External Audit Program Management (Supplier Audits) *

by J.P. Russell

Many of the program requirements for internal and external audits are the same. However, external audits are different due to the relationship between customer and supplier.

Organizations continue to focus on core competencies, resulting in greater dependence on high-quality materials and services from suppliers. Now, more than ever, supply chain management is important to ensure that organizations can compete in the global market and network community.

The audit program is a key player in monitoring the external supply chain. Supply chain management is an enterprise within an enterprise.

Audit program managers will need to interface with procurement to ensure that contracts contain access clauses and to understand procurement needs in order to schedule audits or other oversight services of the global supply chain. Oversight may be needed for first-, second-, and perhaps third-tier suppliers depending on organization objectives, customer requirements, and risk. A first-tier supplier is an organization that supplies the customer directly. A second-tier supplier is an organization that provides a critical component to the first-tier supplier, which in turn is used in what the customer receives. Interruption of the supply of critical components from second- and third-tier suppliers could have a significant impact on the customer's operations.

The supply chain enterprise may include:

  • Procurement
  • Requirements flow down
  • Logistics network
  • Manufacturing and technology, obsolescence management
  • Demand forecasting
  • Customer service relationship
  • Risk management
  • Performance management

The external audit program will most likely be involved with the procurement, performance management, and risk management aspects of the supply chain.


In many cases, the procurement department is the client that needs services of the audit program. Procurement personnel may be called procurement specialists, buyers, and purchasing agents as well as purchasing managers and supervisors. Depending on its needs, the organization may employ procurement and auditing personnel with international experience.

Procurement duties and responsibilities that may involve the auditing function are the following:

  • Creating and implementing performance metrics (key performance indicators [KPIs]).
  • Monitoring and reporting trends in the supplier and contract base that could affect supply.
  • Establishing and promoting relationships with suppliers and customers: The organization may need to develop close relationships with suppliers of critical material and services. In some cases, partnerships will need to be established.
  • Following up on and monitoring supplier performance to ensure corrective action is taken on identified issues.
  • Verifying special programs as needed, such as vendor projects, changes, buy-resale, private label, and so on.

The audit program management and auditors are usually not involved in establishing supplier requirements but are likely to be involved in their oversight. Requirements may be technical, supplier process related, logistical, administrative, or legal. Technical requirements typically come from the process designer or process owner; quality (improvement) function; or technical, procurement, or legal department.

Example technical requirements include:

  • Physical characteristics such as weight or dimensions
  • Chemical composition
  • Physical properties such as hardness, smoothness, and finish
  • Performance results

Example supplier process requirements include:

  • Process variation monitoring
  • Certificate of compliance
  • First article inspection or other test requirements
  • ISO 9001 plus or minus requirements

Example logistical requirements include:

  • Identification such as bar code, name, serial number, or color code
  • Packaging such as padding, box, pallet, spacing, and so on
  • Instructions
  • Packing list
  • Special storage conditions listed on package
  • Storage service requirements (operate, change fluids, exercise, rotate, and so on)

Example administrative and legal requirements include:

  • Hazardous response instructions and markings
  • First aid instructions
  • Purchase order number or contract number
  • Disaster recovery and continuity plans covering events such as natural disaster, cyber-attack, and material outage

There may be other requirements depending on the risks involved, for example, source inspection for expensive and/or large equipment. Inspection type, sample size, and rejection criteria may be part of the product or service requirements.

The expansion of the supplier base for many organizations has spawned the evolution of logistics management. The globalization and outsourcing of products and services has led to increasingly complex supply chains with longer lead times, more pipeline inventory, and the need to control downstream and upstream logistics.

Establishing a supply chain network may include supplier selection and movement of goods and services to their final destination. Audit programs may not develop the supply chain network, but they may need to verify and monitor activities to ensure requirements are met. External audits may need different capabilities in order to be effective.

Movement of goods and services may include:

  • Modes of travel such as train, air, roadway, and sea
  • Distribution and storage services
  • Storage conditions
  • Technical service
  • Expedited services
  • Controlling storage costs and expenses such as detention and demurrage charges

Supplier selection may include:

  • Initial evaluation
  • Maturity model results
  • Assessment of capabilities

The supply chain may stretch across the globe, but in all cases deadlines must be met and the customer must be satisfied. Language and cultural barriers may need to be overcome, and effective communication is an important factor for success. Conducting eAudits (remote audits) may be an important audit program strategy to ensure proper oversight and control of risks when suppliers are geographically dispersed.

