A modern therapy is a relay: an API plant on one continent, a contract manufacturer on another, a testing lab, a sterilizer, a serialization partner — and your name on the label at the end of it. Every regulator that matters holds the license holder answerable for all of it. A quality agreement divides the work; it never divides the accountability. We audit suppliers and vendors for pharmaceutical, biotech, medical device, and cell and gene therapy companies, at the depth of the standard each one actually answers to, with findings your quality system can act on.

A supplier's gap becomes your 483. We audit the chain before an inspector does.
EU GMP devotes an entire chapter to outsourced activities. The contract giver must assess the contract acceptor's competence before any work begins, and keep assessing it for as long as the work continues.
Your quality system doesn't stop at your fence line. ICH Q10 names control of outsourced activities and purchased materials a core responsibility of the QMS: one inspectors sample directly, through your supplier files.
For device makers, the QMSR carries ISO 13485's purchasing controls into FDA law: supplier evaluation, defined controls, and re-evaluation are now the same expectation on both sides of the Atlantic.

A regulator reads every supplier as an extension of you. The audit finds what your name is attached to.
There is no generic supplier audit. Each vendor type fails in its own way and answers to its own standard. Every audit is scoped against the rulebook that supplier will actually be held to.
CMOs and CDMOs for drug product, biologics, and devices, audited across the full quality system with your quality agreement open on the table, because that's how an investigator will read the relationship.
ICH Q7 depth where your molecule starts: starting-material controls, impurity fate, and the QC-lab data integrity that decides whether a certificate of analysis means anything at all.
Risk-proportionate audits of excipient, raw-material, and component suppliers, sharpest where risk concentrates: single-source materials, animal-origin inputs, and everything nitrosamines taught the industry to re-examine.
Primary packaging, artwork and label control, and serialization partners — the quiet suppliers behind most mix-up recalls, audited before the mix-up.
GMP and GLP testing labs probed where they actually fail: method validation, OOS handling, audit trails, reference standards, and the chain of custody behind every result you release on.
Sterilization, distribution and 3PL, calibration, and the software vendors inside your GxP processes, assessed against computerized-system and data-integrity expectations rather than a generic IT questionnaire.

Scoped to the supplier and its risk, on the floor, not filed as a generic IT questionnaire.
Auditing everything identically is as indefensible as auditing nothing. We tier your supplier base by what its failure would reach, then set the depth, the cadence, and the requalification clock to match, with a rationale you can defend in an inspection.

An API plant, a CMO, a sterilizer, a carrier: your license is only as strong as its farthest link.
Suppliers whose failure reaches the patient: contract manufacturers, API sources, sterilization, primary packaging. Audited on site, by a senior auditor, on a clock that never lapses.
Suppliers who can stop your supply or corrupt your data without touching the product: contract labs, key components, GxP software. Depth flexes with history, performance, and change.
Low-risk, commodity, and compendial suppliers managed through remote assessments and performance monitoring — documented well enough that no investigator mistakes proportionate for neglected.
Already have a tiering model? We pressure-test it rather than replace it. The goal is a program you can defend in an inspection, clause by clause.
A supplier file that ends at the approval memo is a finding waiting to be written. Every audit we run sits inside a lifecycle your QMS can hold onto and hand to an investigator.
Risk-rank the supplier base and build an audit schedule a regulator can follow — and your budget can survive.
An agenda built from your quality agreement, the product's risk, the supplier's history — and what previous auditors let slide.
On the floor or on the record: process walk-downs, data-integrity sampling, and interviews that leave the tour route.
Graded findings cited to the clause, delivered in days, written for your supplier file and whoever inspects it.
Findings become CAPA requests written to be answerable — then chased to verified closure, not acknowledgment.
The clock restarts with evidence behind it: performance data, change notifications, and the next audit already on the calendar.

Supplier qualification and audits that hold across the life of the relationship.
Every audit ends in a report written for its two real audiences: the quality team that has to act on it this quarter, and the investigator who will pull your supplier file years from now. Evidence-based, graded the way a regulator grades, and specific enough that nobody has to re-audit the site to understand it.
And when a signal hits — an OOS trend, an upstream recall, a warning letter naming your supplier — the same team runs for-cause audits on short notice, anywhere in the world.
Audits are judged by the work behind them. A representative sample of supplier-facing engagements delivered by our consultants:

A supplier audit is won in the aisles and the logbooks, not in the conference room.
Three years as FDA and EU MDR regulatory lead for thirty supplier-transfer projects across the global orthopaedics portfolio. Owned regulatory impact assessments, Tech File updates, labeling remediation, and reporting to the executive team.
Brought in weeks before an ISO 13485 notified body audit after the Quality Manager exited. Closed open CAPAs, remediated ISO 14971 gaps, executed the internal audit, and supported the organization through the audit itself.
The report is only worth what the audit behind it was. These standards go in writing at the start of every engagement.
The person on the supplier's floor has qualified suppliers for their own products — and knows the difference between a tour and an audit.
Every finding names the clause and the evidence. No vague observations a supplier can argue away or a regulator can't follow.
No conflicts with the suppliers we audit, and your data handled with the confidentiality we'd demand for our own.
A filed report closes nothing. We track every finding to verified closure, and tell you plainly when a supplier's answer isn't one.
Your audits are led by senior quality and regulatory leaders who have qualified, supervised, and fired suppliers for their own programs. Life sciences is all we audit, because it's all we do: pharmaceutical, biotech, medical device, and cell and gene therapy supply chains.
A sterile API plant, a device contract manufacturer, and a viral-vector CDMO fail in different ways. Your auditor has qualified your kind of supplier before.
On-site audits across North America, Europe, and Asia, with FDA, EMA, MHRA, and PMDA expectations built into the checklist from the start.
Drug and device, FDA and ISO: one auditor who can read a quality agreement, a DMF cross-reference, and an ISO 13485 certificate in the same afternoon.
The practitioner who scopes your program is the one who walks the supplier's floor. No handoff to a junior team after the agreement is signed.

When a supplier audit surfaces a systemic problem — theirs or yours — the same team can run the remediation: CAPA architecture, effectiveness checks, and the evidence trail that proves the fix held.
Tell us what's driving it — a qualification backlog, an approaching pre-approval inspection, a critical supplier nobody has visited in years. We'll scope the right audit program and respond within one business day. All inquiries are strictly confidential.