Supplier Audit

A risk-based, structured, independent examination of a supplier's quality systems and processes — the principal way firms turn supplier qualification claims into verified assurance.

Documentation reviews and self-completed questionnaires only go so far. A supplier audit is the on-the-ground (or properly-structured remote) verification that a supplier's quality system actually works the way it claims to. It's the main mechanism firms have for managing external quality risk.

[Figure: Supplier audit lifecycle showing planning, on-site or remote execution, finding classification, CAPA follow-up, and the feed into requalification]
What a supplier audit actually is

A supplier audit is a systematic, independent, documented examination of a supplier's quality systems, processes, and controls. It verifies compliance with regulatory, contractual, and quality requirements. The work is hands-on, whether on-site or structured remote. Supplier audit is distinct from document review and questionnaire-based qualification: those are paper-side controls; audit is the in-person (or virtual-in-person) check.

Modern regulator practice treats supplier audits as the principal mechanism firms have for managing external quality risk. The reasoning is direct. When something goes wrong with a supplied material — contamination, specification failure, recall — the firm carries responsibility regardless of who manufactured the input. Supplier audit is where the firm builds the assurance that supports that responsibility.

Supplier audit is regulated explicitly under 21 CFR §211.84 (component testing and approval), 21 CFR §820.50 (purchasing controls), EU GMP Chapter 7 (Outsourced Activities) and Chapter 5 (Production), ISO 13485 §7.4 (Purchasing), ISO 9001:2015 §8.4, ICH Q10, and ISO 19011. The expectation is universal: structured, risk-based, documented supplier audits with credible follow-up.

Questionnaires aren't audits

Self-completed supplier questionnaires are useful for screening and ongoing oversight, but they aren't audits. They prove the supplier can answer questions about itself. Audit proves the supplier can be observed doing what it claims. Inspections increasingly check whether high-risk suppliers were audited rather than questionnaired.

Why supplier audits are a defining external-quality control

Supplier-driven quality events have driven some of the largest regulatory actions of the last decade. Contamination in active pharmaceutical ingredients — the nitrosamine wave is the recent example. Specification failures in critical components. Documented data integrity issues in contract laboratories. Cybersecurity incidents at outsourced IT services. In each case the auditing firm carries regulatory and commercial consequence regardless of which entity actually caused the issue. Supplier audit is the mechanism that lets the firm see the problem before the regulator does, or, when it can't, demonstrates that the firm exercised the oversight expected.

Recent enforcement has produced a consistent pattern around supplier audit discipline. Critical suppliers without recent audits. Scopes that covered documentation but didn't verify on-the-ground practice. Auditors without the technical qualification for the subject. Significant findings closed administratively without verifying corrective action effectiveness. Audit programs that ran but didn't feed supplier qualification decisions — suppliers with significant findings still on the approved list with no risk-based reassessment.

Specific things have shifted recently. ICH Q9(R1) (effective 2023) raises the bias-awareness bar on supplier risk assessment. EU GMP Annex 21 (effective 2022) tightened importation oversight. The 2024 final QMSR brings the device side closer to ISO 13485 supplier expectations, with the February 2, 2026 effective date now active. None of this is theoretical; inspections cite it.

The cultural side is concrete. When supplier audits get framed as commercial-relationship management, they tend to be light and miss things. When they're framed as risk management, they find what's there. The difference often shows up in finding rates: programs with consistent zero-finding audits over time usually have audit-quality issues, not supplier-quality success.

Inspector perspective: a credible review of supplier audits samples critical suppliers and asks four things. Was the audit done within the defined frequency? Was the scope adequate for the supplier's risk profile? Did the auditor have technical qualification for what was being audited? Were significant findings followed through to verified closure? When supplier audits look more like commercial visits than risk-management activities, the sample tends to expand.

