Hi GStough,
There is not a requirement in the regulation or standards that you perform supplier audits. The requirement is that you:
1. Evaluate and select based on ability to comply
2. Define the extent of control/criteria
3. Establish and maintain records
When you set up a supplier auditing program, your decisions should be based on risk. I tell my clients to think of an audit as more of an exception rather than the rule. I have seen many systems that do not accurately determine risk because many companies incorrectly assume that their product has more end user impact than it actually does.
You will also need to consider the amount of resources which will be required to maintain the program. Although this shouldn't matter in the perfect quality-centric world, you need to stay on budget unless the level of risk is unacceptable.
Start with a rating system that will identify the most critical suppliers. Make sure that you include service organizations. From there take another swipe from a performance standpoint. You could also consider industry certifications, but more importantly who provided the company with the certificate.
Hopefully by this time you have a manageable set of suppliers that need to be audited. Next you can set up criteria that allow the suppliers to be audited less frequently, like a performance or responsiveness metric.
Hope this helps.
Best,
Scott