How to Run a Supplier Audit That Actually Tells You Something

After eighteen months of disrupted shipping, single-source shocks, and suppliers quietly going under, a lot of organizations rediscovered that they did not really know their supply base. A supplier audit is supposed to fix that. Done badly, it becomes a paperwork ritual: someone confirms the certificate is on file, ticks a box, and learns nothing. Done well, it surfaces the things that actually break delivery. The difference is almost entirely in the preparation.

Decide what you are auditing for

An audit is only as useful as the question behind it. "Are they ISO certified?" is a weak question. "Can this supplier keep delivering if their second-tier source in another country shuts down?" is a question worth a site visit. Before you schedule anything, write down the two or three risks that would genuinely hurt you if this supplier failed. For a sole-source critical part, that might be capacity and continuity. For a commodity item, it might be financial health and ethics compliance. Tailor the audit to the risk, not to a generic template.

A workable sequence

1. Segment first. You cannot audit everyone, and you should not try. Rank suppliers by spend and by how badly a failure would hurt. Reserve deep, on-site or video-walkthrough audits for the high-risk, hard-to-replace ones; use a self-assessment questionnaire for the rest.

2. Send the scope in advance. Tell the supplier exactly what you will review, what records you need ready, and who you need to speak with. Surprise audits feel rigorous but mostly produce defensiveness. You want a working session, not a raid.

3. Verify against evidence, not assertions. For every claim, ask to see the record behind it. If they say they inspect incoming material, ask for last month's inspection logs. If they say they have a business continuity plan, ask when it was last tested and read the after-action notes.

4. Trace one real order end to end. Pick an actual purchase order and follow it through receiving, production, quality, and shipping. A single traced order reveals more than a hundred policy documents.

5. Score findings by impact. Separate a minor housekeeping gap from a finding that could stop your line. A flat list of twenty equal-weight observations buries the two that matter.

6. Close the loop. Agree on corrective actions with owners and dates, then schedule the follow-up before you leave. An audit with no verified closure is just a report nobody reads.

What good auditors look for that checklists miss

• Concentration risk hidden one tier down — your supplier may be diversified while depending on a single sub-supplier you have never heard of.

• Capacity headroom: how much of their output is already committed to other customers, and where you sit in their priority list when things get tight.

• Whether quality and continuity are real habits or documents produced for the audit — ask the people doing the work, not just the quality manager.

• Financial warning signs: stretched payment terms to their own suppliers, key staff turnover, delayed investment in equipment.

With remote and hybrid working now normal, you do not always need to fly out. A live video walkthrough of the floor, screen-shared records, and a structured interview can cover most of a routine audit, with travel reserved for the suppliers where seeing the operation in person genuinely changes your judgment. The discipline is the same either way: clear scope, evidence over assertion, findings ranked by impact, and a closure you actually verify.

Finally, treat the audit as the start of a relationship, not a verdict. The goal is a supplier who is more resilient next year, not a folder of findings. Share what you found, agree on what improves, and check back.

If you want help building a risk-based audit program and tightening the contracts behind it, XNM's procurement, sourcing & contract management can help you focus the effort where the real exposure is.