Supplier Audit Scorecard — Score & Grade Your Audits

A supplier audit is not a checklist exercise — it's an investigation. The best auditors enter a facility with a structured framework but remain alert to what isn't on the checklist. The most serious findings are often things you didn't think to look for. A well-executed audit follows five phases.

Phase 1 — Plan: Define scope, team composition, and schedule. Provide the supplier 2 weeks advance notice — surprise audits damage relationships and rarely yield better findings because systemic issues aren't hidden in 2 weeks. Request pre-audit documentation: quality manual, organization chart, previous audit reports, CAPA log, process flow diagrams. Review these before arrival — the audit starts at your desk, not at their reception. A supplier that takes 2 weeks to produce basic documents is already signaling something about organizational discipline.

Phase 2 — Execute: On-site audit typically runs 1-2 days depending on facility size and scope. Follow the checklist but stay alert to ambient signals: Is the facility clean and organized per 5S principles? Do operators appear engaged? Are safety protocols visibly followed by everyone, including management? The single most diagnostic moment in any audit: approach an operator on the production floor, away from management, and ask "can you show me what you're working on and explain what you do?" An operator who can't explain their work in simple terms — or who glances at a supervisor before answering — tells you that documented procedures exist on paper only. Take photos (with permission), document evidence immediately — after 8 hours on a factory floor, findings blur. Hold a daily close-out meeting to confirm preliminary observations before memory fades.

Phase 3 — Score: Score each audit dimension checklist item as Pass (1 point), Partial (0.5), or Fail (0). Pass requires documented objective evidence — "they seem to do this well" is not evidence and cannot support a Pass finding. Partial means the requirement is partially met but specific gaps exist — a Corrective Action Request (CAR) is required. Fail means the requirement is not met — immediate CAR with an escalation timeline is mandatory. Every Partial or Fail must be supported by specific evidence: what you observed, when, where, and why it constitutes a finding.

Phase 4 — Report: The audit report has four sections: Executive Summary (overall grade, top 3 strengths, top 3 risks — readable by a VP in 2 minutes), Dimension Scores (with traffic light indicators), Detailed Findings (each with evidence, root cause if known, recommended corrective action), and CAR Register (tracking log with owner and due date). Issue the draft report within 5 business days. The supplier has 10 business days to respond with their corrective action plan. The final report is not complete until the supplier's response is incorporated.

Phase 5 — Track: An audit without CAR closure tracking achieves nothing — literally, it's wasted effort. Assign each CAR an owner (supplier-side), a due date, and a verification method. Track CARs to closure — a CAR past due without an extension request is itself a finding. Schedule re-audit based on risk: D grade = 90 days, C grade = 6 months, B grade = 12 months, A grade = 18-24 months. The audit is complete only when all CARs are closed and verified.

Quality Systems (default weight 25): Evaluate the supplier's Quality Management System as a living process, not a documentation set. Key audit questions: Is the quality manual current and approved by top management? Are internal audits conducted on schedule with documented findings and resulting corrective actions? Is document control effective — do operators on the shop floor have access to current, approved work instructions, or are uncontrolled copies circulating? The most common finding in this dimension: a QMS that is immaculate on paper but invisible on the shop floor. The diagnostic test: ask to see the last 3 internal audit reports. If every internal audit found zero non-conformances, one of two things is true — the supplier has achieved perfection (statistically improbable in manufacturing) or their internal audit process lacks rigor. Good suppliers identify their own problems before their customers do. Also verify: document retention policy, records management, and whether the QMS scope accurately covers all processes affecting product quality.

Production & Process Control (default weight 25): Walk the production line with the process flow diagram in hand. Does actual practice match documented procedure, or are operators improvising? Check equipment maintenance records — are they current and complete? Evaluate the preventive vs reactive maintenance ratio: if over 80% of maintenance is reactive (fixing breakdowns), production reliability is structurally fragile. Verify calibration status of all measurement equipment — a single gauge past its calibration date is an automatic finding that must be documented. Evaluate work instructions at operator stations: are they current, accessible, and in a language the operator understands? A work instruction in English at a station staffed by operators who primarily read Spanish is decoration, not documentation. Look at process capability data (Cpk) for critical characteristics — Cpk below 1.33 on a safety-critical dimension means the process cannot consistently meet specification and the supplier is relying on inspection to catch defects, which is not a sustainable quality strategy for production volumes.

