The first time I got pulled into a contract compliance audit, I thought I was going to be asked smart legal questions. I wasn’t. I was asked, in order: “Do you have the signed copy?” “Who owns this vendor?” “Did they actually deliver the discount on page four?” “When did that start?” “Is there an email confirming it?” “Who signed off?”
I had answers for about half of those, and I had to dig for the other half. The dig took eight days. The audit itself took two hours.
That experience taught me something most articles about audits don’t say out loud. A contract compliance audit is rarely a legal exercise. It’s a filing exercise wearing legal clothes. If your files are good, the audit is short. If your files are bad, the auditor finds out anyway, and now they’re suspicious about everything else.
What the auditor is actually doing
Strip away the jargon and a contract compliance audit is a systematic check that the deal you signed is the deal you’re getting. Apexanalytix describes it as a review of agreements to confirm financial terms and conditions are being honored. Sirion puts the average cost of a missed audit at about 9% of contract value in unrealized savings and exposure.
That number sounds dramatic until you’ve watched a procurement team find a rebate they forgot to invoice for two years running.
The auditor, whether internal, external, or a public-sector reviewer, is asking three questions over and over:
- What does the contract say?
- What actually happened?
- Can you prove it with a document?
That’s it. Almost every finding in a typical audit traces back to one of those three questions being answered with “I think so” instead of “yes, here.”
Why this is mostly a filing problem

Companies don’t fail audits because they have bad contracts. They fail because the contract is on a shared drive nobody updates, the obligation is in someone’s head, the proof is in a five-month-old email thread, and the owner left the company in March.
I’ve watched this happen at companies of every size. A 40-person startup with 80 active vendors and no central list. A 600-person company with three CLM-adjacent tools and still no single source of truth. A hospital system where the renewal date lived in a finance analyst’s personal calendar.
The pattern is always the same. The contract exists. The obligation is real. The work is happening. The evidence is just scattered across drives, inboxes, and humans. An audit is what forces all of that into one place at the worst possible moment.
The evidence checklist
Here’s the part I wish someone had given me on day one. Every line item in a contract compliance audit can be reduced to seven fields. Build the list this way, and audit prep stops being a fire drill.
For each contract obligation that matters, you need:
- Contract — the signed document, the version that’s actually in force.
- Owner — one named human who is accountable for this obligation today.
- Obligation — the specific clause, written in a sentence, not a paragraph.
- Proof — the document, report, invoice, or email that shows it happened.
- Date — when it was due, when it was met, or when it renews.
- Exception — anything that deviates from the contract, with a reason.
- Reviewer — who confirmed the proof matches the obligation, and when.
That’s the whole thing. Seven columns. You can build this in a spreadsheet today. You can build it in your current CLM tomorrow. You can build it on paper if you have to.
Walking through each field
Let me explain what each one actually means in practice, because the difference between a useful entry and a useless one is small and easy to miss.
Contract
You need the signed PDF, not the draft, not the redlined Word file, not “the one Sarah emailed in March.” Auditors will ask for the executed version. If you have three versions floating around and aren’t sure which is in force, that’s the first finding, and it makes everything after it look weaker.
A practical rule: one canonical folder per vendor, one final signed PDF per agreement, and amendments stored next to the parent contract with a clear filename. No “FINAL_v3_use_this_one.”
Owner
This is the single field most companies get wrong. “Procurement” is not an owner. “Legal” is not an owner. “The vendor team” is not an owner.
An owner is one person, with a name and an email, who can answer questions about whether the contract is being honored. If that person leaves, you reassign the owner the same week. If the owner doesn’t know they’re the owner, you don’t have an owner.
I usually tell people to print their contract list and walk it to the owners in person. About a third of the time, the named owner says “wait, I own that?” That’s the conversation you want to have before the auditor does.
Obligation
A contract has dozens of clauses. Most of them aren’t audit material. The ones that are tend to be specific and measurable: pricing, discounts, SLAs, rebates, renewal terms, exclusivity, audit rights, data handling, insurance minimums, reporting deadlines.