Risk Management—Supply Chain

Management is always concerned about risk. MBAs are taught about business risk and the risk of failure, and management has been taught to avoid unnecessary risk. The ISO standards themselves represent strategies to reduce risk in selected areas such as product liability, environmental controls, and occupational safety and health. Extending the supply chain may or may not increase total organizational risk, but because fewer business processes are controlled internally, more of that risk must be managed through the supply chain. Increasing dependence on supplier organizations increases a customer's business risk.

The risk management scope should include controls throughout a product's life cycle, across all company processes and the external supply chain. The scope of the program could be limited to a product or may include selected enterprise processes. The purpose of the program should be to ensure that customer requirements are being met and to prevent external product failures and nonconformities. An effective risk management program reduces the chances of undesirable and harmful consequences to the organization.

Without a risk management program, the organization is left reacting to problems it did not anticipate. A risk management program allows the organization to be proactive by preventing problems before they occur.

The benefits of proper verification and monitoring of the supply chain include:

  • Reduced probability of delivering nonconforming products and services
  • Increased probability of achieving organizational objectives
  • Reduced probability of delivering product or services behind schedule
  • Increased probability of compliance to quality, environmental, and safety regulations and the avoidance of undesirable consequences

If there are specific identified risks and risk treatments, the audit function may be asked to verify that they are being controlled and properly treated. Auditor and audit program managers are usually not asked to assess identified risks unless they are specifically assigned to the team for such purposes.

During any visit or interface with a supplier, an auditor has a duty to report any potentially significant risk to the audit program manager and the client.

Performance Management

Supplier monitoring may include many activities depending on the risk and criticality of the product and/or service. Monitoring and reporting needs will continue to change due to organizational needs, changes, and relationships with suppliers.

Monitoring and verification may include:

  • Assessment of capabilities
  • Source inspection
  • Ongoing inspection (100% inspection, acceptance sampling, and skip-lot inspection)
  • Certification of conformance
  • Surveys
  • Conformity audit
  • Contract audit
  • Risk-based audit
  • Verification of corrective actions

In many cases, suppliers are asked to conform to a management system standard such as ISO 9001. If a supplier is asked to comply with a management system standard such as ISO 9001 plus specific additional requirements that may be found in another standard such as ISO 13485 (medical devices) or ISO/TS 16949 (automotive), it may be called an ISO 9001 plus audit. Audits of very small supplier organizations that are asked to implement only certain parts of a management standard such as ISO 9001 are called ISO 9001 minus audits.

External auditors may need additional training in working with different cultures, since a misunderstanding can delay an audit or damage a business relationship. External auditors may also need appropriate technical knowledge about the part and the processes that yield the product being supplied.

Audit results are one input in maintaining a supplier report. The results may be the basis for increasing or decreasing oversight of the supplier organization. Some organizations have supplier levels that affect not only oversight but also the share of the business, and these levels have monetary consequences. The higher the supplier level, the less oversight is needed.

*Taken from The ASQ Auditing Handbook, 4th edition, Chapter 16 Audit Program Management/Part IV-A, pages 181-185.

Periodically, about every five years, ASQ Certified Quality Auditors (CQAs) participate in a survey to update the CQA Body of Knowledge (BOK). Late in 2011, experts in the field of auditing were interviewed and 2,500 CQAs worldwide were surveyed. The data generated by the survey capture current trends and changes in the auditing industry, keeping the BOK current and prepared for the future. The ASQ Auditing Handbook, 4th edition, has been updated to include the latest BOK changes.

General topics include security, risk, social responsibility, ethnic diversity, and remote audits. New sections include External Audit Program, Best Practices, Organizational Risk Management, Common Causes, Outliers, and Risk Management Tools. Many other sections were expanded.

About the author

J.P. Russell is the founder and managing director of QualityWBT Center for Education (www.Qualitywbt.com), an eLearning provider. He is also an ASQ fellow, an ASQ-certified quality auditor, a member of the US TAG 302 for management system auditing, and a member of the U.S. technical advisory group for the International Organization for Standardization technical committee 176. Russell is a recipient of the Paul Gauthier Award from the ASQ Audit Division and the author of several best-selling ASQ Quality Press books about auditing, standards, and quality improvement, and he is the editor of The ASQ Quality Auditing Handbook.