API has issued an interpretation (see page 4 of the attached, also available from the address below) that addresses this question.
https://mycommittees.api.org/standards/techinterp/mspecs/Shared Documents/Q1.pdf
Question: Purchased materials – When materials such as forgings and wrought materials are purchased from steel manufacturers (who perform the heat treatment and in some cases NDT), is it a requirement of API Spec Q1, 9th Edition, Section 5.7.1.5 for the licensee to also validate the steel manufacturer’s process controls for processes requiring validation?
No. Based on the information provided, this is a purchase issue and therefore all that is required is verification of that the product meets the contract requirements on receipt (5.6.3). Outsourcing (5.6.1.6) and validation (5.7.1.5) do not apply since the product requirements do not expect that the organization perform the forging activity itself, but simply to use forged product. Therefore, by extension, validation of those processes such as forging does not apply. Note however, that validation of a supplier’s processes is likely to be required in two cases: a) When this is included in the process of the initial qualification of a critical supplier per 5.6.1.2 and for reevaluation (optionally) per 5.6.1.4; or b) When the activity does become one of outsourcing (Section 5.6.1.6), i.e. the supplier is performing the activity on behalf of the organization when such an activity is required by the product spec or other obligation (contract).
If you are purchasing (and not outsourcing; API Q1 differentiates between these) the forgings, castings and fasteners, then you generally do not need to validate the special processes performed by the suppliers.
However, if you have decided to make special process validation a critical supplier (re-)evaluation requirement (this is not specified by API Q1 but you can choose to do so) or if the supplier is performing an activity on your behalf (for example, you are a forging manufacturer who outsources NDE on your forgings), then you are required to validate the process. Reviewing the supplier's validation records is generally sufficient for this - their personnel will be performing the process, so it often doesn't make sense for you to do a separate validation (you commonly don't have personnel to do it yourself anyway and you want to validate the supplier's process using the supplier's personnel).
For the second question, you are not required by API Q1 to do what you mention. However, per API Q1 9th Edition Addendum 2 5.6.1.1 c, you are required to address "type and extent of control applied to the supply chain for critical products, components or activities" and per 5.6.1.2 b and 5.6.1.4, you are required to verify "the type and extent of control applied by the supplier, internally and to their supply chain, in order to meet the organization’s requirements". Depending on risk, in some cases it may make sense for the Q1 organization to specify and verify controls on the supplier's supplier of raw material (and you could specify in your contract that your supplier only use raw material suppliers that you have approved). However, it is not a Q1 requirement to specify this and you can specify other controls, preferably that are appropriate for the risks associated with your product.