When a supplier issue stops a line, every minute costs. Tiered audits surface risk before it reaches production, protecting uptime, customer delivery, and compliance. 

If you manage supplier quality in a manufacturing organization, the job is simple to describe and hard to do, get fast visibility on new suppliers, keep long term partners improving, and focus scarce time where risk to safety, quality, or delivery is highest. A tiered audit framework does exactly that. You start with a light touch to establish a baseline, deepen only when the signals say you should, then lock in a cadence that keeps both sides honest and improving. 

This approach mirrors the risk based thinking in modern manufacturing standards and customer expectations. From ISO 9001, IATF 16949, AS9100, and ISO 13485 through to FSSC 22000 and BRCGS, the principle is the same, match effort to risk, performance, and change. With a tiered model you operationalize that guidance on the shop floor, linking audit depth to what matters in plants and programs, process capability, change control, traceability, first pass yield, and on time in full. 

Remote tools now let you verify claims before you travel, then target on site time where it adds real value, process validation, operator competence, maintenance and calibration, and material traceability. This blended approach is recognised by ISO’s Auditing Practices Group and by the International Accreditation Forum, so you gain speed without losing rigour.

Why “tiered” works

Risk based thinking asks you to match effort to risk, context, and change. Tiered audits do this in a way suppliers can understand, and accept. You publish the steps, the evidence you need at each step, and the gates that move a supplier forward. On low risk suppliers you keep things lean, on higher risk ones you increase depth and frequency. That is fully aligned with ISO 19011’s guidance to build audit programmes around risk, performance, and changes in the organisation or supply chain.

It also fits how teams work today. Remote tools let you do meaningful verification before you travel, then you combine that with targeted on site work. Both ISO’s Auditing Practices Group and the International Accreditation Forum describe when and how to use information and communication technology in audits, and how to blend remote and on site methods without losing rigour.

1) Self assessment, your fast baseline

Invite the supplier to complete a focused questionnaire and attach evidence, policies, work instructions, training records, certifications, change logs andrecent nonconformities. Keep it short and role based, make clear how you will use the information, and set a due date so momentum is not lost.

Do this inside AuditComply’s Supplier Management workspace so documents, approvals, and risk scoring live in one place from day one, not in email threads. You can track approvals, run targeted risk assessments, and keep a clean audit trail for every supplier record. 

2) Remote snapshot, turn documents into reality

Run a structured teleconference, walk key processes on video where appropriate, and screen share sample records. Agree the on site scope, sampling plan, and people to interview. Remote work here is not a shortcut, it is recognised best practice when planned and executed correctly, with ISO 19011 and IAF MD 4 giving clear guidance on feasibility, risks, and controls. 

Run the session using AuditComply’s Audit and Compliance workflows and Mobile app so findings, evidence, and actions are captured in real time. Convert any gap into a CAPA item with an owner and due date while you are still on the call. 

3) On site deep dive, verify process and people

Now test what you were told. Observe changeovers, interview operators and supervisors, review calibration and maintenance, and trace a product from goods into finished stock. Score consistently with the same question set you used remotely, and grade severity so everyone understands what matters most.

Using AuditComply Mobile at the line keeps your checklist, evidence, and timestamps together, and eliminates rework later. 

4) Final verification, publish the complete snapshot

Close actions, verify effectiveness, then publish a scorecard and set the steady state cadence. Share the rules and the status with the supplier. When both sides can see the same score, the same trend, and the next review date, the conversation changes from policing to improvement.

AuditComply’s Supplier Portal view and dashboards make this transparency simple, while AuditComply Drive centralises the documents behind every decision. 

Gates, cadence, and scoring, keep it simple and visible

Gates move a supplier forward only when the evidence is there, for example, a minimum average score, zero critical findings for two cycles, on time CAPA closure, and a stable complaints trend. That logic maps directly to ISO 19011’s guidance to build audit programmes around performance and change, rather than fixed dates alone. 

Cadence follows tiering. A pragmatic model is: strategic or high risk suppliers get quarterly or semi annual on site audits with remote spot checks, medium risk suppliers get a semi annual remote and an annual site visit, low risk suppliers complete an annual self assessment with witness checks. If something changes, if complaints spike, if an unapproved change appears, if there is a merger, the event overrides the calendar and you audit now. This is entirely consistent with risk based thinking and supplier segmentation approaches promoted by the Chartered Institute of Procurement and Supply, including use of tools like the Kraljic matrix.

