Supplier Audits in the FDA-Regulated Industries: A Guide for Quality Leaders

Table of Contents

In the pharmaceutical and medical device industries, regulatory agencies require internal and supplier audits to ensure compliance with Good Manufacturing Practices and ISO standards.

The audits are conducted to identify potential problems that may impact product quality, efficacy, or safety and provide a mechanism for corrective actions to minimize public health risks. In this blog post, we will discuss seven critical areas to focus on during internal or supplier audits.

Regulatory agencies in the pharmaceutical and medical device industry require both internal and supplier audits to ensure that products are safe and effective for public use. The audit requirements are listed in the Good Manufacturing Practices (GMP), Good Distribution Practices (GDP), ISO 13485:2016, or other relevant standards. 

Conducting audits helps to identify potential issues that may affect the quality, efficacy, or safety of the products. By identifying and addressing these issues, audits help minimize public health risks. Companies are responsible for maintaining these standards during the period between audits.

Inside FDA's Pre-Approval Inspections with Former FDA Investigator, Christopher Smith

In October of 2020, he sat down to discuss PAIs in an episode of The FDA Group's podcast, The Life Science Rundown. Watch the full episode below and read on for a clear and simple deep dive into PAIs.

Listen and subscribe to The Life Science Rundown →

Regulatory Expectations for Supplier Quality Management

Many FDA-regulated manufacturers falsely assume that by outsourcing duties to suppliers, these third parties take on the responsibilities for maintaining regulatory compliance. This is a fundamental misunderstanding of the expectations laid out in 21 CFR Part 820 for medical device companies and FDA’s Q10 Pharmaceutical Quality System guidance for the pharmaceutical industry.

Although a viable supplier business model demands high-quality products and services, the regulatory burden ultimately rests on the company receiving their products or service. Monitoring and managing quality is extremely important when outsourcing anything that could potentially impact the product. This includes both the typical outsourced services like component suppliers and contract manufacturers, as well as consulting services, more generally.

To eliminate confusion around the expectations placed on manufacturers, we’ve summarized the key regulations governing supplier management for drug and device companies below.

Pharmaceuticals (Q10 Pharmaceutical Quality System Guidance)

This guidance extends quality systems responsibilities for drug makers to their outsourcing activities. One particularly important clause states that contract givers “should be responsible for assessing the suitability and competence of the contract acceptor to carry out the work required.” It also establishes that all responsibilities for quality-related activities between the two parties “should be specified in a written agreement.”

Beyond this, drug manufacturers must ensure that any product introduced into interstate commerce is neither adulterated nor misbranded due to the actions of a contracted facility but rather due to the labeled drug manufacturer. This point is particularly crucial for “virtual” companies that rely entirely on outsourced manufacturing.

All companies, virtual or otherwise, are ultimately responsible for the products they place into interstate commerce. A risk-based approach to supplier quality management is recommended to ensure this expectation can be met.

This should include, at minimum, the following actions:

  • Conduct a comprehensive risk assessment to determine the appropriate controls for the supplier based on the products or services they provide and their criticality to your product.
  • Perform a supplier audit to assess the company’s ability to deliver products and/or services, perform independent testing of any components or products, and review any previous compliance issues such as FDA 483s, warning letters, or consent decrees.
  • Monitor, document, and review supplier performance on a regular basis. Address and resolve any issues that arise.
  • Establish appropriate written quality agreements regarding responsibilities for cGMP activities. Create a table or chart detailing the responsibilities for each organization.

📄 Download our free white paperThe Complete Guide to FDA-Regulated Supplier Qualification and Quality Management — for a more in-depth guide to proper supplier qualification.

Screenshot 2023-10-26 at 1.47.38 PM

Medical Devices (21 CFR Part 820)

All medical device companies marketing products in the United States must have a Quality Management System that satisfies the requirements of Part 820. Specific to suppliers, this regulation establishes Purchasing Controls (Section 820.50), which require manufacturers to develop and maintain procedures that ensure all purchased or otherwise received products and services adhere to a specific set of requirements.

Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants. Each manufacturer shall:

1. Evaluate and select poten-tial suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.

2. Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.

3. Establish and maintain records of acceptable suppliers, contractors, and consultants.

Purchasing data. Each manufacturer shall establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services. Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with § 820.40.

The use of the term “establish” is particularly important to interpret properly. According to FDA in 21 CFR Part 820.3, “establishing” means to define, document, and implement. In the context of Purchasing Controls, thorough documentation (written or electronic) is absolutely essential.