Where supplier audit obligations come from

Supplier audit obligations sit across multiple frameworks:

  • 21 CFR §211.84 — Testing and approval or rejection of components, drug product containers, and closures: ongoing supplier oversight implicit in the testing and approval discipline.
  • 21 CFR §211.22 — Quality control unit: responsibility for approving suppliers.
  • 21 CFR §820.50 — Purchasing controls: each manufacturer establishes and maintains procedures to ensure purchased product and services conform to specified requirements. Includes evaluating and selecting suppliers, defining requirements, defining controls over extent of evaluation, maintaining records of acceptable suppliers.
  • 21 CFR §820.50(a)(1): evaluate and select suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements.
  • 21 CFR §820.50(a)(2): define type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.
  • EU GMP Chapter 5 — Production: supplier qualification for starting materials and primary packaging; ongoing oversight.
  • EU GMP Chapter 7 — Outsourced Activities: contract giver and contract acceptor responsibilities; written contracts; audit of the contract acceptor.
  • EU GMP Chapter 1 §1.4(xi): ensuring activities undertaken by contracted parties are managed appropriately.
  • EU GMP Annex 16 — QP Certification: QP oversight of the entire supply chain.
  • EU GMP Annex 11 §3.1: outsourced computerised systems.
  • EU GMP Annex 21 (effective 2022): importation of medicinal products; supplier oversight.
  • ISO 13485 §7.4 — Purchasing: documented procedures to ensure purchased product conforms to specified requirements; supplier evaluation based on ability to supply per requirements; controls proportionate to risk and impact.
  • ISO 13485 §7.4.1: criteria for evaluation and selection of suppliers; records of evaluation and any necessary actions arising from evaluation; re-evaluation.
  • ISO 9001:2015 §8.4 — Control of externally provided processes, products and services: criteria for evaluation, selection, monitoring of performance, and re-evaluation.
  • ISO 19011 — Guidelines for auditing management systems: principal audit methodology framework; competence, planning, execution, reporting, follow-up.
  • ICH Q10 — Pharmaceutical Quality System: outsourced activities and purchased materials including supplier management.
  • ICH Q9(R1) (effective 2023): risk-based supplier evaluation including audit frequency.
  • ICH Q7 — GMP for APIs: API supplier evaluation.
  • WHO TRS 986 Annex 2, TRS 1019, TRS 1033: WHO GMP supplier oversight.
  • PIC/S PE 009-17 (June 2023): GMP guide including supplier qualification.
  • FDA QMSR (final 2024, effective February 2, 2026): aligns device QMS more closely with ISO 13485 supplier expectations.
  • MHRA "GxP" Data Integrity Definitions and Guidance for Industry (March 2018, updated September 2021): DI for outsourced activities.

What disciplined supplier audit programs look like

The practices that hold up at inspection share a common shape:

  • Supplier audit SOP. Defines scope, risk-based frequency, auditor competence, planning approach, execution structure, finding classification, follow-up discipline, closure criteria.
  • Risk-based audit program. Suppliers tiered by criticality — impact on product quality, regulatory exposure, single-source status, history. Frequency, scope, depth, and on-site vs remote decision all driven by tier.
  • Per-supplier audit schedule. Next audit due date tracked, surfaced before passing, escalated when overdue.
  • Audit planning. Scope, objectives, criteria, audit team, agenda, and document pre-review defined ahead of the audit. Pre-audit document review identifies focus areas.
  • Qualified audit team. Auditors competent for the scope: audit methodology (ISO 19011 alignment), technical subject matter, independence from the activity being audited, language as needed.
  • On-site or structured remote execution. Risk-based decision with documented rationale per audit. Remote audits structured rigorously: pre-audit document review, video site walkthrough, real-time records access, structured interviews.
  • Structured audit execution. Opening meeting, document review, facility walkthrough, process observation, interviews, closing meeting with preliminary findings.
  • Finding classification. Consistent classification under defined tiers (critical, major, minor, observation), with rationale documented and classification consistent across audits.
  • Audit report. Documented within a defined timeline; covers scope, objectives, methodology, findings with evidence, classification, recommendations, conclusion.
  • Supplier CAPA response evaluation. The supplier's corrective action plan evaluated for adequacy; implementation verified; effectiveness checked for critical/major; closure documented.
  • Audit outcomes feed supplier qualification. Findings drive supplier qualification status — approved, conditional, disqualified. Risk tier updated accordingly.
  • Audit program metrics. Findings by category and severity, closure rates, recurring issues across suppliers. Standing input to management review (MR) under ICH Q10 §3.2.4.
  • Periodic review of the audit program. Program effectiveness reviewed; auditor competence reassessed; SOP updated as practice evolves.

