Corporate Set-up Best Practices

I hope someone might be able to point me in the right direction here. 

I have used Teamviewer for years to connect from home to my work computer. Now we have purchased a Corporatre license so that a few other administrators can connect from home to work. 

We require two factor authentication for those users. They can only connect from their personal device (iPad, laptop, computer etc.) to their computer at work. 

The exception to this is the Maintenance Director and HVAC tech who connect to their computer and the HVAC server. 

I have access to all those computers as the IT director.

At the end of each session we require a comment. I then print out a list weekly and send it to each user to verify that they indeed where the individual that is connecting.

We are doing this for security purposes. 

Now we want all our vendors that need acccess to their servers to use teamviewer and have to log access as well. These vendors are HVAC, a local security company (to manage the cameras and keycards) and telecommunications company (that services our telecom servers). Recently it has come to our attention that they installed Teamviewer and are using their own Corporate license to connect. 

So questions

1. Are we doing the security right for our own internal connections?

2. What is the best set-up (host, full version) for administrator to access their machine and I still have access to help?

3. How do we have vendors access the servers they need access to?

When we have created accounts they complain because they are running an older version of teamviewer than we are (we are running 14).

  One of the confusing ones for me is the HVAC server. I need to acces it, the maintenance director needs access, the HVAC technician, the original company needs access and now the new HVAC company wants access.

Any advice is appreciated, even just pointing in the right direction.

Thanks