1. Purpose
To define a comprehensive, risk-based, and systematic procedure for the evaluation, qualification, approval, and continuous monitoring of vendors, ensuring that all materials and services procured consistently meet quality, safety, and regulatory requirements (GMP/GDP).
This SOP aims to:
- Safeguard product quality and patient safety
- Ensure regulatory compliance
- Strengthen supply chain reliability
- Promote continuous improvement
2. Scope
This SOP applies to all vendors supplying:
- Active Pharmaceutical Ingredients (APIs)
- Excipients
- Primary and secondary packaging materials
- Contract manufacturing organizations (CMOs)
- Contract testing laboratories
- Critical service providers (e.g., sterilization, calibration)
Applicable to all departments involved in vendor lifecycle management:
- Quality Assurance (QA)
- Quality Control (QC)
- Procurement/Purchase
- Regulatory Affairs (RA)
- Warehouse
3. Responsibilities
3.1 Quality Assurance (QA)
- Prepare and maintain vendor audit program
- Perform risk assessment and vendor classification
- Plan, conduct, and document audits
- Review and approve CAPA
- Finalize vendor approval/rejection
- Maintain Approved Vendor List (AVL)
3.2 Procurement/Purchase
- Identify potential vendors
- Collect vendor documentation
- Ensure procurement from approved vendors only
- Communicate audit schedules with vendors
3.3 Quality Control (QC)
- Evaluate material quality data
- Provide analytical reports and trends
- Support technical evaluation during audits
3.4 Regulatory Affairs (RA)
- Verify compliance with regulatory requirements
- Review vendor certifications and approvals
3.5 Warehouse
- Ensure materials are received from approved vendors
- Maintain traceability and storage compliance
3.6 Vendor
- Provide complete and accurate documentation
- Facilitate audit activities
- Implement CAPA within defined timelines
4. Definitions
- Vendor/Supplier: Entity supplying materials/services impacting product quality
- Vendor Audit: Systematic evaluation of vendor’s compliance with GMP
- Critical Vendor: Vendor directly impacting product quality (e.g., API supplier)
- CAPA: Corrective and Preventive Action
- AVL: Approved Vendor List
- For-Cause Audit: Audit triggered by quality issues
5. Procedure
5.1 Vendor Lifecycle Overview
- Vendor Identification
- Pre-Qualification
- Risk Assessment
- Audit Planning
- Audit Execution
- CAPA Management
- Approval & Listing (AVL)
- Performance Monitoring
- Periodic Requalification
5.2 Vendor Classification (Risk-Based)
Vendors shall be classified based on risk to product quality:
| Category | Examples | Audit Requirement |
|---|---|---|
| Critical | API, sterile products, CMOs | Mandatory on-site audit |
| Major | Excipients, primary packaging | Audit required |
| Minor | Secondary packaging | Questionnaire-based |
Risk Factors Considered:
- Material criticality
- Regulatory impact
- Past performance
- Supply chain complexity
5.3 Vendor Pre-Qualification
Step 1: Vendor Information Collection
Vendor shall submit:
- Company profile
- GMP certificate
- Manufacturing license
- Regulatory approvals
- Product specifications
- COA samples
- Previous audit reports
Step 2: Vendor Questionnaire Review
QA evaluates:
- Quality systems
- Documentation practices
- Infrastructure
- Compliance history
Step 3: Risk Assessment
- Assign risk rating (High/Medium/Low)
- Decide audit type:
- On-site
- Remote
- Paper-based
5.4 Audit Planning
- Annual audit schedule prepared by QA
- Audit plan includes:
- Scope
- Objectives
- Audit team
- Timeline
Audit Notification
- Sent to vendor at least 2–4 weeks in advance
- Includes agenda and document requirements
5.5 Audit Execution
5.5.1 Opening Meeting
- Introduce audit team
- Confirm audit scope
- Review agenda
5.5.2 Detailed Audit Areas
A. Quality Management System (QMS)
- SOP control
- Deviation handling
- Change control