Internal Audits vs. Supplier Audits

Manufacturers conduct internal audits to evaluate their own processes and guarantee compliance with GMP and other regulatory standards. These audits are an essential component of the manufacturer's quality management system, and they offer an opportunity to detect potential issues and implement corrective actions to prevent recurrence while striving for continuous improvement.

Supplier audits provide an objective evaluation of supplier processes and compliance with regulatory requirements. These audits are essential for identifying potential issues related to purchased products or services that could impact internal production. In other words, supplier audits are crucial for ensuring the quality of purchased products or services and compliance with regulations.

Types of Supplier Audits

FDA-regulated firms conduct various types of vendor/supplier audits to ensure compliance with regulatory standards and to maintain the quality and safety of their products. Often, these types of audits will be combined based on the needs at hand.

The types of audits conducted can include, but are certainly not limited to:

Quality System Audits: These audits assess the supplier's quality management system to ensure it meets the standards required by the FDA. This includes reviewing processes for design control, production, product testing, and quality assurance.

Pre-Approval Inspections (PAI): For pharmaceutical companies, PAI audits are conducted on suppliers of active pharmaceutical ingredients (APIs) or critical components before the FDA approves a new drug application.

Good Manufacturing Practice (GMP) Audits: These audits focus on the supplier's compliance with GMP regulations, which are critical in ensuring that products are consistently produced and controlled according to quality standards.

Good Laboratory Practice (GLP) Audits: These audits are relevant for suppliers who conduct nonclinical laboratory studies. The audit ensures compliance with GLP regulations, which are designed to ensure the quality and integrity of safety data.

Good Clinical Practice (GCP) Audits: For suppliers involved in clinical trials, GCP audits assess compliance with regulations that ensure the integrity of clinical trial data and the protection of trial participants.

Supply Chain Security Audits: These audits assess the security of the supplier's supply chain, including transportation and storage, to prevent contamination, adulteration, or other compromises to product integrity.

Data Integrity Audits: These audits focus on the accuracy and reliability of the supplier's data, including record-keeping practices, data storage, and data processing systems.

Risk-Based Audits: These are tailored audits based on the risk profile of the supplier and the criticality of the materials or services they provide. They may cover a combination of the above areas depending on the specific risks identified.

When to Audit Your Suppliers

An FDA-regulated manufacturer should perform supplier audits at several key points and under various circumstances to ensure compliance and maintain the quality and safety of their products.

Here are some scenarios when supplier audits are typically conducted (again, this list is not exhaustive):

Before Onboarding a New Supplier: Before entering into a business relationship, an initial audit is crucial to assess the supplier's ability to meet regulatory and quality requirements. This is a critical part of supplier qualification.

Periodic Scheduled Audits: Regularly scheduled audits, often annually or biennially, are conducted to ensure ongoing compliance and to identify any changes in the supplier's processes or quality systems.

When Significant Changes Occur: If there are significant changes in the supplier's operations, management, production processes, or materials, a new audit may be necessary to evaluate the impact of these changes on quality and compliance.

Post-Issue Resolution: If a supplier was previously found to have issues or non-compliance, a follow-up audit is often conducted after corrective actions have been implemented to ensure that the issues have been adequately addressed.

Risk-Based Frequency: High-risk suppliers, or those providing critical components, may require more frequent audits. The frequency can be determined based on a risk assessment considering factors like the supplier's past performance, the supplied materials' criticality, and the manufacturing process's complexity.

Regulatory Requirement Changes: If there are changes in FDA regulations or industry standards that affect the supplied materials or components, an audit may be necessary to ensure the supplier's processes and products comply with the new requirements.

Random or Unannounced Audits: Some manufacturers conduct random or unannounced audits to get a more accurate picture of the supplier's typical operations and compliance status.

Market or Consumer Complaints: If there are market complaints or adverse events related to the quality or safety of the products, an audit may be conducted to investigate if the issue is related to the supplier's materials or processes.

As Part of Continuous Improvement: Audits can also be part of a continuous improvement program to enhance quality, efficiency, and compliance in the supply chain.

When Industry Trends or Issues Arise: If there are emerging trends or widespread issues in the industry that could affect the supplier, an audit might be conducted to ensure that these broader challenges are being effectively managed.

What Areas Comprise a Supplier Audit

When conducting a supplier audit for an FDA-regulated manufacturer, there are several key areas to focus on to ensure compliance with regulatory standards and to maintain product quality and safety.

Here are some of the critical areas, however, the specific components of any specific audit are situation-specific.

