RCRCA Toolkit

Audit Guide

Supplier Audit Checklist: What to Look For and How to Score It

A supplier audit is only as good as the checklist behind it. This guide walks through the three audit types — system, process, product — with practical questions, the evidence to ask for, and a scoring approach that makes results comparable across suppliers and across years.

Supplier audits confirm that the quality system on paper matches the one actually being run. A certification on the wall is not evidence of compliance; an audit against a structured checklist is. See the broader supplier quality guide for where audits sit in the program.

The three audit types

  • System audit — full QMS review against ISO 9001, IATF 16949, AS9100, or ISO 13485. Usually annual, 1-3 days on-site. Confirms the supplier's documented system covers all required clauses and is operating.
  • Process audit — focused on a specific manufacturing process (welding, anodizing, heat treat, SMT, machining cell). Often performed as a Layered Process Audit (LPA) with standardized questions across the supply base.
  • Product audit — full inspection of a finished part against the print, spec, and PPAP/FAI record. Catches drift between approval and current production.

Preparation

Before the visit:

  • Pull the supplier's last audit report and verify open findings are closed.
  • Review recent SCAR history, NCRs, and scorecard performance — audits should target weak areas.
  • Request and review the supplier's QMS manual, process flow, control plan, PFMEA, and recent internal audit records.
  • Send the audit agenda and the checklist to the supplier at least one week in advance.
  • Confirm the supplier's process owners will be available — auditing without process owners present is wasted time.

System audit questions

Sample questions, organized by clause area. Every yes/no should be backed by evidence.

Management and risk

  • Is there a current quality policy signed by top management? Where is it posted or distributed?
  • Are quality objectives measurable, owned, and reviewed at management review?
  • Show the risk register. How often is it reviewed? When was it last updated?

Document and record control

  • Pull three controlled documents from the floor — are they current revision?
  • Show the change control record for the most recent work-instruction revision.
  • Show retention evidence for a record type required by the customer (e.g. FAI, PPAP, calibration).

Training and competency

  • Show the training matrix for one operator on the floor. Are all required qualifications current?
  • Who qualifies operators on special processes? Show their qualification record.

Production and process control

  • Show the control plan and PFMEA for one part. Do they match what is happening on the floor?
  • How are setup and changeover verified? Show the most recent first-piece approval record.
  • How are out-of-control conditions detected and reacted to? Show the reaction plan and the most recent excursion record.

Inspection, calibration, and gage R&R

  • Pull a gage from the floor. Is the calibration current? Where is the record?
  • Show the most recent gage R&R for a critical characteristic.

Nonconforming product

  • Show the quarantine area. Is it segregated, labeled, and traceable?
  • Pull the most recent NCR. Was disposition timely?

Corrective action and CAPA

  • Pull the most recent three corrective actions. Are root causes real or restated symptoms?
  • Show the effectiveness verification on a closed CAPA from 60-90 days ago.
  • How is read-across performed? Show evidence.

Supplier control (sub-tier)

  • Show the AVL and the criteria for adding or removing suppliers.
  • How does the supplier flow down customer-specific requirements to sub-tiers?

Process audit (LPA)

Layered Process Audits are short, structured audits performed at each layer of management (shift lead, supervisor, plant manager). Each layer uses the same checklist, performed at a defined frequency, to verify process discipline on the floor. Typical content:

  • Is the operator at the workstation the qualified operator on the schedule?
  • Are the work instruction, control plan, and visual standards at the workstation current revision?
  • Is the first-piece approval record completed for the current setup?
  • Are gages on the workstation calibrated and within usable range?
  • Are scrap and rework parts segregated correctly?
  • Are the most recent SPC charts current and signed?
  • Is PPE in use and is housekeeping (5S) consistent with the standard?

Product audit

Pull a finished unit from the end of the line at random. Inspect every characteristic on the print and against the PPAP or FAI record. The audit catches three failure modes: drift from approval, characteristic creep where the supplier has been running to a tighter or looser internal spec, and missing controls on characteristics that were waived at qualification.

Scoring and findings

Use a consistent three- or four-tier severity classification so scores roll up across suppliers:

  • Major — a clause is not being met or a control is absent. Triggers a SCAR.
  • Minor — a clause is met but with weak evidence or partial implementation.
  • Observation — improvement opportunity, no formal response required.

Score totals feed the supplier scorecard tier. See the supplier scorecard template for how audit results weight against PPM and SCAR performance.

Follow-up and SCAR

Every major finding should issue a SCAR with the same response timeline as a production escape. Minor findings can ride on a single consolidated response. Close all findings before the next scheduled audit; carrying open findings across audits is one of the most common audit-program failure patterns.

For the SCAR format the supplier will respond with, see the SCAR template guide. For the broader process the SCAR fits into, see corrective action.

Pair the audit with the SCAR Template

Audit findings flow into SCARs. Use the free SCAR template to issue them.

Download the SCAR template