77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
Conducting a Supplier Audit: Process, Checklist, and Documentation under ISO 9001
Audits & Suppliers

Conducting a Supplier Audit: Process, Checklist, and Documentation under ISO 9001

27 May 202612 min readBy Dr. Henrik Bauer
CIVAC

A supplier audit under ISO 9001:2015 follows a clearly defined process. Those who structure planning, execution, and reporting consistently create reliable evidence for quality management and LkSG due diligence.

ISO 9001:2015 clause 8.4 requires organisations to systematically evaluate and monitor external providers. The supplier audit is the most operational instrument of this monitoring: it enables a direct assessment of the supplier's processes, systems, and risks on site or remotely. ISO 19011:2018 provides the general framework for auditing management systems, including the phases of planning, preparation, execution, reporting, and follow-up.

This article describes each of these steps in concrete terms: which documents are needed for preparation? How should the audit interview be structured? What belongs in the audit report? And what evidence does a certification body or BAFA expect during an LkSG review? The article is aimed at quality managers, compliance officers, and appointed officers who wish to conduct a supplier audit for the first time or in a newly structured manner.

Key Takeaways

  • A supplier audit under ISO 19011:2018 is structured into five phases: planning, preparation, execution, reporting, and follow-up; each phase generates evidence subject to documentation obligations.
  • The audit plan must be communicated to the supplier in good time; scope, criteria, and applicable standards must be set down in writing before the audit begins.
  • Findings in the audit report are classified by severity (non-conformity, observation, strength); the audit is only normatively concluded with written corrections and effectiveness evidence.

Phase 1: Audit Planning – Defining Scope, Objectives, and Criteria

Before actual preparation comes planning: what is the audit intended to achieve? Typical objectives of a supplier audit are verification of normative conformity (ISO 9001, IATF 16949, ISO 14001), assessment of process capability for a specific product or service, and fulfilment of the duty of care under § 5 LkSG.

The audit scope describes which processes, sites, products, or standard clauses are the subject of the audit. It should not be too broad: an audit intended to cover all business areas of a large supplier cannot be conducted reliably in a single day. A targeted scope with clear clause references (e.g. ISO 9001:2015 clauses 8.1 to 8.7) is preferable.

The audit criteria define the requirements against which conformity is assessed. These may be normative requirements (ISO 9001), contractually agreed specifications, or statutory requirements (LkSG). The criteria must be documented in the audit plan and communicated to the supplier before the audit.

The audit plan is also an internal resource planning tool: who audits (internal or external)? What technical equipment is required? What preliminary documents are requested from the supplier? A structured audit plan significantly reduces queries and setup time. The CIVAC workspace contains 490 audit templates, including several supplier audit templates.

Phase 2: Preparation – Documents, Questionnaire, and Preliminary Information

Good preparation begins with requesting relevant documents from the supplier: current quality management documentation (manual, procedural instructions), certificates (ISO 9001, IATF, ISO 14001), results of internal audits, complaint and CAPA histories, and inspection evidence for relevant products or processes.

On the basis of the preliminary documents, the auditor prepares an audit checklist. This checklist is not a questionnaire in the sense of a self-assessment, but a working instrument for the auditor: it structures the audit interview, ensures that all scope elements are covered, and serves as an evidential document for the commissioning company.

The audit plan is sent to the supplier at least five to ten working days before the audit. It includes: date, location or online format, audit team, scope, agenda (opening, process walkthrough, document review, closing) and the expected contact persons at the supplier. Late transmission of the plan is a frequent cause of poor audit atmosphere and incomplete documentation.

For the external supplier auditor at CIVAC, preparation checklists and document request templates are standardised and immediately ready to use.

Phase 3: Execution – Opening Meeting, Process Walkthrough, Document Review

The audit begins with the opening meeting. Here the audit team introduces itself, explains the scope and objective of the audit, clarifies confidentiality matters, and agrees the agenda. The opening meeting is not a formality but lays the foundation for a productive audit interview.

The process walkthrough is the core of the audit. The auditor observes processes, interviews employees, and reviews records on a sample basis. The three central questions are: is there a documented requirement? Is this requirement actually applied? Are there records that demonstrate this? Deviations from these three levels are noted.

