
How to Conduct a Supplier Audit: A Step by Step Guide

Dilawar Laghari, Lead Auditor and Trainer

16 min read

Supplier audits are one of the most overlooked yet critical activities in any quality management system. Many organisations treat them as a tick box exercise—a quick visit to check paperwork and shake hands. In reality, a well executed supplier audit can prevent costly failures, identify process improvements, and strengthen your entire supply chain. This guide walks you through the practical steps required to conduct a supplier audit that delivers genuine value rather than merely satisfying ISO 9001 requirements.

What Is a Supplier Audit and Why It Matters

A supplier audit, also known as a second party audit, is a systematic examination of a supplier's ability to meet your organisation's requirements consistently. It differs fundamentally from a certification audit conducted by an external body. The purpose is not to certify the supplier but to verify that they can deliver products or services that meet your specifications, quality standards, and regulatory obligations.

Under ISO 9001 Clause 8.4, your organisation must establish criteria for the evaluation and selection of external providers and apply appropriate controls to the outputs they provide. Many quality managers interpret this narrowly as a desk based review of credentials and certificates. In practice, a supplier audit provides direct evidence that the supplier's processes, capabilities, and commitment actually align with their claims. It also creates a baseline for monitoring supplier performance over time.

The financial impact of supplier failures is substantial. A late delivery disrupts your production schedule. A quality defect in supplied components reaches your customer and damages your reputation. A supplier's safety or environmental breach exposes your organisation to regulatory scrutiny. Conducting a proper supplier audit upfront costs time and resources, but it prevents far more expensive problems downstream.


Planning Your Supplier Audit Programme

Before you step foot on a supplier's site, you need a clear audit strategy. This begins with categorising your suppliers by risk and criticality. Not all suppliers warrant the same level of audit attention. A supplier providing office stationery presents far lower risk than a supplier providing critical safety components or sterilised medical devices.

Develop a risk assessment matrix considering factors such as the criticality of the supplied product or service to your operations, the complexity of the supply process, the supplier's track record with your organisation, whether they supply to other industries with higher risk profiles, and whether they handle your confidential information or intellectual property. Suppliers in the high risk category should receive on site audits at defined intervals. Medium risk suppliers might receive on site audits less frequently or targeted audits of specific processes. Low risk suppliers may be managed through document review and performance data alone.

Once you have categorised your suppliers, establish an audit schedule. This schedule should align with your internal audit programme planning so that supplier audits and internal audits work together to provide comprehensive coverage of your organisation's systems. ISO 9001 requires that audit activities and results be communicated, and supplier audit findings should inform your risk assessments, corrective actions, and supplier performance reviews.

Determine the scope of each audit. Will you audit the entire supplier's operation, or will you focus on specific processes relevant to what they supply to you? Will you examine quality management systems, occupational health and safety, environmental management, or a combination? If your organisation operates to ISO 9001, ISO 14001, and ISO 45001, your supplier audit scope should reflect the standards applicable to your operations and the risks associated with that supplier's role in your supply chain.

Preparing the Audit Documentation

Adequate preparation separates professional auditors from those who waste everyone's time. Before the audit, you need clear audit objectives, criteria, and a structured approach to gathering evidence.

Define your audit objectives in writing. What specific aspects of the supplier's operation do you need to verify? For example, your objectives might be to verify that the supplier maintains documented procedures for the process step where defects most frequently occur, to confirm that equipment used to manufacture your components receives calibration on schedule, or to confirm that the supplier's staff have received training appropriate to their roles. Write audit objectives that actually focus your audit rather than vague statements like "review the supplier's quality system."

Identify the audit criteria. These are the standards, procedures, specifications, or requirements against which you will judge the supplier's performance. Criteria might include ISO 9001 clauses if the supplier is required to be certified, your organisation's supplier requirements document, the supplier's own documented procedures, relevant industry standards, or regulatory requirements. Ensure that your audit team has access to these criteria documents before the audit begins.

Prepare an audit checklist or agenda. This is not a rigid script but rather a structured outline of topics and questions you plan to cover. A well designed checklist helps ensure consistency across multiple audits and prevents important areas from being overlooked. Your checklist should reference the audit objectives and criteria, group related questions logically by process area, include open ended questions that encourage discussion rather than yes/no questions, and leave space for observations and evidence references.

Gather background information about the supplier. Review previous audit reports if available, examine performance data from your purchasing system, identify any complaints or quality issues that have arisen, and check whether the supplier holds any relevant certifications. This background work often reveals patterns and priorities that should drive where you focus your audit effort.

Selecting and Preparing Your Audit Team

The competence of your audit team directly determines the quality of your findings. If you are not already trained in internal auditing principles and practices, this is an excellent time to pursue formal training. Learning how to become an ISO internal auditor provides structured knowledge in audit planning, evidence gathering, questioning techniques, and report writing that applies directly to supplier audits.

