5 Commonly-Overlooked Strategies for Supplier/Vendor Audits
Here are five strategies we find ourselves deploying most often when providing audit program support.
This guide is available in full for all subscribers. If you’re not already a paid subscriber, you can upgrade here.
Although a viable supplier business model demands high-quality products and services, the regulatory burden ultimately rests on the company receiving its products or services.
Monitoring and managing quality is extremely important when outsourcing anything that could potentially impact your product. This includes both the typical outsourced services like component suppliers and contract manufacturers and consulting services, more generally.
Here, we share a few strategies for supplier/vendor audits we find ourselves deploying frequently when supporting firms in the field.
Need audit support in 2024? Our certified, experienced auditors plan, schedule, and execute vendor/supplier quality management audits worldwide to identify areas of conformance and nonconformance with applicable global regulations. We have vetted, trusted auditors in 46 states and 47 countries. Following assessment, our experts provide a detailed report including all observations and deficiencies and a risk-based corrective action plan for improvement. We manage audit programs large and small and offer volume-based discounting. The more audits we manage for you, the more you save. Learn more and contact us.
Also, be sure to read our comprehensive guide to vendor/supplier auditing and catch our recent interview with Divya Gowdar on audit and inspection readiness best practices.
A brief review of responsibilities between parties
As we said before, the manufacturer remains ultimately responsible for the products it produces and sells, as per the FDA. The FDA views a manufacturer's suppliers as an extension of the manufacturer, regardless of whether some or all of the manufacturing or other operations are outsourced.
Both parties need to establish an active, ongoing partnership. Before jumping into our strategies, let’s level-set with the breakdown of responsibilities.
Supplier/vendor responsibilities
To establish a sustainable partnership, third-party partners such as suppliers and vendors must undergo audits and proactively meet the following responsibilities.
Suppliers and vendors must remain fully compliant with CGMPs. Having an effective QMS in place is not enough; they must also be ready to demonstrate its effectiveness during audits. This includes showing how the QMS identifies risks, manages quality across the supply chain, and ensures continuous improvement.
Suppliers and vendors must reveal any previous compliance issues, such as FDA Form 483s, warning letters, or consent decrees. This transparency is crucial for building trust. Deception or hesitance should never be accepted. As the manufacturer and their customer, you need to be able to assess risks accurately and work collaboratively on corrective measures to prevent future violations.
Suppliers and vendors must implement a robust and redundant risk management approach. This means identifying potential product quality or supply chain integrity risks and establishing preventive measures. The FDA expects risk management to be an integral part of the decision-making process, considering both primary (direct impact on product quality) and secondary (indirect impact) risks. Balancing these risks with cost considerations without compromising quality is a delicate but essential task that all suppliers and vendors should be able to explain in detail.
Suppliers and vendors must strictly adhere to all contract terms with manufacturers. This includes specifications for product quality, delivery timelines, and any other agreed-upon service levels. Honoring these terms is fundamental to maintaining a productive and sustainable partnership. It also minimizes legal risks and fosters a stable supply chain.
Suppliers and vendors must proactively notify manufacturers of any changes to their products or services. This includes changes in material composition, manufacturing processes, or even changes in subcontractors. Early notification allows manufacturers to assess the impact of these changes on the finished product's quality. Depending on the nature of the change, additional validation work or adjustments in the manufacturing process may be necessary to ensure continued compliance with quality standards. Make sure these notifications are clearly stated in your contracts in extreme detail.
Manufacturer responsibilities
The manufacturer must perform audits and fulfill their responsibilities to maintain compliance and a productive partnership.
Manufacturers must have a comprehensive supplier quality risk management program. This a detailed plan that assesses and manages the quality risks associated with their suppliers and vendors. It should include specific metrics for evaluating supplier performance, trigger action thresholds, and a matrix to categorize risks by severity and likelihood. The plan should also outline preventive actions and responses for identified risks. Before qualifying a supplier or vendor, manufacturers need to communicate the requirements of this risk management plan clearly. Suppliers need to understand the expectations and the standards they must meet from the outset. This is a huge gap we find in the field.
Manufacturers must be proactive and attentive to any potential noncompliance issues with their suppliers. The manufacturer is ultimately on the hook for their suppliers. This means not hesitating to raise concerns or ask questions when something is amiss. Early identification of potential noncompliance can prevent more significant issues down the line. The manufacturer should document the issue in detail if noncompliance is observed during an audit. This includes specifying what the noncompliance was, where and when it occurred, and any other relevant context. Detailed records support clear communication and effective corrective action.
When a noncompliance issue is identified, manufacturers must reference the specific supplier qualification SOP or policy violated. This adds weight to the observation and clarifies the nature of the violation, making it easier for the supplier to understand and address the issue.
