External Supplier Auditor for SMEs: Requirements and Process
Mid-sized businesses with supply chain obligations under ISO 9001, IATF 16949, or LkSG must audit suppliers systematically. An external supplier auditor closes the capacity gap – provided mandate, qualification, and documentation are in order.
ISO 9001:2015 requires in clause 8.4 that organisations control externally provided processes, products, and services on the basis of the provider's or supplier's ability to meet requirements. For companies in the automotive supply chain, IATF 16949:2016 sharpens this requirement: second-party audits at suppliers are not optional but form an integral part of a certifiable quality management system.
Mid-sized businesses face a resource problem in this regard: training in-house auditors is expensive and retention is difficult; audit trips to suppliers tie up capacity that is needed elsewhere. This article explains when an external supplier auditor is legally and normatively permissible, what qualification requirements apply, how the audit process should be structured, and which documentation obligations cannot be delegated by the commissioning company.
Key Takeaways
- ISO 9001:2015 clause 8.4 and IATF 16949:2016 require systematic supplier evaluation; SMEs can delegate this function to an external supplier auditor but retain ultimate responsibility.
- The external auditor must be qualified, independent, and have demonstrably audited against the agreed scope; a written audit mandate and a formal audit report are mandatory.
- Companies subject to the German Supply Chain Due Diligence Act (LkSG) (§ 4 LkSG) must document risk analyses and supplier checks; an external supplier auditor can carry out the operational assessment tasks, but the documentation obligation remains with the company.
Normative Foundations: ISO 9001, IATF 16949, and the LkSG
The obligation to carry out supplier evaluations and supplier audits arises from several regulatory frameworks, depending on the sector and company size. ISO 9001:2015 clause 8.4 stipulates that the organisation must establish criteria for the selection, evaluation, and monitoring of external providers. The type and extent of control depends on the supplier's impact on product conformity.
IATF 16949:2016, the automotive standard, goes considerably further: clause 8.4.2.4 requires second-party audits (2PA) as part of the supplier development and monitoring programme. The scope and frequency of audits must be determined on a risk basis. Auditors must meet the specific qualification requirements for IATF audits.
The German Supply Chain Due Diligence Act (LkSG) requires companies with 1,000 or more employees (from 2024) to conduct risk analyses at direct suppliers (§ 5 LkSG) and to initiate remedial measures and follow-up checks in the event of violations (§ 7 LkSG). Supplier audits are a recognised instrument for risk assessment. The Federal Office for Economic Affairs and Export Control (BAFA) checks during administrative oversight whether the risk analysis is methodologically sound.
Those who must fulfil multiple of these requirements should structure the audit process such that a single audit covers multiple normative requirements. The external supplier auditor at CIVAC is designed precisely for this multiple use of audit effort.
When an External Supplier Auditor Makes Sense
Not every mid-sized business employs full-time auditors. Supplier audits arise frequently when a new supplier is to be qualified (initial audit), when a supplier has shown quality problems (reactive audit), or when the quality management system prescribes regular monitoring (surveillance audit).
An external supplier auditor is appropriate when the company has no in-house audit capacity, when specific technical or normative expertise is lacking (e.g. IATF 16949, TISAX, ISO 14001), or when independence from a strategic supplier is desired. The external auditor also brings a fresh perspective that avoids in-house blind spots.
In the automotive supply chain, OEMs sometimes require evidence that supplier audits have been conducted by qualified auditors trained to VDA 6.3 or IATF requirements. An internal employee without the corresponding evidence does not meet this requirement. An external auditor with demonstrated qualification closes this gap.
For LkSG purposes, an external auditor does not replace an in-house due diligence structure but can carry out and document the operational assessment. The commissioning company remains obliged to furnish evidence to BAFA. The external auditor's audit report forms part of the due diligence documentation.
Qualification Requirements for External Supplier Auditors
The qualification requirements for an external supplier auditor follow from the applicable standard. ISO 19011:2018 provides general guidelines for auditing management systems; it defines competencies for auditors under ISO 9001, ISO 14001, and other management system standards. For IATF 16949, the requirements are more specific: the auditor must hold a demonstrated qualification to VDA 6.3 or an equivalent qualification.