For your audit team, consider including a technical specialist familiar with the processes or products the supplier delivers, someone with purchasing or supply chain knowledge who understands your contractual requirements, and an auditor trained in audit techniques and systems thinking. The lead auditor should be the person most experienced in auditing. Avoid selecting the operations manager who deals with this supplier daily, as they often have difficulty questioning the supplier objectively and may have vested interests in minimising findings.

Brief your team before the audit. Review the audit objectives, criteria, and checklist. Discuss what evidence you expect to find, how you will gather it, and what questions will be asked. Agree on time allocation—don't waste time on areas of low risk when you should be examining areas of higher concern. Discuss the roles each team member will play and how you will communicate findings during the audit.

Conducting the Opening Meeting

Your opening meeting with the supplier sets the tone for the entire audit. It establishes credibility, clarifies expectations, and builds the cooperative atmosphere necessary for an effective audit. Many auditors rush through the opening meeting, but investing time here pays dividends in the quality of information you obtain.

Begin by introducing your team and explaining the purpose of the audit. Make clear that you are not conducting a certification audit and that your goal is to understand their processes and identify any gaps against agreed criteria. Explain that you are not looking to catch them out but rather to build confidence that they can continue to supply you reliably. This framing is genuine—you want the supplier to succeed, but you need honest information to have confidence in their capability.

Discuss the scope of the audit—which processes you will examine, which areas are out of scope, and approximately how long the audit will take. Clarify that you may need to interview employees at various levels and that you will need access to relevant documents, equipment, and production areas. Establish ground rules around confidentiality—information you gather will be treated as confidential and only shared with relevant people within your organisation.

Explain what you expect to happen after the audit. Will you provide verbal feedback at a closing meeting? When will the written report be issued? How will they respond to any findings? What is the timeline for corrective action? Setting these expectations upfront prevents misunderstandings and demonstrates that you have a structured, professional approach.

Ask about any recent changes to their processes, staffing, equipment, or management systems. Ask about any significant quality issues, customer complaints, or regulatory actions they have faced. This information helps you understand the context of what you will observe and often reveals risks that deserve additional attention during your audit.

Gathering Audit Evidence

The strength of your audit findings depends entirely on the quality of evidence you gather. Evidence comes in multiple forms: documents you review, interviews you conduct, observations you make during site tours, and measurements or tests you perform. Gathering audit evidence that stands up to scrutiny requires a disciplined approach.

When reviewing documents, don't accept copies without questioning their currency. Ask to see the master document and verify that the copy matches. For procedures, ask when they were last reviewed and whether they reflect current practice. For records, examine a sample rather than assuming consistency throughout. For quality records such as inspection data or test results, verify that they are complete, signed, and dated, and that they show evidence of review and action when results fall outside acceptable limits.

During interviews, use open ended questions rather than leading questions. Instead of asking "Do you calibrate your equipment on schedule?" ask "How often is this equipment calibrated and how do you decide when calibration is required?" The second question requires the interviewee to explain their actual practice and is far more likely to reveal whether calibration is truly systematic or ad hoc. Avoid asking "Do you follow this procedure?" because most people will say yes even if they don't. Instead, ask them to walk you through what they actually do, step by step, and ask them to show you where this is documented.

Take detailed notes during interviews and site observations. Record not just what people say but what you observe. Note the names and job titles of people you interview so your report can accurately attribute information. When you record a deficiency, note the specific location, time, individuals involved, and the evidence that supports your conclusion.

During site tours, observe whether procedures are actually being followed. Do you see the control measures described in the procedure actually in place? Are there signs that staff know their roles and responsibilities, or do workers appear confused about quality requirements? Are maintenance records current or gathering dust? Look for practical indicators that quality receives genuine management attention, not just written lip service.

Don't be satisfied with vague answers. If a manager tells you they have a "strong quality culture," ask what evidence of this exists. How is quality performance communicated to staff? What happens when someone identifies a quality issue? Ask them to show you an example of a recent quality improvement. These specific questions force the supplier to demonstrate rather than assert.

Identifying and Documenting Findings

As you gather evidence, you will discover areas where the supplier's actual practice matches the agreed criteria and areas where it doesn't. Not every deviation constitutes a nonconformity requiring formal corrective action. You need to distinguish between findings of different significance.

An observation is information that does not contradict the audit criteria but may suggest an opportunity for improvement. For example, you observe that a supplier records quality inspection data in a spreadsheet that works adequately but is manually created each day and prone to entry error. This is not a nonconformity—the data is being recorded and reviewed—but it suggests an opportunity to implement a more robust data management system.

A nonconformity is a failure to meet the audit criteria. A major nonconformity represents a systemic failure or a single significant incident with serious consequences. A minor nonconformity is typically an isolated deviation from procedure or a documentation gap. For example, if you find that a supplier's procedure requires weekly equipment calibration but you discover that calibration records exist only monthly, this is a nonconformity. If you discover that one batch was processed without documented evidence of calibration, this is a different (and typically more serious) nonconformity.