What strong supplier audit programs do

The controls that hold up at inspection:

  • Risk-based audit program. Tier-driven frequency, scope, depth, on-site decision.
  • Per-supplier schedule tracked. Overdue surfaced and escalated.
  • Documented audit planning. Scope, objectives, criteria, team, agenda ahead of execution.
  • Qualified audit team. Methodology, technical competence, and independence all verified.
  • Structured execution. ISO 19011-aligned. Opening, review, walkthrough, observation, interviews, closing.
  • Consistent finding classification. Defined tiers, rationale documented.
  • Timely audit report. Within defined SLA from execution close.
  • Supplier CAPA evaluation and verification. Adequacy evaluated, implementation verified, effectiveness checked.
  • Audit feeds qualification status. Outcomes drive supplier tier and approval status.
  • Quality agreement alignment. Quality agreement scope and audit scope aligned.
  • Program metrics to management review. Standing input under ICH Q10.
  • Periodic review of program. SOP and auditor competence assessed regularly.
  • Lessons-learned feedback. Recurring patterns across suppliers feed program improvement.

The 'closed without verification' pattern

Closing supplier findings based on the supplier's CAPA response document alone — without verifying that implementation actually happened and was effective — is one of the most consistently cited supplier audit findings. Critical and major findings need verification: a revisit, evidence review, or follow-up audit. Programs that close on paper response alone accumulate findings that the next audit cycle catches.

How Complere supports supplier audits

Supplier audit is the main mechanism your team has for managing external quality risk. Complere is built to run the full lifecycle — planning, execution, finding classification, CAPA-linked follow-up, closure, and feedback into supplier qualification — as one connected, traceable process.

Your team plans each audit on a single record: scope, objectives, criteria, the audit team you've assigned, the agenda, and the pre-audit document review notes. Whether it's an internal, external, supplier, or regulatory audit drives how the record behaves and how it reports. During execution, your auditor captures opening-meeting notes, document-review observations, walkthrough findings, interview notes, and attached evidence — all against the same record, so when you reconstruct the audit later there's no scattered paper to chase.

Findings come out as structured records, classified under your defined tiers (critical, major, minor, observation), with the description, the supporting evidence, the recommended action, a target closure date, and an owner. For significant findings, your team can require cross-functional sign-off — and the platform confirms each signer actually has the authority before letting them sign. Your auditor's sign-off carries identity, timestamp, and the meaning of the signature, and you can track your own service-level windows on each audit so overdue work surfaces before it embarrasses you.

When the supplier comes back with a CAPA response, your team captures their corrective action plan, implementation evidence, and effectiveness verification against the original finding. Closure is gated on documented verification per your SOP — no closing on the response document alone, which is one of the most-cited supplier audit findings in inspections. Where your own firm needs to act on a systemic issue surfaced by the audit, that routes into your CAPA workflow with the audit referenced as the source.

The audit history feeds back into supplier qualification. Repeated significant findings flag the supplier; your qualification decisions can be made with the full audit context visible. Program-level metrics — findings by severity, closure rates, recurring patterns across your supplier base, SLA performance — are reportable across the audit workflow and feed your Management Review inputs.

What stays with your team: tiering your suppliers by risk, defending the audit frequency rationale, qualifying your auditors for the scope they cover, keeping classification consistent, holding the line on unverified CAPA closures, and letting audit outcomes actually move suppliers between qualification states. Complere supplies the workflow, the record structure, and the aggregated reporting; the quality judgment is yours.

Frequently asked questions

Common questions about Supplier Audit sourced from regulatory references and inspection patterns.

