Ad OpsTransparencyHow-To

Transparency Checklist: Auditing Your Partners for Principal Media Compliance

sseonews

2026-01-28

9 min read

A Forrester-aligned checklist to vet DSPs and ad partners: what to ask, which ad logs to demand, and how to report audit findings in 2026.

Hook: Why your next media partner review must start with transparency

If your paid-media performance is slipping, your CFO is asking for invoices to explain diminishing returns, or procurement wants reassurance that fees aren’t being rebundled behind closed doors, this guide is for you. In 2026, principal media is mainstream — and with it comes a higher risk of opaque programmatic platforms and hidden economics. Forrester’s principal media guidance confirms the reality: the model is here to stay, which means advertisers must get systematic about audits instead of relying on vendor assurances.

Top-line: What this checklist delivers

This article gives you a Forrester-aligned, practitioner-ready transparency checklist for vetting ad partners and DSPs. You’ll get:

Audit questions grouped by governance, supply path, finance, measurement, privacy and tech.
Exact logs and fields to request (impression, bid, win, click, verification, and identity records).
How to score and report findings to executives and legal teams.
An actionable 7-step audit workflow you can run in-house or with an auditor.

Context: Why 2026 makes this urgent

Late 2025 and early 2026 saw faster consolidation of programmatic platforms and growth in managed “principal” buys. With cookieless identity pushes and new regional regulation tightening supply chain accountability, advertisers must move from trusting dashboards to demanding raw logs and provenance evidence. Forrester’s report signals a shift: transparency controls and auditability are now key procurement criteria, not optional extras.

Primary risk vectors

Hidden fees and layered reselling (rebundled principal charges).
Opaque supply paths (missing seller.json or schain data).
Insufficient measurement access (no impression-level logs available to advertisers).
Data privacy and retention gaps—mismatch between policies and logs.
Inventory quality issues—invalid traffic and viewability not surfaced.

How to use this checklist (inverted pyramid)

Start at the top: ask governance and contract questions first, then move into technical proof via logs. If a partner refuses the governance checks, you don’t get to the logs. If governance is OK but logs are incomplete or truncated, treat that as a high-risk finding.

Audit questions: What to ask your DSPs and ad partners

Use these questions verbatim in procurement questionnaires, RFPs, or email audits. Grouped by area for clarity.

Governance & contracts

Who is the legal contracting entity for media buys? Provide full corporate hierarchy, subsidiaries, and resellers.
Do you perform any principal buys on behalf of advertisers? If so, list the lines of business and the decision criteria for principal vs. pass-through buys.
Submit a copy of your standard MSA/media buy addendum that details fees, rebates, and pass-throughs.
What third parties do you engage for identity, bidding, or delivery? Provide agreements or T&Cs that affect advertiser rights to data and logs.

Supply path & inventory provenance

Provide seller.json and a map of upstream exchanges/SSPs you purchase from (including SSPs’ seller IDs).
Show your use of the OpenRTB supply chain object (schain). Can you surface the full schain for impression-level records?
List any private marketplace (PMP) IDs and give publisher domain mappings for active deals.
Confirm whether you use re-brokering or reselling; if yes, provide documentation of each intermediary.

Financial transparency

Provide a fee schedule showing line-item fees (platform, tech, data, ad ops). Indicate which fees are included in CPMs vs. invoiced separately.
Do you accept volume-based incentives or rebates from SSPs or publishers? Provide copies of those agreements or a summary of payments received.
Deliver reconciliation files (campaign-level) that tie DSP spend to upstream invoicing from SSPs/publishers.

Measurement & verification

Which third-party verification vendors do you support (e.g., IAS, DoubleVerify, Moat)? Provide access or shared reports for the campaign.
Can you supply impression-level verification logs (viewability, fraud flags, timestamped events)?
Are post-bid or pre-bid blocking rules applied? Provide the rule set and a sample of blocked event logs.

Data, identity & privacy

List identity partners you connect with (e.g., UID2, LiveRamp) and evidence of consent management integration.
Provide data retention policy and show how impression-level logs are retained, anonymized, or deleted.
Confirm whether you store PII in logs and how it is protected (encryption, access controls).

Technical & operational

Provide schema and sample files for these logs: bid requests/responses, win notices, impression events, click events, creative delivery, verification, and billing reconciliation.
What is the latency between impression and log availability? Provide SLA for log delivery and historical uptime metrics.
Do you support SFTP/HTTPS log delivery, Kafka streaming, or cloud storage (e.g., GCS/S3)? Provide example endpoints and authentication methods.

Exact logs to request (and the fields that matter)

Ask for raw, impression-level logs (not aggregated reports) and require a data dictionary. Below is a prioritized list and required fields.

