Supplier Audits
Regulated development and commercialization journeys where clinical, quality, and market access align.
Inside this journey
-
Customer Discovery
Align on supplier portfolio, audit backlog, regulatory obligations, risk tiers, and measurable success signals for supplier qualification.
Discovery Questions
Unpacking Your Supplier Oversight Rhythm
- Roughly how many suppliers fall inside your formal audit/qualification scope and how many of those need auditing each year?
- Which supplier categories take the most of your audit capacity right now?
- What portion of your suppliers are international (outside your main regulatory geography)?
- Tell me about a recent year when audit coverage slipped—what happened and what was the most concrete consequence?
- Who within your organization owns scheduling and resource allocation for supplier audits, and do they have enough capacity?
- If you could change one thing about how audits are scheduled or staffed, what would it be?
Are We Quietly Exposed?
- If an inspector asked for proof of supplier qualification tomorrow, which suppliers would you find hardest to justify and why?
- How long is your current audit backlog (suppliers that are overdue compared to your target cadence)?
- Which supplier categories or specific sites are most consistently overdue?
- Describe the single overdue audit you worry about most—who is it, what risk does it present, and how long has it been outstanding?
- Have overdue audits in the last 24 months already led to regulatory observations, supply holds, or product impacts?
- When you think about your backlog, what emotion comes up first—frustration, worry, resignation, urgency, or something else?
What's Actually Risking Your Product?
- Which single supplier failure would cause the most immediate harm to patients or your business, and do you know which supplier could cause it?
- Which failure modes concern you most across suppliers?
- How do you currently assign risk tiers to suppliers, and when was the last time you re-tiered a supplier? Describe that change.
- What objective triggers currently move a supplier into 'high risk' in your program?
- Who must sign off when a supplier’s risk tier changes, and how quickly does that approval typically happen?
Are Your Audits Consistent—or One-Off Hinges?
- When two different auditors assess the same supplier, how aligned are their findings and conclusions?
- Describe a recent audit report that failed to capture a known issue—what was missed and why do you think it happened?
- Which audit modalities do you rely on today and in what proportion?
- Which auditor qualifications are mandatory for you to accept an audit as credible?
- How long does it typically take from audit completion to receiving a final, risk-ranked report and executive summary?
- Which elements in an audit report matter most to you (pick top three)?
When Findings Appear, Do They Move the Needle?
- Do CAPAs from supplier audits actually close on time and prevent recurrence, or do they often stall as paperwork?
- What system do you use to track CAPAs and supplier remediation?
- Share one example where supplier CAPA led to a sustained improvement—and one where it didn’t. What was the difference?
- Who owns escalation when a supplier fails to implement corrective actions on time?
- How would you prefer escalation and CAPA ownership to look if you could design it today?
If We Rebuilt Qualification From Scratch, What Would Be Different?
- What single change would most reduce your day‑to‑day anxiety about supplier quality?
- Which short-term outcomes (6 months) would convince you a new audit approach is working?
- What measurable acceptance criteria would you require to move a supplier from 'provisional' to 'qualified'?
- Preferred monitoring cadence for high-risk suppliers?
- Preferred monitoring cadence for medium-risk suppliers?
- Preferred monitoring cadence for low-risk suppliers?
- What evidence or deliverables would make you confident that a remote document review is as reliable as an on‑site audit for a given supplier?
What's Needed to Move Forward (Budget, SLAs, People)
- What’s the single internal veto point that would stop a pilot today—budget, SLA, procurement rules, or something else?
- Which commercial or operational guarantees are non-negotiable for you?
- Who are the decision-makers we would need to convince and what are their top two concerns each?
- When could you realistically run a low‑risk pilot with a new audit partner?
- What would a minimal, low-risk pilot look like to you (scope, number of suppliers, locations, and success metrics)?
- How would you like us to communicate during a pilot (progress updates, dashboards, cadence)?
Agreeing on Success: What Will Count?
- If we complete a 90-day pilot, what exact evidence would make it an undeniable win for you?
- Which KPIs will you use to judge pilot success?
- What reporting cadence and format would make those KPIs most usable for you?
- Who should be in the recurring review meetings for the pilot (roles, not names)?
- Are there any data access, confidentiality, or compliance constraints (NDAs, IT restrictions, travel limits) we should plan for before starting?
-
Solution Experience
Validate how our audit approach, auditor qualifications, and risk-ranking deliverables solve your highest-risk supplier scenarios using real examples.