Quality Management System (QMS): Evaluate the supplier's QMS to ensure it aligns with industry standards and regulatory requirements. This includes reviewing their documentation, procedures, and records.

Good Manufacturing Practices (GMP): Assess the supplier's adherence to GMP regulations. This includes evaluating cleanliness, equipment maintenance, personnel training, and process controls.

Regulatory Compliance: Verify that the supplier complies with all relevant FDA regulations and any other applicable regulatory requirements.

Product Quality and Specifications: Ensure the products or materials supplied meet the agreed-upon specifications and quality standards.

Process Control and Validation: Evaluate the supplier's process control measures and validation procedures to ensure consistency and reliability in production.

Supplier Qualification and Performance: Review the supplier's qualification process and historical performance, including their ability to meet delivery timelines and quality standards.

Change Control: Assess the supplier's change control procedures to ensure that any changes in materials, processes, or equipment are properly documented, evaluated, and communicated.

Corrective and Preventive Actions (CAPA): Review the supplier's CAPA system to ensure that they effectively identify, document, and resolve quality issues.

Data Integrity and Record Keeping: Evaluate the integrity and accuracy of the supplier's data and their record-keeping practices.

Supply Chain and Material Traceability: Assess the traceability of materials throughout the supply chain to ensure transparency and the ability to track and recall products if necessary.

Environmental Control: Evaluate the supplier's environmental controls, including temperature, humidity, and contamination controls, especially for sensitive materials.

Employee Training and Competence: Review the training programs and competence of the supplier's personnel, particularly those involved in critical processes.

Facility and Equipment: Inspect the supplier's facilities and equipment to ensure they are suitable, well-maintained, and capable of producing quality products.

Risk Management: Assess the supplier's risk management practices and how they identify, evaluate, and mitigate potential risks.

Sub-Supplier Management: If applicable, evaluate how the supplier manages their own sub-suppliers to ensure quality and compliance throughout the supply chain.

Customer Complaints and Feedback: Review how the supplier handles customer complaints and feedback and how they implement improvements based on this feedback.

Audit and Inspection History: Review the supplier's history of audits and inspections, including any findings and how they were addressed.

In addition to these standard focus areas, supplier audits can provide valuable insight into other areas that paint a much more complete picture of their operation and standing.

For example, an exceptionally skilled auditor may evaluate the supplier's capacity for scalability ahead of increased production needs. This is crucial for manufacturers with growing demands or plans for expansion.

Cybersecurity is another major (and quickly growing) area of concern, especially if a supplier handles sensitive data or is integrated into digital aspects of the manufacturing process.

Supply chain resilience is another emerging area of focus. This includes their ability to manage disruptions, maintain inventory levels, and have contingency plans for emergencies or unexpected demand changes.

Addressing Common Supplier Auditing Challenges

Quality leaders responsible for auditing suppliers, particularly in FDA-regulated industries, face various challenges. These challenges can impact the audits' effectiveness and the supply chain's overall quality. 

Complex Supply Chains

Modern pharma/device supply chains can be incredibly complex, involving multiple tiers of suppliers spread across different countries. This complexity makes it challenging to maintain visibility and control over quality standards throughout the supply chain.

A few best practices:

  • Develop a detailed map that identifies every supplier, sub-supplier, and the flow of materials. This should include geographical locations, products supplied, and supplier relationships.
  • Assign risk levels to suppliers based on factors like their role in the supply chain, past performance, and the criticality of their supplied products. Apply more rigorous auditing and monitoring to higher-risk suppliers.
  • For suppliers in lower tiers or those in developing regions, consider implementing supplier development programs that help them meet your quality standards.

Risk Assessment and Prioritization

Effectively assessing and prioritizing risks among various suppliers to focus resources on the most critical areas can be complex.

A few best practices:

  • Develop a multi-dimensional risk matrix that evaluates suppliers based on various factors such as financial stability, geopolitical risks, historical performance, and the criticality of supplied products. (Involve cross-functional teams in the risk assessment process to gain diverse perspectives.)
  • Regularly update risk assessments to reflect changes in the supply chain, such as new suppliers, changes in supplier operations, or shifts in global trade patterns.
  • Use advanced predictive models that analyze patterns and trends to forecast potential risks. This can help in proactive risk mitigation.

Geographical and Cultural Differences

Conducting audits across different countries involves dealing with varying regulations, languages, and cultural practices. These differences can pose significant challenges in terms of communication, understanding local regulations, and ensuring consistent standards.

