
Preparing for a Compliance Audit: Getting Your Research Contracts in Order
Few things focus the mind quite like an upcoming compliance audit. Whether it is a funding body review, an accreditation assessment, or a government compliance check, the request is essentially the same: show us that your research contracts are complete, properly executed, and compliant with every applicable rule.
If your contracts are scattered across email inboxes, shared drives, departmental filing cabinets, and the occasional desk drawer, you already know you have a problem. The question is how to fix it before auditors arrive.
This guide covers what auditors typically look for, the gaps they most commonly find, and a 90-day action plan you can start using today.
What Auditors Look For in Research Contracts
Auditors are not reading your contracts for intellectual enjoyment. They are checking whether institutional processes are working as intended and whether the university is exposed to risk. Here is what they focus on.
Fully executed copies. Not drafts, not “final versions” sitting in email threads. Auditors want signed, countersigned copies with all parties’ signatures present.
Proper signing authority. Was the person who signed actually authorised to do so? Auditors will cross-reference your signing authority matrix against the signatures on file. If a PI signed a $2 million industry agreement that required a Vice Chancellor’s approval, that is a finding.
Compliance with funding terms. For sponsored research, auditors check that flow-down provisions from the funder appear in downstream contracts. Cost sharing obligations, reporting requirements, and expenditure restrictions must be reflected accurately.
IP provisions aligned with institutional policy. If your university policy states that Background IP remains with the institution, but a contract assigns it to a commercial partner, auditors will flag it, even if someone approved the deviation informally.
Active vs expired agreements. Auditors will ask for a list of active agreements and cross-check it against your files. Expired agreements that are still being relied upon without a formal renewal or extension are a common finding.
Amendment trail. Every modification to a contract, including scope changes, budget amendments, and timeline extensions, should be documented through a formal amendment or variation. Verbal agreements and email confirmations do not count.
Data protection provisions. If a research contract involves personal data, auditors will look for the appropriate data protection clauses (PDPA, GDPR, or equivalent depending on jurisdiction). Contracts without these provisions where personal data is clearly in scope represent a significant gap.
Counterparty due diligence. Increasingly, auditors check whether the institution screened counterparties against sanctions lists, Politically Exposed Persons (PEP) databases, and conflict of interest registers before entering into agreements.
Budget compliance. Are expenditures within the contracted scope? Auditors compare actual spend against the contract budget to identify overruns or out-of-scope charges.
Common Gaps That Audits Expose
Even well-run research offices get caught out. These are the gaps that surface most frequently.
Missing executed copies. The office has the draft and the redlined version, but no one can locate the final signed copy. Sometimes the signed version is in someone’s email. Sometimes it was never fully executed at all.
Unsigned amendments or side letters. The PI and the sponsor agreed to change the project scope, but the formal amendment was never completed. The work proceeded on the basis of an email exchange that no one filed.
Expired agreements still actively relied upon. The agreement expired 18 months ago. The research is still running. No one raised the renewal because the funding was still flowing. Technically, there is no contractual basis for the work.
No record of signing authority or approval chain. The contract is signed, but there is no documentation of who approved it, when, or under what authority. The approval happened verbally or via a lost email thread.
Inconsistent version control. The shared drive contains “Agreement_FINAL.docx”, “Agreement_FINAL_v2.docx”, and “Agreement_FINAL_v2_JK_edits.docx”. No one is entirely sure which is the executed version.
Counterparties not screened against sanctions lists. The agreement was signed without checking whether the counterparty or any of its principals appear on relevant sanctions or PEP lists. This is becoming a more serious finding as regulators increase scrutiny.
No obligation tracking. The contract contains deliverable milestones, reporting requirements, and financial obligations, but no one is actively monitoring them. Compliance is assumed rather than verified.
Data protection clauses missing. Agreements involving personal data (student records, patient data, survey responses) were executed without the data protection addendum that institutional policy requires.
The 90-Day Audit Preparation Checklist
If you have an audit coming and need to get your house in order, this is your action plan. It is not elegant. It is practical.
Days 1-14: Inventory
Your first job is to find every active research contract. This sounds simple. It is not.
- Check the central contract repository (if you have one).
- Search shared drives, departmental file servers, and cloud storage.
- Email department heads and PIs asking them to send any contracts they hold locally.
- Check filing cabinets in the Sponsored Programs office, the legal office, and department offices.
- Pull records from your grants management system to identify funded projects that should have associated contracts.
- Build a master spreadsheet listing every contract with: parties, start/end dates, funding source, contract type, and location of the executed copy.
Do not try to assess quality at this stage. You are simply building the inventory. Getting the list right is critical. You cannot audit what you cannot find.
Days 15-30: Gap Analysis
With your inventory in hand, review each contract against a basic checklist:
- Do you have the fully executed copy (all signatures present)?
- Is the agreement current (not expired)?
- Are all amendments and variations on file?
- Is signing authority documented (approval records, delegation letters)?
- Does the contract contain the required data protection provisions?
- Has the counterparty been screened for sanctions and conflicts of interest?
Mark each contract as green (complete), amber (minor gaps), or red (significant gaps). Prioritise high-value and high-risk agreements: large funding amounts, international counterparties, and agreements involving personal data.
