Contractual audit rights give you the ability to effectively verify compliance with agreements. They are indispensable for licensing, supply chain, ESG, and compliance. In our practice, we see that many audit clauses do not work — too vague, too limited, or too burdensome for implementation. A well-thought-out audit clause balances control and feasibility and is respected by judges and arbitrators.

What is the legal problem?

Audit rights regulate who may inspect what, how often, at what cost, and with what consequences. Legal and cultural contexts vary internationally. No audit right means no inspection. An audit right that is too broad is unenforceable and meets with resistance. Privacy, confidentiality, and operational continuity must be respected.

What does the law say?

No specific law regulates audit rights; they stem from freedom of contract under Article 3:33 of the Dutch Civil Code. International standards (ISA) apply to financial audits. GDPR rules under Article 28, paragraph 3, sub h require audit rights for controllers at processors. For sectors such as finance (Financial Supervision Act), pharmaceuticals, and defense, supervisory rights can be mandatory. International model clauses, such as Standard Contractual Clauses under Implementing Decision (EU) 2021/914, contain mandatory audit elements for personal data. ISO 19600 provides compliance standards. What risks do companies face? Without audit rights, compliance with license payments, ESG requirements, and compliance obligations is virtually impossible to verify. Overly broad audit rights lead to resistance or abuse. Obtaining evidence in legal proceedings costs significantly more time and money under Article 843a of the Dutch Code of Civil Procedure without prior audit rights. Ignorance of underperformance or fraud makes early intervention impossible.

Practical example from our practice

We represented a Dutch software supplier that granted a per-seat license to an Italian client without an audit clause. Following suspicions of overuse, the supplier was unable to gain access to usage data. Upon renegotiation, we incorporated the following: annual audit rights, an independent accountant, costs for the licensee in the event of a deviation exceeding 5 percent, and confidentiality safeguards. The first audit resulted in a tax assessment of 280,000 euros.

What can you do?

Define the scope (which records, which period), frequency (annually), performer (internal auditor or external accountant), cost allocation (per result), burden of proof, and consequences in the event of a deviation. Ensure confidentiality and protection of trade secrets under the Trade Secrets Protection Act. Align with the GDPR for personal data. See also our article on Compliance clauses: necessity or formality?