A vendor's quality problem becomes your quality problem the moment their parts reach your line. By then it is late, expensive and visible to your customer. A supplier audit is how you find out before that happens — a structured, scored assessment of whether a supplier can consistently meet your requirements, run before you place the business and repeated on a cycle to make sure it stays true.
This is a practical, end-to-end guide to running one. It covers what a supplier audit is, the cycle it follows, how to plan by risk, how to build a scored checklist, how to conduct the on-site assessment, how to issue non-conformances to a supplier and follow up their corrective action, and how a rating drives the re-audit cycle — with how Fast Audit Software runs each step. If you want the wider practice first, start with what is internal audit management? and come back for the supplier case.
A supplier audit is mechanically the same as an internal audit — a scored checklist, an assessment, findings and closure — with one difference that changes everything: the auditee is an external vendor, not a colleague. That shapes how you notify, how you raise findings, and how you follow up, because you have influence rather than authority.
1. What a supplier audit is
A supplier audit is a structured assessment of a vendor's quality system and processes, conducted by the buying organisation to confirm the supplier can consistently meet requirements. It serves two jobs: qualifying a new supplier before you commit business to them, and re-auditing an existing supplier to confirm they are still capable — and to catch drift before it reaches your line.
Two features distinguish a supplier audit from an internal one:
- It is scored, not just pass/fail. Each area is rated against objective evidence and the scores roll up into a result that maps to an approval status — so suppliers can be compared and ranked against the same criteria, not judged on a subjective impression.
- The findings go to someone you don't control. A non-conformance raised against a supplier is a request, backed by the commercial relationship, not an instruction to a subordinate. Follow-up depends on tracking and on the leverage of the rating, which is why the closure discipline matters even more than internally.
Everything else runs on the familiar audit lifecycle — a reusable checklist template for the supplier-audit type, a plan, an assessment, findings and closure. Our industry page on supplier audit software covers the product angle in full.
2. The supplier audit cycle
A supplier audit is not a one-off event but a cycle — qualify, assess, close findings, rate, and re-audit on a frequency set by that rating. Compressed, the cycle looks like this:
| # | Step | What happens |
|---|---|---|
1 |
Plan & select | Pick the supplier by criticality and risk, set the scope and date, and generate the supplier-audit document from the plan. |
2 |
Notify | Send the supplier the scope, the checklist and the date in advance, and request supporting documents so the visit is productive. |
3 |
Checklist | Select or build the scored assessment template for the supplier-audit type, mapped to the criteria that matter for this supplier. |
4 |
On-site assessment | Walk the supplier's process, sample records, interview staff and score each area against objective evidence. |
5 |
Findings & NC | Raise non-conformances against the supplier with clause, discrepancy and category, and agree them at the closing meeting. |
6 |
CAPA follow-up | The supplier submits a corrective-action plan with root cause and due date; your team verifies effectiveness against evidence. |
7 |
Rate & re-audit | Score the supplier, set an approval status, and schedule the next audit on a frequency driven by that rating. |
The supplier audit is a repeating cycle, not a one-off — the rating from one audit sets the frequency of the next.
3. Planning a supplier audit
You cannot audit every supplier the same way, and trying to is how the critical ones get the same attention as the trivial ones. Planning starts by deciding who and how deeply, before deciding when.
- Audit the suppliers whose failure would hurt most first — critical parts, single sources, poor past performance
- Weight new and high-spend suppliers, and any supplying safety- or regulatory-critical items
- A risk-ranked supplier list decides frequency and depth, not a flat everyone-once-a-year rule
- Decide which processes, lines and products are in scope — and whether it is a system or a process audit
- Match the scope to the risk: a critical part warrants a process audit at the line, not just a paperwork review
- Confirm the criteria the supplier will be assessed against, so the visit is focused
- Send the supplier the scope, the checklist and the date well in advance
- Request supporting documents — the quality manual, control plans, records — before the visit
- A prepared supplier makes the on-site time productive rather than a document hunt
- Assign someone scored and authorised for supplier audits, not just any available person
- For a technical process, the auditor needs the domain knowledge to read the evidence
- Competency and authorisation are recorded, so the assignment is defensible
A system makes this repeatable: the supplier-audit plan is generated and routed for approval like any other audit, only competent, authorised auditors can be assigned, and the frequency is set per supplier so the next audit is scheduled automatically. See audit planning & calendar and auditor competency.
4. The checklist and scoring
A supplier audit lives or dies on its checklist. It should be a reusable, scored template for the supplier-audit type, mapped to the criteria that matter — quality system, process control, measurement and calibration, material and traceability, and handling of non-conforming product. Every supplier is assessed against the same template, so the results are comparable rather than a matter of which auditor visited.
Scoring is what turns the audit into a rating. Each area is scored against objective evidence, and the scores roll up into an overall result that maps to an approval status. The bands are set by the organisation; the discipline is that they are applied the same way to every supplier:
| Score band | Rating | What it means and the action |
|---|---|---|
| 85%+ | Approved | Full approval; standard re-audit cycle. The supplier is capable against the criteria. |
| 70–84% | Approved with conditions | Approved subject to corrective actions and an earlier re-audit; monitor the open findings. |
| Below 70% | Not approved / on hold | Not approved for new business until the non-conformances are closed and the supplier is re-audited. |
Illustrative bands inside a mock scoring scheme — set your own thresholds and weightings. The point is that every supplier is scored the same way, so the rating means the same thing across the supply base.
