The Complete Guide to Manufacturing Audit: Internal, Supplier, and Certification Audits

A manufacturer can lose weeks of production and millions of dollars because one supplier changed a material without approval, one gauge missed calibration, or one operator followed an outdated work instruction. That is not theoretical. ETQ’s 2025 Pulse of Quality in Manufacturing survey found that 75% of surveyed firms had experienced a product recall in the previous five years, and nearly half of those recalls cost between $10 million and $49.99 million.

Manufacturing audits are structured, evidence-based evaluations of manufacturing processes, facilities, and systems. They verify whether your existing operations conform to documented procedures, customer requirements, regulatory requirements, and industry standards. For automotive, aerospace, electronics, food and beverage, medical device, and other regulated manufacturing companies, audits are a risk management tool, not just another checkbox for regulatory authorities.

This guide covers internal manufacturing audit programs, the supplier audit process, and external certification audits such as an ISO 9001 audit or IATF 16949 audit. You will learn how to plan and conduct detailed audits, what auditors look for, how to document audit findings, and how to turn every audit report into an audit corrective action plan that drives continuous improvement.

Internal manufacturing audits are the backbone of an effective quality management system. ISO 9001:2015 and IATF 16949 both require internal audit programs, but the best companies treat them as part of an effective manufacturing audit approach, not just a compliance exercise. They use internal audits to improve production processes and manufacturing operations, strengthen quality assurance, support safety and quality standards, and identify improvement opportunities before customers or certification bodies find the gaps.

What is an internal manufacturing audit?

An internal manufacturing audit is a first-party audit conducted by your own organization. It verifies that internal processes, departments, and production areas conform to documented procedures, quality specifications, customer requirements, and relevant industry standards.

The audit scope may include production lines, maintenance, calibration labs, warehousing, purchasing, inventory management, logistics, receiving inspection, final inspection, and quality control. In many facilities, internal audits also include manufacturing process audits, product audits, compliance audits, and system audit reviews of the overall management framework of operations.

The audit team should be trained and independent of the area being audited. For example, a maintenance supervisor should not audit maintenance records alone, but may support a trained lead auditor as a subject matter expert. The internal audit team reviews relevant documents, interviews operators, observes production, samples records, and compares actual work against documented procedures.

Internal audits also support audit preparation for external audits. They provide management review inputs, reveal weak points in the quality management system, and help your team prepare for a successful audit with customers or certification bodies.

Use these examples as a starting point for your internal manufacturing audit checklist:

• Are all controlled work instructions at the workstation current and approved?
• Are all gauges in this cell within their calibration due date?
• Are operators trained and qualified for the tasks they are performing?
• Can the team trace material lots, components, and inspection results for a recent order?
• Are nonconforming parts identified, segregated, and dispositioned under procedure?
• Are preventive maintenance tasks completed according to schedule?
• Are safety, hygiene, and housekeeping requirements being followed?
• Were previous audit findings verified for effectiveness?

Checklists should be prepared in advance for effective audits and mapped to relevant clauses of standards such as ISO 9001:2015. Just for clarification, a checklist is not the audit itself. It is a guide to help auditors test whether the process is working.

Supplier performance is part of your own manufacturing quality. If a supplier ships unstable material, misses a process change, or loses traceability, your plant may absorb the cost through line downtime, scrap, warranty claims, or recalls. ETQ’s 2025 survey reported that 48% of recalls were attributed to supply chain issues, which is exactly why supplier audits matter.

What is a supplier audit and why it matters?

A supplier audit is a second-party assessment of a supplier’s facilities, production processes, quality system, capacity, and compliance controls. It may be performed on-site, remotely, or by an approved representative. The goal is to verify that the supplier can meet your quality, delivery, regulatory, and customer requirements consistently.

Supplier audits support supply chain risk management by finding weak controls before they become line stoppages or field failures. They also reduce dependence on incoming inspection because quality is verified closer to the source.

