Do they have any justification for being in there other than 'taking a look around?' Do they do remote monitoring?
It's a tricky question to answer since it depends a lot on your relationship with your vendor and the terms of what they're supposed to be doing.
From a vendor point of view I might need access to any load at any given time depending on what I'm doing but I also work for a customer who has assigned the job of password and access control to me... the vendor.
If they're in there without justification then I think a password change is in order along with a call to the vendor to get a few things straight.
I have caught a few former employees trying to log in to 'take a look around.'
Of course that's just my $.02 USD, I've only worked in one aspect of this business on one contract so that's all I know.
-T