Re: QM for Specification Developer
You're located in Florida, within US FDA jurisdiction, and you ask about "FDA/3rd party" auditing, so this response is specific to US FDA rules. The ISO 13485 / MDD structure is different, but not significantly so.
A US FDA "Specification Developer" that has its physical manufacturing done by a contract manufacturer must have a complete QMS, encompassing all of the operations it does directly and all of the operations that are done by the contract manufacturer. Such a Specification Developer is legally responsible for manufacturing operations done on its behalf, and is directly obligated by 21CFR 820 to "control" those operations. A complete QMS is mandatory to apply such control and demonstrate that you have done so.
The contract manufacturer's QMS is secondary, and does not take the place of the regulatorily responsible Specification Developer's QMS. In the event that the FDA inspects the contract manufacturer, their review of that company's QMS and records will be from the perspective of whether that company's customer--you, the Specification Developer--is applying proper controls to assure that they are conforming to your specifications.
So the premise of your question regarding extending your QMS to handle in-house manufacturing is incorrect.
Will we be vulnerable by 3rd party/FDA auditors if we have procedures that are not implemented, and can't be audited internally but are "implemented" in our Quality System?
No, it's entirely permissible to have QMS elements that are in place to control something that you are not currently doing. Just document that you aren't doing them.