Experience Meetings
- Current State & Consequence Alignment
- Solution Experience — Risk Scenario Walkthrough (Live Cases)
- Operational Proof — Pilot Planning & Logistics
- Validation Review & Decision
Issues & Enhancements
- Customer: Assign internal owner(s) for CAPA closure tracking and supplier scorecard updates.
- Show that the risk-ranking output prioritizes the customer's true risks and yields actionable findings.
- Obtain explicit validation that the proposed approach meets the customer's acceptance criteria.
- Seller: Deliver the scenario-specific draft audit report and risk-ranking export within 3 business days.
- Customer: Provide feedback on whether the auditor qualification and report granularity meet internal QA expectations.
- Seller: Propose a pilot audit scope and timeline based on this scenario for the Pilot Planning meeting.
- Pilot Objective & Acceptance Criteria
- Finalize pilot scope and measurable acceptance criteria.
- Confirm auditor assignment and logistics so audit can be executed without delay.
- Agree SLA for report delivery and checkpoints to evaluate pilot success.
- Define CAPA ownership and post-audit monitoring responsibilities.
- Customer: Provide supplier access approvals and any required NDAs/visas/logistics info.
- Seller: Finalize SOW/pilot order with detailed scope, auditor CVs, and SLA commitments.
- Seller: Confirm travel and scheduling for assigned auditor(s) and set audit dates.
- Both: Schedule post-pilot Validation Review within 2 business days of report delivery.
- Pilot Results Executive Summary (Diagnosis)
- Confirm whether pilot met acceptance criteria and proved the future state.
- Agree commercial terms and SLA for rolling out the audit program.
- Establish a clear roll-out roadmap, owners, and timeline into Deployment.
- Document any unresolved items and owners for closure prior to Deployment.
- Seller: Deliver final pilot report package, updated SOW, and proposed master rollout schedule.
- Customer: Provide formal decision (approve, modify, or reject) and any contractual PO/commitment required to proceed.
- Both: Schedule Deployment kickoff and populate the Deployment stage checklist (auditor assignments, first-quarter cadence).
- Introductions & Meeting Objectives
- Customer articulates current state in one clear sentence.
- Consequences of current gaps are quantified and explicit.
- Two to three real supplier scenarios are selected for the Solution Experience.
- Future state and measurable acceptance criteria are defined for each scenario.
- Required pre-work and documents are agreed and scheduled for delivery.
- Customer: Share supplier dossiers, recent audit reports, deviation/regulatory summaries for selected suppliers.
- Seller: Prepare tailored scenario plan and mapping template that ties audit evidence to customer's acceptance criteria.
- Seller: Confirm date/time for Scenario Walkthrough meeting and required attendees.
- Recap Current State & Success Criteria for Selected Supplier
- Demonstrate a clear line from the customer's problem to specific audit steps and outputs.
- Prove the selected auditor's qualifications are sufficient and relevant for the scenario.
- Scope & Audit Modalities
- Detailed Findings & CAPA Recommendations (Proof)
- Auditor Qualification Match
- One-Sentence Current State
- Auditor Assignment & Qualifications
- Consequence Quantification
- Mapping to Consequence Reduction
- Audit Approach Walkthrough (Diagnosis)
- Risk-Ranking Proof (Live)
- Commercial & SLA Confirmation for Scale
- Scheduling, Access, and Logistics
- Select 2-3 Real Supplier Scenarios
- Roadmap to Scale & Monitoring Plan
- Report & CAPA Example (Proof)
- Turnaround SLA & Deliverable Format
- Define Success Criteria & Future State
- Decision & Next Steps
- Pre-work & Data Transfer Checklist
- Tying Results Back to Consequence
- Escalation, CAPA Ownership & Post-Audit Monitoring
- Risk Mitigation During Pilot
- Final Q&A and Open Issues
- Forced Validation & Clarifying Questions
-
Solution Scope
Define audit types (on-site, remote, document review), scope per supplier category, geographic coverage, report standards, and monitoring cadence.
Scope Configuration
- On-site GMP audit
- Remote GMP document review
- API manufacturer GMP audit
- Packaging component supplier audit
- Contract laboratory GLP/GMP audit
- CDMO sterile/aseptic process audit
- Logistics and cold-chain GMP inspection
- Deliver risk-ranked audit report
- Provide corrective-action recommendation package
- CAPA effectiveness verification (remote or on-site)
- Supplier risk scorecard update
- Chain-of-custody and traceability review
Scope Questions
On-site GMP audit
- How many physical sites do you want included in the on-site audit(s)?