Manufacturers should classify the severity of each observation (minor, major, or critical) and communicate this classification to the supplier. This helps the supplier understand the seriousness of the issue and prioritize corrective actions accordingly. Manufacturers should require all suppliers to provide an action plan for resolving an identified issue. This plan should detail the steps the supplier will take, who will be responsible, and the timeline for resolution.
Manufacturers must follow through with established purchasing controls to ensure that only qualified suppliers are used and that products meet specified requirements. This may include periodic re-evaluation of suppliers based on performance and compliance. When noncompliance is identified, manufacturers should issue Supplier Corrective Action Requests (SCARs) to formally request corrective actions from the supplier. The SCAR process should track the implementation of corrective actions, verify their effectiveness, and document the resolution of the issue. (We help firms with this all the time. Contact us for expert SCAR support if and when you need it.)
Now let’s dive into our five strategies for supplier/vendor audits.
1. Conduct pre-audit research
The right pre-audit research helps you understand the supplier's current compliance status, quality systems, and operational risks. Investing in doing your homework before the audit allows for a more focused and efficient audit, targeting areas of potential concern rather than starting from scratch and doing that work on-site.
We recommend:
Reviewing previous audit reports, corrective action plans, and follow-up outcomes.
Analyzing the supplier's regulatory submissions and any regulatory actions (e.g., FDA warning letters).
Gathering internal feedback about the supplier from relevant departments (e.g., procurement, QC, legal).
Drive all of these inputs into developing a checklist of key areas to investigate based on known industry issues and the supplier's history. Also, look to industry databases and networks for insights into the supplier's performance and regulatory history. Here are some we find can have great information:
FDA Inspections Database: This database provides information on FDA inspections, including outcomes and any issued Form 483s indicating observed violations.
FDA Warning Letters Database: Contains letters sent to manufacturers and suppliers for violations of regulatory standards, offering insights into serious compliance issues.
FDA Recalls Database: Lists product recalls, which can indicate quality issues with suppliers involved in manufacturing recalled products.
EudraGMDP database: Offers details on GMP and GDP compliance for suppliers within the European Union. This includes inspection outcomes and certificates of compliance.
International Society for Pharmaceutical Engineering (ISPE) Engage: Offers resources and community discussions that can provide insights into supplier quality management practices.
Dun & Bradstreet Reports: Provides comprehensive business reports that can include financial health, operational stability, and potential legal issues of suppliers, which indirectly affect their reliability and quality standards.
Pharmaceutical Supply Chain Initiative (PSCI): A network of pharmaceutical and healthcare companies that share audit reports and supplier performance data, emphasizing ethical, social, environmental, and health and safety outcomes.
Parenteral Drug Association (PDA): A global provider of science, technology, and regulatory information and education for the pharmaceutical and biopharmaceutical community, often discussing supplier quality issues.
2. Take a careful look at customer complaints
Customer complaints can provide direct insight into potential quality issues with the supplier's products or services. This can highlight areas for detailed examination during the audit.
We recommend:
Requesting a summary of customer complaints related to the supplier's products or services from the supplier.
Analyzing complaint trends to identify potential systemic quality issues. (Feeding complaint data into a large-language model can be powerful for trend analysis.)
Discussing the findings with the supplier during the audit to understand their perspective and corrective actions.
We always stress that the focus should be on how the supplier handles and resolves complaints, not just the complaints themselves.
3. Know if a supplier is outsourcing
If a supplier uses subcontractors or third-party manufacturers, it introduces additional layers of risk and complexity into the supply chain. However, responsibility for managing the chain still flows back to the manufacturer, no matter how long it is.
We recommend:
Directly asking about the supplier's use of third parties during the pre-audit questionnaire.
Request details on the oversight and quality control measures the supplier has in place for managing their subcontractors. Yes, you’re responsible, but the supplier should oversee their contractors.
Always assessing the supplier's subcontractor audit processes and results. Consider conducting site visits or audits of critical subcontractors, especially for components or materials critical to product quality.
4. Segment and prioritize your suppliers by risk
This is a basic strategy that ties into risk management we often see lacking. Categorize your suppliers based on their risk to the supply chain and allocate audit resources accordingly. High-risk suppliers often need more frequent or detailed audits compared to low-risk suppliers.
We recommend:
Developing clear risk assessment criteria. These criteria should cover various factors, including product quality, regulatory compliance history, operational stability, financial health, geopolitical location, and the criticality of the supplied materials or services.
Using the developed criteria to assess each supplier. This may involve reviewing historical performance data, audit reports, financial statements, and any regulatory compliance records. Consider direct evaluations, such as site visits or questionnaires, to gather additional insights.
Based on the assessment, suppliers are categorized into risk tiers (e.g., low, medium, high). The categorization should reflect the potential impact of the supplier's failure on the organization's product quality, compliance status, and supply chain integrity.
