Look at everything you receive and ask yourself "What do we check and why? What do we not check and why? For what we do check, what do we check and why?"
The bottom line is any time there is a decision to buy some decisions should be made about what to check. Do you have critical characteristics for the material you're planning to purchase? Maybe it's just cotton cloth to cover a rack that painted parts are transported on. Maybe theres nothing critical identified. Maybe it's just quantity you want to check. Maybe your product requires a part made of hardened steel. Is the hardness a critical characteristic? Do you want the supplier to submit test data? Do you want to institute an in-house check? Do you want to sub out a periodic check to an outside lab to verify your suplliers' data?
What part does the supplier play in your decision? Does the supplier you plan to buy from already supply similar parts to you? In the same quantities and to the same precision? What if the supplier normally supplies you with plastic parts but also sells several metal parts - you're satisfied with the plastic parts you currently buy but have never bought metal parts from that supplier. Can you assume their metal processes are as capable (etc., etc.) as their plastic processes? They're approved Ship-to-Stock on the plastic parts you purchase from them, but what about the new metal parts you plan to purchase? Are you going to pre-approve them as Ship-to-Stock based upon their current record with plastic parts or are you going to establish a separate rating (and acceptance criteria, etc.) for the metal part?
The role of a supplier asseessment is variable. A mailed or e-mailed survey to be completed by the supplier? A visit to the supplier - such as a process or systems audit?
You have to be ready to explain the process you go through, with consideration the the factors noted above and others, to determine receiving requirements. As far as a CofC goes, some companies find them acceptable for their requirements. But remember - CofCs without data (and CofCs [certificate of Conformance] are typically just a 'promise' statement) are of little value.
Remember the old advertisement: "Promise her anything, but give her...."