7 Mistakes Companies Make When Auditing Critical Suppliers

Auditing suppliers is a well-established part of every medical device quality management system — but auditing critical suppliers is a different challenge entirely.

Because their processes directly affect device safety and performance, the expectations for these audits are higher. Yet too often, manufacturers approach them like any other supplier audit — and in doing so, they overlook risks that can undermine product quality and regulatory compliance.

Here are 7 mistakes companies frequently make when auditing critical suppliers:

  1. Treating All Suppliers the Same

    The most fundamental mistake is applying the same audit scope and frequency to every supplier.

    ISO 13485 §7.4.1 requires supplier evaluation to be proportionate to the impact on product quality, and MDSAP explicitly distinguishes critical suppliers from others. Critical suppliers should be audited more deeply, more often, and with a stronger focus on validation, risk control, and traceability.

  2. Relying on Questionnaires Instead of Audits 

    Self-assessment questionnaires can be useful tools, but they are not audits. Relying solely on paperwork to assess a critical supplier’s performance is insufficient. Regulatory auditors — and MDSAP auditors in particular — expect manufacturers to perform meaningful on-site audits of critical suppliers, with direct evidence collection and process observation.

  3. Ignoring Change Control 

    One of the most significant risks with critical suppliers is uncommunicated changes. Whether it’s a software update, a process change, or a new piece of equipment, uncontrolled changes can invalidate validations and affect product safety. Supplier change-control processes — and your own supplier notification agreements — should be key focus points in any critical supplier audit.

  4. Overlooking Design and Development Activities

    Suppliers involved in design or development activities are often among the most critical — yet they are frequently audited using purchasing-centric checklists. ISO 13485 §7.3 requires design controls regardless of whether design is performed internally or externally. Audits should assess design inputs, verification, validation, and design change management when suppliers contribute to product design.

  5. Failing to Link Findings to Risk Management

    Audit findings must feed into the risk management process under ISO 14971. Too often, supplier audit findings remain isolated from the device’s risk file, missing the opportunity to improve hazard controls or detect emerging risks. Critical supplier audits should always consider how findings map to device hazards, risk controls, and residual risk justifications.

  6. Accepting Superficial CAPA Responses

    Corrective and preventive actions from critical suppliers should be scrutinised with the same rigour you apply internally. Superficial or unverified CAPAs leave risks unresolved and create regulatory exposure. Follow-up audits, evidence of effectiveness checks, and escalation processes should all be built into your supplier management procedure.

  7. Conducting Audits Too Infrequently

    Annual audits may be sufficient for low-risk suppliers, but they are often inadequate for critical ones. Risk-based frequency is key: a supplier providing sterilisation services or safety-critical software might warrant semi-annual or event-driven audits, especially following significant changes or nonconformities.

Avoiding these common mistakes requires a mindset shift: auditing critical suppliers is not a compliance task, but an extension of your own quality system.

Done correctly, these audits deepen supplier relationships, uncover systemic risks, and strengthen your regulatory readiness.

Avoid these mistakes in your next audit.

 

If your supplier audits feel too generic, too shallow, or too slow, let’s tighten up your approach before issues snowball.