Prioritizing audit resources, including frequency, depth, and scope, based on the supplier's risk category. High-risk suppliers may require more frequent and comprehensive audits, while low-risk suppliers may be audited less often or through less intensive methods, such as self-assessments or document reviews.
Supplier risks can change over time due to various factors, such as changes in management, financial health, or the geopolitical environment. Regularly review and update the risk segmentation to reflect current conditions.
5. Integrate modern tech to enhance your audits
In just the past few years, a whole crop of tech tools that dramatically improve audit management have come onto the market. But we continue to see the industry lagging in adopting these tools despite the benefits.
Audit management software and data analytics, in particular, represent a strategic approach to modernizing and enhancing the efficiency and effectiveness of supplier/vendor audit processes.
Here are a few specific types of these tools, their functionalities, and how they can be leveraged to optimize audit operations.
Audit Management Software
Tools like MasterControl, AssurX, and SimplerQMS vary in features and specialization, with some focusing more on specific industries like pharmaceuticals or manufacturing. But they all automate and streamline all aspects of the audit process, making it easier for organizations to plan, execute, and follow up on audits. These tools offer a range of functionalities:
Planning and Scheduling: Helps in the organization and scheduling of audits, ensuring that all necessary audits are conducted in a timely manner. Tools may offer calendars, notification systems, and resource allocation features to facilitate planning.
Documentation and Evidence Collection: Enables auditors to collect and store audit evidence digitally. Features might include mobile compatibility for on-site data capture, document management systems, and secure storage solutions.
Workflow Management: Automates the audit workflow, guiding auditors through each step of the process. This includes checklists, templates, and predefined audit protocols that ensure consistency and completeness.
Real-time Reporting and Dashboards: Provides dashboards and reporting tools that allow for the real-time analysis of audit data. This can include compliance status, audit findings, and trend analysis, facilitating quick decision-making.
Action Tracking and Follow-up: Manages corrective action plans, tracking the implementation of corrective actions and verifying their effectiveness. This feature ensures issues are resolved and prevents recurrence.
Is your team using Veeva as your eQMS? In addition to conducting audits, we can complete your data entry directly within your Veeva system, saving you significant time and attention. Our dedicated project support team works directly with our auditors to streamline the process of inputting audit reports into the Veeva platform. We’ll guide your Veeva Administrator through the steps to confer the necessary user permissions in the platform and take care of the audit input on your behalf. Contact us to learn more about integrating Veeva management into your auditing service so you can focus on your core operations.
Data Analytics for Risk Assessment
SAS Analytics, Tableau, and IBM Cognos Analytics offer powerful data analysis capabilities. Additionally, specialized supply chain risk management platforms such as Sphera and Resilinc can provide targeted insights into supply chain vulnerabilities.
By analyzing large volumes of data, these tools can uncover patterns, trends, and insights that might not be visible through traditional analysis methods.
For example:
Risk Identification: Utilizes advanced data mining techniques to identify potential risks within the supply chain. This can include analyzing supplier performance data, market trends, and external factors like geopolitical risks.
Risk Prioritization: Employs algorithms and modeling techniques to prioritize risks based on their potential impact and likelihood. This helps organizations focus their efforts on the most critical areas.
Predictive Analytics: Leverages historical data to predict future risk scenarios, allowing organizations to proactively address potential issues before they impact the supply chain.
Supplier Performance Monitoring: Continuously analyzes supplier performance data against KPIs to identify deviations from expected levels, signaling potential risks.
Need supplier/vendor audit support or interested in putting a comprehensive supplier auditing program in place? We can help.
Our certified, experienced auditors plan, schedule, and execute vendor/supplier quality management audits to identify areas of conformance and nonconformance with applicable global regulations. Following assessment, our experts provide a detailed report including all observations, deficiencies, and a risk-based corrective action plan for improvement.
With an enhancement plan in place, our quality professionals will work closely with you to provide recommendations, resolve compliance issues, track corrective actions, and communicate the status of resolutions with company management.
This comprehensive approach to vendor/supplier quality management strengthens your vendor/supplier relationships while ensuring the highest quality of your products through a compliant and efficient quality system.
Our vendor/supplier auditing services include:
Vendor/supplier audit plan strategy and creation
Vendor/supplier audit execution and project management
Vendor/supplier audit plan maintenance and support
Veeva eQMS data entry services
Read our comprehensive guide to supplier audits and get in touch to start the conversation.
Who is The FDA Group?
The FDA Group helps life science organizations rapidly access the industry's best consultants, contractors, and candidates. Our resources assist in every stage of the product lifecycle, from clinical development to commercialization, with a focus on Quality Assurance, Regulatory Affairs, and Clinical Operations.
With over 2,500 resources worldwide, over 225 of whom are former FDA, we meet your precise resourcing needs through a fast, convenient talent selection process supported by a Total Quality Guarantee.