Why supplier audits are growing in importance
by J.P. Russell
Now more than ever, supply chain management is important to ensure organizations can compete in the global market. Organizations continue to focus on core competencies, resulting in greater dependence on high-quality materials and services from suppliers.
An audit program is a key component for monitoring the external supply chain, the management of which is an enterprise within an enterprise. Many of the program requirements for internal and external audits are the same. But external audits are different due to the customer-supplier relationship.
Audit program managers must interface with procurement departments to ensure contracts contain access clauses and to schedule audits or other oversight services of the global supply chain. Oversight may be needed for first, second and perhaps third-tier suppliers depending on organization objectives, customer requirements and risk.
The supply chain enterprise includes:
- Requirements flow-down.
- A logistics network.
- Manufacturing and technology, and obsolescence management.
- Demand forecasting.
- The customer service relationship.
- Risk management.
- Performance management.
The external audit program most likely will be involved with the procurement, performance management and risk management aspects of the supply chain.
In many cases, the procurement department is the client that needs the services of an audit program. Procurement personnel are sometimes called procurement specialists, buyers, purchasing agents, purchasing managers and purchasing supervisors. Depending on its needs, the auditing organization may employ procurement and auditing personnel with international experience.
Procurement duties and responsibilities that involve the auditing function include:
- Creating and implementing performance metrics, such as key performance indicators.
- Monitoring and reporting trends in the supplier and contract base that could affect supply.
- Establishing and promoting relationships with suppliers and customers. The organization may need to develop close relationships with suppliers of critical material and services. In some cases, partnerships might be established.
- Following up on and monitoring supplier performance to ensure corrective action is taken on identified issues.
- Verifying special programs as needed, such as vendor projects, changes, buy-resale and private label.
Usually, audit program managers and auditors are not involved in establishing supplier requirements but are likely to be involved in their oversight.
Requirements may be technical, logistical, administrative, legal or related to supplier processes. Technical requirements typically come from the process designer or owner; quality department; or technical, procurement or legal department.
Examples of technical requirements include physical characteristics, such as weight or dimensions; chemical composition; physical properties, such as hardness, smoothness and finish; and performance results.
Examples of logistical requirements include identification, such as barcode, name, serial number and color code; packaging, such as padding, box, pallet and spacing; instructions; packing lists; special storage conditions listed on packages; and storage service requirements.
Examples of administrative and legal requirements include hazardous response instructions and markings, first-aid instructions, purchase order or contract number, and disaster recovery plans, such as those for natural disasters, cyber attacks and material outages.
Examples of supplier process requirements include process variation monitoring, certificates of compliance, first-article inspection or other test requirements, and ISO 9001-plus or ISO 9001-minus requirements.
There may be other requirements depending on the risks involved—for example, source inspection for expensive or large equipment. Inspection type, sample size and rejection criteria also may be part of the product or service requirements.
For many organizations, the expansion of the supplier base has spawned the evolution of logistics management. The globalization and outsourcing of products and services have led to increasingly complex supply chains with longer lead times, more pipeline inventory, and the need to control downstream and upstream logistics.
Establishing a supply chain network includes supplier selection, and movement of goods and services to their final destinations. Audit programs don’t develop the supply chain network, but they must verify and monitor activities to ensure requirements are met.
Movement of goods and services includes modes of travel, such as train, air, roadway and sea; distribution and storage services; storage conditions; technical services; expedited services; and controlling storage costs and expenses, such as detention and demurrage fines.
Supplier selection may include initial evaluation, maturity model results and assessment of capabilities.
Supply chains can stretch across the globe and thus can vary widely. In all cases, however, deadlines must be met and customers satisfied. Language and cultural barriers must be overcome because effective communication is an important factor for success. E-audits are an increasingly viable option and becoming an important audit program strategy to ensure proper oversight and control of risks.
Management is always concerned about risk and has been taught to avoid unnecessary risk. The ISO 9000 standards and similar sector-specific standards represent strategies to reduce risk for selected areas, such as product liability, environmental controls, and occupational safety and health.
Because fewer business processes are being controlled internally, there is a greater need to manage supply chain risk. This presents a difficult situation because increasing dependence on supplier organizations increases a customer’s business risk.
The risk management scope should include controls throughout a product’s life cycle across all organizational processes and its external supply chain. The scope of the program could be limited by product or may include select enterprise processes.
The purpose of the program should be to ensure customer requirements are being met, and to prevent external product failures and nonconformities. An effective risk management program will reduce the chances of undesirable and harmful consequences to the organization.
The absence of a risk management program puts the organization in a reactionary mode and exposes it to unknown problems. Having a risk management program allows the organization to be proactive by eliminating problems before they occur. The benefits of proper verification and monitoring of the supply chain include:
- Reduced probability of delivering nonconforming products and services.
- Increased probability of achieving organizational objectives.
- Reduced probability of delivering products or services behind schedule.
- Increased probability of compliance to quality, environmental and safety regulations, plus the avoidance of undesirable consequences.
If there are specific identified risks and risk treatments, the audit function may be asked to verify they are being controlled and properly treated. Auditors and audit program managers are usually not asked to assess identified risks unless they are specifically assigned to the team for such purposes.
Adjust your monitor
During any visit or interface with a supplier, an auditor has a duty to report any potentially significant risks to the audit program manager and the client. Depending on the risk and criticality of the product or service, supplier monitoring may include many activities. Monitoring and reporting needs will continue to change due to organizational needs, changes and relationships with suppliers.
Monitoring and verification may include:
- Assessment of capabilities.
- Source inspection.
- Ongoing inspection (100% inspection, acceptance and skip lot inspection).
- Certification of conformance.
- A conformity audit.
- A contract audit.
- A risk-based audit.
- Verification of corrective actions.
In many cases, suppliers are asked to conform to a management system standard, such as ISO 9001. If a supplier is asked to comply with that, plus specific additional requirements found in another standard—such as ISO 13485 (medical devices) or ISO/TS 16949 (automotive)—it may be called an ISO 9001-plus audit. Audits of small supplier organizations that are asked to implement only certain parts of a management standard such as ISO 9001 might be called ISO 9001-minus audits.
External auditors may need additional training in working with different cultures. A misunderstanding can delay an audit or damage a business relationship. For the same reason, external auditors may need to have technical knowledge about the parts and processes that yield the product being supplied.
Audit results are one input to maintaining an effective supplier relationship. The results may be the basis for increasing or decreasing oversight of the supplier organization. Some organizations have supplier levels that affect not only oversight, but also the share of the business, and have monetary consequences. The higher the supplier level, the less oversight needed.
- This article was excerpted from chapter 16 of The ASQ Auditing Handbook, fourth edition, edited by J.P. Russell. It’s available in the Quality Press Bookstore at http://asq.org/quality-press/display-item/index.html?item=H1435 (case sensitive).
J.P. Russell is the founder and managing director of QualityWBT Center for Education. He also is an ASQ fellow, ASQ-certified quality auditor, voting member of the American National Standards Institute/ASQ Z1 committee and member of the U.S. technical advisory group for International Organization for Standardization technical committee 176. Russell is a recipient of the Paul Gauthier Award from the ASQ Audit Division.