- CAPA effectiveness
B. Personnel & Training
- Qualification
- Training records
- GMP awareness
C. Facilities & Equipment
- Layout and design
- Maintenance
- Calibration
D. Production & Process Control
- Process validation
- In-process controls
- Batch records
E. Quality Control
- Testing methods
- Stability studies
- Laboratory controls
F. Material Management
- Raw material control
- Storage conditions
- Traceability
G. Documentation Practices
- Data recording
- Record retention
- Good Documentation Practices (GDP)
H. Data Integrity
- ALCOA+ principles
- Electronic system controls
- Audit trails
I. Regulatory Compliance
- GMP adherence
- Inspection history
- Licenses and certifications
5.5.3 Observation Classification
| Classification | Description |
|---|---|
| Critical | Direct risk to patient safety |
| Major | Significant GMP deviation |
| Minor | Low-risk issue |
5.5.4 Closing Meeting
- Present observations
- Discuss CAPA timelines
- Obtain vendor agreement
5.6 Audit Reporting
- Audit report issued within 15 working days
- Report includes:
- Summary
- Detailed observations
- Risk classification
- CAPA requirements
5.7 CAPA Management
CAPA Submission
- Vendor must submit within 15–30 days
QA Review
- Evaluate:
- Root cause
- Corrective actions
- Preventive measures
CAPA Approval
- Accepted / Rejected / Requires revision
Follow-Up
- Re-audit if required
5.8 Vendor Approval
| Status | Criteria |
|---|---|
| Approved | No critical observations |
| Conditional | CAPA pending |
| Rejected | Major/critical non-compliance |
Approved vendors are added to AVL.
5.9 Vendor Performance Monitoring
Continuous monitoring based on:
- Material quality trends
- Complaints
- Deviation reports
- On-time delivery
5.10 Vendor Requalification
Frequency
- Critical: 1–2 years
- Major: 2–3 years
- Minor: As required
Triggers for Re-Audit
- Quality issues
- Regulatory findings
- Change in process/location
5.11 For-Cause Audit
Triggered by:
- OOS results
- Product recalls
- Customer complaints
- Regulatory observations
5.12 Documentation & Record Control
Maintain:
- Audit plans
- Reports
- CAPA records
- Vendor documents
Retention Period: Minimum 5–10 years
6. Compliance & Risk Management
- Follow GMP & GDP guidelines
- Ensure data integrity (ALCOA+)
- Apply risk-based decision-making
- Promote continuous improvement
7. Key Performance Indicators (KPIs)
- % vendors audited on schedule
- CAPA closure time
- Vendor rejection rate
- Audit compliance score
8. Attachments / Templates
- Vendor Questionnaire
- Audit Checklist
- Audit Report Template
- CAPA Form
- Approved Vendor List (AVL)
9. Abbreviations
- GMP – Good Manufacturing Practices
- GDP – Good Documentation Practices
- CAPA – Corrective and Preventive Action
- AVL – Approved Vendor List
- QMS – Quality Management System
Here are 30 in-depth FAQs for Vendor Audit SOP, designed to be practical, interview-ready, and regulatory-focused:
📌 FAQs – Vendor Audit SOP
1. What is a vendor audit in the pharmaceutical industry?
A vendor audit is a systematic and independent evaluation of a supplier’s quality systems, manufacturing practices, and compliance with GMP requirements to ensure that materials/services meet predefined quality standards.
2. Why is vendor qualification mandatory before procurement?
It ensures that only reliable and compliant suppliers are used, reducing risks of:
- Product contamination
- Regulatory non-compliance
- Batch failures
3. What are the different types of vendor audits?
- On-site Audit – Physical inspection of facility
- Remote Audit – Virtual/document-based
- For-cause Audit – Triggered by issues
- Routine Audit – Periodic re-evaluation
4. What is a risk-based approach in vendor audits?
It involves classifying vendors based on criticality and impact on product quality, ensuring high-risk vendors receive more stringent evaluation and frequent audits.
