Guide

How to conduct a second-party supplier audit

Guide to planning and executing second-party audits of critical suppliers. Evaluation criteria, interview techniques, findings, and corrective action plans.

Second-party audits allow you to directly assess a supplier's capability to meet your organization's requirements. Unlike third-party audits, here you define the criteria and scope according to your own risk profile.

Step by step

Classify suppliers by risk level

Not all suppliers require the same level of scrutiny. Classify them as critical, important, and standard based on the impact of a supply chain failure, data breach, or regulatory non-compliance.

Auditor's tip: Audit on-site only critical suppliers. For others, use self-assessment questionnaires validated with documentary evidence.

Define audit criteria and checklist

Establish the criteria against which you will evaluate the supplier: contractual clauses, standard requirements (ISO 27001, ISO 9001), regulatory requirements, and your organization's specific expectations.

Auditor's tip: Include business continuity and cybersecurity criteria, not just quality. The most serious third-party risks are usually operational and information security risks.

Plan the audit and communicate with the supplier

Prepare an audit plan with scope, schedule, audit team, and logistics. Communicate it to the supplier with sufficient advance notice for them to prepare documentation and key personnel availability.

Auditor's tip: Request key documentation before the visit: policies, current certificates, incident records. This optimizes on-site time and focuses the audit on verification, not reading.

Execute the audit using objective evidence techniques

During the audit, use evidence triangulation: combine interviews, document review, and direct observation. Each finding must be supported by verifiable objective evidence.

Auditor's tip: Ask open-ended questions ('Show me how...', 'Explain the process for...') instead of closed questions. Closed questions allow rehearsed answers; open ones reveal real knowledge.

Document findings and agree on corrective action plan

Classify findings as major nonconformities, minor nonconformities, and observations. Present results to the supplier at the closing meeting and agree on deadlines for corrective actions with closure evidence.

Auditor's tip: Set a maximum 90-day deadline for closing major nonconformities. If the supplier fails to close on time, there must be predefined contractual consequences.

Key points

Classifying suppliers by risk avoids wasting resources auditing low-impact suppliers.
Evidence triangulation (interviews + documents + observation) is the most robust technique for defensible findings.
Second-party audits must include cybersecurity and continuity criteria, not just quality.

Frequently asked questions

When the supplier handles sensitive data, is a critical part of your supply chain, or when third-party certification does not cover your organization's specific requirements. Certification shows general conformity; second-party audits verify particular requirements.

The right to audit must be in the contractual clause from the start of the relationship. If the supplier refuses and the clause exists, it is a risk signal that should escalate to the risk or vendor committee.

Comparison

Ready to act on these findings?

Need an assessment in this area?

Request diagnosis→View research→

Loading content…

Frequently asked questions

How to conduct a second-party supplier audit

Step by step

Classify suppliers by risk level

Define audit criteria and checklist

Plan the audit and communicate with the supplier

Execute the audit using objective evidence techniques

Document findings and agree on corrective action plan

Key points

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

ISO 27001

ISO 9001

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

How to conduct a second-party supplier audit

Step by step

Classify suppliers by risk level

Define audit criteria and checklist

Plan the audit and communicate with the supplier

Execute the audit using objective evidence techniques

Document findings and agree on corrective action plan

Key points

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

ISO 27001

ISO 9001

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

How to conduct a second-party supplier audit

Step by step

Classify suppliers by risk level

Define audit criteria and checklist

Plan the audit and communicate with the supplier

Execute the audit using objective evidence techniques

Document findings and agree on corrective action plan

Key points

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

ISO 27001

ISO 9001

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

How to conduct a second-party supplier audit

Step by step

Classify suppliers by risk level

Define audit criteria and checklist

Plan the audit and communicate with the supplier

Execute the audit using objective evidence techniques

Document findings and agree on corrective action plan

Key points

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

ISO 27001

ISO 9001

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?