How to Set Up a Vendor Audit Schedule That Actually Works
We audited our LED supplier once, when we onboarded them. They passed. Two years later, we had a batch with a 12% LED failure rate. The supplier had quietly switched to a lower-grade LED without telling us. If we had audited them annually, we would have caught the switch at the first annual audit.
One-time supplier audits are insufficient. You need a recurring audit schedule. But most audit schedules fail because they’re too ambitious (audit every supplier every quarter) or too lax (audit every supplier once every 3 years). Here’s a risk-based audit schedule that actually works.
The Risk-Based Audit Frequency
Not all suppliers need the same audit frequency. Base it on risk.
| Supplier Risk Level | Criteria | Audit Frequency | Examples |
| --- | --- | --- | --- |
| High risk | Single-source, custom components, quality issues in past | Annual | LED supplier, controller board supplier, OEM factory |
| Medium risk | Multiple sources available, some customization, generally reliable | Every 2 years | Packaging supplier, manual printing supplier |
| Low risk | Commodity, multiple sources, low impact of failure | Every 3 years | Shipping box supplier, accessory supplier |
The single-source criterion: If a supplier is your only source for a component, they’re high risk. If they fail, you have no alternative. Audit them annually.
The past quality issues criterion: If a supplier has had quality issues in the past 2 years, they’re high risk. Audit them annually until they have 2 consecutive clean audits.
The Audit Schedule Structure
A 3-year rolling audit schedule ensures every supplier is audited at the appropriate frequency.
| Year | High-Risk Suppliers | Medium-Risk Suppliers | Low-Risk Suppliers |
| --- | --- | --- | --- |
| Year 1 | Audit all | Audit 1/2 of them | Audit 1/3 of them |
| Year 2 | Audit all | Audit other 1/2 | Audit 1/3 of them |
| Year 3 | Audit all | (All medium-risk audited) | Audit other 1/3 |
| Year 4 | Audit all | Audit 1/2 of them | (All low-risk audited) |
The advantage of a rolling schedule: You’re never overwhelmed with audits in a single year. You spread them out. And you always have a clear view of which suppliers are due for audit.
The audit timing: Schedule audits 2-3 months in advance. Suppliers need time to prepare. And you need time to schedule travel (if on-site) or set up a remote audit.
The Audit Types
You don’t have to visit every supplier every time. Mix audit types.
| Audit Type | When to Use | Cost | Effectiveness |
| --- | --- | --- | --- |
| On-site audit (full) | High-risk suppliers, initial audit | $1,500-3,000 (travel + time) | High |
| On-site audit (focused) | Follow-up audit, specific issue | $800-1,500 | Medium-High |
| Remote audit (video call + document review) | Medium-risk suppliers, interim audit | $200-500 | Medium |
| Self-assessment questionnaire | Low-risk suppliers, between audits | $0 (supplier time) | Low-Medium |
| Third-party audit (hire auditor) | When you don’t have internal audit capacity | $2,000-5,000 | High |
The remote audit is underutilized. For medium-risk suppliers, a 2-hour video call where you review their quality documentation, ask questions, and request evidence (photos of production, test reports) is sufficient. It’s not as good as on-site, but it’s 10x cheaper and catches 70-80% of issues.
The self-assessment questionnaire: Send the supplier a detailed questionnaire covering quality management, production capacity, incoming inspection, etc. Review their responses. If anything looks concerning, follow up with a remote or on-site audit. This is a low-cost way to maintain oversight between audits.
The Audit Findings and Corrective Action
The audit is useless if you don’t follow up on findings.
| Finding Severity | Definition | Required Action | Timeline |
| --- | --- | --- | --- |
| Critical | Immediate risk of product failure or safety issue | Correct immediately, re-audit in 3-6 months | 0-30 days |
| Major | Systemic quality issue, no immediate risk | Correct within 90 days, verify in next audit | 30-90 days |
| Minor | Opportunity for improvement | Correct within 6-12 months | 90-180 days |
| Observation | No issue, but note for future | Monitor | Next audit |
The corrective action plan: For major and critical findings, the supplier must submit a corrective action plan (CAP) within 30 days. The CAP should identify root cause, corrective action, and preventive action. Review and approve the CAP. Verify implementation in the next audit or via remote follow-up.
The re-audit: If a supplier has a critical or major finding, re-audit them in 3-6 months rather than waiting for the next scheduled audit, to verify that the corrective action was implemented and is effective.
The Audit Documentation
Keep audit records organized and accessible.
| Document | Content | Retention |
| --- | --- | --- |
| Audit plan | What will be audited, who, when | 3 years |
| Audit checklist | Questions, findings | 3 years |
| Audit report | Summary, findings, CAP | 5 years (or as required by your QMS) |
| Corrective action plan (CAP) | Root cause, corrective action, preventive action | 5 years |
| Audit follow-up | Verification of CAP implementation | 3 years |
The audit checklist: Use a standardized checklist. Don’t wing it. The checklist should cover the quality management system, incoming inspection, production process, outgoing QC, calibration, training, and corrective action. Adapt it for the supplier type (an LED supplier checklist differs from a packaging supplier checklist).
The audit report: One-page summary + detailed findings. Distribute to the supplier (obviously) and to your internal stakeholders (quality, procurement, engineering). The audit is useless if only the auditor reads it.
What We’ve Learned
1. The 12% LED failure rate would have been caught at the first annual audit. The supplier switched to lower-grade LEDs without telling us. An annual audit (sample 10 LEDs from recent production, test them) would have caught the switch. We now audit our LED supplier annually and sample-test 10 LEDs per audit.
2. The rolling 3-year schedule prevents audit overload. In Year 1, we tried to audit all 12 suppliers. It was overwhelming (12 audits in 12 months). In Year 2, we switched to a rolling schedule: 4 high-risk (annual), 3 medium-risk (1/2 per year), 2 low-risk (1/3 per year) = 9 audits total, spread across the year. Manageable.
3. Remote audits are 80% as effective as on-site audits at 10% of the cost. For medium-risk suppliers, the $200-500 remote audit is sufficient. We do remote audits every other year and an on-site audit every 4 years (for medium-risk). This balances oversight and cost.
4. The self-assessment questionnaire catches 30-40% of issues. Low-risk suppliers complete the questionnaire. If they answer “No” to “Do you have incoming inspection?” or “Is your production process documented?” — that’s a red flag. Follow up with a remote audit. The questionnaire is a low-cost screening tool.
5. Audit findings without corrective action are useless. We audited a supplier, found a major issue (no incoming inspection on LEDs), and… didn’t follow up. The issue persisted for 18 months. Now we have a CAP tracking system. No CAP = no further orders. It’s strict, but it works.
Setting up a vendor audit schedule that actually works requires a risk-based audit frequency (high-risk: annual, medium-risk: every 2 years, low-risk: every 3 years), a 3-year rolling schedule to spread audits evenly, a mix of audit types (on-site, remote, self-assessment), a rigorous corrective action process (CAP for major/critical findings, re-audit to verify), and organized documentation (audit plan, checklist, report, CAP, follow-up). The 12% LED failure rate that cost us $18,000 in returns would have been caught at the first annual audit. A risk-based, rolling audit schedule is not bureaucratic overhead — it’s quality assurance. Implement it before you have a quality failure, not after.