In regulated sectors, supplier oversight is not optional. Automotive OEM requirements, medical device regulations, aerospace customer rules, and food safety schemes often require documented supplier control. These audits check both compliance and capability: Can the supplier meet the drawing today, and can they keep meeting it as volume, materials, or engineering changes shift?

💡 Pro Tip: Focus your supplier audit scope on high-risk materials, critical components, outsourced special processes, and historically problematic vendors. Do not spend the same effort on a low-risk packaging supplier and a safety-critical machined component supplier.

Types of supplier audits

Most organizations use several supplier audit types:

• Pre-qualification audits: Conducted before onboarding a new supplier. These evaluate certifications, equipment, technical capability, staffing, capacity, and fit with your requirements.
• Periodic audits: Scheduled annually, biannually, or based on risk for approved suppliers. These confirm ongoing control and continuous improvement.
• For-cause audits: Triggered by serious defects, delivery failures, customer complaints, suspected fraud, or repeated audit non-conformance.
• Virtual or remote audits: Useful for document review, video tours, and lower-risk suppliers. They save time but may not fully replace an on-site visit.
• On-site audits: Best for high-risk suppliers, new process validation, capability audits, and situations where factory-floor evidence matters.

Your audit plan should segment suppliers by risk, spend, complexity, and criticality. A supplier making a custom implantable device component needs a different audit frequency than a supplier of standard office labels.

The supplier audit process

A practical supplier audit process includes:

1. Select suppliers to audit: Use risk, performance, spend, and customer requirements.
2. Define audit scope and criteria: Include quality management system status, process controls, traceability, sub-tier supplier controls, capacity, contingency plans, and regulatory compliance.
3. Plan and schedule the visit: Confirm dates, audit team, language needs, safety rules, and required records.
4. Conduct the audit: Tour receiving, production, inspection, warehousing, and shipping. Interview operators, supervisors, quality staff, and relevant stakeholders.
5. Score the supplier: Use a supplier audit scorecard to create a consistent rating.
6. Issue the report: Document strengths, audit findings, non-conformances, and required responses.
7. Manage corrective actions: Require containment, root cause analysis, long-term action, owners, deadlines, and evidence.

During the actual audit, do not rely only on conference room documents. Walk the floor. Compare the control plan to real equipment settings. Pull a shipped lot and trace it backward. Ask how changes are approved. Look at scrap trends, rework records, complaints, and prior corrective actions.

Certification audits are independent external audits that verify your management system conforms to a published standard. For many manufacturers, certification is required to win business, keep customers, or demonstrate audit compliance to regulatory authorities and major buyers.

What is a certification audit?

A certification audit is a formal third-party audit conducted by an accredited certification body. The auditor verifies that your quality management system, environmental system, food safety system, or other management framework meets the requirements of a standard.

Certification audits focus on systems and processes, not only products. A third-party auditor will sample records, interview employees, observe work, and test whether documented procedures are implemented effectively.

First-party audits are internal audits. Second-party audits are supplier or customer audits. Third-party audits are certification audits. The independence of the auditor is what gives certification credibility.

Certificates commonly operate on a three-year cycle with surveillance audits in between. Certification bodies operate under accreditation rules such as ISO/IEC 17021-1, which helps ensure consistency in the certification process.

Key standards relevant to manufacturing

The International Organization for Standardization (ISO) sets standards relevant to manufacturing audits, but many sector schemes add extra requirements. Key examples include:

• ISO 9001: Quality management for any industry. It covers customer focus, process control, risk-based thinking, performance evaluation, and improvement.
• ISO 14001: Environmental management, including environmental impacts, compliance obligations, resource use, and waste controls.
• IATF 16949: Automotive quality management built on ISO 9001 with requirements for automotive core tools, product safety, customer-specific requirements, and supplier oversight.
• AS9100: Aerospace quality, including configuration management, product safety, counterfeit part prevention, risk management, and special process control.
• ISO 13485: Medical device quality management, with strong emphasis on regulatory requirements, risk, traceability, design controls, complaint handling, and post-market surveillance.
• FSSC 22000: Food safety management, including HACCP, prerequisite programs, food safety culture, and supply chain controls.

