GMP & GDP Audits · 7 min read
How Often Should You Audit Your Suppliers and Sites?
How to set GMP audit frequency for suppliers and sites using a risk-based model under EU GMP and ICH Q9 — intervals, triggers and self-inspection explained.
By B. Subramanian · 9 June 2026 · Updated 6 July 2026

The question of GMP audit frequency is one of the most common we field from quality teams, and the honest answer is rarely a fixed number. Under modern EU GMP and ICH Q9 thinking, how often you audit a supplier or site should flow from documented risk, not from a calendar habit inherited years ago. Getting that judgement right protects patients, satisfies inspectors, and stops your team burning audit days where they add little value.

Why "every three years" is the wrong starting point
Many organisations still default to a flat three-year cycle for every approved supplier. It is tidy, it is easy to defend in a spreadsheet, and it is fundamentally at odds with how regulators now expect you to think. EU GMP Chapter 5 and Chapter 7 make clear that the manufacturing-authorisation holder remains responsible for the quality of starting materials and outsourced activities, and ICH Q9 requires that quality risk management effort be proportionate to the level of risk. A low-risk excipient supplier and a sterile contract manufacturer should not sit on the same interval simply because it is administratively convenient.
The three-year figure is best understood as a common maximum interval for routine, well-performing suppliers — not a universal rule. A genuinely risk-based programme will compress that interval for some relationships and, with strong justification, extend it for others.
What should actually drive GMP audit frequency
A defensible interval is the output of a structured risk assessment that you can show an inspector. The factors that should move the dial include:
- Criticality of the product or material — sterile products, biologicals and APIs carry inherently higher patient risk than, say, a secondary packaging component.
- Process complexity and the activity outsourced — aseptic manufacture under Annex 1 demands closer oversight than simple labelling.
- Compliance history — previous findings, recurring deviations, recalls or regulatory action shorten the interval.
- Regulatory status — sites with recent, clean inspections by a recognised authority may justify a lighter touch than an unrated supplier in a region with limited oversight.
- Volume, change and dependency — a sole-source supplier of a critical material warrants more attention than one of several qualified alternatives.
Score these factors consistently, band the result into risk tiers, and assign an interval to each tier. The principle that should run through the whole programme is simple: risk drives frequency, and the rationale is written down.
A practical tiering model
As a starting framework — to be adapted to your own product portfolio and risk appetite — many quality systems land on something like this:
- High risk (sterile manufacture, APIs, sole-source critical materials): on-site audit roughly every one to two years.
- Medium risk (non-sterile finished product, significant intermediates): on-site audit around every two to three years.
- Low risk (low-criticality excipients, simple components): on-site audit every three years or longer, supported by questionnaires and monitoring in between.
These intervals are a default, not a destination. The point of the tier is to set a baseline that events can then override.
Triggers that should override your schedule
Even a well-justified interval must yield to "for-cause" auditing. Treat the following as triggers to bring an audit forward or commission an unplanned one:
- A significant deviation, complaint trend, or confirmed out-of-specification result linked to the supplier.
- A product recall or a regulatory action such as a warning letter or statement of non-compliance.
- A major change — new site, transferred process, new critical equipment, or a change of ownership.
- Adverse intelligence from a regulatory database, a customer, or your own pharmacovigilance signals.
- Repeated failure to close out CAPAs from a previous audit on time.
A programme that cannot respond to these signals is not risk-based, however neat its calendar looks. Inspectors increasingly want to see that your audit plan is a living document that reacts to what your data is telling you.
Self-inspection and your own sites
Frequency expectations are clearer for your own operations. EU GMP Chapter 9 requires self-inspections (internal audits) to be conducted to monitor implementation and compliance, and these are generally expected at least annually across the quality system, whether in one comprehensive exercise or a rolling programme that covers every area each year. For GDP operations, the principle mirrors this: the EU GDP guidelines call for self-inspections at an appropriate, defined frequency to verify adherence to good distribution practice. The discipline here is to ensure complete coverage over the cycle, not to leave a critical area unexamined for years because it never reached the top of the list.
Making the programme work in practice
A robust oversight model rarely relies on full on-site audits alone. Between scheduled visits, lighter-touch tools keep oversight current without exhausting your audit budget:
- Postal or remote questionnaires to confirm continued compliance and capture changes.
- Quality and technical agreements that define responsibilities and notification obligations clearly.
- Ongoing performance monitoring — deviation rates, on-time delivery against specification, and complaint data.
- Shared or third-party audit reports, used judiciously and within the limits regulators accept.
Remote and desk-based assessments earned their place during recent years of travel disruption, and they remain valid where risk is low — but they do not fully replace seeing a facility for high-risk relationships. The judgement of when an on-site visit is non-negotiable is exactly where experienced auditors earn their keep. Our GMP and GDP audit service is built around this risk-tiered approach, and you can see how it has worked for other organisations in our case studies.
Key takeaways on GMP audit frequency
There is no single correct interval — there is a defensible one, derived from risk and documented so that you, your customers and your inspectors can follow the logic. Set baseline intervals by risk tier, let real-world triggers override the schedule, keep your own self-inspections at least annual, and use questionnaires and monitoring to maintain oversight between visits. Review the risk ratings themselves periodically, because a supplier's risk profile is not static.
If you are rebuilding a supplier audit programme, struggling to justify your current intervals, or simply want a second opinion before your next inspection, we can help. Explore our full range of quality and compliance services, or get in touch to discuss a risk-based audit schedule that will stand up to scrutiny.
Regulatory sources
This guidance reflects current UK and EU GMP/GDP requirements. Primary references:
- EudraLex Volume 4 — EU GMP Guidelines
- EU GMP Chapter 9 — Self Inspection
- MHRA Inspectorate Blog
- EMA — GMP/GDP Questions & Answers
Always confirm against the latest published version of each source.
Frequently asked questions
Is there a legal requirement to audit suppliers every three years?+
No. EU GMP does not fix a universal interval; it requires the manufacturing-authorisation holder to assure the quality of materials and outsourced activities using a risk-based approach under ICH Q9. Three years is a common maximum for low-risk, well-performing suppliers, but high-risk relationships often warrant annual or biennial on-site audits. The interval must be justified and documented.
How often must we carry out self-inspections of our own site?+
EU GMP Chapter 9 requires self-inspections to monitor compliance, and these are generally expected at least annually across the quality system. You can run one comprehensive audit or a rolling programme, provided every area is covered within the cycle. For GDP operations, the EU GDP guidelines similarly require self-inspections at a defined, appropriate frequency.
When should we bring a supplier audit forward?+
Schedule a for-cause audit whenever risk signals appear: a significant deviation or complaint trend, a recall or regulatory action, a major change such as a new site or process transfer, adverse regulatory intelligence, or repeated failure to close CAPAs on time. A genuinely risk-based programme reacts to these triggers rather than waiting for the next calendar date.