- Which audit standard(s) should on-site auditors assess against?
- What are the primary focus areas for the on-site audit (select all that apply)?
- Are there site access or security requirements we should plan for (e.g., visitor badges, NDA, site inductions)?
- Estimate the expected audit duration per site (hours or days):
- Any language, translation, or cultural considerations for on-site audit delivery?
Remote GMP document review
- Which document types should be included in the remote review?
- What is the expected document volume or how many document packs will be provided?
- What turnaround time do you require for the remote document review deliverable?
- Do you require live interviews or remote walkthroughs in addition to document review?
- Will documents be delivered via a secure portal or do we need to support multiple upload methods?
- Any regulatory or language translation needs for document review (e.g., non-English originals)?
API manufacturer GMP audit
- Which API manufacturing stages should the audit cover?
- Is the API site handling controlled substances, hazardous chemistries, or potent compounds requiring special PPE/controls?
- Do you require assessment of impurity control, cleaning validation, and cross-contamination controls?
- Are there regulatory filings or agency inspection history we should review as part of scope (e.g., warning letters, 483s)?
- Preferred auditor qualifications for API audits (select all that apply)?
- Geographic or travel constraints for API site visits (e.g., embargoed countries, travel approvals)?
Packaging component supplier audit
- Which packaging component types are in scope (select all that apply)?
- Is counterfeit or tamper-evidence assessment required for packaging suppliers?
- Do you require testing verification (e.g., extractables/leachables, container closure integrity) as part of the audit scope?
- Should the audit assess labeling accuracy, print controls, and revision control?
- Are supplier sites co-packers or full manufacturers (affects scope and depth)?
- Any geographic or regulatory packaging requirements to cover (e.g., serialization for EU, unique device identification)?
Contract laboratory GLP/GMP audit
- Which laboratory functions should be audited?
- Do you require review of data integrity practices and electronic system controls (LIMS, ELNs)?
- Is ISO 17025 accreditation or GLP compliance required or present?
- Are proficiency testing records, method validation dossiers, and equipment calibration records required in scope?
- Preferred depth of raw data review (select one):
- Any specific regulatory bodies or testing standards the lab must comply with?
CDMO sterile/aseptic process audit
- Should the audit include process simulation/media fills?
- Which aseptic technologies are in use that should be assessed?
- Do you require environmental monitoring program review and historical trend analysis?
- Should sterilization processes (e.g., terminal sterilization, depyrogenation) be part of the scope?
- Are personnel gowning, training records, and aseptic technique assessments required on-site?
- Any regulatory expectations or recent inspection findings to inform audit focus?
Logistics and cold-chain GMP inspection
- Which legs of the cold chain should be inspected?
- What temperature ranges and container types must the supplier support?
- Do you require review of temperature monitoring data and logger calibration records?
- Are emergency response and deviation handling processes for excursions in scope?
- Should the audit include carrier qualification and chain-of-custody handoff assessments?
- Any import/export, customs, or regulatory documentation review required for logistics?
Deliver risk-ranked audit report
- Which risk-ranking schema should we use for findings?
- What minimum report elements do you require?
- What is the desired report turnaround time after audit completion?
- Do you need reports formatted for internal systems (e.g., PDF only, structured XML/CSV for ingestion)?
- Should the report include mapped regulatory references (e.g., specific CFR/Annex citations)?
- Do you require an executive briefing or presentation of high-risk findings?
Provide corrective-action recommendation package
- What level of CAPA detail do you expect in recommendations?
- Should CAPA recommendations include estimated timelines and resource estimates?
- Do you require vendor-facing CAPA communication templates and acceptance criteria?
- Should we assign recommended ownership (client vs supplier vs third party) for each corrective action?
- Do you want CAPA priorities tied to risk ranking and potential product impact?
- Any formatting or delivery preferences for the CAPA package (e.g., Excel tracker, Jira ticket import)?
CAPA effectiveness verification (remote or on-site)
- Which verification method do you prefer for CAPA effectiveness?
- What is the expected timing for effectiveness checks after CAPA implementation?
- What evidence types are acceptable for remote verification (e.g., photos, logs, test reports)?
- Do you require statistical sampling or inspection of multiple batches/records during verification?
- Should effectiveness verification map to pre-defined acceptance criteria or client KPIs?
- Any regulatory audit or inspection follow-up requirements to consider during verification?
-
Mutual Commit
Confirm commercial terms, SLAs for report turnaround, auditor assignments, scheduling windows, and escalation and CAPA responsibilities.