Write each one in plain English in a single sentence. “Vendor provides quarterly rebate of 3% on volume over $50k.” Not a paragraph of legalese. The auditor doesn’t want to interpret. They want to compare.
Proof
This is where most audits actually live or die. The obligation says the vendor gives you a quarterly rebate. The proof is the credit memo, the invoice line, the bank transfer, or the email confirming the amount. If you can’t produce the proof, the obligation is unmet as far as the audit is concerned, even if the money actually came in.
Save the proof at the same time you save the contract. Not later. Later doesn’t happen.
Date
Three dates matter for almost every obligation: the effective date, the due date, and the actual date it was met. Renewals add a fourth: the notice deadline.
The notice deadline is the one that bites companies. A 60-day notice window on an auto-renewing contract means the decision has to happen 61 days out, not 60. A spreadsheet with a column for “decision needed by” beats a calendar reminder that fires the day of.
Exception
Contracts get changed in practice all the time. The vendor agreed by email to a different payment schedule. The discount got bumped after a bad quarter. The SLA was relaxed during the migration.
Every one of those is an exception, and every exception needs a written record. If you can’t show the auditor the email or the side letter or the meeting note, the exception looks like a violation. Same fact, different framing, completely different audit finding.
Reviewer
Someone has to look at the proof and confirm it actually matches the obligation. That someone is not the same person as the owner. The owner is accountable for the work. The reviewer is accountable for checking it.
In small companies, the reviewer can be a finance analyst, a compliance lead, or a contract manager. In a 12-person startup, it can be the COO once a quarter with coffee. The point is that one human signed off and dated it. That signature is what turns “we think we’re compliant” into “we are, and here’s who confirmed it.”
How to actually build this without a project
You don’t need a six-month rollout. Here’s what works in a normal week:
- Pull a list of your top 20 contracts by spend or risk. Not all of them. Twenty.
- Open a spreadsheet. Seven columns, matching the list above.
- For each contract, fill in what you know. Leave gaps blank, don’t guess.
- Walk the gaps to the named owner and fill them in together.
- Save the spreadsheet somewhere everyone with audit responsibility can see it.
That’s a week of work for one person at a normal-sized company. It will not be perfect. It will be dramatically better than what you have now.
After the top 20, do the next 30. After that, set a rule that no new contract gets signed without these seven fields filled in. That’s how you stop the bleed.
When to move past the spreadsheet
A spreadsheet works fine up to maybe 150 to 300 active contracts, depending on how disciplined the team is. Past that, you start losing things in the rows, and version control gets ugly.
The signal that it’s time for a real tool isn’t a number. It’s a feeling. If you find yourself spending more time maintaining the spreadsheet than using it, you’ve outgrown the tool. If two people edit it at the same time and overwrite each other, same thing. If you can’t search across all contracts for a clause type in under a minute, same thing.
When you do shop for software, the seven fields are still the right test. Ask the vendor to show you how each one lives in their system. If they can’t, the tool isn’t built for audits. It’s built for demos.
The mindset shift
The hardest part of preparing for a contract compliance audit isn’t the work. It’s accepting that the work is filing, not law.
Most contract managers I know got into this job because they liked the legal side, the negotiation, the redlines, the strategic stuff. Filing feels beneath that. It isn’t. Filing is the entire job during an audit, and the people who do it well make their whole company look competent.
There’s a version of this work where you do it once a year, in a panic, with pizza boxes and a war room. There’s another version where you do it continuously, in fifteen-minute chunks, and the audit is a two-hour meeting with a checked-out auditor who has nothing to find. The second version is the same total work spread across the year.
Your next action
Open a spreadsheet right now. Seven columns: contract, owner, obligation, proof, date, exception, reviewer. Pick the five contracts you’d be most embarrassed to fail an audit on. Fill in what you know.
When you find the gaps, and you will, that’s your real to-do list for the month. The audit prep is already half done.
I’m Dave, and I write about contract management the way it actually works. No jargon, no sales pitch, just what I’ve learned from 15+ years of doing this job. If this was useful, stick around.