Supplier &
Vendor Audits

Their facility. Your accountability.

Why Supplier Audits

Regulators Read Your Supply Chain as an Extension of Your Site.

A modern therapy is a relay: an API plant on one continent, a contract manufacturer on another, a testing lab, a sterilizer, a serialization partner — and your name on the label at the end of it. Every regulator that matters holds the license holder answerable for all of it. A quality agreement divides the work; it never divides the accountability. We audit suppliers and vendors for pharmaceutical, biotech, medical device, and cell and gene therapy companies, at the depth of the standard each one actually answers to, with findings your quality system can act on.

Your quality is their quality

A supplier's gap becomes your 483. We audit the chain before an inspector does.

The Regulatory Baseline

Outsource the Activity. Never the Responsibility.

Ch. 7

EU GMP devotes an entire chapter to outsourced activities. The contract giver must assess the contract acceptor's competence before any work begins, and keep assessing it for as long as the work continues.

ICH Q10

Your quality system doesn't stop at your fence line. ICH Q10 names control of outsourced activities and purchased materials a core responsibility of the QMS: one inspectors sample directly, through your supplier files.

QMSR

For device makers, the QMSR carries ISO 13485's purchasing controls into FDA law: supplier evaluation, defined controls, and re-evaluation are now the same expectation on both sides of the Atlantic.

Supply chain warehouse feeding a regulated manufacturing operation
Outsource the activity, never the responsibility

A regulator reads every supplier as an extension of you. The audit finds what your name is attached to.

Who We Audit

Every Link That Can Reach a Patient.

There is no generic supplier audit. Each vendor type fails in its own way and answers to its own standard. Every audit is scoped against the rulebook that supplier will actually be held to.

Contract Manufacturers

CMOs and CDMOs for drug product, biologics, and devices, audited across the full quality system with your quality agreement open on the table, because that's how an investigator will read the relationship.

API & Intermediate Manufacturers

ICH Q7 depth where your molecule starts: starting-material controls, impurity fate, and the QC-lab data integrity that decides whether a certificate of analysis means anything at all.

Excipients & Raw Materials

Risk-proportionate audits of excipient, raw-material, and component suppliers, sharpest where risk concentrates: single-source materials, animal-origin inputs, and everything nitrosamines taught the industry to re-examine.

Packaging, Labeling & Serialization

Primary packaging, artwork and label control, and serialization partners — the quiet suppliers behind most mix-up recalls, audited before the mix-up.

Contract Laboratories

GMP and GLP testing labs probed where they actually fail: method validation, OOS handling, audit trails, reference standards, and the chain of custody behind every result you release on.

Service & GxP Software Vendors

Sterilization, distribution and 3PL, calibration, and the software vendors inside your GxP processes, assessed against computerized-system and data-integrity expectations rather than a generic IT questionnaire.

Auditor inspecting a supplier facility on the floor
Every link that can reach a patient

Scoped to the supplier and its risk, on the floor, not filed as a generic IT questionnaire.

Risk-Based by Design

Not Every Supplier Earns the Same Audit.

Auditing everything identically is as indefensible as auditing nothing. We tier your supplier base by what its failure would reach, then set the depth, the cadence, and the requalification clock to match, with a rationale you can defend in an inspection.

A loaded container ship crossing calm water at dusk
The chain is the product

An API plant, a CMO, a sterilizer, a carrier: your license is only as strong as its farthest link.

Tier One
Critical
DepthOn-site, multi-day
CadenceEvery 1–3 years, plus for-cause

Suppliers whose failure reaches the patient: contract manufacturers, API sources, sterilization, primary packaging. Audited on site, by a senior auditor, on a clock that never lapses.

Tier Two
Key
DepthOn-site or hybrid
CadenceRisk-clocked, typically 3 years

Suppliers who can stop your supply or corrupt your data without touching the product: contract labs, key components, GxP software. Depth flexes with history, performance, and change.

Tier Three
Routine
DepthStructured remote assessment
CadenceRequalification-driven

Low-risk, commodity, and compendial suppliers managed through remote assessments and performance monitoring — documented well enough that no investigator mistakes proportionate for neglected.

Already have a tiering model? We pressure-test it rather than replace it. The goal is a program you can defend in an inspection, clause by clause.

When did a qualified auditor last walk your most critical supplier's floor?

Book a Strategy Call
The Audit Lifecycle

Qualification Is a Loop, Not a Gate.

A supplier file that ends at the approval memo is a finding waiting to be written. Every audit we run sits inside a lifecycle your QMS can hold onto and hand to an investigator.

