# Audit Rights Clause

Source: https://contracko.com/clause-library/audit

# Audit Rights Clause

Gives a party the right to inspect the other's records or systems to verify compliance.

## What it is

An audit clause entitles one party to examine the other's books, records, processes or security controls to confirm compliance, for example with pricing, royalty reporting, licence usage, or data-protection obligations.

## Why it matters

Trust is not verification. Audit rights let a customer or licensor check that reported figures and controls are accurate, deterring under-reporting and supporting regulatory accountability under the GDPR and similar regimes.

## How to apply it

- Define the scope, frequency, notice period and who may conduct the audit.
- Limit access to relevant records and protect the auditee's confidential information.
- Allocate costs: the auditor usually pays, unless a material discrepancy is found.
- State remedies: correction, repayment of underpaid amounts, and re-audit rights.

## Negotiation tips

- • Auditees should cap audit frequency and require reasonable notice and confidentiality.
- • Auditors should secure a cost-shift if the audit reveals a discrepancy above a threshold.

## Common pitfalls

- • Audit rights so intrusive they disrupt operations or expose unrelated confidential data.
- • No remedy attached, so an audit can find a breach but achieve nothing.

### How Contracko helps

Contracko stores the audit-rights clause alongside every supplier and processor agreement, so compliance teams can quickly verify the notice period, permitted scope, and cost-allocation rule before commissioning an audit. AI analysis flags whether the clause meets GDPR Article 28 requirements for data processing agreements, removing the need to re-read each contract from scratch.

## Legal references

- [GDPR Art. 28(3)(h) GDPR: audits of processors EU law](https://eur-lex.europa.eu/eli/reg/2016/679/oj)
- [BW 6:248 Reasonableness and fairness Dutch law](https://wetten.overheid.nl/BWBR0005289)

Unless marked otherwise, references are to Dutch law (Burgerlijk Wetboek, the Dutch Civil Code); EU instruments such as the GDPR apply across the EU. This is general information, not legal advice. Other jurisdictions treat these concepts differently. Verify the current text and your situation with a qualified lawyer.

## Relevant for

[IT Services](https://contracko.com/industries/it-services)[Financial Services](https://contracko.com/industries/financial-services)[Pharmaceuticals & Biotech](https://contracko.com/industries/pharma-biotech)[Managed Service Providers](https://contracko.com/industries/managed-service-providers)[Accounting & Audit](https://contracko.com/industries/accounting)

## Related clauses

- [Compliance Clause](https://contracko.com/clause-library/compliance)
- [Data Processing Clause](https://contracko.com/clause-library/data-processing)
- [Benchmarking Clause](https://contracko.com/clause-library/benchmarking)
- [License Grant Clause](https://contracko.com/clause-library/license-grant)

## Related terms

- [GDPR](https://contracko.com/glossary/gdpr)
- [Data processing agreement (DPA)](https://contracko.com/glossary/data-processing-agreement)
- [Confidential information](https://contracko.com/glossary/confidential-information)

### Never miss a contract deadline again

- AI finds renewal and notice dates
- Risks and obligations are surfaced automatically
- Reminders help you act before dates slip

Drop a contract to start

PDF, DOCX, PNG, or JPG

[Start 7-day trial](https://app.contracko.com/register?appLanguage=en&utm_source=clause_library_sidebar&utm_medium=lead_magnet&utm_campaign=clause_library_sidebar_contract_upload&content_slug=audit&content_title=Audit+Rights+Clause&cta_placement=clause_library_sidebar_cta&source_tool=clause_library_sidebar_audit)

GDPR compliant. Encrypted. Never used for AI training.

## Frequently asked questions

Common questions about this clause.

- **Q:** Who pays for an audit?
  **A:** Usually the party requesting it, but contracts often shift the cost to the auditee if the audit uncovers a material breach or underpayment.

- **Q:** Are audit rights required under the GDPR?
  **A:** Yes. A data processing agreement must let the controller audit or inspect the processor's compliance under Article 28.

- **Q:** Can an audit right be satisfied by an independent third-party certificate?
  **A:** Often yes. Many processors offer ISO 27001 or SOC 2 reports as a substitute. The contract should state explicitly whether certification satisfies the audit right or whether an on-site audit remains possible.

- **Q:** How much notice must you give before conducting an audit?
  **A:** Contracts typically require 10 to 30 days' written notice. For fraud or security-incident investigations, a shorter or unannounced audit right should be negotiated separately.

- **Q:** What remedies follow a finding of material underpayment?
  **A:** The standard remedies are repayment of the shortfall with interest, a cost-shift for the audit, and sometimes a right to terminate for breach if the underpayment was systematic or intentional.

## Never miss a risky clause again

Contracko automatically reviews every contract for this clause and the obligations it creates.

[Start 7-day free trial](https://app.contracko.com/register?appLanguage=en)

Book demo
