Adequately Defining Which Suppliers to Audit and Frequency

[GStough]

When there are over 200 suppliers that need to be evaluated, how does the company determine which ones need to be audited? Is it expected that all 200+ suppliers must be audited? How is this adequately defined so that the audit schedule remains manageable and yet still achieves compliance to procedures and external requirements?

Any input is welcome. TIA....

 

[PaulJSmith]

I would think that two factors would drive that decision:
1) Importance of their product or service to your product or service, and
2) History of the supplier's performance

Clearly, there's likely no need to audit your toilet paper supplier. Probably not a COTS fastener supplier who always sends the right parts on-time, either.

Obviously, you are in the driver's seat regarding compliance to your internal procedures. You write them.
External requirements (customer?) may be a different matter, though.

 

[Bev D]

Unless you have a customer specific requirement there is no need to audit any of your suppliers. In fact, one of the main reasons for adoption of a universal - then some industry specific - standards was to eliminate the need to audit suppliers that were registered to the applicable standard. The general requirement is to assess them. How do you assess their performance?


I would recommend a technical audit of any new supplier or supplier location to ensure that there equipment is adequate and capable of meeting your quality requirements. *I* have found that QMS audits of suppliers are usually not predictive of supplier performance. A simple visit with a technical assessment can tell you if the supplier will be collaborative or combative. Those are probably the two most critical items to 'audit' personally.

 

[gunnyshore]

My recommendation is to identify a level associated with each supplier based on risk. Use categories such as :critical, major and "non-QS related" and associate one level for each supplier.

Once that is done, you can state in your procedure that critical and major suppliers are covered within the scope of the audits and non-QS related suppliers do not require an audit.

Then, take the performance profile of the first two category suppliers and look to see which suppliers are not performing to your expectations. Using the same approach as a FMEA, determine a level of performance that requires an audit to be performed.

 

[Scott A. Bednar]

Hi GStough,

There is not a requirement in the regulation or standards that you perform supplier audits. The requirement is that you:

1. Evaluate and select based on ability to comply
2. Define the extent of control/criteria
3. Establish and maintain records

When you set up a supplier auditing program, your decisions should be based on risk. I tell my clients to think of an audit as more of an exception rather than the rule. I have seen many systems that do not accurately determine risk because many companies incorrectly assume that their product has more end user impact than it actually does.
You will also need to consider the amount of resources which will be required to maintain the program. Although this shouldn't matter in the perfect quality-centric world, you need to stay on budget unless the level of risk is unacceptable.
Start with a rating system that will identify the most critical suppliers. Make sure that you include service organizations. From there take another swipe from a performance standpoint. You could also consider industry certifications, but more importantly who provided the company with the certificate.
Hopefully by this time you have a manageable set of suppliers that need to be audited. Next you can set up criteria that allow the suppliers to be audited less frequently, like a performance or responsiveness metric.

Hope this helps.

Best,
Scott

 

[dsanabria]

When there are over 200 suppliers that need to be evaluated, how does the company determine which ones need to be audited? Is it expected that all 200+ suppliers must be audited? How is this adequately defined so that the audit schedule remains manageable and yet still achieves compliance to procedures and external requirements?

Any input is welcome. TIA....

Look at you list of supplier and eliminates those that are mandated by your customers.

Then, use the 80/20 rules to reduce the suppliers that you want to work with. - this should reduce the list even further. Bottom line - don't bother that small suppliers that you use every 2 or 3 years.

Now your supplier list has been reduced to those that you primarily do most of your business with. So the next step is to make a Pareto chart and identify the suppliers with the most issues - that should reduce the list even further and you have identified suppliers that

a) you might want to find an alternative.
b) you could monitor and work with
c) increase communication with those suppliers that will work with you.

Bottom line - there is no requirement to audit suppliers and personally - don't see what you get from it - versus the invested time and resources

 

[Michael_M]

Hi GStough,

There is not a requirement in the regulation or standards that you perform supplier audits.

This is not true depending on what standard you are following. AS9100 (Aerospace) requires periodically review supplier performance and this review will be used as a basis for establishing the level of controls to be implemented. In addition, AS9100 requires a register of suppliers that includes approval status and scope of approval.

It depends on what standard is being followed.

 

[Scott A. Bednar]

Hi Mike,

She works in medical.

Thx,
Scott

 

[GStough]

Thank you, everyone, for the replies. I have taken the advice given here and used it to create an audit schedule based on risk for our critical suppliers.

Yes, I work in the medical device/IVD industry and while the regs/standards don't specifically state that we MUST do audits, it is one of the methods that our customers expect us to use in exercising purchasing controls.

I think that we have something in place that meets the expectations of our customers, as well as being compliant with the applicable regs/standards.

Thanks again for your help!