How to Prepare for a Supplier Documentation Audit

A supplier documentation audit evaluates whether your company has current, valid records for every supplier in your approved supplier list. Auditors, whether from the FDA, a notified body, or an internal quality team, will check that you can produce the required documents on demand. The companies that pass these audits are not the ones with the best suppliers. They are the ones with a system for knowing exactly which documents they have, which are missing, and what they did about the gaps.

This page covers what auditors look for, how to run a gap analysis before they arrive, and how to build a sustainable process so audit preparation is not a fire drill every time.

Which Documents Must Be Current

The specific documents required depend on your industry, regulatory framework, and the nature of each supplier relationship. For medical device and life sciences companies, auditors typically expect the following for each approved supplier:

Certificates and Registrations

  • ISO certificates (ISO 13485 for medical devices, ISO 9001 for general quality management, ISO 14001 for environmental management). These expire, usually every three years, and must be re-verified.
  • FDA establishment registration, if the supplier manufactures or processes components that are part of a regulated product.
  • CE marking documentation or EU MDR compliance records, for suppliers involved in products sold in the European Union.
  • Industry-specific certifications such as AS9100 (aerospace), IATF 16949 (automotive), or GMP compliance documentation.

Quality and Compliance Records

  • Quality agreements: Signed agreements defining quality expectations, responsibilities, and escalation procedures between your company and the supplier.
  • Corrective and preventive action (CAPA) closure records: Evidence that past quality issues were resolved and verified.
  • First article inspection (FAI) reports: Documentation that the first production run from a new supplier or new process met all specifications.
  • Supplier audit reports: Records of your most recent audit of the supplier, including findings and closure status.

ESG and Regulatory Declarations

  • Conflict minerals declarations (CMRT or similar)
  • RoHS/REACH compliance declarations
  • ESG questionnaires or sustainability disclosures, increasingly required for large manufacturers
  • Insurance certificates (certificate of liability, workers’ compensation), depending on your contractual requirements

The key point is not the length of this list. It is that every document has an expiration date or review cycle. A certificate that was valid when you onboarded a supplier five years ago may have expired two years ago without anyone noticing.

How to Run a Gap Analysis Before the Auditor Arrives

A gap analysis compares what you should have on file against what you actually have. The goal is to find problems before an auditor does.

Step 1: Build a Complete Supplier List

Start with your approved supplier list (ASL). Cross-reference it against procurement records to confirm which suppliers are actually active. One SQE described finding significant deadwood in their list:

“We came down to 900 from about 1,300, because we found out that some of the suppliers, we’ve not even issued them a PO in the last four years.” — Senior SQE, Fortune 100 life sciences company

Removing inactive suppliers from scope reduces the number of gaps you need to close and focuses your effort on suppliers that matter.

Step 2: Map Required Documents to Each Supplier

Not every supplier requires the same documentation. A contract manufacturer building a critical subassembly needs ISO 13485, a quality agreement, FAI reports, and CAPA records. A supplier providing office furniture needs almost nothing. Build a matrix that maps each supplier to the documents required based on their classification (critical, major, minor) and the type of goods or services they provide.

Step 3: Check What You Actually Have

For each supplier in the matrix, verify:

  • Is the document on file?
  • Is it the current version?
  • Has it expired?
  • Is it signed or certified by the appropriate party?

This step is where most companies discover the real scale of their problem. The number of gaps visible at a glance is almost never the actual number.

The “Auditor Found 3, Team Found 64” Pattern

One of the most common and costly mistakes in audit preparation is assuming that if your last audit went well, your documentation is in good shape. External auditors sample. They do not review every supplier file. A clean audit result can mask a much larger problem.

