {"key": "modification-of-data", "type": "clause", "offset": [193, 213]}, {"key": "information-systems", "type": "definition", "offset": [217, 236]}, {"key": "electronic-information", "type": "definition", "offset": [257, 279]}, {"key": "requirements-and-compliance", "type": "clause", "offset": [346, 373]}], "size": 4, "samples": [{"hash": "5IkDzH5UGMV", "uri": "/contracts/5IkDzH5UGMV#audit-controls", "label": "Master Product and Services Agreement", "score": 24.5640525818, "published": true}, {"hash": "5p70Md8mGBX", "uri": "/contracts/5p70Md8mGBX#audit-controls", "label": "Consultant Services Agreement", "score": 24.5558395386, "published": true}, {"hash": "iFFcJoTd5ej", "uri": "/contracts/iFFcJoTd5ej#audit-controls", "label": "Master Software License Agreement", "score": 24.4189720154, "published": true}], "snippet": "hardware, software, and/or procedural mechanisms that record and examine access to facilities containing Confidential Information or Personal Data and activity including deletion, addition, or modification of data in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.", "hash": "d242173f6e9b39a4789e09732fbc25c5", "id": 8}, {"snippet_links": [{"key": "supplier-shall", "type": "clause", "offset": [4, 18]}, {"key": "comply-with", "type": "clause", "offset": [19, 30]}, {"key": "the-services", "type": "definition", "offset": [46, 58]}, {"key": "customer-computer-systems", "type": "clause", "offset": [113, 138]}, {"key": "internal-audit", "type": "definition", "offset": [162, 176]}, {"key": "of-customer", "type": "clause", "offset": [186, 197]}, {"key": "by-customer", "type": "clause", "offset": [222, 233]}, {"key": "customer-party", "type": "definition", "offset": [285, 299]}, {"key": "in-addition", "type": "clause", "offset": [315, 326]}, {"key": "control-requirements", "type": "clause", "offset": [383, 403]}, {"key": "participating-in", "type": "definition", "offset": [418, 434]}, {"key": "compliance-with", "type": "definition", "offset": [465, 480]}, {"key": "by-supplier", "type": "clause", "offset": [542, 553]}, {"key": "cost-and-expense", "type": "clause", "offset": [622, 638]}, {"key": "controls-and-procedures", "type": "clause", "offset": [649, 672]}, {"key": "supplier-controls", "type": "definition", "offset": [675, 692]}, {"key": "the-facilities", "type": "clause", "offset": [698, 712]}, {"key": "services-are-provided", "type": "clause", "offset": [746, 767]}, {"key": "in-accordance-with", "type": "clause", "offset": [768, 786]}], "size": 3, "samples": [{"hash": "aMXlGgWt2r3", "uri": "/contracts/aMXlGgWt2r3#audit-controls", "label": "Master Services Agreement (Broadridge Financial Solutions, Inc.)", "score": 31.0807666779, "published": true}, {"hash": "4Pq67zfPky8", "uri": "/contracts/4Pq67zfPky8#audit-controls", "label": "Information Technology Services Agreement (Broadridge Financial Solutions, Inc.)", "score": 31.0807666779, "published": true}], "snippet": "(1) Supplier shall comply with, shall provide the Services to satisfy and shall otherwise not cause the in-scope Customer computer systems to fail to satisfy the internal audit controls of Customer as provided to Supplier by Customer (including any corrective recommendations or other Customer Party instructions). In addition, Supplier shall assist Customer in addressing its audit control requirements, such as: (a) participating in any reviews by Customer as to compliance with such requirements; and (b) including Customer in any reviews by Supplier as to compliance with such requirements.\n(2) Supplier shall, at its cost and expense, maintain controls and procedures (\"Supplier Controls\") in the facilities under its control from which the Services are provided in accordance with [****].", "hash": "b18842197618498f6444a99d1efb001e", "id": 9}, {"snippet_links": [{"key": "system-security-review", "type": "clause", "offset": [3, 25]}, {"key": "an-annual", "type": "clause", "offset": [99, 108]}, {"key": "risk-assessment", "type": "definition", "offset": [116, 131]}, {"key": "technical-controls", "type": "clause", "offset": [208, 226]}, {"key": "levels-of-protection", "type": "clause", "offset": [278, 298]}, {"key": "vulnerability-scanning", "type": "clause", "offset": [323, 345]}], "size": 2, "samples": [{"hash": "6NQm5ODUHtg", "uri": "/contracts/6NQm5ODUHtg#audit-controls", "label": "Whole Person Care Agreement", "score": 24.0540733337, "published": true}, {"hash": "4oSZTWBVxTE", "uri": "/contracts/4oSZTWBVxTE#audit-controls", "label": "Whole Person Care Agreement", "score": 22.7180023193, "published": true}], "snippet": "A. System Security Review. All systems processing and/or storing DHCS PHI or PI must have at least an annual system risk assessment/security review which provides assurance that administrative, physical, and technical controls are functioning effectively and providing adequate levels of protection. Reviews should include vulnerability scanning tools.", "hash": "752a10357e4fe14b91a8eb1e8ee60582", "id": 10}], "next_curs": "ClcSUWoVc35sYXdpbnNpZGVyY29udHJhY3RzcjMLEhZDbGF1c2VTbmlwcGV0R3JvdXBfdjU2IhdhdWRpdC1jb250cm9scyMwMDAwMDAwYQyiAQJlbhgAIAA=", "clause": {"size": 474, "title": "Audit Controls", "parents": [["business-associate-data-security-requirements", "Business Associate Data Security Requirements"], ["data-security-requirements", "Data Security Requirements"], ["vehicle", "Vehicle"], ["staffing-training-and-supervision", "STAFFING, TRAINING AND SUPERVISION"], ["requirements", "REQUIREMENTS"]], "children": [["change-control", "Change Control"], ["log-reviews", "Log Reviews"], ["system-security-review", "System Security Review"], ["anomalies", "Anomalies"], ["emergency-mode-operation-plan", "Emergency Mode Operation Plan"]], "id": "audit-controls", "related": [["agreement-controls", "Agreement Controls", "Agreement Controls"], ["tia-controls", "TIA Controls", "TIA Controls"], ["accounting-controls", "Accounting Controls", "Accounting Controls"], ["personnel-controls", "Personnel Controls", "Personnel Controls"], ["export-controls", "Export Controls", "Export Controls"]], "related_snippets": [], "updated": "2025-07-24T04:27:57+00:00", "also_ask": ["What audit rights are essential to include for effective oversight?", "How can audit scope and frequency be negotiated to balance interests?", "What are the main risks if audit controls are too broad or too narrow?", "How do audit control clauses differ across jurisdictions or industries?", "What standards do courts apply to determine if audit controls are enforceable?"], "drafting_tip": "Specify audit frequency and scope to prevent disputes, require advance notice to respect operational needs, and mandate confidentiality of findings to protect sensitive information.", "explanation": "The Audit Controls clause establishes the right for one party to review and verify the records, processes, or systems of another party to ensure compliance with contractual obligations. Typically, this clause outlines the scope of audits, the notice period required before an audit, and any limitations on frequency or confidentiality. Its core practical function is to provide transparency and accountability, helping to detect errors, prevent fraud, and ensure that both parties adhere to agreed standards or regulations."}, "json": true, "cursor": ""}}