The basic expectations are: an understanding of the applicable standard (ISO 9001, IATF 16949, ISO 14001, etc.), experience in the supplier's sector, demonstrated auditor training (lead auditor or process auditor), independence from the supplier being audited, and a willingness to report in writing.
For IATF audits, the International Automotive Task Force additionally requires evidence of second-party audit experience and knowledge of the core tools (APQP, PPAP, FMEA, MSA, SPC). The external auditor must disclose and be able to evidence these qualifications before being commissioned.
Qualified external supplier auditors are available in the CIVAC network. The appointment is made with a written mandate, proof of qualification, and a defined scope. Audit-ready, documented, and ISO 9001-compliant: the audit mandate is part of the compliance workspace, not an e-mail in an inbox.
Audit Process: From Planning to the Final Report
A structured supplier audit follows the phases under ISO 19011:2018: audit planning, preparation, execution, reporting, and follow-up. Planning establishes the audit scope, objectives, and criteria. The external auditor receives from the commissioning company all necessary documents: the supplier's current quality management documentation, delivery history, previous audit reports, and normative references.
Preparation includes the production of an audit plan, which should be sent to the supplier at least one week before the audit. During the audit itself, the auditor conducts opening and closing meetings, reviews documents and records, observes processes, and interviews employees. Findings and evidence are documented in an audit protocol.
The final report describes the audit scope, criteria applied, findings (conforming, non-conformity, observation), and where appropriate recommended corrective actions. The report is the central evidential document for the commissioning company. Corrections and their completion are tracked in the follow-up process.
The CIVAC workspace contains 490 audit templates, including supplier audit templates for ISO 9001, IATF 16949, and LkSG risk assessments. The external auditor works in the same workspace as the internal QMR, so that audit reports, actions, and evidence are centrally available.
Documentation Obligations: What the Commissioning Company Must Maintain Itself
Commissioning an external supplier auditor does not relieve the company of its own documentation obligations. ISO 9001:2015 requires in clause 8.4 that documented information is available on the results of supplier evaluations. This obligation rests with the company, not the external auditor.
Concretely this means: the company must document the mandate to the external auditor in writing (scope, methodology, criteria), store the auditor's qualification in a verifiable manner, file the received audit report in the quality management system, track identified non-conformities and initiated actions, and check and document the effectiveness of those actions.
For companies subject to LkSG, an extended documentation obligation applies: BAFA expects a comprehensible presentation of the risk analysis methodology, the assessment instruments used, and the resulting measures. An external audit report without internal linkage to the risk analysis under § 5 LkSG is not sufficient.
Others manage compliance like a filing cabinet. We manage it like software. For supplier audit documentation this means: audit reports, action tracking, and supplier evaluations in one system, with version history and timestamps, retrievable within seconds.
Supplier Evaluation: Risk-Based Approach under ISO 9001 and LkSG
ISO 9001:2015 clause 8.4.1 requires a risk-based approach to the selection and monitoring of external providers. The intensity of monitoring depends on the supplier's influence on the conformity of the end product. Critical suppliers with a high impact on product safety require more frequent and in-depth audits than non-critical C-suppliers.
Supplier evaluation is typically carried out against a scoring matrix that includes criteria such as delivery reliability, complaint rate, quality capability (Cpk values, first-off-tool inspection), certification status, and the outcome of the most recent audit. Suppliers with poor evaluation results are placed into a supplier development or escalation programme.
The LkSG requires in § 5(2) a risk-based prioritisation of direct suppliers. Criteria include sector, country of origin, and the nature of the raw materials used. Suppliers from high-risk sectors or countries must be assessed more rigorously. An external supplier auditor familiar with the LkSG risk categories can operationally implement this prioritisation.
Those who also wish to fill the LkSG supply chain officer externally can combine both roles through CIVAC. The CIVAC workspace links supplier evaluation, audit programme, and LkSG due diligence documentation in a unified system.
Costs and Contract Design for External Supplier Audits
The costs for an external supplier auditor comprise: the auditor's day rate (typically €900 to €1,800 per day depending on qualification and sector), travel costs, preparation effort, and reporting. An initial audit of a new supplier typically takes one to two days depending on scope and company size; a surveillance audit often half a day to a full day.