5. Conducting the on-site assessment
The on-site assessment is where the scoring gets its evidence. Run it the same way every time, and score against what you see rather than what you are told:
- Confirm the scope, the criteria and the areas to be sampled
- Set the tone — the audit assesses the process, and findings help both sides
- Agree how findings and the score will be shared at the closing meeting
- Follow a real order through the supplier's process, sampling records at each step
- Watch the line, interview operators, check calibration and traceability at source
- Trace end to end rather than accepting a description of how it should work
- Record conformance, score, clause and observation per checklist area on a tablet
- Score what the evidence shows, not the supplier's assurance
- Capture the record or sample seen, so the score is defensible later
- Walk the supplier through each finding, its grade and the overall score before you leave
- Confirm the evidence for every non-conformance so there are no surprises
- Set expectations on the corrective-action timeline
Recording at the point of observation is where mobile checklist entry earns its place — the auditor scores each area on the supplier's floor, with progress visible, so the assessment is not reconstructed from notes on the drive home.
6. Issuing NCs and CAPA follow-up
A non-conformance raised against a supplier is tracked to closure exactly like an internal finding — with the difference that the person actioning it works for the supplier, so the tracking has to carry the follow-up that authority would otherwise provide. Each NC carries its clause, discrepancy and category; the supplier submits a corrective-action plan with root cause and a due date; your team reviews it; and the auditor verifies effectiveness against evidence before it closes. Due dates and reminder emails chase overdue actions, and a serious or repeated non-conformance can escalate into a formal 8D / CAPA investigation with the supplier.
The leverage that makes supplier CAPA work is the rating: a supplier's approval status reflects how well and how promptly they close findings, so closure is not a favour but a condition of continued business. Our full guide to corrective action and CAPA closure covers the closure loop in depth.
Score every supplier the same way, and drive their findings to closure.
Fast Audit runs supplier audits on the same lifecycle as your internal programme — a reusable scored checklist, a plan routed for approval, a competent auditor, non-conformances raised against the vendor, and CAPA follow-up with due dates and reminders. The rating feeds the re-audit cycle, and a serious finding can escalate into Fast Quality's 8D / CAPA. Cloud or on-premise, standalone or suite-integrated.
7. Supplier rating and the re-audit cycle
The audit result is not the end — it is an input to the supplier's rating, and the rating is what drives the re-audit cycle. Rather than auditing every supplier on the same fixed calendar, a rating-driven cycle concentrates effort where the risk is: high-rated, low-risk suppliers are audited less often, while lower-rated or critical suppliers are re-audited sooner and more thoroughly. A supplier that fails or raises repeat non-conformances moves onto a shorter cycle until the rating recovers.
- High score, strong record, low risk
- Re-audited on the standard, longer interval
- Monitored on incoming quality between audits
- Approved with open corrective actions
- Re-audited sooner to confirm the fixes held
- Watched closely until the rating improves
- Below the threshold or a major open NC
- No new business until closed and re-audited
- Re-audit scheduled once actions are complete
- Safety- or regulatory-critical items
- Re-audited more often regardless of score
- Risk, not just rating, sets the frequency
Held this way, the supplier programme becomes self-adjusting: good suppliers earn a lighter touch, struggling ones get more attention, and the audit calendar generates the next audit from the frequency set against each supplier — so nothing slips. The supplier audit report and the rating history give purchasing and quality a shared, evidenced view of the supply base, as in real customer deployments such as Optimas and ITR.
8. How Fast Audit Software does it
Fast Audit Software runs the supplier-audit cycle on the same platform as your internal programme, built in Pune by Improsys under the Fast Technology brand, cloud or on-premise:
| Stage | How Fast Audit Software does it |
|---|---|
| Scored checklist | A reusable audit template for the supplier-audit type holds the scored assessment as sections and categories, revised under control and applied the same way to every supplier. See audit templates & checklists. |
| Plan & assign | The supplier-audit plan is generated by frequency and count, routed for approval, and only auditors authorised for supplier audits are assigned. See planning & calendar and auditor competency. |
| On-site assessment | Auditors score each area on a mobile worklist — conformance, score, clause and observation — with answered-versus-total progress. See checklist entry. |
| Findings & CAPA | Non-conformances raised against the supplier carry clause, category and a fresh-versus-repetitive flag, and run through action plan, review and verification with reminders. See findings, NC & CAPA closure. |
| Rate & report | The supplier audit report and rating feed the re-audit frequency, and the auditee/auditor/HOD dashboards and NC register show status across the supply base. See dashboards & audit reports. |
| Escalate | A serious or repeated supplier NC can escalate into Fast Quality's 8D / CAPA on the same document engine — no re-keying. |
The result is a supplier programme where every vendor is scored against the same criteria, every finding is tracked to verified closure, and the rating keeps the re-audit cycle honest. For the wider context, start with what audit management software is, or read how the ISO 9001 checklist and CAPA closure underpin the supplier case.
9. Frequently asked questions
See a supplier audit scored and closed
A 30-minute demo — a supplier audit planned, scored on a tablet, non-conformances issued and driven to closure, with the rating feeding the re-audit cycle. No generic slideshow.