Supply Chain Management (default weight 20): A supplier that doesn't audit their own suppliers passes unidentified risk directly to you. Evaluate: Do they maintain an approved supplier list with documented qualification criteria? Is incoming inspection performed on critical raw materials, and is the inspection data actually acted upon? Is full material traceability maintained — can they trace any finished product back to the specific raw material lot? For regulated industries (automotive, aerospace, medical devices), traceability isn't aspirational — it's a regulatory requirement with legal consequences for failure. Ask to see their supplier scorecards for their top 5 suppliers — a supplier that doesn't performance-manage their own supply base cannot credibly claim supply chain control. The audit finding to watch for: "we've used this supplier for 15 years, we trust them" — trust is not a substitute for incoming inspection, and a 15-year relationship without documented quality verification is a finding in itself. Also evaluate: sub-tier supplier risk assessment process, conflict minerals reporting, and counterfeiting prevention measures for electronic components.

Compliance (default weight 15): Cover regulatory compliance, environmental management, and health & safety as an integrated assessment of operational discipline. Verify certifications are current and complete — ISO 14001 for environmental management, ISO 45001 for occupational health & safety. Check for any regulatory violations, notices, or consent decrees in the past 3 years. Environmental: hazardous material handling procedures, waste disposal manifests, discharge permits — all current? Health & safety: OSHA recordable incident rate (manufacturing industry average is approximately 3.0 per 100 full-time workers; above 5.0 warrants structured investigation). Verify safety training records for completion rate and currency. Observe PPE compliance on the shop floor — if operators aren't wearing required PPE while the plant manager conducts your tour, what happens when you're not present? A supplier with a poor safety record has poor operational discipline — safety culture is a reliable proxy for overall management quality across all dimensions.

Continuous Improvement (default weight 15): Evaluate whether the supplier improves themselves or waits to be improved by customer pressure. Key areas: CAPA system effectiveness — do CARs get closed on time with verified effectiveness, or do they age? A CAR open beyond 90 days without documented extension is a failed CAPA system. Training: are training matrices maintained by role, and do they show competency verification (demonstrated skill), not just attendance? Management review: does top management actually review and act on quality data quarterly, or are management reviews a paperwork exercise where slides are presented and nothing changes? The single most telling indicator: flat KPIs for 2 consecutive years. In manufacturing, flat equals decline because input costs rise annually — if quality and delivery metrics aren't improving year-over-year, the supplier is effectively getting worse. Look for evidence of self-initiated improvement — a supplier that waits for customer complaints before fixing problems is fundamentally reactive and will always be a management burden.

Each audit dimension is scored at the checklist-item level: Pass (1 point), Partial (0.5 points), or Fail (0 points). The dimension score is the percentage of applicable items that pass: Dimension Score (%) = (Sum of item scores / Total applicable items) × 100%.

Pass requires documented objective evidence — an auditor must see it, not be told about it. Partial means the requirement is partially met but specific, documented gaps exist and corrective action is required. Fail means the requirement is not met or evidence is absent — immediate corrective action with escalation is required.

The overall audit score is the weighted average of dimension scores: Overall % = Σ (Dimension_Score_% × Weight) / 100.

Grade thresholds and business implications:

• A (≥90%): Approved — Supplier meets or exceeds requirements across all dimensions. CARs (if any) are minor. Re-audit in 18-24 months. Expected: less than 10% of first-time audited suppliers. If your program produces 40% A grades, your criteria are too lenient or your auditors aren't finding issues.
• B (≥75%): Conditional Pass — Supplier generally meets requirements but has specific, documented gaps requiring corrective action. The majority of first-time audits (50-60%) fall here — this is the expected and healthy result for a rigorous audit program. CAR closure expected within 90 days. Re-audit in 12 months.
• C (≥60%): Corrective Action Required — Significant gaps across multiple dimensions. Formal corrective action plan required within 30 days. Supplier must demonstrate measurable progress before new business is awarded. Current business continues but with heightened oversight. Re-audit in 6 months.
• D (<60%): Failed — Re-audit Required. This supplier is not currently qualified. All CARs must be closed and verified before the supplier can be considered for new business. If currently supplying production parts, immediate risk assessment and containment actions (100% incoming inspection on critical characteristics, increased safety stock) are mandatory. Re-audit in 90 days. A supplier that fails two consecutive audits is communicating that they either cannot or will not meet your requirements — believe them and initiate re-sourcing.