1. Impression (ad served) log

timestamp (ISO 8601)
impression_id (unique identifier)
auction_id or bid_id
creative_id and creative_url
publisher_domain and page_url or app bundle
seller_id and sspid (SSP/exchange identifiers)
schain (full supply chain object or equivalent)
price_paid (net CPM) and gross_price
buyer_currency and cost_type
viewability and verification_flags
ip_hash/geo and identity token hash

2. Bid request & response logs

timestamp, auction_id, bidder_id
bid_price, bid_currency
bid_response_raw or decoded fields (targeting signals, segments)
floor_price and seatbid info

3. Win notices & billing reconciliation

timestamp, auction_id, seller_node
clearing_price, currency
invoice_id and billing_line_item

4. Click and post-click events

timestamp, click_id, impression_id
redirect_chain and final_url

5. Verification & invalid traffic (IVT) logs

timestamp, impression_id
fraud_flag (reason codes), bot_score
viewability_seconds and human_verified indicators

6. Identity and sync logs

identity_token hash, sync_event, partner_id
Consent string version and timestamp (TCF/other frameworks)

Sample audit scoring and risk model

Use a simple 3-tier scoring model for stakeholders: Green (low risk), Amber (moderate), Red (high). Score each audit dimension and surface a single consolidated risk level.

Green: Full schema, impression-level logs available, seller.json + schain present, line-item fees disclosed.
Amber: Aggregated logs only or partial schain, some fee categories redacted, limited verification access.
Red: Refusal to provide logs, no schain or seller.json, undisclosed reselling, or conflicting invoices.

How to report findings (templates and governance outputs)

Reporting must translate technical evidence into business risks. Deliver two artifacts: an executive one-pager and a technical annex with raw evidence and queries.

Executive summary (one page)

Campaign assessed, time period, spend
Overall risk rating and one-sentence rationale
Top 3 findings and immediate remediation actions
Recommendations for contract changes or pause conditions

Technical annex

Raw CSV/NDJSON extracts (sample of 10k impressions) with redaction where necessary
SQL or Spark queries used for analysis
Evidence mapping: impression_id -> seller chain -> clearing price -> invoice
Reconciliation summary showing spend alignment/mismatch

Actionable 7-step audit workflow (practical)

Kickoff: Share the audit scope, legal rights to logs, and NDA if needed.
Governance check: Collect contracts, seller.json, and list of intermediaries.
Log request: Instruct partners to deliver a well-documented sample of impression-level logs for a recent campaign.
Ingest & validate: Load logs into a secure environment and validate schema and completeness — observability matters; see notes on model observability.
Cross-check: Match impression logs to billing reconciliation and third-party verification records.
Score & prioritize: Use the risk model to create remediation tickets and contractual asks — record scores and remediation as part of the audit pack.
Report & remediate: Deliver executive briefing, require vendor remediation within SLA, and plan re-audit.

Practical examples: What good (and bad) looks like

Example: A mid-market retailer saw 18% of programmatic spend with creative IDs tied to two unknown seller_ids. After requesting schain and seller.json, the DSP identified a reseller relationship where 6% of spend was rebundled. The audit forced fee reclassification and a refund for mismatched line items.

Contrast that with a SaaS advertiser whose DSP supplied an aggregated spend report only. The DSP refused impression-level logs citing vendor IP; risk model flagged this as Red. The advertiser paused new spend until contract language mandated logging access.

Recommended contract clauses and SLA language

Insert these clauses into MSAs or SOWs:

Right to receive impression-level logs for a minimum of 90 days after campaign end (extendable by request).
Supply path transparency clause requiring delivery of seller.json and schain for any resold inventory.
Fee disclosure: all platform, reseller, and data fees must be itemized and reconciled monthly.
Third-party verification access: advertiser must be granted viewer-level access to verification dashboards or raw verification exports.
SLA for log delivery: 24–72 hour availability window and uptime/latency guarantees for streaming endpoints. Budgeting for latency and cost tiering should be included.

Operationalizing for ongoing governance

Turn the audit checklist into an operational control:

Quarterly partner audits based on spend thresholds (e.g., >$500k annual).
Automated reconciliation scripts that match impression-level logs to invoices weekly.
Policy: escalate any partner that returns an Amber or Red score to Procurement and Legal.
Keep a vendor registry mapping supply path risk, fee exposure, and verification posture.

Final considerations and future-proofing

As identity and regulation evolve in 2026, the ability to produce audited, impression-level evidence will become a standard procurement filter. Forrester’s principal media guidance stresses transparency rather than prohibition — the industry will keep buying principal media, but advertisers with structured audits win better economics and lower compliance risk.

"Principal media is here to stay — wise advertisers will demand auditable proof, not promises." — Forrester-inspired guidance, 2026

Checklist recap (quick reference)

Ask: legal entity, principal buys, third-party agreements, seller.json, schain
Request logs: impression, bid, win, click, verification, identity
Score: Green / Amber / Red with documented evidence
Report: Executive one-pager + Technical annex with raw evidence
Contract: Add clauses for logs, fees, verification access, and SLAs

Next steps (call-to-action)

Start by running step 1 this week: send the governance questionnaire and seller.json request to your top three DSPs. If you want a template RFP or a reusable NDJSON schema for logs, download our Forrester-aligned media partner audit pack or contact our team to run a 2-week transparency audit. Don’t wait — principal media will only get more common, and the first advertisers who demand auditability will reclaim margin and reduce risk.

seonews

Contributor

Senior editor and content strategist. Writing about technology, design, and the future of digital media. Follow along for deep dives into the industry's moving parts.