Supplier Auditor
On-site supplier audits per ISO 9001 and IATF 16949, non-conformance logs, CAPA tracking, audit report with risk score. Scheduled against a rolling three-year cycle.
ISO 9001 · IATF 16949
What does a supplier auditor do?
The supplier auditor verifies whether a supplier meets the requirements agreed by contract and imposed by the applicable standards. The methodological foundation is ISO 19011:2018 (Guidelines for auditing management systems), which applies to first-party (internal), second-party (supplier) and third-party (certification) audits. Clause 6 of ISO 19011 structures every audit in six phases: initiating the audit, preparing the audit activities, conducting the audit activities on site, preparing and distributing the audit report, completing the audit, and audit follow-up. Plan-Do-Check-Act (PDCA) frames the overarching improvement cycle.
In practice the duty to appoint arises from ISO 9001:2015 § 8.4 (Control of externally provided processes, products and services), which obliges every ISO 9001 certified company to evaluate and monitor its external providers against defined, risk-based criteria. Automotive suppliers must also meet IATF 16949:2016, whose Annex B lists the VDA 6.3 process audit among the recognised automotive methodologies for second-party audits of tier-1 and tier-2 suppliers. The VDA 6.3 question catalogue covers seven process elements (P1 potential analysis through P7 customer care); the number of questions depends on the edition (64 in the 2010 edition, 58 since the 2016 edition), each scored on a 0 to 10 point scale.
Since 1 January 2024 the German Supply Chain Act (LkSG, § 4 risk management and § 6 preventive measures) adds another audit layer: companies with at least 1,000 employees must run a risk analysis covering their direct suppliers and agree and carry out control measures, in practice supplier audits, on human rights and environmental risks. Recognised methodologies are SMETA (Sedex Members Ethical Trade Audit) and SA8000. The supplier auditor therefore bridges three domains: quality (ISO 9001, IATF 16949, VDA 6.3), information security (supplier relationships under ISO/IEC 27001:2022 Annex A.5.19 to A.5.22) and sustainability (LkSG, CSDDD). Auditor registration is held with IRCA (International Register of Certificated Auditors), DGQ-PersZert or VDA QMC, with annual renewal and proof of audit days.
Core duties
- Build the risk-based audit programme under ISO 19011:2018 Section 5 with audit objectives, scope and criteria.
- Classify suppliers by risk, volume and criticality under ISO 9001:2015 § 8.4.
- Prepare the audit checklist based on standard, customer-specific requirements and prior audit findings.
- Conduct VDA 6.3 process audits across the seven process elements P1 to P7 with 0-to-10-point scoring per question.
- Conduct system audits under VDA 6.1 or IATF 16949 with focus on management system and customer specifics.
- Generate and grade audit findings under ISO 19011 Section 6.4 as major nonconformity, minor nonconformity or observation (the grading scale itself comes from the certification scheme or customer requirement, not from ISO 19011).
- Track corrective actions in the 8D framework with effectiveness verification in the follow-up audit.
- Issue the audit report with findings, recommendations and supplier score.
- Run LkSG and SMETA audits on human rights and working conditions along the supply chain.
- Maintain own auditor qualification through annual training and audit-days proof (IRCA, DGQ-PersZert, VDA QMC).
Appointment and qualification
The duty to appoint a supplier auditor does not arise from federal statute but from normative and contractual requirements. ISO 9001:2015 § 8.4.1 requires every certified company to define criteria for the evaluation, selection, monitoring and re-evaluation of external providers. IATF 16949:2016 § 8.4.2.4.1 explicitly requires automotive tier suppliers to operate a supplier monitoring programme that includes second-party audits. The recognised methodologies are VDA 6.3 (process audit) and VDA 6.1 (system audit).
Auditor qualification follows ISO 19011:2018 Section 7 (competence and evaluation of auditors). General requirements: personal behaviour, knowledge and skills in the audit subject, knowledge of audit methods, and documented audit experience. Lead auditor training runs 40 hours with IRCA-accredited providers, with five logged audit days per year for maintenance. VDA 6.3 auditors complete a 3- to 5-day course at VDA QMC plus at least one practical audit per year. IRCA registration (Provisional Auditor, Auditor, Lead Auditor, Principal Auditor) requires between 5 and 35 proven audit days depending on level. External auditor day rates in Germany run from 950 to 1,800 EUR net for standard ISO 9001 audits and from 1,200 to 2,200 EUR net for VDA 6.3 specialists with automotive focus. Typical triggers for appointing a supplier auditor:
- ISO 9001:2015 certified company with supplier evaluation duty under § 8.4.
- Automotive tier supplier under IATF 16949 with mandatory supplier monitoring programme.
- Customer requirement in supplier manuals such as VW Formel Q, BMW STA or Daimler MBST.
- LkSG-obliged company from 1,000 employees with direct supplier audits.
- Supplier change or new supplier with initial assessment before release.
- Major customer complaint or PPM threshold breach at supplier.
Typical sectors for supplier audits
- Automotive OEMs and tier-1 to tier-3 suppliers (IATF 16949, VDA 6.3).
- Medical devices manufacturers (ISO 13485, MDR (EU) 2017/745).
- Aerospace and defence (EN 9100, EN 9120).
- Mechanical and plant engineering with global sourcing.
- Pharmaceuticals and contract manufacturers (GMP, GxP audits).
- Food production (IFS Food, BRC, ISO 22000).
- Electronics and semiconductor manufacturing (IPC, IATF in automotive).
- Chemicals and process industry with REACH and CLP audits.
- Textile and apparel with SMETA, BSCI and SA8000 audits.
- Consumer goods retail and private label with LkSG supplier audits.
How CIVAC supports the supplier auditor
CIVAC delivers an audit planner mapping the risk-based audit programme under ISO 19011:2018 Section 5, bundling audit dates into annual plans and assigning auditors with qualification status (IRCA, DGQ-PersZert, VDA QMC). Each supplier gets a version-controlled file with audit objectives, audit criteria, audit checklist and scoring template.
VDA 6.3 audits are supported with the full question catalogue of the applicable edition, the 0-to-10 point scoring per question and the resulting A/B/C supplier rating. Findings are classified as major, minor or observation and tracked in 8D workflows with effectiveness verification. The LkSG audit track integrates SMETA question sets and routes findings directly into the complaints procedure under LkSG § 8. Audit trail retention defaults to ten years, which satisfies the IATF 16949 record retention requirement of product life plus one year unless the customer specifies a longer period.
Need this officer role for your organisation?
Appoint our experts as your external officer or license CIVAC for your in-house team. Get in touch and we walk you through the right setup.