I had a similar problem and the same discussion. In the end I reached a compromise which was to take away the use of sa by changing the password and not telling anyone and agreeing that in time they software suppliers may need sysadmin on the box but and I would have to agree with that if the situation arose. In the meantime at least I could audit what they were doing by giving them there own account. Why are 3rd parties so afraid of being audited?!