A vendor's quality problem becomes your quality problem the moment their parts reach your line. By then it is late, expensive and visible to your customer. A supplier audit is how you find out before that happens — a structured, scored assessment of whether a supplier can consistently meet your requirements, run before you place the business and repeated on a cycle to make sure it stays true.

This is a practical, end-to-end guide to running one. It covers what a supplier audit is, the cycle it follows, how to plan by risk, how to build a scored checklist, how to conduct the on-site assessment, how to issue non-conformances to a supplier and follow up their corrective action, and how a rating drives the re-audit cycle — with how Fast Audit Software runs each step. If you want the wider practice first, start with what is internal audit management? and come back for the supplier case.

The auditee is external

A supplier audit is mechanically the same as an internal audit — a scored checklist, an assessment, findings and closure — with one difference that changes everything: the auditee is an external vendor, not a colleague. That shapes how you notify, how you raise findings, and how you follow up, because you have influence rather than authority.

1. What a supplier audit is

A supplier audit is a structured assessment of a vendor's quality system and processes, conducted by the buying organisation to confirm the supplier can consistently meet requirements. It serves two jobs: qualifying a new supplier before you commit business to them, and re-auditing an existing supplier to confirm they are still capable — and to catch drift before it reaches your line.

Two features distinguish a supplier audit from an internal one:

Everything else runs on the familiar audit lifecycle — a reusable checklist template for the supplier-audit type, a plan, an assessment, findings and closure. Our industry page on supplier audit software covers the product angle in full.

2. The supplier audit cycle

A supplier audit is not a one-off event but a cycle — qualify, assess, close findings, rate, and re-audit on a frequency set by that rating. Compressed, the cycle looks like this:

#StepWhat happens
1
Plan & select Pick the supplier by criticality and risk, set the scope and date, and generate the supplier-audit document from the plan.
2
Notify Send the supplier the scope, the checklist and the date in advance, and request supporting documents so the visit is productive.
3
Checklist Select or build the scored assessment template for the supplier-audit type, mapped to the criteria that matter for this supplier.
4
On-site assessment Walk the supplier's process, sample records, interview staff and score each area against objective evidence.
5
Findings & NC Raise non-conformances against the supplier with clause, discrepancy and category, and agree them at the closing meeting.
6
CAPA follow-up The supplier submits a corrective-action plan with root cause and due date; your team verifies effectiveness against evidence.
7
Rate & re-audit Score the supplier, set an approval status, and schedule the next audit on a frequency driven by that rating.
Plan Notify Checklist On-site Findings CAPA Rate & re-audit
Circular diagram of the supplier audit cycle from plan and select, through notify, checklist, on-site assessment, findings and NC, and CAPA follow-up, to rate and re-audit, looping back to plan

The supplier audit is a repeating cycle, not a one-off — the rating from one audit sets the frequency of the next.

3. Planning a supplier audit

You cannot audit every supplier the same way, and trying to is how the critical ones get the same attention as the trivial ones. Planning starts by deciding who and how deeply, before deciding when.

1
Select by risk and criticality
  • Audit the suppliers whose failure would hurt most first — critical parts, single sources, poor past performance
  • Weight new and high-spend suppliers, and any supplying safety- or regulatory-critical items
  • A risk-ranked supplier list decides frequency and depth, not a flat everyone-once-a-year rule
2
Set the scope
  • Decide which processes, lines and products are in scope — and whether it is a system or a process audit
  • Match the scope to the risk: a critical part warrants a process audit at the line, not just a paperwork review
  • Confirm the criteria the supplier will be assessed against, so the visit is focused
3
Notify and request documents
  • Send the supplier the scope, the checklist and the date well in advance
  • Request supporting documents — the quality manual, control plans, records — before the visit
  • A prepared supplier makes the on-site time productive rather than a document hunt
4
Assign a competent auditor
  • Assign someone scored and authorised for supplier audits, not just any available person
  • For a technical process, the auditor needs the domain knowledge to read the evidence
  • Competency and authorisation are recorded, so the assignment is defensible

A system makes this repeatable: the supplier-audit plan is generated and routed for approval like any other audit, only competent, authorised auditors can be assigned, and the frequency is set per supplier so the next audit is scheduled automatically. See audit planning & calendar and auditor competency.