What is a supplier audit?

It's a systematic, independent, documented examination of a supplier's quality systems, processes, and controls to verify compliance with regulatory, contractual, and quality requirements. It goes beyond document review and questionnaires. A supplier audit is hands-on, whether on-site or structured remote, and confirms that the supplier actually operates the way its documents claim. Modern enforcement treats supplier audits as the main mechanism firms have to manage external quality risk.

When are supplier audits required?

Risk-based, but with consistent expectations across regulators. Audits are expected for critical suppliers (whose materials or services directly affect product quality), high-risk materials (sterile actives, biologicals, single-source materials), new suppliers (before first commercial use), suppliers undergoing significant change (ownership, site, process, scope), and suppliers with recurring quality issues. Routine frequency is risk-based — typically annual or biennial for critical suppliers, less often for lower-risk. Inadequate frequency justification is itself a finding.

Is supplier audit actually regulated?

Yes, explicitly. 21 CFR §211.84 covers testing and approval of components, drug product containers, and closures, with ongoing supplier oversight implicit. 21 CFR §820.50 requires manufacturers to evaluate and select suppliers, contractors, and consultants based on their ability to meet specified requirements. EU GMP Chapters 7 (Outsourced Activities) and 5 (Production) both require structured supplier oversight. ISO 13485 §7.4 governs purchasing including supplier evaluation and re-evaluation. ICH Q10 frames supplier management as a quality system element. ISO 19011 is the audit methodology framework.

On-site vs remote — what's appropriate?

Risk-based, with on-site historically expected for critical suppliers. The COVID-19 period normalised remote audits for many situations, and modern guidance accepts remote as legitimate when properly structured: pre-audit document review, video site walkthrough, real-time access to records, structured interviews. Remote demands more rigour in preparation and execution to be credible. High-criticality, complex-process, or first-time audits often still need on-site presence. The decision needs documented rationale per audit.

How are audit findings classified?

Typically into severity tiers. Critical (immediate quality, safety, or regulatory impact; requires immediate containment and escalation). Major (significant quality system deficiency; structured CAPA with defined closure). Minor (improvement opportunity; documented but lower priority). Observation (note for supplier improvement, not formal finding). The classification drives the response — critical and major need formal CAPAs with effectiveness verification; minor needs corrective action; observations may be informational. Classification consistency across audits is itself an inspection focus.

Who can perform a supplier audit?

Auditors must be competent: independent of the activity being audited, trained on the audit methodology (typically ISO 19011), and qualified on the technical subject matter. Auditor competency requirements are defined per the firm's audit SOP and assessed. For technical audits (sterile manufacturing, complex analytical methods, software development) the auditor's subject-matter qualification matters as much as audit-methodology training. Lead auditors are typically formally qualified through ISO 19011-aligned programs.

What happens after audit findings?

Findings are communicated to the supplier with timelines for response and corrective action. The supplier's corrective action plan is evaluated for adequacy. Implementation is verified. Closure is documented. Critical and major findings may require on-site verification of CAPA effectiveness. The audit-to-closure cycle feeds back into supplier qualification status — repeated significant findings can trigger requalification, conditional approval, or disapproval. Findings not closed are themselves findings for the auditing firm.

What are the most common supplier audit findings in inspections?

Critical suppliers not audited per schedule. Scope inadequate (paper review only when on-site needed). Auditor not qualified for the technical scope. Finding classification inconsistent across audits. Significant findings not closed within defined timelines. Closure documentation inadequate (signed off without verification). Audit outcomes not feeding supplier qualification decisions. Remote audits inadequately structured. Quality agreements not aligned with audit scope. The audit program itself not periodically reviewed. §820.50 and EU GMP Chapter 7 get cited consistently.

About the author

Complere Reference Team

Compliance and quality-systems specialists maintaining the Complere glossary for regulated quality, validation, and inspection-readiness teams. Entries are reviewed against current FDA, MHRA, EMA, ICH, and PIC/S guidance.