1
Tier & Plan

Risk-rank the supplier base and build an audit schedule a regulator can follow — and your budget can survive.

2
Prepare

An agenda built from your quality agreement, the product's risk, the supplier's history — and what previous auditors let slide.

3
Audit

On the floor or on the record: process walk-downs, data-integrity sampling, and interviews that leave the tour route.

4
Report

Graded findings cited to the clause, delivered in days, written for your supplier file and whoever inspects it.

5
Close CAPAs

Findings become CAPA requests written to be answerable — then chased to verified closure, not acknowledgment.

6
Requalify

The clock restarts with evidence behind it: performance data, change notifications, and the next audit already on the calendar.

A Supplier File That Survives Scrutiny.

Qualified, then watched

Supplier qualification and audits that hold across the life of the relationship.

Every audit ends in a report written for its two real audiences: the quality team that has to act on it this quarter, and the investigator who will pull your supplier file years from now. Evidence-based, graded the way a regulator grades, and specific enough that nobody has to re-audit the site to understand it.

And when a signal hits — an OOS trend, an upstream recall, a warning letter naming your supplier — the same team runs for-cause audits on short notice, anywhere in the world.

The Deliverable

  • Findings graded critical, major, or minor, each cited to the applicable clause
  • A supplier risk rating with a recommended requalification clock
  • Quality-agreement gaps mapped against how the relationship actually operates
  • CAPA requests written to be answerable and tracked to verified closure
  • An executive summary your supplier file can carry into any inspection
  • Comparable scoring across your supplier base, audit after audit

The Standard, Demonstrated on Real Floors.

Audits are judged by the work behind them. A representative sample of supplier-facing engagements delivered by our consultants:

A warehouse employee verifying inventory with a tablet and scanner
Verified on the floor

A supplier audit is won in the aisles and the logbooks, not in the conference room.

Johnson & Johnson
Regulatory Lead · Thirty Supplier-Transfer Projects

Three years as FDA and EU MDR regulatory lead for thirty supplier-transfer projects across the global orthopaedics portfolio. Owned regulatory impact assessments, Tech File updates, labeling remediation, and reporting to the executive team.

ProPlate
Quality Lead · Notified Body Audit Rescue

Brought in weeks before an ISO 13485 notified body audit after the Quality Manager exited. Closed open CAPAs, remediated ISO 14971 gaps, executed the internal audit, and supported the organization through the audit itself.

An Audit That Flatters a Supplier Protects Nobody.

The report is only worth what the audit behind it was. These standards go in writing at the start of every engagement.

Senior auditors, no tourists.

The person on the supplier's floor has qualified suppliers for their own products — and knows the difference between a tour and an audit.

Cited, not asserted.

Every finding names the clause and the evidence. No vague observations a supplier can argue away or a regulator can't follow.

Independent in both directions.

No conflicts with the suppliers we audit, and your data handled with the confidentiality we'd demand for our own.

Closed means verified.

A filed report closes nothing. We track every finding to verified closure, and tell you plainly when a supplier's answer isn't one.

Who Walks the Floor

Auditors Who Have Sat on Your Side of the Quality Agreement.

Your audits are led by senior quality and regulatory leaders who have qualified, supervised, and fired suppliers for their own programs. Life sciences is all we audit, because it's all we do: pharmaceutical, biotech, medical device, and cell and gene therapy supply chains.

Matched to Your Supplier

A sterile API plant, a device contract manufacturer, and a viral-vector CDMO fail in different ways. Your auditor has qualified your kind of supplier before.

Global Coverage

On-site audits across North America, Europe, and Asia, with FDA, EMA, MHRA, and PMDA expectations built into the checklist from the start.

Fluent in Both Rulebooks

Drug and device, FDA and ISO: one auditor who can read a quality agreement, a DMF cross-reference, and an ISO 13485 certificate in the same afternoon.

Senior on Site

The practitioner who scopes your program is the one who walks the supplier's floor. No handoff to a junior team after the agreement is signed.

Supplier auditor reviewing a qualification file

The audit finds the gap. Someone still has to close it.

When a supplier audit surfaces a systemic problem — theirs or yours — the same team can run the remediation: CAPA architecture, effectiveness checks, and the evidence trail that proves the fix held.

Explore CAPA & Remediation
Work With Us

Know What Your Suppliers Look Like Before a Regulator Does.

Tell us what's driving it — a qualification backlog, an approaching pre-approval inspection, a critical supplier nobody has visited in years. We'll scope the right audit program and respond within one business day. All inquiries are strictly confidential.

Book a Strategy Call Send a Detailed Inquiry