Many manufacturers hold multiple certifications, such as ISO 9001 and ISO 14001. Integrated audits can reduce disruption when standards share common requirements like internal audits, management review, documented processes, and data-driven continuous improvement.

Stages of a certification audit

A certification audit usually follows a defined path:

1. Stage 1 document review: The auditor reviews scope, documented processes, internal audit history, management review, KPIs, and readiness. This may be off-site or partly on-site.
2. Stage 2 on-site audit: The auditor visits the facility, samples processes involved in the management system, interviews employees, and verifies real implementation.
3. Surveillance audits: These occur during the certification cycle, often annually. They focus on selected processes, performance trends, customer issues, and previous non-conformances.
4. Recertification audit: Near the end of the three-year cycle, the auditor performs a broader review to decide whether the certificate should be renewed.

Audit duration is usually based on rules tied to headcount, complexity, number of sites, shift patterns, and audit scope. It cannot normally be shortened just because a company wants less disruption.

How to prepare for a certification audit

Certification audit preparation should start months before the audit date. Do not wait until the week before the auditor arrives.

Use this practical sequence:

• Perform a gap analysis against the selected standard.
• Complete at least one full internal audit cycle.
• Close or contain major internal non-conformances.
• Review and control all relevant documents.
• Train employees on their roles, procedures, records, and escalation paths.
• Conduct management review using current KPIs, customer feedback, complaints, supplier performance, and audit findings.
• Prepare a certification audit checklist mapped to standard clauses, such as ISO 9001:2015 clauses 4 through 10.
• Confirm that records are easy to retrieve and match actual practice.

Employees do not need memorized speeches. They need to explain how they do their work, where instructions are located, what quality checks are required, and what they do when something goes wrong.

💡 Pro Tip: Run a mock certification audit three to six months before the real event. Keep a simple audit war room with updated KPIs, process maps, procedures, customer requirements, and major improvement projects.

What happens when non-conformances are found?

A non-conformance is a failure to meet a specific requirement of a standard, customer requirement, regulation, or your own documented system. In certification audits, non-conformances are usually classified as minor or major.

A minor non-conformance indicates a limited failure that does not show broad system breakdown. It typically requires a documented corrective action plan within a set timeframe, often 30 to 90 days.

A major non-conformance indicates serious failure, missing implementation, risk to product conformity, or repeated breakdown. It may require urgent correction, additional evidence, or a follow-up visit. Unresolved major findings can delay certification or lead to suspension of an existing certificate.

Auditors may also identify observations or opportunities for improvement. These do not usually require formal corrective actions, but smart organizations review them anyway. According to BRCGS food safety audit reporting summarized by Food Manufacturing , over 100,000 non-conformities were recorded under BRCGS Food Safety Issue 9 in 2024, showing how often documented systems and floor execution can drift apart.

Manufacturing audits (internal, supplier, and certification) are not bureaucratic obligations. They are the most reliable diagnostic tools your organization has for identifying risk before it becomes a crisis.

Internal audits keep your own processes honest and continuously improving. Supplier audits extend your quality standards upstream, where many of the most damaging failures begin. Certification audits provide independent verification that your systems meet the standards your customers and regulators require.

Together, the three create a quality ecosystem that protects your product, your relationships, and your reputation. The manufacturers who treat audits as an ongoing management discipline (rather than an annual fire drill) are the ones who catch problems early, retain certifications without scrambling, and build the kind of supplier and customer trust that is genuinely hard to replicate.

The question isn't whether your operation can afford rigorous audits. It's whether it can afford not to have them.