How Often Should Firms Audit Their Suppliers in the FDA-Regulated Industries

Written by The FDA Group | March 19, 2025

In FDA-regulated industries, determining the optimal frequency for supplier audits represents a critical decision point that impacts compliance, risk management, and operational efficiency. Traditional calendar-driven approaches that mandate fixed-interval supplier visits are increasingly proving inadequate for today's complex and global supply chains.

The Evolution of Supplier Auditing Strategy

Historically, when ISO standards and quality regulations were first implemented, there was a strong emphasis on conducting regular audits as a fundamental requirement. As Festa explains: "When ISO and the QR came into being, it really was 'we need to audit suppliers, and we need to go on a very regular basis.'"

This approach created an assumption that frequent on-site visits were necessary regardless of supplier performance or characteristics.

However, over time, quality professionals have recognized the increasing constraints on audit resources. Festa notes, "We've understood that there are a lot of other constraints coming in on supplier quality... it's not just being able to go to every single supplier." This realization has driven a shift toward more strategic allocation of auditing resources, considering factors beyond simply adhering to a calendar schedule.

Risk-Based vs. Exception-Based Auditing

To effectively allocate auditing resources, Festa emphasizes the importance of distinguishing between two fundamental approaches:

Risk-Based Auditing

This approach focuses on suppliers that pose inherent risk based on several key factors:

  • The supplier profile: Their organizational structure and quality management system.
  • The product criticality: How essential the supplied material is to the final product.
  • Geographic and regulatory considerations: Where the supplier is located and potential geopolitical risks.
  • Supplier-customer relationship dynamics: What percentage of the supplier's business you represent.

"When we're looking at risk-based auditing, we're going to understand where the supplier is located, what their system is, what spend we are of them—are we 50% of their revenues?" explains Festa. "But then we're looking at the material risk and understanding the product risk of what they are providing to us, and that's a very key part."

Exception-Based Auditing

This approach targets suppliers based on their actual performance issues:

  • Suppliers showing quality deviations or failures
  • Those with delivery inconsistencies or delays
  • Suppliers experiencing significant process changes

Exception-based auditing responds to real-world performance data, directing resources to suppliers already demonstrating problems. This reactive approach ensures you're addressing known issues rather than pursuing theoretical risks.

The most effective audit strategy comes from the intelligent combination of these two approaches, creating a comprehensive view of supplier risk and performance.

A Dynamic Model for Determining Audit Frequency

Rather than adhering to a rigid calendar-based schedule, a structured but dynamic model enables more effective determination of optimal auditing intervals. This model consists of five interconnected steps:

Step 1: Initial Supplier Classification and Onboarding

The foundation of effective supplier management begins with thorough initial evaluation. The supplier lifecycle can be divided into two fundamental stages:

  • Onboarding Phase: This initial assessment should always include comprehensive on-site evaluation before a supplier enters your supply chain. This is not where optimization should occur.
  • Sustaining Phase: Once suppliers are established, their management should shift to a more nuanced approach based on risk and performance.

During onboarding, suppliers should be categorized based on:

  • Product criticality and complexity
  • Strategic importance to your supply chain
  • Regulatory requirements applicable to their products
  • Historical quality performance, if available

Step 2: Comprehensive Risk Assessment

After initial classification, conduct a thorough risk assessment considering:

  • Product impact and criticality: Any component, regardless of size or apparent simplicity, can potentially shut down a production line if defective or unavailable.
  • Regulatory risk factors: FDA inspection history, compliance records, and regulatory scrutiny level.
  • Geopolitical and environmental risk: Factors like political instability, natural disaster vulnerability, or pandemic effects can significantly impact supply continuity.
  • Supply chain vulnerability: Single-source or sole-source status dramatically increases risk, requiring proactive evaluation of backup suppliers.

Step 3: Performance Monitoring

Implementing comprehensive monitoring through well-defined metrics is critical for making informed audit decisions. As Festa notes, "How robust your monitoring system is" plays a key role in determining audit frequency.

Key performance indicators should include:

  • Product quality metrics: Rejection rates, defect trends, return rates.
  • Delivery reliability: On-time delivery percentage, lead time consistency.
  • Responsiveness: How quickly and effectively the supplier addresses issues.
  • Change management: How well the supplier handles and communicates process changes.

"Does it make sense that we're always going to visit suppliers that are producing good product on time and really not giving us a lot of risk?" Festa questions. The robust monitoring system should provide data-driven answers to this question.

Step 4: Audit Frequency Decision Matrix

Based on the combined risk assessment and performance monitoring, a decision matrix can guide appropriate audit frequency:

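| Supplier Risk | Performance Status | Recommended Audit Frequency |
|---------------|--------------------|-----------------------------|
| High          | Good               | Every 1-2 years             |
| High          | Poor               | Annually or immediately     |
| Medium        | Good               | Every 2-3 years             |
| Medium        | Poor               | Every 1-2 years             |
| Low           | Good               | Every 3-5 years             |
| Low           | Poor               | Every 2-3 years             |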

Importantly, Festa challenges the notion that there should be a mandatory minimum frequency for all suppliers, disagreeing with a suggested three-year maximum interval between audits: "It comes down to how robust your monitoring system is and how well you know those suppliers and how well you've built in those service level agreements or KPIs."

Step 5: Implementing Trigger-Based Audits

Beyond the scheduled frequency determined by the matrix, certain triggers should automatically prompt audit consideration:

  • Significant process changes: When a supplier modifies manufacturing processes, equipment, or facilities
  • Quality incidents or recalls: Major quality failures that impact product safety or efficacy
  • Regulatory actions: Government inspections revealing compliance issues
  • Supplier ownership changes: Acquisitions or major management restructuring

These trigger events should immediately prompt reevaluation of the audit schedule, potentially leading to accelerated audits regardless of the original timeline.

Addressing Compliance Requirements While Optimizing Resources

A common concern with moving away from calendar-based auditing is regulatory compliance.

Organizations can maintain compliance while optimizing resources through:

Strengthening documentation and justifications

When regulatory inspectors question extended intervals between supplier visits, comprehensive documentation can provide justification.

This should include:

  • Detailed supplier performance data showing consistent quality
  • Records of all supplier interactions and reviews
  • Evidence of robust monitoring systems
  • Documentation of risk assessments
  • Records of any change notifications (or verification of no changes)

This approach emphasizes that quality oversight continues even when on-site audits are less frequent. Any decision to extend intervals should be data-driven and thoroughly documented.

Implementing alternative verification methods

On-site audits can be supplemented with other verification methods:

  • Enhanced incoming inspection protocols
  • Periodic product testing or verification
  • Statistical process control monitoring
  • Regular performance reviews against established KPIs

These alternative verification methods provide ongoing assurance of supplier quality between formal audits.

Remote and desk audits — strengths and limitations

The pandemic accelerated the adoption of remote auditing approaches, which offer valuable alternatives when on-site visits aren't feasible:

  • Remote Audits: These involve interactive dialogue with supplier representatives through video conferencing, allowing real-time verification and observation of facilities and processes.
  • Desk/Document Audits: These are limited to review of supplier documentation without direct interaction, focusing on procedural compliance rather than operational effectiveness.

While remote audits offer more insight than document reviews alone, both approaches have limitations compared to on-site evaluations. On-site audits allow direct observation of manufacturing environments, assessment of operational control, and detection of non-verbal cues that might indicate compliance issues.

The Evolving Skillset of Effective Auditors

The effectiveness of any audit program depends heavily on the capabilities of the auditors themselves. There has been a significant evolution in required skills:

From 'checklist auditors' to strategic partners

Traditional auditing focused primarily on compliance verification against standardized checklists. Modern auditing requires a deeper understanding of business operations and supply chain dynamics. Today's auditors must function as strategic partners who understand how supplier operations impact the overall business.

Commodity and technical expertise

Leading organizations now match auditor expertise to supplier characteristics. At Thermo Fisher, auditors are selected based on their knowledge of:

  • Specific regulatory standards (ISO 13485, GMP, etc.)
  • Technical commodity expertise (plastics, electronics, chemicals, etc.)
  • Regional regulatory requirements

This targeted matching produces superior results. An auditor with specific expertise in plastic manufacturing processes will identify subtle issues that might escape a generalist's attention.

Cross-functional understanding

Modern auditors need to grasp the interconnections between various business functions. Effective supplier audits aren't conducted in isolation but rather coordinate with procurement, sustainability, finance, and legal perspectives. This holistic understanding allows auditors to evaluate suppliers against multidimensional requirements.

Global Supply Chain Considerations

The COVID-19 pandemic forced significant adaptations in auditing approaches. Pre-pandemic auditing focused on travel and on-site evaluation, often prioritizing completion of standardized checklists. When travel restrictions made this impossible, organizations rapidly adopted remote auditing approaches.

As supply chains continue to evolve post-pandemic, a strategic shift has emerged - moving from simply counting completed audits to "auditing smarter" through more targeted, risk-informed approaches.

Global audit coordination is another factor today. For multinational companies, maximizing global auditor resources becomes essential. This requires a coordinated approach to auditor deployment, avoiding situations where auditors travel internationally when qualified local resources exist.

Leading organizations implement centralized audit coordination systems to track global auditing activities and available resources. This enables more efficient allocation of specialized auditors across global operations.

The True Cost of Supplier Quality

Evaluating supplier performance requires looking beyond basic purchase prices to consider the total cost of quality. An innovative approach called the "supplier pricing index" provides a more complete picture.

Let's break this model down.

The supplier pricing index calculates the true cost of components by factoring in quality-related expenses:

  • If a component costs $1 but requires an additional $0.10 per unit in inspection, rework, or customer support due to quality issues, the real price index is 1.1.
  • This represents a 10% premium above the nominal purchase price.

This metric offers a powerful tool for cross-functional alignment, helping manufacturing, R&D, procurement, and quality teams understand the true economic impact of supplier performance. It transforms quality discussions from subjective assessments to quantifiable business impacts.

The Impact of Unnecessary Requirements on Suppliers

An important consideration in supplier management is avoiding the imposition of unnecessary requirements that can burden suppliers without adding value.

There are two ways this usually crops up:

  1. The multi-customer reality: Suppliers typically serve multiple customers, each with their own requirements. When each customer demands unique compliance approaches or documentation, suppliers face significant operational challenges managing these divergent expectations. Imposing unnecessary requirements increases supplier costs through additional resources, systems, and administrative overhead. These costs are ultimately reflected in product pricing or may lead to non-compliance if suppliers cannot sustain the administrative burden.

  2. Rightsizing ISO standards requirements: Many organizations reflexively require suppliers to maintain the same ISO certifications they hold themselves. This common practice often exceeds actual needs. For example, requiring ISO 13485 (medical device quality management) certification from suppliers of basic components may be excessive since these suppliers may not be manufacturing complete medical devices. A more strategic approach focuses on identifying the specific requirements relevant to the supplied components rather than imposing broad certification requirements. This ensures appropriate quality controls without unnecessary burden.

Measuring Success: KPIs to Care About

Measuring the effectiveness of a strategically designed audit program requires appropriate metrics:

Supply base performance metrics

One key metric focuses on the overall health of the supply base - tracking the percentage of suppliers classified as poor-performing. Success is demonstrated through systematic reduction in this percentage over time, indicating strengthening of the overall supply base.

Predictive value of targeted auditing

When the right auditors are matched with the right suppliers, audit findings gain predictive value. They identify emerging issues before they manifest as quality problems. This predictive capability enables proactive supply chain management, allowing early identification of suppliers requiring intervention or development of alternate sourcing.

A Few Best Practices for Building Effective Supplier Relationships

Effective supplier management extends beyond compliance verification to building productive partnerships. Here's what we suggest teams focus on in 2025 and beyond.

💡 Think beyond transactional interactions

Successful supplier management goes beyond compliance checking to establish collaborative relationships focused on mutual success. Supplier quality functions serve as a bridge between external suppliers and internal operations, facilitating effective communication and alignment.

💡 Acknowledge the limitations of certification

While ISO certifications provide a valuable foundation for quality management, they represent a point-in-time evaluation of general systems rather than ongoing assessment of specific product quality. Certification alone doesn't guarantee that a supplier can consistently meet specific requirements for your products.

💡 Get into the partnership mindset

Viewing supplier relationships as partnerships rather than merely transactional interactions enables more effective quality management. This perspective focuses not just on certification status but on the supplier's demonstrated capability to consistently meet specific requirements and contribute to overall business success.

Final Thoughts and Next Steps

A comprehensive framework for rethinking supplier audit frequency and effectiveness in FDA-regulated industries incorporates several key principles:

  • Move beyond calendar-based auditing to a strategic model that combines risk assessment and performance monitoring.
  • Differentiate between onboarding and sustaining phases in supplier lifecycle management.
  • Match auditor expertise to supplier characteristics for more meaningful evaluations.
  • Implement robust monitoring systems that reduce the need for frequent on-site visits for well-performing suppliers.
  • Document justifications for audit decisions to satisfy regulatory requirements.
  • Consider the true cost of supplier quality beyond the basic purchase price.
  • Right-size requirements to avoid burdening suppliers with unnecessary standards.
  • Foster collaborative relationships across internal functions and with suppliers.

Need a strategic supplier auditing partner? Talk to us.

Managing supplier quality in FDA-regulated industries requires specialized expertise, strategic resource allocation, and a nuanced understanding of regulatory expectations. The FDA Group combines deep industry knowledge with practical experience to deliver supplier audit services designed specifically for life science organizations.

Our comprehensive supplier audit services include, but are not limited to:

  • Expert auditor deployment: Access our pool of industry specialists with commodity-specific expertise across pharmaceuticals, medical devices, biologics, and combination products. Our auditors average 15+ years of experience and are matched to your specific supplier profiles for maximum insight.
  • Risk-based audit program development: Let us help you design and implement a dynamic audit program that optimizes resource allocation while ensuring regulatory compliance. Our approach combines risk assessment methodologies with performance monitoring to create audit schedules that focus resources where they matter most.
  • Remediation support: Beyond identifying issues, we partner with you to develop effective corrective action plans and supplier development initiatives that drive meaningful quality improvements. Our team provides ongoing support to ensure lasting results.
  • Global reach, local expertise: With auditors strategically located throughout North America, Europe, and Asia, we provide efficient global coverage with specialized understanding of regional regulatory requirements and cultural dynamics.

Don't wait for a regulatory inspection or quality crisis to address supplier audit deficiencies. Contact The FDA Group today to discuss how our specialized supplier audit services can strengthen your quality management system while optimizing valuable resources.