“The auditor only found three. But then you realize that out of the 116, you have 60 or 64 that doesn’t have the compliance certificates, because someone tried to reach out to maybe 20 of them and gave up.” — Senior SQE, Fortune 100 life sciences company

In this case, an auditor reviewed a sample of 116 key suppliers and flagged 3 with documentation gaps. But when the quality team conducted their own comprehensive review, they found that 64 of those 116 suppliers had no valid certificates on file. The gap had grown silently over years of incomplete follow-up.

This pattern repeats across industries. The auditor’s sample reveals a small number of findings. The actual number is often 10 to 20 times larger. The only way to know the real number is to run your own full review before the auditor arrives.

Building a Sustainable Quarterly Review Cadence

Audit preparation should not be an annual panic. Companies that stay audit-ready treat supplier documentation review as a continuous process, not a project.

Quarterly Review Process

  1. Pull a report of all supplier documents expiring in the next 90 days. This gives you time to request renewals before the gap appears.
  2. Review any new suppliers onboarded in the last quarter. Confirm that all required documents were collected during onboarding.
  3. Check the status of any open remediation requests. If you requested a document 60 days ago and have not received it, that should be escalated now, not discovered during the next audit.
  4. Update the tracking matrix. Mark documents as current, expired, or pending. Record the date of the most recent outreach for any open items.

Annual Deep Review

Once a year, conduct a full gap analysis as described above. This is your chance to catch anything the quarterly reviews missed, remove inactive suppliers from the list, and verify that your document classification requirements are still aligned with current regulations.

What Happens When You Fail

The consequences of a failed supplier documentation audit depend on your industry and the severity of the findings. In regulated industries like medical devices, the consequences can be severe.

Regulatory Actions

  • FDA warning letters: Publicly issued, visible to competitors and customers, and require a formal response with corrective actions.
  • 483 observations: Issued during FDA inspections, these document specific compliance failures and require remediation.
  • Import alerts or product holds: In extreme cases, products can be detained at the border or pulled from the market.

“You don’t want the FDA in your door. Those guys come in with guns and stuff.” — Senior SQE, Fortune 100 life sciences company

Internal Consequences

  • Audit findings generate corrective action requirements that consume significant team bandwidth to close.
  • Certification risk: For companies with ISO 13485 or similar certifications, repeated audit failures can put the certification itself at risk.
  • VP-level escalation: Audit failures in supplier documentation rarely stay at the team level. They escalate quickly to director and VP attention, which creates pressure but rarely solves the underlying process problem.

How to Present Documentation to Auditors

When auditors arrive, they expect to request a supplier file and receive it immediately. How you organize and present your documentation matters.

Centralized Storage

All supplier documents should be in a single system, whether that is a quality management system (QMS), a shared drive with a consistent folder structure, or a supplier management platform. Auditors lose confidence quickly when documents are scattered across personal email inboxes, local hard drives, and multiple SharePoint sites.

Indexed and Searchable

Each supplier should have a dedicated folder or record containing all required documents, organized by document type. An auditor should be able to ask for “the ISO 13485 certificate for Supplier X” and have it in front of them within 60 seconds.

Version Control

Only the current version of each document should be the primary file. Archive expired versions separately. Auditors should not have to sort through three expired certificates to find the active one.

Evidence of Process

In addition to the documents themselves, auditors want to see evidence that you have a process for managing them. This includes:

  • Records of when documents were requested and received
  • Evidence of follow-up for missing or expired documents
  • Escalation records for unresponsive suppliers
  • Review logs showing regular gap analysis activity

The documentation trail matters as much as the documents. An auditor who sees a missing certificate alongside a record of 6 follow-up attempts and an executive escalation will treat that very differently than a missing certificate with no outreach history.

Where Bridgecurrent Fits

Bridgecurrent helps you close the gaps that gap analyses reveal. It identifies the right contact at each supplier, sends the document request, and follows up automatically until the document is received or escalation is triggered. For companies preparing for audits with dozens or hundreds of open gaps, it replaces the manual email work that causes most remediation projects to stall.

See how supplier certification remediation works at scale