4. The checklist and scoring

A supplier audit lives or dies on its checklist. It should be a reusable, scored template for the supplier-audit type, mapped to the criteria that matter — quality system, process control, measurement and calibration, material and traceability, and handling of non-conforming product. Every supplier is assessed against the same template, so the results are comparable rather than a matter of which auditor visited.

Scoring is what turns the audit into a rating. Each area is scored against objective evidence, and the scores roll up into an overall result that maps to an approval status. The bands are set by the organisation; the discipline is that they are applied the same way to every supplier:

Score bandRatingWhat it means and the action
85%+ApprovedFull approval; standard re-audit cycle. The supplier is capable against the criteria.
70–84%Approved with conditionsApproved subject to corrective actions and an earlier re-audit; monitor the open findings.
Below 70%Not approved / on holdNot approved for new business until the non-conformances are closed and the supplier is re-audited.

Illustrative bands inside a mock scoring scheme — set your own thresholds and weightings. The point is that every supplier is scored the same way, so the rating means the same thing across the supply base.

5. Conducting the on-site assessment

The on-site assessment is where the scoring gets its evidence. Run it the same way every time, and score against what you see rather than what you are told:

1
Open with the supplier's team
  • Confirm the scope, the criteria and the areas to be sampled
  • Set the tone — the audit assesses the process, and findings help both sides
  • Agree how findings and the score will be shared at the closing meeting
2
Walk the process, trace a real order
  • Follow a real order through the supplier's process, sampling records at each step
  • Watch the line, interview operators, check calibration and traceability at source
  • Trace end to end rather than accepting a description of how it should work
3
Score each area against evidence
  • Record conformance, score, clause and observation per checklist area on a tablet
  • Score what the evidence shows, not the supplier's assurance
  • Capture the record or sample seen, so the score is defensible later
4
Close with agreed findings and score
  • Walk the supplier through each finding, its grade and the overall score before you leave
  • Confirm the evidence for every non-conformance so there are no surprises
  • Set expectations on the corrective-action timeline

Recording at the point of observation is where mobile checklist entry earns its place — the auditor scores each area on the supplier's floor, with progress visible, so the assessment is not reconstructed from notes on the drive home.

6. Issuing NCs and CAPA follow-up

A non-conformance raised against a supplier is tracked to closure exactly like an internal finding — with the difference that the person actioning it works for the supplier, so the tracking has to carry the follow-up that authority would otherwise provide. Each NC carries its clause, discrepancy and category; the supplier submits a corrective-action plan with root cause and a due date; your team reviews it; and the auditor verifies effectiveness against evidence before it closes. Due dates and reminder emails chase overdue actions, and a serious or repeated non-conformance can escalate into a formal 8D / CAPA investigation with the supplier.

The leverage that makes supplier CAPA work is the rating: a supplier's approval status reflects how well and how promptly they close findings, so closure is not a favour but a condition of continued business. Our full guide to corrective action and CAPA closure covers the closure loop in depth.

Supplier audits on Fast Audit Software

Score every supplier the same way, and drive their findings to closure.

Fast Audit runs supplier audits on the same lifecycle as your internal programme — a reusable scored checklist, a plan routed for approval, a competent auditor, non-conformances raised against the vendor, and CAPA follow-up with due dates and reminders. The rating feeds the re-audit cycle, and a serious finding can escalate into Fast Quality's 8D / CAPA. Cloud or on-premise, standalone or suite-integrated.

One scored checklist template, applied to every supplier the same way
NCs issued to the supplier, tracked to verified closure with reminders
Supplier rating that drives the re-audit frequency automatically
Supplier audit software

7. Supplier rating and the re-audit cycle

The audit result is not the end — it is an input to the supplier's rating, and the rating is what drives the re-audit cycle. Rather than auditing every supplier on the same fixed calendar, a rating-driven cycle concentrates effort where the risk is: high-rated, low-risk suppliers are audited less often, while lower-rated or critical suppliers are re-audited sooner and more thoroughly. A supplier that fails or raises repeat non-conformances moves onto a shorter cycle until the rating recovers.