A few best practices:

  • Employ or partner with auditors who have local expertise. They should not only understand the language but also be familiar with local business practices and regulatory requirements. At The FDA Group, we have resources in 47 countries and routinely help assemble local auditing teams for suppliers around the world.
  • Establish dedicated teams or hire experts who are responsible for staying updated on regulatory changes in different regions and integrating these into audit protocols.

Resource Constraints

Quality leaders often face resource constraints, including limited time, budget, and personnel. This can make it difficult to conduct thorough audits, especially for a large number of suppliers or for suppliers located in distant regions.

A few best practices:

  • Partner with a reputable third-party auditing firm to access the auditors and additional project manamgent support you need. This can extend capabilities and allow internal teams to focus on strategic areas. This is one of our primary services areas at The FDA Group. Contact us for supplier auditing support.
  • Develop a schedule that prioritizes audits based on risk assessments. High-risk suppliers should be audited more frequently, while lower-risk suppliers might require less frequent audits.
  • If and when appropriate, embrace remote auditing techniques, including virtual tours, digital document reviews, and teleconferencing. This can save travel time and costs.

Supplier Resistance or Lack of Cooperation

 Sometimes suppliers may be resistant to audits or may not fully cooperate. This can be due to various reasons, including perceived intrusion, fear of revealing proprietary information, or concerns about potential disruptions to their operations.

A few best practices:

  • Clearly communicate the objectives, scope, and benefits of the audit. Emphasize that audits are a tool for improvement rather than just compliance.
  • Use robust confidentiality agreements to alleviate fears about sensitive information being disclosed.
  • Involve suppliers in the audit planning process. Seek their input on scheduling and the audit scope to make them feel more involved and less imposed upon.

Data Integrity and Transparency Issues

Ensuring the integrity and transparency of data provided by suppliers can be challenging. There may be instances of incomplete, inaccurate, or manipulated data, which can hinder the audit process.

A few best practices:

  • Implement stringent verification processes for supplier data. This could include cross-referencing information, conducting spot checks, and using third-party data sources.
  • Conduct unannounced or surprise audits occasionally. This can provide a more accurate picture of the supplier's typical operations and practices.
  • Conduct workshops or provide resources to educate suppliers on the importance of data integrity. Explain how accurate data benefits both parties in the long run.

Variability in Supplier Maturity

Suppliers can vary greatly in terms of their quality maturity, technological capabilities, and understanding of regulatory requirements. Tailoring audit approaches to suit different levels of supplier maturity can be challenging.

A few best practices:

  • Conduct thorough assessments to determine the maturity level of each supplier. This should evaluate their quality systems, technological capabilities, and overall business practices.
  • Develop different audit approaches based on the maturity level. We often find that less mature suppliers require more guidance and a focus on basic quality principles, while mature suppliers might benefit from audits focusing on continuous improvement and advanced quality practices.
  • Implement supplier development programs that provide training, resources, and support to help suppliers improve their quality systems and practices.

Estblishing a Robust Supplier Audit Program

Establishing a robust supplier audit program involves several key steps. These steps are designed to ensure that the program is comprehensive, effective, and aligned with the company's quality and compliance objectives. Here are the basic steps:

1. Define Objectives and Scope

Define what you want to achieve with the supplier audit program. This could include:

  • GMP compliance
  • Compliance with Marketing Authorization, NDA, BLA, etc.
  • Compliance with company policies and procedures
  • Matching of health regulatory agency procedures to duplicate regulatory inspections
  • Rehearsal of site staff to be part of regulatory agency inspections
  • Compliance with the contract terms

Then decide which suppliers will be audited, the frequency of audits, and the specific areas or processes that will be evaluated.

Action items:

  • Identify key quality and compliance goals.
  • Align audit objectives with overall business strategy.
  • List suppliers to be audited.
  • Decide on the frequency of audits.
  • Identify specific areas or processes for evaluation.

2. Develop Audit Criteria and Standards

Develop clear criteria for the audit based on regulatory requirements, industry standards, and your company's quality expectations. Then develop detailed checklists or guidelines that outline what will be assessed during the audits.

Action items:

  • Review regulatory requirements and industry standards.
  • Incorporate company-specific quality expectations.
  • Develop detailed checklists for each audit area.
  • Ensure checklists cover all necessary compliance points.

3. Resource the Audit Team(s)

Work with an experienced firm to access qualified auditors with the necessary expertise, experience, and certifications. Ensure they have a good understanding of the industry and regulatory requirements. Offer training to auditors on your company's procedures, the specific audit criteria, and any relevant regulatory updates. Some auditors will offer their own general audit criteria as well.

