A supplier audit is a systematic assessment of a company’s suppliers to ensure they operate efficiently, adhere to the necessary standards and comply with regulatory requirements.
Supplier audits also optimise supply chain performance, mitigate financial and operational risk and foster mutually beneficial relationships between the company and its suppliers.
In an era of globalisation where businesses source materials and components from suppliers around the globe, maintaining a robust supplier management system is more critical than ever.
The importance of supplier audits can be understood via several key factors:
There are various types of supplier audits with each focusing on a specific aspect of supplier performance or compliance.
Below are some of the more common types.
Compliance audits verify that suppliers meet various legal, regulatory and contractual requirements.
Think of this type of audit as a process where a company’s processes or documents are examined for compliance in areas such as financial regulation, environmental regulation and employment law.
SaaS companies, for example, will need to prove that they do not violate copyright laws and follow standards that relate to interoperability.
As the name suggests, quality audits examine a supplier’s quality management systems and processes.
The objective here is to ensure that the supplier’s quality management system (QMS) consistently meets the buyer’s standards and specifications.
Part of a robust QMS is the ISO 9001 global quality management standard, which helps suppliers of all sizes (and in all industries) meet customer quality expectations.
Financial audits review the financial health and stability of the supplier. These audits assess the risk of financial instability or insolvency that could impact the supplier’s ability to fulfil contracts.
To conduct an audit, the buyer may analyse:
Process audits focus on specific processes across the supplier’s operations, with each examined for efficiency and efficacy. Areas for improvement may be identified to increase consistency and optimise supply chain performance.
Key focus areas for process audits include:
With companies increasingly responsible for the conduct of every link in their supply chain, suppliers are routinely audited for their social and ethical footprint.
In most cases, suppliers are checked for their compliance with labour laws – especially in countries where laws related to fair wages, working hours and safe work conditions are questionable.
Some audits focus on the ethical behaviour of a supplier. In other words, has it instituted anti-corruption measures or fair trade practices? Others assess a supplier’s commitment to the environment and sustainability.
The supplier audit process consists of three broad stages: planning and preparation, execution and report submission/debrief.
Before any of these stages, something prompts the audit in the first instance. Many audits are precipitated by quality issues, delivery delays or financial instability.
Other reasons include:
Let’s now explain each of the three stages.
In the planning stage, it is important to draft a plan that details the scope, objectives and criteria of the audit.
The scope defines the boundaries or extent of the audit. It may be limited to certain products, services, processes, locations or departments.
The audit’s objectives correlate with its goals and intended outcomes.
Example objectives, as we touched on earlier, include compliance verification, quality assessment, risk identification, performance evaluation or process improvement.
The criteria of a supplier audit are the standards, benchmarks and requirements against which the supplier’s performance will be evaluated.
To establish these criteria, the buyer can return to the audit objectives for inspiration. They can also identify risk factors, review supplier documentation and analyse the supplier’s performance history.
For a supplier that offers financial services and consulting to a major bank, key criteria may relate to:
The audit checklist should define the objectives of the audit in addition to criteria that are objective and measurable. It should also include:
Supplier audit checklists tend to utilise a question-based rating system where buyers can assess the performance of their vendors. For example, one question to be scored may be “Does the supplier have a document management system?”
The structure of the checklist will depend on the business and its industry. Nevertheless, a common method of scoring supplier performance is as follows:
Once the checklist has been completed, it can be pilot-tested to identify any knowledge gaps and then distributed to the audit team.
An audit team with the necessary expertise must be assembled to communicate the plan to the supplier in advance.
This team comprises staff from the buyer organisation, who also decide whether the audit will be conducted internally or externally.
In most cases, an external third party performs the audit on behalf of the buyer.
The supplier is then notified that an audit will take place, with the notice period dependent upon contractual agreements, regulatory requirements, best practices or industry standards.
In the execution stage, the audit team or third party performs the audit.
This encompasses:
Once the audit has been completed, the auditors prepare a meticulous report that details areas of compliance, areas of non-compliance and recommended improvements.
Documentary evidence such as quantitative data, interviews and other observations is also attached to support the team’s assertions.
Some preliminary observations may be shared with the supplier before the report is finalised. Alternatively, the audit report is finalised and presented to the supplier and, if applicable, to management staff of the third-party auditor.
The supplier and all relevant stakeholders are then debriefed on the report. Key findings are presented in a constructive manner and any concerns or queries are addressed.
For areas of non-compliance, the auditors and supplier must agree on the required corrective actions. Clear deadlines must be set for their implementation with mechanisms also put in place to monitor the supplier’s progress.
This phase is essential for maintaining transparency, addressing any issues identified during the audit and fostering a collaborative relationship that is conducive to positive change.
In the aftermath of a supplier audit and upon receipt of the report, the supplier will usually conduct an internal review with the relevant department(s).
From there, an action plan will be developed that incorporates a root cause analysis to understand the drivers of non-conformities. The plan also details corrective actions, preventative actions and who is responsible for their implementation.
Some general corrective actions include:
The supplier will then monitor and evaluate the actions to ensure their effectiveness. This may involve further internal audits or self-assessments, periodic progress meetings or data analysis and performance tracking.
Based on specific requirements, the supplier must also provide updates to the auditor on the implementation of corrective actions.
In some cases, there may also be follow-up audits to verify that the supplier has adequately addressed the issues raised.
In summary: