Certainty Blog

How to Run a Supplier Audit: A Step-by-Step Guide for Enterprise Procurement Teams

Most supplier audit programs break at the same point. Teams issue findings, never verify them properly, and the same nonconformances surface on the next cycle. This guide covers how to run a supplier audit in seven steps. Each step builds defensible evidence — from scope definition to verified closure.

Summary:

To run a supplier audit effectively, from scope through verified closure, procurement teams need a disciplined seven-step process. It moves from scope definition and checklist preparation through on-site execution, findings documentation, corrective action issuance, and — critically — verified closure before any finding is marked resolved. Audits that skip the verification step produce paper-based compliance records that fail under regulatory scrutiny. For the broader supplier risk management context, see Certainty’s Supplier Risk Management guide.

Key Statistics

  • 10,274 shipments denied entry — Between June 2022 and July 2025, U.S. Customs and Border Protection examined 16,755 shipments worth $3.69 billion under the UFLPA; 10,274 were denied entry and only 5,783 were released after review, underscoring the operational stakes of a documented supplier audit program (U.S. Customs and Border Protection, UFLPA Enforcement Statistics Dashboard 2025).
  • 84% of digital procurement leaders met or exceeded supplier performance targets in 2025, compared to only 59% of laggards — a 25-percentage-point gap driven largely by structured audit and monitoring workflows (Deloitte 2025 Global CPO Survey).
  • 25% more UFLPA detentions in 2024 vs. 2023 — CBP averaged 428 detentions per month, with approximately 48% of detained shipments ultimately denied entry, reinforcing the need for proactive supplier audit evidence before goods reach the port (Miller & Chevalier, UFLPA Enforcement 2024 Year in Review).

What Is a Supplier Audit?

A supplier audit is a structured, systematic examination of a supplier’s operations, processes, and management systems. It tests them against defined requirements — regulatory, contractual, quality, environmental, social or ethical. The auditor gathers objective evidence through document review, interviews, observation, and sampling rather than relying on supplier attestation. ISO 19011 defines three audit types: first-party (supplier self-audit), second-party (customer auditing its supplier), and third-party (independent certification or regulatory body).

A real supplier-audit workspace: the seven-step workflow stepper, KPI tiles for findings logged, evidence captured, and verified closure, and the findings detail table that tracks each open item through to verified closure.

Most enterprise procurement programs rely on second-party audits. These let the buyer set scope, define the evidence standard, and own the corrective action process. Third-party certifications such as ISO 9001 provide a useful baseline. They do not substitute for a direct supplier audit — the certifying body sets the scope, not the buyer’s risk profile.

Why a Disciplined Supplier Audit Process Matters in 2026

Regulatory pressure on supplier audit programs has accelerated sharply in 2026. Two frameworks have raised the bar: the U.S. Uyghur Forced Labor Prevention Act and the EU Corporate Sustainability Due Diligence Directive. Both create a legal obligation to show that suppliers are free from forced labor and environmental violations. That showing must rest on documented audit evidence. A signed code of conduct does not satisfy either framework.

For U.S. importers, UFLPA enforcement in 2026 applies a rebuttable presumption. CBP denies entry to goods with a nexus to the Xinjiang region unless the importer provides a documented supplier audit trail. CBP denied entry to 10,274 shipments between June 2022 and July 2025, as those shipments arrived at the border without that evidence. In Europe, CSDDD’s reduced but reinstated scope requires risk-based due diligence across value chains, including indirect suppliers in high-risk categories. The omnibus revision narrowed the in-scope company count but did not remove the due diligence obligation.

How to Run a Supplier Audit: 7 Steps

Running a supplier audit that holds up under regulatory scrutiny takes more than a checklist and a site visit. Each step builds the audit record that procurement teams, boards, and regulators need to see.

Step 1: Define Scope and Audit Type

Before scheduling a single interview, procurement and quality teams must agree on what the audit is measuring and why. The three primary audit types serve different purposes:

  • Process audit — evaluates whether a specific process (a production line, a receiving inspection step, a screening workflow) is operating as designed and meeting defined criteria.
  • System audit — evaluates the management system as a whole: quality, environmental, labor, or forced labor compliance. System audits assess whether policies, procedures, records, and outcomes align with each other.
  • Product audit — evaluates finished product against specification, including sampling, testing, and traceability documentation from raw material to finished goods.

Scope definition also covers which sites are in scope and which product lines or commodity codes apply. It specifies which regulations the audit must address. A UFLPA-focused audit has a different checklist than an ISO 9001 surveillance audit. Write down the scope before the audit starts. Doing so prevents scope creep on-site and keeps findings traceable to specific requirements.

Step 2: Prepare the Audit Checklist and Evidence Request

The audit checklist translates the scope into specific, verifiable requirements. Each item should reference the requirement source — a regulatory clause, a contract term, or a standard. This keeps any finding immediately traceable to its basis. See Certainty’s example UFLPA checklist here.

Alongside the checklist, send the supplier an evidence request list in advance. This list names the documents, records, and certifications the auditor will review on-site. Examples include labor contracts, calibration logs, training records, sourcing declarations, or traceability files. Pre-requesting documents cuts time lost to retrieval. It also gives the supplier a fair chance to organize their records. Surprises are useful for uncovering systemic gaps. Finding that payroll records exist but sit at a different office is not useful.

Step 3: Conduct the Pre-Audit Document Review

The desk audit — reviewing supplied documents before the site visit — is not a formality. It is the first chance to spot gaps and red flags that sharpen the on-site agenda. A supplier who provides an expired ISO 9001 certificate has told the auditor something important before anyone boards a plane.

Confirm that an accredited body issued current certifications and that a named individual with proper authority signed the declarations. Check that previous audit records are consistent โ€” recurring findings should increase on-site scrutiny depth. Document open questions so the site visit resolves them with physical evidence. For virtual audits, the document review doubles as the primary evidence collection step.

Step 4: Execute the On-Site or Virtual Audit

The on-site audit is where process checking happens. Opening meetings confirm scope and the supplier’s understanding of the audit’s purpose. Auditors then follow the checklist through three activities. Process observation means watching operations as they actually run, not a prepared demonstration. Records sampling means selecting records randomly to test whether documented practices match observed ones. Personnel interviews mean speaking with workers, supervisors, and management about how they follow procedures.

For forced labor audits, include workers directly in sampling. Interview a random cross-section of production workers, not only the compliance officer’s nominees. Document every observation with a timestamped photograph linked to the relevant checklist item.

Step 5: Document Findings with Photo Evidence and Severity Ratings

The auditor must document every finding during the audit, not reconstruct it afterward from memory. Each finding record must capture: the checklist requirement, the objective evidence observed, at least one timestamped photograph, and a severity rating. Severity classification is not optional — it prioritizes corrective action and sets follow-up frequency.

A three-tier severity classification aligns with most regulatory frameworks:

  • Critical — an immediate risk to safety, regulatory compliance, or product integrity. Requires corrective action within 24–72 hours and may require a hold on shipments pending closure.
  • Major — a systemic nonconformance that increases risk significantly if not addressed. Requires corrective action within 30 days and documented evidence before the next shipment or audit cycle.
  • Minor — an isolated or low-impact deviation. Requires corrective action within 60–90 days and documentation in the follow-up review.

Step 6: Issue Corrective Actions with Owners and Deadlines

The audit report is not the end product — it is the starting point for corrective action. Each finding should generate a corrective action request (CAR). Assign a named owner at the supplier and a deadline tied to severity classification. The CAR must describe what counts as acceptable closure evidence. Generic instructions such as “fix the issue” generate generic responses. Specific instructions generate verifiable evidence. An example: “provide revised work instruction WI-047, training records for all affected operators, and a photograph of the updated posting at the workstation.”

For guidance on structuring corrective action workflows, see Certainty’s library of corrective action examples from real enterprise programs. These cover root cause requirements, action owner accountability, and evidence standards. A corrective action program vague on acceptance criteria will not survive a regulator’s request for evidence of effectiveness.

Step 7: Verify Closure Before Marking the Finding Resolved

This is the step most supplier audit programs fail to run consistently. Verified closure requires three conditions before the team marks a finding resolved. First, the supplier must submit objective implementation evidence — not a plan or promise. Second, an independent reviewer at the buying organization must confirm the evidence addresses the original finding criteria. Third, for critical or recurring findings, a follow-up check at 30, 60, or 90 days must confirm the issue has not recurred.

A supplier who submits an updated procedure document is providing partial evidence, not verified closure. The team must also train affected personnel, then confirm compliance in a follow-up inspection. Programs that accept corrective action plans as closure evidence will find the same findings on the next audit cycle — every time.

Free Tool: Supplier Corrective Action Report Form

Use Certainty’s Supplier Corrective Action Report Form to issue findings with named owners, deadlines, and an evidence acceptance standard — the structured format that makes verified closure achievable rather than aspirational.

Common Supplier Audit Mistakes to Avoid

Even well-resourced procurement teams repeat the same structural errors across supplier audit programs. Catching these mistakes early is faster than discovering them after a regulatory inquiry.

  • Closing findings without evidence. Accepting a supplier’s written assurance — without requiring objective evidence — turns the audit record into an attestation file. Regulators reviewing a UFLPA rebuttal will ask for evidence, not assurances.
  • No severity classification. When all findings receive the same response timeline, critical risks queue behind minor documentation gaps. Severity tiers are the prioritization system that prevents that outcome.
  • Audit fatigue from duplicate checklists. Sending the same comprehensive checklist to every supplier regardless of risk tier wastes capacity on both sides. A multi-tier supplier audit program uses risk-calibrated instruments. Low-risk suppliers get a focused short-form; Tier 1 critical suppliers get the full system audit.
  • No Tier 2 or Tier 3 visibility. UFLPA enforcement specifically targets the sub-tier supply chain — raw material and processing steps that occur before a Tier 1 supplier touches the goods. A program limited to direct suppliers leaves that exposure entirely unaddressed.
  • Manual spreadsheet handoffs. Spreadsheet-based programs accumulate version control failures, lose photo evidence, and cannot produce a defensible audit trail on short notice. Purpose-built audit management software is not optional for programs that must hold up under external scrutiny.

How Software Changes Supplier Audit Outcomes

Purpose-built supplier audit software changes outcomes in four measurable ways. First, automation features handle scheduling, evidence requests, and follow-up reminders — freeing auditor time from coordination tasks. Second, the platform links timestamped photographs directly to the finding record, building the evidentiary chain regulators require.

Third, severity workflows require an explicit auditor override to downgrade any critical finding. This creates an auditable escalation record. Fourth — and most consequentially — the verified closure workflow requires evidence submission and reviewer sign-off before the system marks any finding resolved. Verified closure becomes the default rather than a discipline that depends on each auditor’s consistency.
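The rules this guide sets out are concrete enough to enforce mechanically: the severity-to-deadline mapping from Step 5, the three verified-closure conditions from Step 7, and the override-to-downgrade and closure gates described in this section. The following is an added example written for this guide, not Certainty’s software or any real product. It assumes a constructed set of evidence categories (only some of which count as implementation evidence), uses the upper bound of each severity’s deadline range, and uses constructed findings as input.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Severity tiers and corrective-action deadlines as the guide states them
# (critical: 24-72 hours, major: 30 days, minor: 60-90 days). The upper bound
# of each range is used here as the CAR due date (an assumption for the example).
SEVERITY_DEADLINE_DAYS = {"critical": 3, "major": 30, "minor": 90}

# Constructed evidence categories for this example. Only these count as
# objective implementation evidence; a "plan" or "assurance" does not.
IMPLEMENTATION_EVIDENCE = {"revised_procedure", "training_record", "photo", "inspection_record"}


@dataclass
class Finding:
    finding_id: str
    severity: str                                 # "critical" | "major" | "minor"
    raised_on: date
    recurring: bool = False                       # also seen on a previous audit cycle
    evidence: list = field(default_factory=list)  # evidence kinds the supplier submitted
    reviewer: str = ""                            # independent reviewer who signed off, if any
    followup_confirmed: bool = False              # 30/60/90-day effectiveness check passed
    status: str = "open"
    log: list = field(default_factory=list)       # audit trail of state changes


def car_deadline(f: Finding) -> date:
    """Due date for the corrective action request, derived from severity."""
    return f.raised_on + timedelta(days=SEVERITY_DEADLINE_DAYS[f.severity])


def downgrade(f: Finding, new_severity: str, override_by: str = "") -> None:
    """Lower a finding's severity; a critical finding needs an explicit, named override."""
    if new_severity not in SEVERITY_DEADLINE_DAYS:
        raise ValueError(f"unknown severity {new_severity!r}")
    if f.severity == "critical" and not override_by:
        raise PermissionError("downgrading a critical finding requires an explicit auditor override")
    f.log.append(f"severity {f.severity}->{new_severity} override_by={override_by or '-'}")
    f.severity = new_severity


def closure_blockers(f: Finding) -> list:
    """Return the verified-closure conditions that are NOT yet met (empty list = may close)."""
    blockers = []
    if not any(e in IMPLEMENTATION_EVIDENCE for e in f.evidence):
        blockers.append("no objective implementation evidence (a plan or assurance does not count)")
    if not f.reviewer:
        blockers.append("no independent reviewer sign-off")
    if (f.severity == "critical" or f.recurring) and not f.followup_confirmed:
        blockers.append("follow-up effectiveness check not confirmed")
    return blockers


def close_finding(f: Finding) -> bool:
    """Mark the finding resolved only when every verified-closure condition holds."""
    blockers = closure_blockers(f)
    if blockers:
        f.log.append("closure refused: " + "; ".join(blockers))
        return False
    f.status = "resolved"
    f.log.append(f"verified closure by {f.reviewer}")
    return True


def demo() -> dict:
    """Constructed findings exercising the gate; returns whether each could be closed."""
    plan_only = Finding("F-001", "major", date(2026, 1, 10),
                        evidence=["plan"], reviewer="qa.reviewer")
    critical_no_followup = Finding("F-002", "critical", date(2026, 1, 10),
                                   evidence=["revised_procedure", "training_record", "photo"],
                                   reviewer="qa.reviewer")
    minor_complete = Finding("F-003", "minor", date(2026, 1, 10),
                             evidence=["revised_procedure", "photo"], reviewer="qa.reviewer")
    results = {}
    for f in (plan_only, critical_no_followup, minor_complete):
        results[f.finding_id] = close_finding(f)
    critical_no_followup.followup_confirmed = True  # 30-day recheck passed
    results["F-002-after-followup"] = close_finding(critical_no_followup)
    return results


if __name__ == "__main__":
    for fid, closed in demo().items():
        print(fid, "resolved" if closed else "still open")
```

The point of the design is that `close_finding` cannot be talked into a "closed" status: a plan, a missing reviewer, or an unconfirmed follow-up on a critical or recurring finding each leave the finding open and write the reason into the finding’s log, which is the escalation record an auditor or regulator would later ask for.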

Key Takeaways

  • A supplier audit is not a questionnaire — it requires objective evidence gathered through document review, observation, sampling, and personnel interviews, with findings traceable to specific regulatory or contractual requirements.
  • UFLPA and CSDDD make documented audit trails a legal requirement in 2026 — more than 10,000 shipments have been denied entry under the UFLPA since 2022 because importers could not produce the evidence standard CBP requires.
  • The seven-step process works only if Step 7 is enforced — verified closure, requiring objective evidence and an independent reviewer sign-off, is the step most programs skip, causing the same findings to recur audit after audit.
  • Severity classification is not optional — assigning critical, major, and minor ratings to findings is the prioritization mechanism that prevents high-risk issues from competing with low-risk ones for the same corrective action timeline.
  • Audit programs that stop at Tier 1 leave the sub-tier supply chain — the primary target of UFLPA enforcement and CSDDD due diligence requirements — completely unexamined.
  • Software changes audit outcomes by making photo evidence capture, severity enforcement, and verified closure the system default rather than a discipline that depends on individual auditor consistency.

Frequently Asked Questions (FAQs)

What is a supplier audit?

A supplier audit is a structured, evidence-based examination of a supplier’s operations, management systems, or products to verify conformance with defined regulatory, quality, contractual, or ethical requirements. It differs from a questionnaire or self-assessment in that it requires objective evidence — documents, records, observations, and photographs — gathered by the auditing party, not self-reported by the supplier. It results in a formal finding report with corrective action requirements and a defined closure standard.

How often should you run supplier audits?

Audit frequency should be risk-tiered, not uniform. Tier 1 critical suppliers — particularly those in regulated categories such as food, pharma, or goods with Xinjiang exposure — warrant an annual audit. For standard Tier 1 suppliers, the cadence drops to every 18 to 24 months. High-risk Tier 2 suppliers should be audited when triggered by Tier 1 findings, adverse events, or intelligence flags rather than on a fixed calendar. Any supplier that generates a critical finding should receive a follow-up audit within 90 days of corrective action closure to confirm the issue has not recurred.

Who performs supplier audits — internal or third party?

Supplier audits fall into three categories defined by ISO 19011. First-party audits are self-audits conducted by the supplier — useful for internal improvement but not sufficient for customer or regulatory assurance. Second-party audits are conducted by the customer directly on the supplier, with the buyer controlling scope, evidence standards, and corrective action requirements — this is the standard format for enterprise procurement programs. Third-party audits are conducted by independent certification bodies; their scope is set by the standard or regulation, not by the buyer’s risk profile. Mature programs combine all three.

What does a supplier audit checklist include?

A supplier audit checklist is organized by the requirement categories relevant to the audit scope. Common categories include quality management system documentation (procedures, work instructions, calibration records), labor and human rights practices (contracts, working hours, recruitment fees, freedom of association), environmental controls (waste management, emissions records, chemical handling), product traceability (BOM, material sourcing declarations, testing records), and corrective action history (previous findings, closure evidence, recurrence rates). Each checklist item should reference the specific regulatory clause, standard, or contract requirement it tests, so that any finding is immediately traceable to its basis and the corrective action acceptance criteria are unambiguous.

What is verified closure in a supplier audit?

Verified closure means a supplier audit finding is not marked resolved until the supplier has submitted objective evidence that the corrective action was implemented — not a plan or a promise, but actual implementation evidence such as updated procedures, training records, or inspection photographs — and an independent reviewer at the buying organization has confirmed the evidence addresses the original finding criteria. For critical or recurring findings, a follow-up effectiveness check at 30, 60, or 90 days confirms the issue has not recurred. Without verified closure, findings accumulate a paper status of “closed” while the underlying conditions remain unchanged, causing the same nonconformances to surface on every subsequent audit.

How does software change supplier audit outcomes?

Purpose-built supplier audit software changes four key outcomes. First, automated scheduling, evidence requests, and follow-up reminders free the auditor from administrative coordination. Second, native photo evidence capture — timestamped and linked to the specific finding record — creates the evidentiary standard regulators require. Severity workflows then prevent critical findings from being downgraded without an auditor override. Finally, verified closure becomes the default workflow, requiring evidence submission and reviewer sign-off before any finding can be marked resolved.