Why should companies perform a second-party audit of their supplier’s QMS?

ISO 9001:2015 is the most recent update in a long line of standard requirements for implementing a Quality Management System (QMS), and, from the beginning, one big selling point was that a company would not need to audit the QMS of a supplier that was certified to ISO 9001. The thinking was that if a third party was certifying that the supplier’s Quality Management System met the requirements of the ISO 9001 standard, then customers of that company would not need to audit it themselves. Many companies have used this approach and almost completely removed the use of second-party audits from their supply chain management strategy; however, is this the right approach?

Do you need to audit everything in the supplier’s QMS?

The promise of reduced second-party audits with ISO 9001 certification is mostly true; if a supplier has a QMS that is certified by a third-party audit to be compliant with the ISO 9001:2015 requirements, it is almost pointless to perform a similar audit yourself. You know what elements are required by ISO 9001:2015, and if this is what you need from your suppliers, and there is an independent auditor checking that the company meets these requirements, why would you spend the time and money to do a double check on this? The certification body auditors are experts, so let them do their jobs.

So, in short, you do not need to audit everything in the supplier’s QMS. The benefit of performing a second-party audit would come from checking any elements of the implemented processes that are specific to how you deal with the supplier. Checking the general QMS requirements, such as how the company does their internal audits, is not likely to be helpful in improving the quality of the products and services you receive, nor is it likely to improve your customer/supplier relationship. So, what is important to you: traceability, storage and transportation conditions, testing specifics, or how the supplier declares conformity?


What is important to you?

When deciding on the need for performing a second-party audit on your suppliers, the most important question to ask is: “What is important for us to check?” Do we have a specific requirement that is very important, above and beyond the general requirements of the ISO 9001 standard? One common example of this could be the method of dealing with nonconforming outputs and, in particular, how the supplier notifies you as a customer when process outputs are nonconforming and how the disposition is implemented and approved. If this were the case, then a second-party audit of the nonconforming outputs process may be beneficial. Another common requirement could be the inclusion of necessary design steps in the design and development process of your suppliers.

It is also important to remember that you do not need to implement second-party audits on every supplier in your supply chain. If you have some suppliers that only deliver general commodity products to you, these suppliers might not need the surveillance that is required of the suppliers that provide you with critical components that are necessary to make your end deliverable product work. It is for these critical suppliers that you may want to check the implementation of their crucial processes.

This can be exceptionally important when you are making assessments of suppliers at critical points in the supply chain. When you are first approving a supplier, an audit of key processes is helpful. If you are deciding to approve a supplier for ship-to-stock status, where you no longer check the products when they arrive, you may want to include a second-party audit of key processes in the approval steps. By creating your audit checklist to focus on the process elements that are of interest to you, the audit can be much more useful than just repeating what the certification body auditors have done.

Find out more about creating an audit checklist with this article on How to create a check list for an ISO 9001 internal audit for your QMS.

Second-party audits can improve your supply chain

So, returning to the question posed at the beginning, is the strategy of removing second-party audits from your supply chain management strategy the right approach? In truth, only you can decide. If the only requirements that you have can be satisfied by any QMS implementation that meets the requirements of ISO 9001:2015, then you aren’t likely to get much benefit from performing second-party audits on your suppliers.

However, if you have specific requirements that need certain QMS processes to be implemented a certain way, such as nonconforming product or design processes as described above, then you might find it very useful to perform periodic, specific audits of these certain processes at your suppliers. Likewise, if you have critical suppliers whose processes are of utmost importance, or critical suppliers who are becoming ship-to-stock suppliers, then auditing critical processes may be necessary for you.

There is no requirement in ISO 9001:2015 that you perform audits on your suppliers, only that you have a way of approving them for use. Make the supplier audit decisions that make sense for your business, and that will make your supply chain better.

Use this free online training ISO 9001:2015 Internal Auditor course to learn about auditing techniques you can use in second-party auditing.

Author: Mark Hammar
Mark Hammar is a Certified Manager of Quality / Organizational Excellence through the American Society for Quality and has been a Quality Professional since 1994. Mark has experience in auditing, improving processes, and writing procedures for Quality, Environmental, and Occupational Health & Safety Management Systems, and is certified as a Lead Auditor for ISO 9001, AS9100, and ISO 14001.