Document your findings in real time or immediately after gathering evidence, while details are fresh. Record the specific audit objective, the criteria applicable to that area, the evidence you examined, what you found, and your conclusion. Include enough detail that someone reading your notes months later would understand exactly what you discovered and why you drew the conclusion you did.

The Closing Meeting

The closing meeting provides the supplier with preliminary findings and gives them the opportunity to clarify or provide additional information before your formal report. This meeting also builds credibility and demonstrates that your audit was thorough and fair.

Begin by thanking them for their cooperation and confirming the positive areas you observed. Describe any strengths you identified—these might include well maintained equipment, clear documentation systems, staff who demonstrated good knowledge of their roles, or evidence of genuine management commitment to quality. This balanced feedback is both accurate and motivating.

Present your findings clearly and specifically. Avoid generalised criticism. Instead of saying "your documentation is poor," describe the specific documents you reviewed, what they should have contained according to the criteria, and what you actually found. Give the supplier the opportunity to respond. They may clarify information you misunderstood, provide missing documents you did not locate during your search, or explain context that changes your interpretation. Remain open to this feedback: good auditors adjust their conclusions when additional information emerges.

Agree on next steps. For any nonconformities, what timeframe do you expect for corrective action? Do you require the supplier to submit a written corrective action plan before implementing it, or will you verify the correction on a follow up visit? For observations, do you want them to take action, or are you simply flagging an area to monitor? Confirm when your formal report will be issued and how they should respond.

Writing and Distributing Your Audit Report

Your audit report is the formal record of what you found and its significance. It must be clear, specific, and actionable. A vague report that doesn't clearly explain what was found and why serves little purpose.

Structure your report to include an executive summary confirming the audit scope, dates, and team, a brief statement of overall findings, sections organised by process area or audit objective describing what you examined and what you found, detailed findings (nonconformities and observations) with reference to criteria and evidence, and a statement of when corrective action is required and how you will verify its effectiveness.

For each nonconformity, explain what the requirement is (the audit criterion), what you found (the evidence), why this matters (the consequence or risk), and what needs to happen to correct it (the required corrective action). Avoid writing the corrective action for the supplier: their job is to determine how to fix the problem; your job is to verify that the problem exists and that their solution actually works.

Distribute the report promptly while findings are recent and memorable. Provide it to the supplier so they understand the audit conclusions and can respond. Share relevant findings with your purchasing function, your quality management team, and anyone responsible for managing the supplier relationship or using their supplied products.

Following Up on Supplier Corrective Actions

Many auditors consider the audit complete when they leave the site. In reality, the audit is incomplete until you verify that corrective actions are effective. Without follow up, nonconformities often remain unfixed, and you gain no improvement in supplier capability.

When the supplier submits their corrective action plan, review it critically. Does it address the root cause of the nonconformity, or does it merely treat the symptom? If your audit found that equipment was not calibrated on schedule, is their corrective action to catch up on the missed calibrations (symptom treatment) or to implement a system that prevents missed calibrations going forward (root cause treatment)? Ask clarifying questions if the plan is unclear.

Plan a follow up audit or verification visit within the timeframe agreed. This might be a full audit returning to examine all areas, or it might be a focused audit examining only the areas where nonconformities were identified. During this verification, examine evidence that the corrective action was implemented. Were procedures updated? Was training conducted? Did the implementation actually prevent recurrence? Request evidence such as updated procedures, training records, or recent performance data that demonstrates the correction is working.

This follow up serves two purposes. First, it demonstrates to the supplier that you take nonconformities seriously and that you will verify their response. Second, it provides genuine assurance that supplier capability has actually improved.

Building a Continuous Supplier Audit Programme

Effective supplier management is not a one time event but an ongoing programme. Once you have conducted your initial supplier audits, establish a schedule for periodic re-audits to monitor continued performance. The frequency should reflect the risk category you assigned to each supplier during your initial planning.

Use performance data from your operations to supplement formal audits. Track quality defect rates for supplied products. Monitor on time delivery performance. Record any customer complaints linked to supplier delivered components. This data alerts you to deteriorating supplier performance that may require an unplanned audit before the scheduled periodic audit is due.

When you are preparing for external certification audits, your certification body will examine your approach to supplier management and your audit records. Demonstrating a disciplined, risk based approach to supplier audits significantly strengthens your management system.

Audit Workshop offers accredited ISO Internal Auditor training that includes comprehensive coverage of supplier and second party audit techniques. Our courses are Exemplar Global recognised and built around real audit scenarios.

Frequently Asked Questions

How often should supplier audits be conducted?

Frequency depends on the supplier's risk category and criticality to your operations. High risk or highly critical suppliers warrant on site audits every 12 to 24 months. Medium risk suppliers might be audited every 24 to 36 months. Low risk suppliers might be managed through performance data and document review without regular on site audits. Adjust frequency based on performance: a supplier with a strong audit history and good performance metrics can go longer between audits, while one with identified issues should be audited more frequently until improvement is demonstrated.