Approved — longest cycle
  • High score, strong record, low risk
  • Re-audited on the standard, longer interval
  • Monitored on incoming quality between audits
Conditional — shorter cycle
  • Approved with open corrective actions
  • Re-audited sooner to confirm the fixes held
  • Watched closely until the rating improves
Not approved — on hold
  • Below the threshold or a major open NC
  • No new business until closed and re-audited
  • Re-audit scheduled once actions are complete
Critical part — risk override
  • Safety- or regulatory-critical items
  • Re-audited more often regardless of score
  • Risk, not just rating, sets the frequency

Held this way, the supplier programme becomes self-adjusting: good suppliers earn a lighter touch, struggling ones get more attention, and the audit calendar generates the next audit from the frequency set against each supplier — so nothing slips. The supplier audit report and the rating history give purchasing and quality a shared, evidenced view of the supply base, as in real customer deployments such as Optimas and ITR.

8. How Fast Audit Software does it

Fast Audit Software runs the supplier-audit cycle on the same platform as your internal programme, built in Pune by Improsys under the Fast Technology brand, cloud or on-premise:

StageHow Fast Audit Software does it
Scored checklistA reusable audit template for the supplier-audit type holds the scored assessment as sections and categories, revised under control and applied the same way to every supplier. See audit templates & checklists.
Plan & assignThe supplier-audit plan is generated by frequency and count, routed for approval, and only auditors authorised for supplier audits are assigned. See planning & calendar and auditor competency.
On-site assessmentAuditors score each area on a mobile worklist — conformance, score, clause and observation — with answered-versus-total progress. See checklist entry.
Findings & CAPANon-conformances raised against the supplier carry clause, category and a fresh-versus-repetitive flag, and run through action plan, review and verification with reminders. See findings, NC & CAPA closure.
Rate & reportThe supplier audit report and rating feed the re-audit frequency, and the auditee/auditor/HOD dashboards and NC register show status across the supply base. See dashboards & audit reports.
EscalateA serious or repeated supplier NC can escalate into Fast Quality's 8D / CAPA on the same document engine — no re-keying.

The result is a supplier programme where every vendor is scored against the same criteria, every finding is tracked to verified closure, and the rating keeps the re-audit cycle honest. For the wider context, start with what audit management software is, or read how the ISO 9001 checklist and CAPA closure underpin the supplier case.

9. Frequently asked questions

What is a supplier audit?
A supplier audit is a structured assessment of a vendor's quality system and processes, conducted by the buying organisation to confirm the supplier can consistently meet requirements. It runs on the same lifecycle as an internal audit — a scored checklist, an on-site or remote assessment, non-conformances raised against the supplier, corrective-action follow-up and a resulting rating — but the auditee is an external vendor. Supplier audits qualify new suppliers and re-audit existing ones on a cycle set by risk and performance.
How do you plan a supplier audit?
Plan by risk and criticality first — audit the suppliers whose failure would hurt most, and the highest-risk processes, before low-impact ones. Set the scope (which processes, lines and products, and whether it is a system or process audit), pick the scored checklist template, notify the supplier with the scope, checklist and date in advance and request documents, and assign an auditor competent and authorised for supplier audits. A good system generates the supplier-audit plan and routes it for approval.
How is a supplier audit scored?
Each checklist area is assessed against objective evidence and scored, and the scores roll up into an overall result that maps to an approval status — for example approved, approved with conditions, or not approved. Scoring makes suppliers comparable against the same criteria and turns the audit into a rating rather than a pass/fail opinion. The bands and weightings are set by the organisation; the discipline is that every supplier is scored the same way, so the rating means the same thing across the supply base.
How do you follow up on non-conformances raised against a supplier?
Each non-conformance is tracked to closure like any other finding: the supplier submits a corrective-action plan with root cause and a due date, your team reviews it, and the auditor verifies effectiveness against evidence before it closes. Due dates and reminder emails chase overdue actions, and a major non-conformance can escalate into a formal 8D / CAPA investigation. The supplier's rating and approval status reflect how well and how promptly they close the findings, which supplies the leverage.
How often should you re-audit a supplier?
Re-audit frequency should be driven by the supplier's rating and risk, not a fixed calendar for everyone. High-rated, low-risk suppliers can be audited less often; conditionally approved or lower-rated suppliers, or those supplying critical parts, are re-audited sooner and more thoroughly. A supplier that fails or raises repeat non-conformances is re-audited on a shorter cycle until the rating recovers. The audit calendar generates the next audit automatically from the frequency set against each supplier.

See a supplier audit scored and closed

A 30-minute demo — a supplier audit planned, scored on a tablet, non-conformances issued and driven to closure, with the rating feeding the re-audit cycle. No generic slideshow.