Auditors should thoroughly understand your facility’s technical operations (equipment, facilities, processes and quality systems) before moving forward.

Contact us to access the indsutry's best auditors. Here's a look at our proven process for auditing projects:

Screenshot 2023-10-26 at 1.07.01 PM

Action items:

  • Identify auditors with relevant expertise.
  • Verify certifications and experience.
  • Conduct training sessions on audit procedures.

4. Plan and Schedule Audits

Prioritize audits based on risk assessments. High-risk suppliers or critical supply chain components should be audited more frequently. Communicate with suppliers to schedule audits at mutually convenient times. Provide them with information on the scope and expectations of the audit.

Action items:

  • Assess the risk level of each supplier.
  • Prioritize audits based on risk.
  • Inform suppliers about upcoming audits.
  • Agree on dates and times for audits.
  • Communicate the scope and expectations.

5. Conduct Audits and Report Findings

Auditors should conduct thorough evaluations based on the predefined criteria and checklists. This may include reviewing documents, inspecting facilities, and interviewing staff. Collect evidence to support findings. This could include records, logs, photographs, or samples.

Since an auditor’s time on-site is often limited, make the most of the visit by utilizing your resources efficiently.

  • Prepare and review key documents in advance to save time.
  • Make necessary arrangements so most of the time auditors spend on site can be used to interview personnel and observe the facility/operations.
  • Arrange for any necessary subject matter experts to assist the auditor with technical processes when they arrive.

After the audit, compile the findings into comprehensive audit reports. Reports should clearly outline any non-compliances, areas for improvement, and best practices observed. Share the audit reports with the suppliers. Provide them with clear feedback and discuss any areas of concern.

Action items:

  • Inspect facilities and operations, review relevant documents and records, interview staff and management, and conduct other audit activities, including documenting findings with notes and photographs, collecting samples if necessary, and recording any observed non-compliances.
  • Compile findings into structured reports that highlight areas of non-compliance and excellence.
  • Share reports with suppliers. Discuss findings and clarify any questions.

6. Follow-Up and Corrective Actions

Work with suppliers to develop corrective action plans for any non-compliances or issues identified. Regularly follow up with suppliers to monitor the implementation of corrective actions. Offer support and guidance as needed. We regularly assist with planning and executing these remediation projects. Contact us to discuss remediation support.

fda-Illustration-Webinars-SmallWatch our free webinar to learn more about conducting a thorough gap analysis as well as a step-by-step process for resourcing and implementing remediation afterward.

Watch the Webinar »

Action items:

  • Work with suppliers to outline corrective steps. Set deadlines for implementing changes.
  • Schedule follow-up meetings or calls.
  • Review evidence of implemented changes.

7. Review and Continuous Improvement

Analyze audit results over time to identify trends, common issues, or areas for overall supply chain improvement. Regularly review and update the audit program based on feedback, changes in regulations, or shifts in company strategy.

Action items:

  • Look for patterns in audit findings. Identify common issues across suppliers.
  • Make adjustments based on feedback and results.
  • Incorporate any new industry or regulatory changes.

8. Documentation and Record Keeping

Keep detailed records of all audits, including reports, corrective action plans, and follow-up communications. Ensure that sensitive information gathered during audits is kept confidential and secure.

Action items:

  • Store all audit reports and correspondence securely.
  • Keep a log of all audit activities and outcomes.
  • Be sure to protect sensitive supplier information and follow data privacy regulations.

Interested in putting a comprehensive supplier auditing program in place? We can help.

Our certified, experienced auditors plan, schedule, and execute vendor/supplier quality management audits to identify areas of conformance and nonconformance with applicable global regulations. Following assessment, our experts provide a detailed report including all observations, deficiencies, and a risk-based corrective action plan for improvement.

With an enhancement plan in place, our quality professionals will work closely with you to provide recommendations, resolve compliance issues, track corrective actions, and communicate the status of resolutions with company management.

This comprehensive approach to vendor/supplier quality management strengthens your vendor/supplier relationships while ensuring your products are of the highest quality through a quality system that is compliant and efficient.

Our vendor/supplier auditing services include:

  • Vendor/supplier audit plan strategy and creation
  • Vendor/supplier audit execution and project management
  • Vendor/supplier audit plan maintenance and support
  • Veeva eQMS data entry services

Contact us to start the conversation.

Gap Analysis Webinar

Watch the Webinar »

Watch our free webinar to learn more about conducting a thorough gap analysis as well as a step-by-step process for resourcing and implementing remediation afterward.

Topics: FDA Auditing