See the question and my original answer on StackOverflow

Yes, you should check for argument validity.

If the client is in-process (and same apartment, etc.) with the server, there's nothing (no proxy, no stub) to protect your code from being called with a NULL.

So you're the only one left there to enforce any COM rule, whether that's considered to be a "violation" or not.

PS: defining in+out (w/o using VARIANTs) for Automation clients seems a bit unusual IMHO. I'm not sure all Automation clients can use this (VBScript?)