A supplier audit is a planned, evidence-based examination of a supplier against defined criteria, a contract, a standard, or a control plan, to confirm the supplier can consistently meet your requirements. It is a second-party audit: you, the customer, auditing your supplier, with scope and evidence standards you control.
A good supplier audit is not a plant tour with a clipboard. It is a structured comparison of what the supplier says they do, what they actually do, and what your requirements demand, settled with objective evidence rather than opinion. Done right it tells you whether a supplier belongs on your approved list, why a stream of defects keeps arriving, or whether a corrective action actually took hold. This guide covers the three audit types, how to scope and build the checklist, a seven-step process, and how to score and close it out, the same evidence-first discipline behind a working supplier quality management program.
What is a supplier audit?
A supplier audit is a systematic, independent, documented process for gathering audit evidence and evaluating it objectively against agreed criteria. Because the customer performs it on a supplier, it is a second-party audit, distinct from a first-party internal audit the supplier runs on itself, and from a third-party audit a certification body runs to grant a registration. The distinction matters because you set the scope: you decide which criteria apply, how much evidence is enough, and what a finding obligates the supplier to do. A certification body audits to the standard; you audit to your parts, your risks, and your contract.
The purpose is not to catch a supplier out. It is to reduce the uncertainty in a sourcing decision to a size you can live with. Every audit answers one question, can this supplier consistently give me conforming product?, and the audit type you choose narrows that question to something you can actually check in a day.
System audit, process audit, or product audit?
The three audit types look at the same supplier through different lenses, and choosing the wrong one wastes the visit. A system audit asks whether the quality management system exists and functions, is there document control, corrective action, calibration, training, internal audit, and are they connected. A process audit zooms into one manufacturing process, a molding cell, a plating line, a weld station, and checks whether it is capable, controlled, and run to its own control plan. A product audit ignores the system and the process and inspects finished product against the drawing, as a customer would receive it.
| Audit type | Question it answers | Evidence it gathers | Best used when |
|---|---|---|---|
| System audit | Does a working quality system exist? | Procedures, records, management review, training and calibration files, internal audit results | Qualifying a new supplier; periodic re-assessment of an approved one |
| Process audit | Is this specific process capable and followed? | Control plan adherence, setup and inspection records, SPC data, operator instructions in use | Chasing a recurring defect; approving a new part or process; automotive PPAP support |
| Product audit | Does finished product conform to the drawing? | Dimensional and functional results on parts pulled from finished stock | Verifying containment; validating that shipped product matches records |
Automotive quality treats the process audit as its own discipline, and standards such as IATF 16949 lean on process auditing to keep production streams under control. For most manufacturers the practical answer is not one type but a sequence: a system audit to get a supplier approved, then process audits when a part or a problem needs them, and product audits to confirm that containment and corrective actions are real.
How do you scope a supplier audit and build the checklist?
Scope is the single decision that makes or breaks the audit. Before you book travel, write down three things: the objective (qualify, re-assess, or investigate), the criteria (which contract terms, standard clauses, and part requirements apply), and the boundary (which sites, lines, and shifts are in and out). An audit with a fuzzy objective becomes a wandering tour; an audit with no stated criteria produces findings no one can dispute or defend.
The checklist turns that scope into verifiable questions. Every line item should trace to a source, a clause in ISO 9001, a term in the purchase agreement, a characteristic on the drawing, and ask for evidence, not a yes. "Is incoming material inspected?" invites a nod; "Show me the last five incoming inspection records for part 4471 and the disposition of any rejects" produces evidence. Build the checklist from your requirements first and the standard second, so the audit reflects the risk this supplier carries for you, not a generic template. A weak supplier audit and a weak internal quality audit checklist fail the same way: they ask closed questions and accept assertions.
What is the supplier audit process, step by step?
ISO 19011:2018, the recognized guideline for auditing management systems, lays out a process that scales from a two-hour process audit to a full system assessment. Here it is in seven steps.
- Initiate and plan the program. Set the objective and type, confirm the audit is feasible, agree dates, and assign a lead auditor competent in the process being audited. Notify the supplier and request the documents you will review in advance.
- Review documents and prepare the checklist. Read the supplier's procedures, prior audit results, scorecard, and open corrective actions before you arrive. Build the criteria-linked checklist and an agenda that covers every shift and line in scope.
- Hold the opening meeting. Confirm scope, criteria, schedule, and confidentiality with the supplier's team. Explain how findings will be classified so there are no surprises at the close.
- Gather objective evidence. Follow the process on the floor, interview the people who do the work, and trace real records end to end, a receiving inspection through to a shipped lot. Sample enough to be representative; record what you saw, not what you were told.
- Evaluate evidence and classify findings. Compare evidence to criteria and grade each gap: major nonconformity (the requirement is absent or systemically failing), minor nonconformity (a lapse in an otherwise working control), or observation (a risk not yet a failure).
- Hold the closing meeting and issue the report. Present findings with the evidence behind each, agree the facts, and give the supplier a defined window to submit a corrective-action plan. Issue a written report with scope, criteria, findings, and the overall rating.
- Verify corrective action and close. Require root cause and containment for every nonconformity, then verify effectiveness with evidence, a re-audit, submitted records, or a product audit, before you close the finding. An audit closed on a promise is not closed.
How do you score a supplier audit?
Scoring turns a pile of findings into a decision, and the honest way to do it is to weight sections by risk and let the numbers gate the outcome. A common approach assigns points per section, each requirement scored against its maximum, then computes a section score and an overall rating as the sum of section scores over the sum of maximums. What separates a useful score from a vanity metric is the gate: a single major nonconformity in a safety-critical section should cap the overall result regardless of how high the arithmetic runs, because one systemic failure in the wrong place outweighs a hundred tidy records elsewhere.
Feed the rating into the supplier scorecard so the audit is not a standalone event but one input among delivery, quality, and responsiveness data. And treat the recurring on-site process check as its own tool: some plants run layered process audits internally and expect key suppliers to do the same, which turns the annual audit into continuous evidence rather than a once-a-year snapshot.
By the numbers
By the numbers. ISO 19011:2018 is the recognized international guideline for auditing management systems; it defines the audit process, managing the program, planning, conducting, reporting, and following up, and names seven principles of auditing: integrity, fair presentation, due professional care, confidentiality, independence, an evidence-based approach, and a risk-based approach (ASQ, ISO 19011). ISO 9001:2015 clause 8.4 requires organizations to determine and apply criteria for the evaluation, selection, monitoring, and re-evaluation of external providers, and to retain records of the results, the clause a supplier audit generates evidence for (ISO 9001:2015). And the business case sits in the cost of quality: ASQ notes total quality costs commonly run 15-20% of sales revenue, much of it in the appraisal, internal-failure, and external-failure costs that a defect-prone supplier drives straight onto your floor (ASQ, Cost of Quality).
What comes after the audit?
The report is the beginning, not the end. Every nonconformity should trigger a corrective action with root cause, containment, and an effectiveness check, the same discipline you would expect from your own nonconformance process. Where the supplier is strategic and the gaps are real but fixable, the right move is often not to walk away but to invest, which is where audits feed into supplier development. Where the supplier is new, the audit is one gate in a larger supplier qualification sequence that also weighs samples, capability, and capacity. And where audit results, receiving data, and corrective actions live in disconnected spreadsheets, none of it compounds. Capturing findings and evidence digitally, connected to the receiving records and scorecards they relate to, the kind of plumbing Harmony's quality intelligence and connected-systems modules handle, is what turns a stack of audit reports into a picture of a supplier over time. CLS made exactly that shift, from findings filed in a binder to findings visible the moment they matter.