# Audit right

Source: https://contracko.com/glossary/audit-right

# Audit right

A contractual right to inspect a counterparty's records or processes to verify compliance.

## Definition

An audit right entitles one party, usually the client, to inspect the other party's records, systems or processes to verify compliance with the contract, pricing, quality or data-protection obligations. Contracts define the scope, frequency, notice period, confidentiality safeguards and who bears the cost. In data-processing contexts the right also supports the controller's oversight duties under GDPR Article 28.

## Example

> The client may audit the supplier's billing records once a year on thirty days' written notice, bearing its own audit costs.

## Why this is a business risk

An audit right without a clear exercise procedure is difficult to enforce. Suppliers who resist audits or impose unreasonable conditions can effectively nullify the right. Equally, an unlimited or poorly scoped audit right can disrupt a supplier's operations and damage the relationship. The risk is compounded in data-processing contexts, where the controller's failure to audit can itself be a GDPR compliance gap.

## How to manage it

- Define the audit scope precisely: which records, systems or sites are in scope, and which are excluded as commercially sensitive or unrelated to the contract.
- Fix the notice period, frequency and permitted auditor (in-house or independent) so the supplier can prepare without undue disruption.
- Include a confidentiality obligation for audit findings and restrict who within the client organisation can access the results.
- Track annual audit windows as a contract milestone so the right is exercised before it lapses for that year.
- For data-processing agreements, calendar the GDPR Article 28 audit right separately alongside the data-protection review cycle.

### How Contracko helps

Contracko tracks audit-right exercise windows and GDPR-review milestones extracted from contracts, sending reminders before they lapse. Storing audit clauses, notice requirements and prior audit reports alongside the contract gives a complete compliance record accessible at a glance.

## Legal references

- [GDPR Art. 28 GDPR: processor obligations and audits EU law](https://eur-lex.europa.eu/eli/reg/2016/679/oj)

Unless marked otherwise, references are to Dutch law (Burgerlijk Wetboek, the Dutch Civil Code); EU instruments such as the GDPR apply across the EU. This is general information, not legal advice. Other jurisdictions treat these concepts differently. Verify the current text and your situation with a qualified lawyer.

## Relevant for

[IT Services](https://contracko.com/industries/it-services)[Financial Services](https://contracko.com/industries/financial-services)[Managed Service Providers](https://contracko.com/industries/managed-service-providers)

## Related clauses

- [Audit Rights Clause](https://contracko.com/clause-library/audit)
- [Compliance Clause](https://contracko.com/clause-library/compliance)
- [Data Processing Clause](https://contracko.com/clause-library/data-processing)

## Related terms

- [Compliance clause](https://contracko.com/glossary/compliance-clause)
- [Data processing agreement (DPA)](https://contracko.com/glossary/data-processing-agreement)
- [Procurement audit](https://contracko.com/glossary/procurement-audit)
- [Contract compliance](https://contracko.com/glossary/contract-compliance)

### Never miss a contract deadline again

- AI finds renewal and notice dates
- Risks and obligations are surfaced automatically
- Reminders help you act before dates slip

Drop a contract to start

PDF, DOCX, PNG, or JPG

[Start 7-day trial](https://app.contracko.com/register?appLanguage=en&utm_source=glossary_sidebar&utm_medium=lead_magnet&utm_campaign=glossary_sidebar_contract_upload&content_slug=audit-right&content_title=Audit+right&cta_placement=glossary_sidebar_cta&source_tool=glossary_sidebar_audit-right)

GDPR compliant. Encrypted. Never used for AI training.

## Frequently asked questions

Common questions about this term.

- **Q:** Can a supplier refuse an audit?
  **A:** If the audit right is contractual, refusal is a breach. The client can enforce the right through the courts or use the refusal as grounds for termination for cause, depending on what the contract provides. For GDPR-mandated audits, refusal also risks regulatory enforcement.

- **Q:** Who pays for the audit?
  **A:** Typically the client bears the cost of exercising its own audit right. If the audit reveals a material discrepancy or breach, the contract may shift costs to the supplier. GDPR Article 28(3)(h) requires the processor to make information available, which shifts some of the data-protection audit burden to the processor.

- **Q:** Can a supplier substitute a third-party certification for an on-site audit?
  **A:** Many SaaS and cloud contracts allow the supplier to offer ISO 27001 or SOC 2 reports in lieu of a direct audit, provided the contract expressly permits this. Without that contractual carve-out, a certification report does not replace the client's right to audit.

- **Q:** How broad can an audit right be?
  **A:** Contractually there is no statutory limit, but proportionality and good faith under BW 6:248 limit how intrusively the right can be exercised. Courts have moderated overly broad audit rights that would expose a supplier's confidential commercial data unrelated to the audited contract.

- **Q:** Is an audit right required in every data-processing agreement?
  **A:** Yes. GDPR Article 28(3)(h) requires that the processor makes available all information necessary to demonstrate compliance and allows for and contributes to audits conducted by the controller or its mandated auditor. This is a mandatory term in every DPA.

## See these terms in your own contracts

Upload a contract and Contracko pulls out the key terms, dates and obligations, then reminds you before each one matters.

[Start 7-day free trial](https://app.contracko.com/register?appLanguage=en)

Book demo