The document review supplements the walkthrough: certificates, inspection reports, training records, measuring equipment calibrations, and internal audit reports are checked for currency and completeness. For IATF 16949 audits, core tool evidence (PPAP, FMEA, MSA) is also required.

The closing meeting summarises all findings. Non-conformities are communicated verbally, strengths noted. The supplier is given the opportunity to clarify misunderstandings. Nothing in the written report should come as a surprise to the supplier; the closing meeting creates transparency and reduces objections to the report.

Phase 4: Reporting – Structure and Content of the Audit Report

The audit report is the central evidential document of the supplier audit. ISO 19011:2018 describes the minimum content: audit identification (date, location, audit team), audit scope and criteria, an overview of the processes and documents reviewed, findings classified by severity, a conclusion on conformity, and a list of recommended or required actions.

Findings are classified: a non-conformity exists when a normative or contractual requirement is not fulfilled. An observation is a note on a potential risk without current non-conformity. A strength (positive finding) documents particularly well-implemented requirements and motivates the supplier.

The report should be finalised and sent to the supplier within five working days of the audit. Late transmission weakens the binding nature of action planning. The report must be archived by the commissioning company, preferably in the quality management system with a direct reference to the supplier master record.

In the CIVAC workspace, the audit report is structured as a digital document: findings are categorised, actions linked, deadlines set. Audit-ready, documented, and ISO 9001-compliant.

Phase 5: Follow-Up – Corrections, CAPA, and Effectiveness Check

A supplier audit is not concluded until all non-conformities have been closed with verified corrective actions. The supplier is required to submit a root cause analysis and a corrective action plan (CAPA) for each non-conformity. The deadline for the CAPA should be specified in the audit report or a separate action list; 30 to 90 days is customary.

The commissioning company reviews the submitted CAPA for plausibility: has the root cause been correctly identified? Is the action suitable to prevent recurrence? Is the timeline realistic? Where CAPAs are inadequate, feedback requesting revision is required.

The effectiveness check takes place after the action has been completed, either through document review, a follow-up on-site check, or a remote check. Only when effectiveness is confirmed is the non-conformity marked as closed. The entire CAPA history must be retained for at least three years and presented to the certification body on request.

Deadline runs from the point of knowledge: if a non-conformity represents a product risk, additional deadlines may begin to run under product liability law or IATF escalation processes. The CIVAC workspace automatically tracks deadlines, actions, and responsibilities and sends reminders before dates are missed.

Remote Audits: Prerequisites and Limitations under IAF MD 4:2022

Since the revision of IAF Mandatory Document MD 4:2022, remote audits are accepted for certification audits and second-party audits under certain conditions. Remote audits enable savings in travel costs and time; they are particularly suited to pure document and system audits or for follow-up checks after an on-site audit.

Prerequisites for an effective remote audit: stable internet access, camera technology for process walkthroughs (where required), secure transfer of confidential documents, and the explicit consent of the supplier. For process and product audits under IATF 16949, where a machine walkthrough or measuring equipment calibration is to be checked, a purely remote format is generally insufficient.

The audit plan must explicitly state remote formats. The technologies used (video conferencing, document transfer platforms) must be documented. The audit report does not differ in content from an on-site audit but must note the remote nature of the audit.

Licence the workspace for your internal auditors or appoint our officers. The CIVAC workspace supports both remote and on-site audits with the same structured templates and the same documentation workflow. Further information can be found on the page for the supplier auditor at CIVAC.

Supplier Audit and LkSG: Implementing Due Diligence Operationally

The German Supply Chain Due Diligence Act (LkSG) requires companies with 1,000 or more employees since 1 January 2024 to conduct risk analyses at direct suppliers (§ 5 LkSG) and to initiate preventive and remedial measures where risks are identified (§§ 6, 7 LkSG). A supplier audit is a suitable instrument for operationally implementing these obligations.

For LkSG purposes, the audit must go beyond purely quality criteria: human rights and environmental risks must also be assessed, such as working conditions, remuneration, child labour, forced labour, or environmental violations. The matters to be examined are based on the protected legal positions listed in § 2 LkSG.