Agreement Modules
- Non-Disclosure Agreement (NDA)
- Master Services Agreement (MSA)
- Statement of Work (SOW)
- Pricing & Commercial Terms
- Service Level Agreement (SLA)
- Auditor Assignment Annex
- Scheduling & Access Plan
- Escalation & CAPA Responsibilities
- Data Protection & Data Processing Agreement (DPA)
- Change Order & Scope Management
- Acceptance Criteria & Supplier Status Update Procedure
- Insurance & Indemnity Terms
- Termination, Renewal & Transition Plan
-
Deployment
Plan and execute audits: assign qualified GMP auditors by region, confirm access/logistics, schedule execution, and set delivery checkpoints.
-
Success
Review audit outcomes against acceptance criteria, update supplier status/scorecards, and maintain a shared channel for findings, CAPA tracking, and enhancements.
Success Reviews
- Audit Acceptance Review
- Supplier Scorecard Update & Trend Review
- CAPA Prioritization & Verification Sync
- Audit Program Retrospective & Enhancements
Issues & Enhancements
- Define and publish quarterly metrics (e.g., CAPA closure rate, audit turnaround time) to the shared program dashboard.
- Update the supplier scorecard fields in the system and attach the audit report.
- Schedule follow-up or surveillance audits for suppliers exceeding risk thresholds.
- Flag and create a watchlist for suppliers showing negative trend patterns.
- Document any temporary controls or release restrictions in the supplier profile.
- Open Findings Roll Call
- Prioritize CAPAs so that the highest risk items have clear owners, timelines, and verification methods.
- Ensure CAPA responses include verifiable evidence and an agreed verification plan.
- Standardize use of the shared channel for CAPA tracking and evidence submission.
- Define escalation triggers and responsible escalation contacts.
- Create/update CAPA tickets with owners, due dates, verification criteria, and link to the audit finding.
- Post the standardized CAPA template and channel protocol to the shared channel.
- Schedule verification activities (remote review or on-site) and calendar invites for owners.
- Escalate any CAPAs meeting regulatory notification thresholds to regulatory affairs.
- Summary of Recent Audit Outcomes
- Identify and prioritize program-level improvements to reduce repeat findings and improve audit consistency.
- Calibrate auditors and standardize reporting to ensure comparable, high-quality audit outputs.
- Assign owners and timelines for SOP/training changes and define metrics to measure improvement.
- Establish a clear roadmap for enhancements and resource adjustments for the upcoming quarter.
- Draft and approve revisions to audit checklists and reporting templates based on calibration outcomes.
- Schedule auditor calibration sessions and training modules to close identified skill gaps.
- Update SOPs or acceptance criteria where systemic gaps are identified and publish version control.
- Pre-work & Attendance Check
- Decide supplier disposition (Accept / Conditional / Reject) with documented rationale.
- Assign owners and deadlines for all critical/high CAPAs required for conditional acceptance.
- Ensure audit evidence and acceptance decision are posted to the shared channel for traceability.
- Clarify interim controls or release holds required until CAPA verification is complete.
- Record formal disposition in supplier profile and audit file with decision rationale.
- Create CAPA tickets for critical findings with owners, due dates, and verification criteria.
- Publish a one-page decision summary and required actions to the shared findings/CAPA channel.
- If applicable, trigger immediate supply or release controls with procurement and quality ops.
- Pre-work Review
- Accurately update supplier scorecards to reflect the latest audit outcomes.
- Identify trend-driven risks and flag suppliers that require increased oversight.
- Set or adjust monitoring cadence and escalation rules for affected supplier cohorts.
- Assign owners to maintain scorecard records and follow-up actions.
- Effectiveness & Evidence Review
- Root Cause Themes & Repeat Findings
- Current State (one-sentence)
- Map Audit Results to Scorecard
- Prioritization Matrix Application
- Consequence Assessment
- Auditor Calibration & Report Consistency
- Trend Analysis Across Cohort
- Owner Assignment & Verification Plan
- Acceptance Criteria Comparison
- Thresholds & Status Change Rules
- Process Improvements & SOP Updates
- Shared Channel Protocol & Templates
- Training, Resourcing & Regional Coverage
- Risk Ranking & Recommendation
- Monitoring Cadence & Controls
- Roadmap & Metrics for Next Quarter
- Record Updates & Ownership
- Escalation Paths & Regulatory Triggers
- Decision & Disposition Vote
- Immediate CAPA Assignments
- Next Steps & External Communications