Login
Join for Free
Features
Topics
Discover

FAQ

Unlock the potential of your career in the Pharma industry with our online courses and qualifications.

Career Path

Pick a career path, follow its guided course roadmap, and secure industry-verified credentials in a few months.

Explore Career Paths
Courses

Earn career credentials from industry leaders that demonstrate your expertise.

Explore Courses

Vendor Audit Checklist for GMP: When to Audit,: Key Steps, Questions, and Red Flags

  • Compliance, Regulatory, Technology
Picture of Ershad Moradi

Ershad Moradi

Content Marketing Specialist

A Vendor Audit Checklist is a structured set of questions and evidence points you use to assess a supplier’s quality system and prove supplier control. It’s for Quality, Procurement, and Operations when qualifying new vendors, renewing contracts, adding a new site, or after deviations/complaints.

Aligned with Good Manufacturing Practices (GMP), it follows 3 stages—pre-audit preparation, on-site verification, and post-audit follow-up—plus 5 red flags (data integrity gaps, change control gaps, missing records, poor deviation handling, incomplete batch traceability). Checklist items map to WHO GMP guidance and EU/FDA expectations 

Table of Contents

What is a Vendor Audit Checklist?

An audit checklist is a controlled list of questions and evidence points you use to assess a supplier’s GMP readiness. It keeps your audit objective. It also helps you write a strong supplier audit report template with facts, not opinions. 

A good vendor inspection checklist PDF captures: 

  • Requirement (what GMP / your QMS expects) 
  • Evidence (document ID, record number, screenshot name, interviewee) 
  • Risk (patient/product impact) 
  • Finding level (minor/major/critical) 
  • CAPA (owner, due date, effectiveness check) 
vendor audit checklist
Vendor Inspection Checklist Snapshot: What It Covers

When to use a Supplier Audit Checklist

Use a supplier audit checklist when you need supplier confidence fast. It helps you verify quality systems before risk hits patients.

  • Before you approve a new supplier or add a new site.

  • Before you renew a contract, especially after pricing or scope changes.

  • After serious deviations, complaints, or late deliveries that repeat 3 times.

First, check records; then interview staff; and finally confirm controls on-site. Also use it before audits to close gaps and set clear CAPA actions. Therefore you reduce surprises, speed approvals, and protect your entire supply chain.

Supplier Audit Checklist Use-Cases Table (Trigger, Goal, Output)

Trigger Goal Output
New critical supplier / CMO / lab
Qualify before first GMP lot
Approved supplier + quality agreement
New material for a registered product
Confirm traceability + specs control
Risk assessment + updated specs/testing
Major change (site/process/equipment)
Confirm change control + validation links
Change impact review + re-qualification plan
Repeating deviations / complaints
Identify root causes in the supply chain
Audit report + CAPA plan + timelines
OOS/OOT trend or data integrity signal
Check investigations + governance
Gap list + remediation CAPA
Subcontracting introduced
Verify oversight of sub-suppliers
Subcontractor controls + audit rights
Regulatory inspection pressure
Reduce inspection risk fast
Targeted audit + evidence pack

Vendor Audit Key Steps

Start with a clear plan and scope. Then request key documents early. Next, review risks and define audit questions. Also align roles between Quality, Procurement, and Operations.

  • Pre-audit: review SOPs, deviations, CAPA, change control, and data integrity.

  • On-site and post-audit: verify evidence, record gaps, and close CAPA fast.

During the visit, follow the process flow, not slide decks. However, document facts with dates and owners. Finally, track actions weekly and confirm effectiveness.

vendor audit checklist
Vendor Audit Key Steps Flow

Pre-audit preparation

Pre-audit preparation starts with smart supplier selection. First, identify critical suppliers and prioritize risk. Then, focus on suppliers tied to patient safety and supply continuity.

  • Identify critical suppliers and prioritize risk.

  • Collect key documents and performance history.

  • Define audit scope, type, and clear objectives.

Next, assign roles and set timelines. Also, align questions with your product and process needs. Therefore you enter the audit with clarity, focus, and control.

Identify critical suppliers and prioritize risk

Critical suppliers can affect product quality and patient safety. Start by listing materials, services, and labs you cannot replace quickly. Include suppliers that handle data, temperature control, or aseptic processing.

First rank impact, then rank likelihood, and finally set audit priority.

  • Sterile, high-risk materials
  • Single-source services
  • Poor performance history

Collect key documents and performance history

Past supplier performance predicts future audit risk. Collect documents before the visit to save time. Also gather trends so you target real weaknesses fast.

First review quality basics, then check delivery trends, and finally flag gaps.

  • Quality agreement and key SOPs

  • Deviation, CAPA, and change history

  • On-time delivery and complaint rates

Define audit scope, type, and clear objectives

Define scope before you book travel or invite stakeholders. Choose the audit type: qualification, routine, or for-cause. Then set clear objectives tied to product risk and supplier performance. Also confirm sites, processes, and systems you will review.

  • Scope: materials, services, records, IT, labs, and subcontractors.

  • Objectives: verify controls, confirm traceability, and test CAPA effectiveness.

First align Quality, then involve Procurement, and finally brief Operations. Therefore everyone asks consistent questions and captures usable evidence.

On-site audit

During the on-site audit, follow the process from receipt to release. Then compare what staff do with documented procedures. Also sample records across different dates and batches. Therefore you confirm consistency, not a staged tour.