The results of the audit feed into the annual LkSG report that companies must publish on their website and submit to BAFA under § 10 LkSG. BAFA expects a methodologically comprehensible presentation of the risk assessment; an undocumented or informal audit is not sufficient as evidence.

Those wishing to map LkSG due diligence and quality auditing within a single process can combine both requirements in a combined audit scope. The LkSG officer at CIVAC and the supplier auditor work on the same platform.

Common Errors in Supplier Audits and How to Avoid Them

Auditors observe four errors particularly frequently in mid-sized businesses:

  • Unclear scope: An excessively broad audit scope leads to superficial assessments without reliable findings. Better: a clear scope with standard clause references and specific audit objects.
  • Lack of advance communication: If the audit plan only reaches the supplier the day before, relevant contact persons are often unavailable. Minimum lead time: five working days.
  • Non-conformities without classification: If the report does not distinguish between non-conformities and observations, CAPA prioritisation is unclear. Classification by severity is mandatory.
  • Open CAPAs without deadline tracking: Actions that are not time-bound and tracked frequently end without an effectiveness check. This does not formally close the audit.

A fifth error is the absence of integration into the quality management system: audit reports in e-mail inboxes or on local drives are not accessible to certification bodies and authorities and are treated as missing documented information under ISO 9001:2015 clause 7.5.

Others manage compliance like a filing cabinet. We manage it like software. This principle applies particularly to supplier audits: structured templates, deadline tracking, and central document management significantly reduce errors and rework.

Structuring the Supplier Audit: Next Steps for Your Organisation

Anyone wishing to build a supplier audit programme or improve an existing one starts with an inventory: which suppliers must be assessed under ISO 9001, IATF 16949, or LkSG? Which audits were conducted in the past twelve months? Which non-conformities are still open?

On this basis an annual audit programme is produced that prioritises all suppliers by risk, specifies audit type and scope, and assigns auditors – internal or external. The programme is reviewed annually and updated when there are material changes to the supplier portfolio.

CIVAC is a compliance platform and Officer-as-a-Service for all 25 officer roles, including the supplier auditor. The CIVAC workspace provides structured audit templates, deadline tracking, an action module, and audit-proof document storage. Licence the workspace for your internal auditors or appoint our officers. Appointment is completed with a letter within two working days.

Turn reading into action. If you wish to structure your supplier audit programme or commission a qualified external auditor, write to info@civac.de.

FAQ

What documents are required for a supplier audit?

Before the audit you should request from the supplier: current certificates (ISO 9001, IATF 16949, etc.), the QM manual or relevant procedural instructions, results of internal audits, CAPA histories from the past twelve months, and inspection evidence and calibration records for relevant measuring equipment. These documents form the basis for the audit plan and audit checklist.

How long does an on-site supplier audit take?

Duration depends on the scope and size of the supplier. A focused system audit at a small supplier typically takes one day; a comprehensive process audit at a medium-sized supplier under IATF 16949 can take two to three days. Remote audits for pure document reviews can often be completed in half a day.

As the commissioning party, must I conduct the audit myself?

No. You may commission an external supplier auditor. What is important is that the audit report flows into your quality management system and is documented there. The ultimate responsibility for follow-up on non-conformities and the effectiveness check remains with the commissioning company.

What is the difference between a system, process, and product audit at a supplier?

A system audit checks whether the supplier's quality management system is constructed in conformity with the standard (ISO 9001 clauses). A process audit (under VDA 6.3) checks specific production or service processes for risk management and capability. A product audit spot-checks finished products or components for specification conformity. Depending on the objective, all three types may be combined.

How long must supplier audit reports be retained?

ISO 9001:2015 does not specify a fixed retention period; the standard merely requires that documented information is available. In practice, audit reports and CAPA histories are retained for at least three to five years to be able to furnish evidence to certification bodies and, where LkSG obligations apply, also to BAFA.

What happens if a supplier shows serious non-conformities during the audit?

Serious non-conformities require an immediate corrective action and should be noted negatively in the supplier evaluation. Depending on the contract, this may require initiating supplier development, securing the situation through increased incoming inspection, or in extreme cases initiating a supplier change. The decision must be documented.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles