Copy to clipboard 
EduQuest, a global team of FDA compliance experts, answers industry’s pressing questions. In this round, the experts
offer Supplier Auditing insight.
QUESTION: Is there a recommended frequency for auditing a supplier?
ANSWER: That’s an interesting question for several reasons.
First, your question assumes that supplier audits are expected–which is true, but not always clearly stated in the regulations. Depending on your industry (medical device, biological, etc.), FDA regulations are not always consistent, and neither are audit frequency expectations.
Secondly, your question implies a one-size-fits-all concept for all suppliers. That’s not practical, nor advisable.
So let’s approach the answer from a real-world, patient-centered, and regulatory defensible position:
First, you need to determine the risk of the supplier to the product you provide, keeping in mind that at FDA risk is evaluated as risk to the:
• Consumer (patient, user, health care practitioner, etc.)
• Product (quality, consistency, safety, effectiveness, etc.)
• Process (conditions of use and potential impact on the consumer and product), and
• Data (you need evidence to demonstrate the quality attributes are present—designed and built into
each item as demonstrated through validation, verification, testing, analysis, etc.).
Determining the risk begins as “educated guess-work” derived from product concepts, design inputs, required and expected attributes. As you further develop your product, the risk becomes more clear, and the potential impact of a supplier becomes better defined. So then you ultimately arrive at a categorization of suppliers based on risk.
You can refine this categorization by collecting and evaluating actual supplier data such as qualification information, previous audits, quality of the products supplied over time, validations, etc.
Your goal should be to determine the key attributes of the products the suppliers make and identify which of those attributes you must monitor upon receipt/prior to use.
That approach assures you receive acceptable materials for your use and further manufacturing. If you do this well, auditing becomes only a checkpoint in supplier management. In other words, audits become less important and can be spaced further apart.
With auditing then representing only a checkpoint in the major activity of supplier management, you construct a schedule based on science and knowledge. Generally, annual audits are used for the highest risk suppliers. Sometimes you’ll need to audit them even more frequently, based on specific needs or perhaps poor potential for on-going monitoring.
For suppliers in your second-level risk category, perform audits every two years (more often, as needed), and do evaluations/assessments every two years for other suppliers who represent lower risk levels. If you detect poor performance based on your monitoring of these lower-risk suppliers, the frequency of your audits or evaluations should increase.
Here’s what it all boils down to: you should develop a frequency for audits based on science and knowledge of your product/use risk levels.
Your frequency must be documented, defensible and based on collected data. Science always wins with FDA (after all, that’s what the Agency is all about).
Mr. Browning, President and Co-Founder of EduQuest, served as an expert field investigator and Special Assistant to the Associate Commissioner for Regulatory Affairs during his 22-year career at FDA. EduQuest can be reached by email.
