There is no requirement that an on-site audit must be performed. It is up to your company to establish supplier approval and monitoring requirements commensurate with the criticality/risk of the product/service being provided.
Just to give you an example of what we do... we have our suppliers broken up into 3 tiers based on criticality. The Level 1's are the most critical suppliers (implants, sterilization)... these suppliers are audited on-site at least every 2 years, more if we have concerns with their quality. Level 2's are moderate criticality (instrument manufacturers, calibration labs, passivation, etc.)... in order to be approved, an on-site audit is required. Every year we we review the Level 2's to determine what kind of monitoring is needed. We then document what monitoring method will be used and justify why. Some are audited on-site, some we do a performance/record review, some we do a very focused desk audit. Level 3's are low risk (pest control, printing companies, UPS, etc.). Some initial evaluation is needed during the approval process, but no audit is needed.
In summary, use a risk-based approach to determine when audits are needed. When audits are over-kill, determine some other suitable method for evaluation, and document why that is OK. As long as you can justify it and it makes good sense, you should be fine.