  • Review QMS effectiveness and continuous improvement evidence.

  • Verify document/record control and full traceability.

  • Assess NCM controls and CAPA effectiveness

Next, interview key roles and verify training records. However, focus on objective evidence, not promises. Finally, record observations with clear facts, owners, and due dates.

Review QMS effectiveness and continuous improvement evidence

Review QMS effectiveness by checking metrics, trends, and management review actions. Then confirm CAPA closes root causes and prevents repeats. Also verify internal audits drive real change, not paperwork.

First check data, then check actions, and finally check results.

  • CAPA cycle time and effectiveness

  • Audit findings trends

  • Complaint and deviation trends

Verify document/record control and full traceability

Verify document and record control to protect data and product history. Then confirm version control, approvals, and controlled access. Also test traceability from raw material to final release.

First pick a batch, then follow records, and finally confirm signatures.

  • Current SOPs and controlled forms

  • Batch records and deviations linked

  • Data integrity checks and audit trails

Pre-Audit Document Request List

Document Owner Due Date Status
Quality Manual + QMS map
Document/record control SOP + templates
Deviation + CAPA SOPs + last 12 months metrics
NCM/material disposition SOP + examples
Batch/test record sample set
Training matrix for critical roles
Supplier management + subcontractor controls

Assess NCM controls and CAPA effectiveness

Nonconforming material (NCM) control shows how the supplier prevents quality escapes. 

Verify these controls: 

  • Quarantine, labeling, and segregation rules 
  • Disposition authority (who decides and why) 
  • Impact assessment on distributed lots 
  • Clear escalation rules to customers 

Post-audit activities for a Vendor Audit Checklist

Post-audit activities for a Supplier audit checklist turn findings into measurable risk reduction. First, you write the audit report quickly and link every finding to a requirement and evidence.

Then, you classify each gap by risk and set clear expectations for CAPA content, owners, and deadlines. Therefore, the supplier understands what must change and why it matters. 

Here are two main steps :

  • Reporting, CAPA, and follow-up
  • Verify effectiveness through follow-up or re-audit

Reporting, CAPA, and follow-up

Write the supplier audit report template within 5–10 business days. Use neutral language. Anchor every finding to evidence. 

Include: 

  • Scope, dates, audit team, supplier attendees 
  • Summary of strengths and key risks 
  • Findings table (evidence + requirement + risk) 
  • CAPA expectations (owner + deadline + effectiveness) 

Verify effectiveness through follow-up or re-audit

Close findings only after an effectiveness check. 

Choose follow-up based on risk: 

  • Remote evidence reviews for minor gaps 
  • Targeted visit for major system gaps 
  • Full re-audit for critical risks or repeat findings 

Common Findings and Red Flags in audit checklist

Audits often reveal the same high-risk gaps. First, spot patterns across records and interviews. Then, challenge weak explanations with evidence. Also, follow one batch end-to-end for fast clarity. Therefore you catch system issues, not isolated mistakes.

  • Weak data integrity controls, missing audit trails, or shared logins.

  • Poor change control, unclear impact assessment, and late approvals.

  • CAPA closes late, repeats issues, and misses root cause evidence.

  • Incomplete traceability, missing attachments, or inconsistent batch documentation.

Final words

Vendor Audit Checklist: a practical guide to control supplier risk and prove compliance. It helps QA teams standardize vendor decisions. It walks you through 3 stages—pre-audit, on-site, and post-audit. You learn what to review, what to sample, and how to document findings. You also get 4 red flags: integrity gaps, weak change control, repeat deviations, poor traceability.

A 10-year FDA recall analysis found 3,718 recalls: impurities 37%, control 28%. Build strong supplier oversight, and reduce these avoidable failures today.

FAQ:

1️⃣ What does “GMP certified supplements” mean?

It usually means a supplement manufacturer follows dietary supplement GMP rules (in the US, 21 CFR Part 111). It does not guarantee product effectiveness. 

2️⃣ Do third-party seals matter (NSF, USP Verified, sport testing)?

They can help. Programs like NSF Certified for Sport and USP Verified typically emphasize identity, purity, and label claim checks, plus ongoing verification.

3️⃣ What happens when a supplement fails GMP standards?

Regulators and companies can issue recalls, warnings, or enforcement actions. A failure can also trigger retailer removals and reputational damage

References:

[1] European Comission – EU GMP Guide (EudraLex Volume 4), Chapter 7: Outsourced Activities (Supplier/Vendor Oversight) 

[2] FDA – 21 CFR Part 211: Current Good Manufacturing Practice for Finished Pharmaceuticals 

[3] ICH Q10 – Pharmaceutical Quality System (PQS) – CAPA, Change Management, Supplier Control Concepts 

Picture of Stephanie Männicke

Stephanie Männicke

Digital Marketing Especialist at Zamann Pharma Support, brings 8 years of experience in Corporate and Digital Communication. Specializing in Digital Marketing and Content Creation, Stephanie is currently focused on creating strategic content for Pharmuni's networks, especially content on topics such as recruitment, onboarding and employer branding. Outside of work, Stephanie is a mum, a crocheter and a movie fan. An avid reader and in search of expanding her knowledge, Stephanie is always looking for ways to innovate communication in the digital environment and connect people in a genuine way.

Connect With Author

Share