Designing a Supplier Audit Programme
How to design a risk-based supplier audit programme that satisfies the MHRA: scope, ICH Q9 risk tiering, scheduling, CAPA closure and meaningful metrics.
By B. Subramanian · 9 June 2026 · Updated 25 June 2026

A credible supplier audit programme is the backbone of any defensible supply chain: it is the documented, risk-based system that decides who you audit, how deeply, how often and what you do with the results. Individual audits matter, but inspectors judge the programme behind them, the governance that turns scattered visits into evidence of genuine, continuous oversight. This article sets out how a UK Qualified Person designs that programme so it withstands MHRA scrutiny and actually reduces risk.

Why a programme, not a list of audits
Many quality teams have a calendar of audits but no programme. The distinction is not academic. A programme defines the policy, scope, criteria, responsibilities and lifecycle that govern every audit, and it is exactly what an MHRA inspector expects to see when they examine your control of outsourced activities under EU GMP Chapter 7 and supplier qualification under Chapter 5. For distributors, the equivalent expectations sit in the GDP guidelines, where qualification of suppliers and customers is a named responsibility of the Responsible Person.
The unifying principle is ICH Q9 (Quality Risk Management): the depth and frequency of assurance should be proportionate to the risk a supplier poses to product quality and patient safety. A programme makes that proportionality explicit and repeatable, so two auditors reach the same conclusion about the same supplier. It also feeds your wider quality system under ICH Q10, linking supplier performance to management review, CAPA and continual improvement rather than leaving it stranded in a spreadsheet.
Build the foundations: scope, policy and ownership
Start by writing down what the programme covers and who owns it. A defensible supplier audit programme rests on a small number of clear documents and decisions before a single audit is scheduled.
Define the supplier universe
List every external party whose activities can affect product quality: active substance and finished-product manufacturers, contract laboratories, sterile and packaging suppliers, licensed wholesalers, brokers and logistics providers. A supplier you have never mapped is a supplier you cannot govern. Our supplier management service exists precisely to help quality teams build and maintain this universe with the right depth.
Set policy and responsibilities
- A written audit policy stating objectives, risk criteria and decision rules.
- Named ownership: who approves the programme, who schedules, who audits, who signs off CAPA closure.
- Auditor competence and independence requirements, so the lead auditor is trained in both GMP and audit technique and is independent of the area audited.
- Links to the quality agreement and technical agreement that define each supplier's obligations and your right to audit.
Tier suppliers by risk
Risk tiering is the engine of the programme. Score each supplier against the criticality of what they provide, the complexity of the process, their regulatory and inspection history, and any quality signals such as deviations, complaints or out-of-specification trends. A practical model assigns each supplier to a tier that then dictates the assurance approach.
- Critical (high risk): sterile manufacturers under Annex 1, active substance makers and contract test laboratories. Expect periodic on-site audits.
- Major (medium risk): non-sterile finished-product or significant component suppliers, where a justified remote or hybrid audit may suffice between on-site visits.
- Minor (low risk): stable, low-impact materials or services, where a documented desktop assessment or questionnaire is proportionate.
Record the rationale for each rating. Tiering that cannot be explained is tiering an inspector will challenge. Where a supplier ships product to the United States, factor the relevant parts of 21 CFR 210/211 into the criticality assessment as well.
Schedule, resource and execute
The tier drives the frequency. Critical suppliers typically warrant audit on a defined periodic cycle, with lower tiers on extended intervals or alternative assurance. Build a rolling, multi-year schedule rather than a single annual scramble, and protect auditor capacity against it; an over-ambitious plan that slips is itself a finding.
Make the schedule risk-responsive
A good programme is not static. Beyond the planned cycle, certain events should trigger a for-cause audit or bring a scheduled one forward: a serious deviation, a recurring quality issue, a major change at the supplier, a failed delivery, or an adverse regulatory inspection outcome. Decide in advance how you allocate effort between routine and triggered audits so the for-cause work does not quietly consume the whole plan.
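The risk tiering described above and the for-cause triggers in this section, as an added Python example that is not from the article: the 1-to-3 criterion scores, tier cut-offs, audit intervals and sample suppliers are constructed assumptions, since the article leaves the exact scoring scheme to each company.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed decision rules: the 1-3 scores, tier cut-offs, intervals and assurance
# approaches are assumptions for this example, not figures from the article.
TIER_RULES = [  # (minimum score, tier, routine assurance approach, interval in days)
    (9, "Critical", "on-site audit", 730),
    (5, "Major", "remote or hybrid audit between on-site visits", 1095),
    (0, "Minor", "desktop assessment or questionnaire", 1825),
]
FOR_CAUSE_TRIGGERS = {  # events the article names as grounds for a for-cause audit
    "serious deviation", "recurring quality issue", "major change at supplier",
    "failed delivery", "adverse regulatory inspection outcome",
}

@dataclass
class Supplier:
    name: str
    criticality: int         # 1 low-impact material .. 3 sterile, API or contract lab
    complexity: int          # 1 simple process .. 3 complex process
    inspection_history: int  # 1 clean record .. 3 adverse inspection outcomes
    quality_signals: int     # open deviations, complaints or OOS trends
    last_audit: date
    events: list = field(default_factory=list)  # trigger events since last audit

def risk_score(s: Supplier) -> int:
    """Sum the criteria the article lists; quality signals add at most 3 points."""
    return s.criticality + s.complexity + s.inspection_history + min(s.quality_signals, 3)

def assign_tier(score: int):
    """Return (tier, approach, interval) from the first rule the score satisfies."""
    return next(rule[1:] for rule in TIER_RULES if score >= rule[0])

def plan_audit(s: Supplier, today: date) -> dict:
    """Decide tier, assurance approach and due date, and record the rationale."""
    score = risk_score(s)
    tier, approach, interval = assign_tier(score)
    triggers = sorted(FOR_CAUSE_TRIGGERS.intersection(s.events))
    # A trigger brings the audit forward; otherwise the tier sets the routine cycle.
    due = today if triggers else s.last_audit + timedelta(days=interval)
    return {"supplier": s.name, "score": score, "tier": tier,
            "approach": "for-cause audit" if triggers else approach,
            "due": due, "overdue": due < today,
            "rationale": f"score {score} -> {tier}; triggers: {', '.join(triggers) or 'none'}"}
# Constructed sample suppliers and reporting date (not real companies or data)
TODAY = date(2026, 6, 9)
STERILE_CMO = Supplier("Sterile CMO", 3, 3, 2, 1, date(2025, 1, 15))
LABEL_PRINTER = Supplier("Label printer", 1, 1, 1, 0, date(2020, 3, 1))
TABLET_CMO = Supplier("Tablet CMO", 2, 2, 1, 0, date(2025, 9, 1), ["major change at supplier"])
```

Calling `plan_audit(supplier, TODAY)` for each sample returns the tier, the approach, the due date and a rationale string that can be filed with the rating, which is the record the section asks you to keep.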
Standardise execution so quality does not depend on which auditor attends. Use a shared audit plan template, a tailored aide-memoire mapped to EU GMP, a consistent finding classification (critical, major, minor) and a fixed report timescale, typically ten to fifteen working days. Hold all findings to ALCOA+ expectations for the data and records you examine. For a deeper treatment of running each audit well, our broader consultancy services cover the full audit lifecycle.
Close the loop, measure and improve
A programme earns its keep only if findings change behaviour. Require a documented CAPA plan with genuine root-cause analysis, realistic timescales and named owners, and verify closure by evidence before you consider any finding resolved. Feed each outcome back into the supplier's risk tier and approved status: repeated majors or an unresolved critical should suspend approval, not generate another reminder email.
Then measure the programme itself. Track schedule adherence, overdue CAPAs, repeat findings, audit cycle time and the proportion of for-cause versus planned audits, and report these to management review under ICH Q10. These metrics reveal whether your oversight is improving or merely busy. Our case studies illustrate how a metrics-led programme turns supplier oversight from a paperwork exercise into measurable risk reduction.
Key takeaways
Designing a supplier audit programme is an exercise in governance, not box-ticking. Anchor it in ICH Q9 and ICH Q10, tier suppliers by genuine risk, schedule on a rolling risk basis, standardise execution and close the loop with verified CAPA and meaningful metrics.
- Write the policy, scope and ownership before scheduling any audit.
- Tier every supplier by risk and record the rationale.
- Let risk drive frequency, and let defined triggers prompt for-cause audits.
- Verify CAPA closure and feed outcomes back into approval status and metrics.
If you need experienced QPs and RPs to design your programme, run audits on your behalf or strengthen supplier oversight ahead of inspection, explore our supplier management service or get in touch with our team to discuss your requirements.
Regulatory sources
This guidance reflects current UK and EU GMP/GDP requirements. Primary references:
- EU GMP Chapter 7 — Outsourced Activities
- EU GMP Part II — Active Substances (APIs)
- EMA — GMP/GDP Questions & Answers
Always confirm against the latest published version of each source.
Frequently asked questions
What is the difference between a supplier audit and a supplier audit programme?
A supplier audit is a single, point-in-time evaluation of one supplier against your quality requirements. A supplier audit programme is the overarching system that governs all such audits: the policy, risk criteria, schedule, responsibilities and lifecycle that decide who is audited, how deeply, how often and what happens to the findings. Inspectors assess the programme, because it is the evidence of continuous, systematic oversight rather than ad hoc activity.
How do I decide how often to audit each supplier?
Frequency should be driven by the supplier's risk tier rather than a single fixed interval, in line with ICH Q9. Critical suppliers such as sterile manufacturers, active substance makers and contract laboratories typically warrant periodic on-site audits, while lower-risk suppliers may be covered by extended intervals, remote assessment or questionnaires. In addition, defined triggers such as serious deviations, major changes or adverse inspection outcomes should prompt a for-cause audit outside the routine cycle.
What records does the MHRA expect to see for a supplier audit programme?
Expect to show a written audit policy, your risk-tiering rationale for each supplier, a current multi-year audit schedule with evidence of adherence, and individual audit reports with classified findings. You should also demonstrate verified CAPA closure, links to quality and technical agreements, and that supplier performance feeds management review under ICH Q10. The aim is a closed loop from risk assessment through audit to CAPA and re-assessment that an inspector can follow end to end.