Quality Systems (weight 25): 14 of 17 checklist items passed. Quality manual current and top-management approved. Internal audit program active — 3 internal audits conducted in the past 12 months identifying 2 non-conformances, both closed within 45 days (strong). Document control partial finding: 2 of 8 work instructions sampled at operator stations were revision B when revision C was the current approved version — a document distribution process gap. No evidence of uncontrolled documents, which is good, but distribution timing is unreliable. Score: 14/17 × 100% = 82.4%.

Production & Process Control (weight 25): 19 of 22 items passed. Preventive maintenance records current for 11 of 12 major equipment items — one CNC machine's PM was 3 weeks overdue (partial, corrected on-site). Calibration: all instruments current except one micrometer past calibration by 19 days — automatic finding regardless of impact. Process capability data available for 4 of 5 critical characteristics — the fifth characteristic is measured but Cpk is not calculated (partial, requires control chart implementation). Score: 19/22 × 100% = 86.4%.

Supply Chain Management (weight 20): 16 of 20 items passed. Approved supplier list exists and is current with documented qualification criteria. Incoming inspection procedure documented but execution inconsistent — 3 of 15 recent receiving inspection records lacked inspector sign-off, making traceability to the individual inspector impossible (partial). Material traceability partially implemented: raw material certs are retained but not systematically linked to finished goods by lot number — in a recall scenario, lot tracing would require manual investigation (partial). Supplier's own scorecard program exists for top 10 suppliers but they haven't conducted an on-site audit of any supplier in 2 years — their supplier oversight is desk-based only. Score: 16/20 × 100% = 80.0%.

Compliance (weight 15): 13 of 15 items passed. ISO 14001 certified and current. Waste disposal manifests complete with no discrepancies. Safety: OSHA recordable rate of 4.8 (above the manufacturing industry average of 3.0) — 3 recordable incidents in the past 12 months, all material-handling related, suggesting a pattern rather than random events. Safety training records show 87% completion rate — 13% of operators are overdue for annual refresher training (partial). PPE compliance: 2 of 20 operators observed in the production area without safety glasses — immediate correction on-site and retraining documented same day (strong response to the finding). Score: 13/15 × 100% = 86.7%.

Continuous Improvement (weight 15): 10 of 15 items passed. CAPA system: 8 CARs issued in the past 12 months, 6 closed on time, 2 open past 90 days (one at 142 days — this is a finding). Root cause: the CAPA coordinator was on extended leave and no backup was designated — a process design failure, not an individual failure. Training matrix exists and is updated annually but records attendance, not demonstrated competency — the system confirms people attended training, not that they learned anything. Management review conducted quarterly — the last two reviews show KPI presentation but no documented resulting actions. They review numbers but don't act on them — the purpose of management review is decision-making, not data presentation. Score: 10/15 × 100% = 66.7%.

CAR 1 — CAPA Timeliness: Close the 2 overdue CARs within 30 days. Root cause is the lack of a backup coordinator — corrective action is to designate a backup and implement monthly CAPA aging review as a management KPI. Due: 30 days.

CAR 2 — Document Control Distribution: Implement a verification system ensuring work instruction revision status is current at the point of use. Recommend quarterly line-side audit of 100% of work instructions. Due: 60 days.

CAR 3 — Training Competency Verification: Upgrade the training system from attendance-based to competency-based. Requirements: define competency criteria per role, implement demonstrated-skill assessment, achieve 100% verification within 6 months. Due: 180 days.

The overdue PM and uncalibrated micrometer were corrected during the audit — the maintenance supervisor's immediate response to both findings is noted as a strength. The safety glasses non-compliance was corrected on the spot with operator retraining documented the same day — this response quality is a positive indicator of management engagement.