5. Who decides whether a vendor audit is required?
The Quality Assurance (QA) department decides based on:
- Risk assessment
- Material criticality
- Regulatory requirements
6. What documents are reviewed before conducting an audit?
- GMP certificates
- Quality manual
- Product specifications
- COA (Certificate of Analysis)
- Previous audit reports
7. What is a vendor questionnaire?
A structured document used for preliminary evaluation of a vendor’s:
- Quality system
- Infrastructure
- Regulatory compliance
8. What is the purpose of an opening meeting during an audit?
To:
- Define audit scope
- Introduce audit team
- Align expectations with vendor
9. What areas are covered during a vendor audit?
- Quality Management System (QMS)
- Production processes
- Quality Control
- Warehousing & distribution
- Documentation practices
- Data integrity
10. What is the importance of data integrity in vendor audits?
It ensures that all records are accurate, reliable, and trustworthy, following ALCOA+ principles, which is critical for regulatory compliance.
11. How are audit observations classified?
- Critical: High risk to patient safety
- Major: Significant deviation from GMP
- Minor: Low-risk non-compliance
12. What is a critical observation?
A deficiency that directly impacts:
- Product quality
- Patient safety
- Regulatory compliance
Example: Lack of validated manufacturing process.
13. What is a CAPA in vendor audits?
CAPA stands for Corrective and Preventive Action, addressing:
- Root cause of deviation
- Measures to prevent recurrence
14. What is root cause analysis in CAPA?
It identifies the underlying reason for a problem using tools like:
- Fishbone diagram
- 5 Why analysis
15. What is the typical timeline for CAPA submission?
Usually within 15–30 days after receiving the audit report.
16. What happens if CAPA is not satisfactory?
- Re-submission is required
- Vendor may be downgraded or rejected
- Follow-up audit may be conducted
17. What is the Approved Vendor List (AVL)?
A controlled list of qualified and approved vendors authorized for procurement.
18. Can procurement be done from a non-approved vendor?
Generally not allowed, except in emergencies with:
- QA approval
- Temporary qualification
19. What is vendor requalification?
Periodic reassessment to ensure vendors continue to meet quality and regulatory standards.
20. How often should vendors be audited?
- Critical vendors: Every 1–2 years
- Major vendors: Every 2–3 years
- Minor vendors: As needed
21. What triggers a for-cause audit?
- Product complaints
- OOS (Out of Specification) results
- Regulatory findings
- Supply chain issues
22. What is a remote audit and when is it used?
A virtual audit using:
- Video conferencing
- Document sharing
Used when:
- Travel is restricted
- Vendor risk is low
23. What is a vendor audit checklist?
A structured tool ensuring consistent and comprehensive evaluation of all audit areas.
24. What is the role of procurement during audits?
- Coordinate with vendors
- Share vendor details with QA
- Ensure sourcing from approved vendors
25. What is the significance of COA verification?
It confirms that:
- Test results are accurate
- Materials meet specifications
26. What are common deficiencies observed during audits?
- Poor documentation practices
- Inadequate training records
- Lack of validation
- Data integrity issues
27. What is vendor performance monitoring?
Ongoing evaluation based on:
- Quality trends
- Delivery performance
- Complaints
28. What is a technical agreement with vendors?
A formal document defining:
- Responsibilities
- Quality expectations
- Regulatory obligations
29. What is the role of QA in vendor approval?
QA:
- Conducts audits
- Reviews CAPA
- Grants final approval
30. How does vendor auditing impact regulatory inspections?
Strong vendor audit systems:
- Demonstrate compliance
- Reduce regulatory risks
- Improve inspection outcomes (e.g., USFDA, MHRA)
For more articles, Kindly Click here
For pharmaceutical jobs, follow us on LinkedIn
For Editable SOPs in Word format contact us on info@pharmaceuticalcarrier.com
For more information kindly follow us on www.pharmaguidelines.co.uk