Days 31-45: Remediation
Now close the gaps you identified.
- Chase missing executed copies from counterparties. If the original cannot be found, request a certified copy or re-execute the agreement.
- Get expired agreements formally renewed or terminated. If the work is ongoing, execute a no-cost extension or a new agreement. If the work has concluded, document the termination.
- Complete unsigned amendments. If the parties have been operating under informal modifications, formalise them now.
- Document signing authority retroactively where possible. Obtain retrospective ratification from the appropriate authority if needed.
- Flag gaps you cannot close in time and prepare a written explanation for auditors describing the gap and the remediation plan.
Days 46-60: Compliance Check
With the basic documentation gaps addressed, review the substance of your key agreements:
- Check that flow-down provisions match funder requirements. Cross-reference each sponsored research sub-agreement against the prime award terms.
- Review IP provisions against institutional policy. Flag any deviations and check whether they were formally approved.
- Verify data protection compliance. Confirm that agreements involving personal data contain the required clauses and that Data Protection Impact Assessments have been completed where required.
- Run counterparty screening against current sanctions lists and PEP databases. Document the results.
- Check budget compliance. Compare actual expenditure against contracted budgets and flag any overruns.
Days 61-75: Documentation
Prepare your audit file. Auditors appreciate organised documentation that allows them to work efficiently.
- Organise contracts by type (sponsored research, industry collaboration, consultancy, sub-awards, NDAs).
- For each contract, prepare a summary sheet showing: parties, dates, value, status, compliance notes, and the location of the executed copy.
- Compile a separate file for exceptions: agreements with identified gaps, remediation actions taken, and any outstanding issues.
- Prepare a signing authority register showing who is authorised to sign each category of agreement and the delegations in place.
- Document your counterparty screening process and results.
Days 76-90: Dry Run
Walk through the audit file as if you were the auditor.
- Pick 10-15 agreements at random across different categories and try to locate the executed copy, the approval record, and the compliance documentation within five minutes each.
- For sponsored research contracts, trace the flow-down provisions from the prime award through to the sub-agreement. Are they consistent?
- Check whether any agreements have expired since you completed your remediation. Set reminders for anything expiring during the audit period.
- Identify the questions an auditor would ask and prepare answers. Where was this signed? Who approved it? Is this compliant with the funder’s terms? Where is the amendment?
- Brief your team on what to expect during the audit and who will handle which categories of enquiry.
From Emergency Mode to Ongoing Audit Readiness
The 90-day checklist above is emergency mode. It works, but it is exhausting, and it leaves you vulnerable to the same scramble next time.
The real solution is building audit readiness into your daily operations so that when the next audit notice arrives, the answer is “we’re ready” rather than “we need three months.”
Here is what that looks like in practice.
A single contract repository. Every contract, including drafts, executed copies, and amendments, lives in one searchable system. No more hunting through email and shared drives. When an auditor asks for an agreement, you find it in seconds, not days. A dedicated contract lifecycle management platform makes this the default rather than something you have to enforce manually.
A complete audit trail. Every action on a contract, including creation, review, approval, signature, and amendment, is logged automatically with timestamps and user attribution. You do not need to reconstruct the approval chain from email threads because it is recorded as it happens.
Automated counterparty screening. Instead of running manual checks before an audit, screen every counterparty against global sanctions lists and PEP databases at the point of onboarding and on an ongoing basis. Pactly’s integration with Dilisense provides this as an automated check, available on the Growth plan.
Obligation tracking with reminders. Deliverables, milestones, reporting deadlines, and financial obligations are tracked within the contract record. Automated reminders notify the responsible parties before deadlines arrive, so compliance is proactive rather than retrospective.
Bulk contract analysis. When you need to audit specific clauses across hundreds of agreements (for example, checking that all sponsored research contracts contain the required flow-down provisions), you need a way to do that without opening each contract individually. Pactly’s Projects feature enables this kind of portfolio-wide clause analysis. If this capability is relevant to your audit preparation, it is worth discussing in a demo.
Renewal and expiry tracking. Automated alerts before agreements expire mean you never discover during an audit that a contract lapsed 18 months ago. Renewal tracking and reminders keep your portfolio current without manual diary management.
Security and data governance. Auditors increasingly scrutinise where contract data is stored and how it is protected. Hosting on infrastructure that meets institutional security requirements, with role-based access controls and encryption, addresses these questions before they are asked. You can review Pactly’s security and compliance posture for details.
Conclusion
Compliance audits do not have to be a crisis. The contracts, approvals, and compliance documentation that auditors want to see are the same records you need to manage your research portfolio effectively. The gap is usually not in the substance of your agreements but in how they are stored, tracked, and maintained.
If you are facing an audit in the coming months, the 90-day checklist above will get you through it. If you want to make sure you never need that checklist again, the answer is building audit readiness into your contract management process from day one.
Want to see how Pactly helps research offices maintain audit readiness year-round? Book a demo and we will walk you through it.
If you found this article helpful, you may also want to read our guides on building a university contract clause library and streamlining internal approvals for university research contracts.