The service contract should clearly cover: audit scope and applicable standards, proof of the auditor's qualification, timeline and delivery date for the report, a confidentiality agreement (since the auditor gains insight into the supplier's organisation), liability provisions for incorrect reporting, and provisions for the event that the supplier denies access.
Many mid-sized businesses underestimate the negotiation effort and follow-up involved in external audits. A structured commissioning process that standardises all contract elements significantly reduces internal effort. The CIVAC workspace provides corresponding templates for the audit mandate and contract documentation.
Deadline runs from the point of knowledge: when a supplier audit reveals non-conformities that affect the product or due diligence under LkSG, internal and external deadlines begin to run. Those who track these deadlines digitally respond faster than those who maintain a spreadsheet.
Integration into the Quality Management System: Audit Programme and Annual Planning
A single supplier audit has only limited value; it becomes meaningful as part of an audit programme. ISO 19011:2018 recommends establishing an audit programme that documents all planned audits, auditors, deadlines, and resources. For certified organisations under ISO 9001, a documented audit programme is an implicit expectation of the certification body.
The audit programme specifies: which suppliers are audited at what frequency (risk-based), which standards or scope elements are assessed, which internal or external auditors are deployed, and how the results feed into supplier evaluation. The programme is reviewed and updated annually.
External supplier auditors must be integrated into the audit programme. The commissioning company is responsible for ensuring that the external auditor knows the programme objectives, audits the correct scope, and delivers the report on time. An ad hoc commissioning without embedding in the programme creates gaps in the audit documentation.
The CIVAC workspace houses the audit programme as a structured module. Annual audit plans are created with deadlines and responsibilities; the external auditor is granted access to the relevant modules. The inspector calls, the evidence is ready.
Structuring the External Supplier Audit: Next Steps
Anyone wishing to commission an external supplier auditor for their SME starts by analysing their own audit needs: which suppliers must be assessed under ISO 9001, IATF 16949, or LkSG? What qualifications must the auditor bring? At what frequency are audits required?
On this basis, the external auditor is selected and given a written mandate specifying scope, criteria, timeline, and report format. The audit report is filed in the quality management system; non-conformities are linked to actions and deadlines. The audit programme is updated annually.
CIVAC is a compliance platform and Officer-as-a-Service for all 25 officer roles, including the supplier auditor. Licence the workspace for your internal auditors or appoint our officers. Appointment is completed with a letter within two working days. All audit reports, actions, and supplier evaluations are documented in a single EU-hosted workspace.
Turn reading into action. If you wish to structure the supplier audit at your company or appoint a qualified external auditor, write to info@civac.de.
FAQ
May an external auditor be used as a supplier auditor under ISO 9001?
Yes. ISO 9001:2015 and ISO 19011:2018 do not require an internal auditor; they require only that the auditor is competent and independent. The commissioning company must ensure that the results of the external auditor flow into its own quality management system and are documented there.
What qualification must an external supplier auditor demonstrate for IATF audits?
IATF 16949:2016 requires for second-party audits auditors with demonstrated VDA 6.3 qualification or equivalent process auditor training, as well as knowledge of the automotive core tools (APQP, PPAP, FMEA, MSA, SPC). The proof of qualification must be obtained and documented before commissioning.
How often must supplier audits be conducted under ISO 9001?
ISO 9001:2015 prescribes no fixed audit frequency; the frequency depends on risk and the supplier's impact on product conformity. In practice, critical suppliers are audited annually; non-critical ones every two to three years. The risk-based audit programme must be documented.
Does a supplier audit replace the due diligence assessment under LkSG?
A supplier audit is a recognised risk assessment instrument under § 5 LkSG but does not replace the complete due diligence structure. Companies must additionally present a documented risk analysis, a prevention and remediation concept, and an annual report under § 10 LkSG.
What does an external supplier audit cost for an SME?
Costs depend on scope, the auditor's qualification, travel requirements, and the number of audit days. An initial audit typically takes one to two days; day rates range from €900 to €1,800 depending on qualification and sector. Travel and preparation costs and the effort for reporting are additional.
Must the supplier consent to the audit?
For second-party audits, the supplier's consent is typically governed contractually or agreed as a condition of supplier qualification. If a supplier denies access, this is a relevant risk signal and should be documented in the quality management system and, where applicable, in the LkSG risk analysis.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.