Scoring should reflect what your factory actually cares about. Weight product quality and process capability first, then change control and supply reliability. Use hard manufacturing measures, FPY, defect PPM or DPMO, capability indices Cpk and Ppk on critical characteristics, traceability performance, and concession rates. For reliability include at least one external metric that impacts your lines. Most manufacturers track On Time In Full, OTIF, the percentage of orders delivered complete and within the agreed window, which belongs on every supplier scorecard. Layer in responsiveness, containment speed, and CAPA effectiveness so issues are closed for good. Keep documentation and training in scope, but let shop floor performance carry the most weight.

Use AuditComply to keep those weights consistent across auditors and across time, then trend the results so you see improvement or drift at a glance.

Closing the loop with CAPA

An audit that does not change anything was just a tour. Make CAPA explicit and fast, containment within 24 hours for serious issues, root cause analysis within five business days, corrective action with owners and dates, verification, then an effectiveness check after a defined run length. The FDA’s CAPA guidance is clear, the action you take must be appropriate to the magnitude of the problem and the risk involved, so keep severity and risk visible as you work.

Manage this in AuditComply’s CAPA workflows so every finding is traceable to a closed action, with verification and effectiveness recorded against the original issue. 

Roll it out in ninety days

Month one, align on goals, draft phases and gates, build your standard checklists, and agree weights. Month two, pilot with a handful of suppliers across different tiers, run the full flow, self assessment, remote snapshot, on site, and final verification, then tune anything that created noise. Month three, scale to your top suppliers by spend and risk, switch on automated reminders and event triggers, and publish supplier scorecards. If you need a broader business case to take to leadership, third party risk research shows that organisations with more mature programs are measurably more resilient and adaptable in the face of disruption, which is the outcome the business cares about. 

Do the heavy lifting in AuditComply, where you can configure phases as workflows, keep one source of truth for evidence, automate scheduling by tier, and generate executive summaries and supplier friendly feedback without copy and paste. 

What this looks like for a new supplier

Week one, you invite the supplier to complete the self assessment and upload evidence. Week two, you run the remote snapshot and agree the on site plan. Week four, you walk the process on site, sample product, and agree a CAPA plan before you leave the building. Week eight, you verify actions, publish the scorecard, and confirm cadence. From there, performance is reviewed on a simple quarterly rhythm, with event triggers ready to bring audits forward when needed. The whole flow reflects accepted international guidance on managing audit programmes and the use of remote methods alongside on site work, so it will stand up to stakeholder and customer scrutiny.

Make it real with AuditComply

If you want this framework configured with smart self assessments, blended remote and on site audits, standard scoring, true CAPA, supplier scorecards, and automated cadence, you can do that in AuditComply today, start with Supplier Management, Audit and Compliance, Mobile, Drive, and the Supplier Portal to share scorecards and next steps with vendors. 

If you would like to learn more about AuditComply’s Supplier Management capabilities request a demo here or contact us at info@auditcomply.com. We love to hear more about your challenges and show you how AuditComply can help your organization. 

Helpful resources and deeper reading

Food manufacturing essentials

• ISO 22000, Food Safety Management, core FSMS requirements that integrate HACCP principles
• FSSC 22000, Version 6, scheme requirements that combine ISO 22000, PRPs, and FSSC additional requirements.
• BRCGS Food Safety, Issue 9, widely used site standard for food manufacturers.
• IFS Food, Version 8, process and product focused standard, now with updated doctrine.
• SQF Code, Edition 9, Food Manufacturing, GFSI benchmarked scheme.
• FSMA, 21 CFR Part 117, Preventive Controls for Human Food, US regulatory requirements.
• GFSI Benchmarking, how BRCGS, FSSC 22000, IFS, and SQF are recognised.

Manufacturing quality, sector specific

• ISO 9001, risk based thinking foundation used across discrete and process manufacturing.  
• IATF 16949 for automotive supply chains and PPAP, APQP alignment. 
• AS9100 for aerospace programmes and suppliers. 
• ISO 13485 for regulated manufacturing of medical devices.
  

Supplier segmentation and performance metrics

• Kraljic matrix and supplier segmentation guidance.
• OTIF, On Time In Full, definition for supplier reliability scorecards.
• Deloitte, Global Third Party Risk Management Survey 2023, higher TPRM maturity links to resilience and adaptability.