Why Your Supplier Evaluation Register Gets Scrutinised So Heavily
If you have been through an ISO 9001 certification audit, you already know that auditors spend a disproportionate amount of time on supplier controls. The supplier evaluation register is one of the most commonly cited areas for nonconformities, and it is not because businesses are ignoring the requirement. It is because most registers look like they were built to satisfy a checklist rather than to actually manage supplier risk.
The good news is that building a register that genuinely passes audit is not complicated. You do not need expensive software or a dedicated procurement team. What you need is a clear understanding of what Clause 8.4 of ISO 9001:2015 actually requires, and a register structure that reflects how your business genuinely evaluates and monitors the people and organisations it buys from.
This article walks you through exactly how to build that register, field by field, with practical examples drawn from real audit scenarios.
What Clause 8.4 Actually Requires
Clause 8.4 of ISO 9001:2015 covers the control of externally provided processes, products and services. It applies whenever you purchase anything that ends up in your product or service, or whenever an external party performs a process on your behalf.
The standard requires your organisation to:
- Determine and apply criteria for evaluating, selecting, monitoring and re-evaluating external providers
- Retain documented information of these activities and any necessary actions arising from evaluations
- Communicate requirements clearly to external providers
- Ensure externally provided processes, products and services do not adversely affect your ability to consistently deliver conforming products and services to customers
Notice that the standard does not prescribe a specific format. It does not tell you to use a spreadsheet, a database, or a particular set of fields. What it requires is evidence that you have a systematic approach to managing supplier risk. Your register is the primary piece of documented information that demonstrates this.
The ISO 9001:2015 standard text is worth reading directly if you have not done so recently. The language is more practical than many people expect.
Common Reasons Supplier Registers Fail Audit
Before building the register, it helps to understand why so many fail. In my experience reviewing systems before certification audits, the same problems come up repeatedly.
The register exists but is never updated
A register that was created during the initial implementation and has not been touched since is worse than useless in an audit. It tells the auditor that your supplier controls exist on paper only. If your last evaluation date for a critical supplier is three years ago, that is a nonconformity waiting to happen.
All suppliers are treated the same
Not every supplier carries the same risk. The company that supplies your office stationery does not need the same level of scrutiny as the subcontractor who installs electrical systems in buildings you certify. A register that treats both identically suggests you have not actually assessed risk at all.
Evaluation criteria are vague or missing
Writing “quality” or “performance” in the criteria column tells an auditor nothing. How do you measure quality? What does acceptable performance look like? Criteria need to be specific enough that a different person could apply them and reach the same conclusion.
No evidence of re-evaluation
Initial approval is only half the requirement. You need to show that you monitor and re-evaluate suppliers on an ongoing basis. This means the register needs fields that capture re-evaluation dates, outcomes, and any actions taken.
The register does not align with the rest of the QMS
If your nonconformance records reference supplier failures but those suppliers are listed as “approved” in the register with no corresponding review, an auditor will immediately question whether your system is integrated or just a collection of separate documents.
The Structure of a Register That Passes Audit
A well-built supplier evaluation register does not need to be elaborate. A well-structured spreadsheet works perfectly for most small to medium businesses. What matters is that the fields are logical, consistently populated, and clearly connected to your evaluation process.
Here is the field structure I recommend, with an explanation of why each field matters.
Supplier Name and Unique Identifier
Every supplier needs a name and a reference number or code. The code allows you to cross-reference the supplier across other documents in your QMS, such as purchase orders, nonconformance reports, and audit records. Without this, traceability breaks down quickly.
Category of Supply
Group suppliers by what they provide. Common categories include raw materials, subcontracted services, professional services, equipment and calibration, and IT and software. This field helps you apply consistent criteria across similar suppliers and makes it easier to filter the register when preparing for audits.
Criticality Rating
This is one of the most important fields in the register. Assign each supplier a criticality rating based on the potential impact their failure would have on your product or service quality. A simple three-tier system works well: Critical, Significant, or Low.
A Critical supplier is one whose failure would directly cause a quality failure in your output or create a safety or regulatory issue. A Significant supplier affects quality but with some buffer or alternative available. A Low supplier provides items or services with minimal quality impact.
The criticality rating should drive how often you re-evaluate the supplier and what monitoring activities you apply. This is what demonstrates to an auditor that your approach is risk-based, which is a core principle of ISO 9001:2015 that runs through Clause 4.4 and beyond.
Evaluation Criteria
List the specific criteria used to evaluate this supplier. These should be objective and measurable where possible. Examples include:
- Holds current ISO 9001 certification (verifiable via certification body database)
- On-time delivery rate above 95% over the last 12 months
- Zero critical nonconformances in the last 12 months
- Completed supplier questionnaire with a minimum score of 70%
- Satisfactory site visit or remote audit outcome
- Compliant with applicable regulatory requirements in their jurisdiction
The criteria do not need to be identical for every supplier. A Critical supplier might require certification verification and a completed questionnaire. A Low supplier might only require a completed questionnaire or a satisfactory reference check. The important thing is that the criteria are documented and applied consistently within each category.
Initial Evaluation Date and Outcome
Record when the supplier was first evaluated, what method was used, and what the outcome was. The outcome should be one of three things: Approved, Conditionally Approved (with conditions listed), or Not Approved. If a supplier is Conditionally Approved, there should be a corresponding action item with a due date and owner.
Current Approval Status
This field should reflect the current standing of the supplier, not just the initial evaluation. It needs to be updated whenever a re-evaluation occurs or when a significant event (such as a major nonconformance or a change in the supplier's certification status) triggers a review.
Re-evaluation Frequency
Set a re-evaluation frequency based on criticality. A common approach is:
- Critical suppliers: annually or after any significant quality event
- Significant suppliers: every 18 to 24 months
- Low suppliers: every three years or on contract renewal
Document this frequency in the register so it is clear what your commitment is. Auditors will check whether your actual re-evaluation dates align with the frequency you have set for yourself.
Last Re-evaluation Date and Next Due Date
These two fields are what most registers are missing. They make it immediately visible whether your re-evaluations are current. If the next due date has passed and there is no updated evaluation on record, you have a gap. Catching this before an audit is far better than explaining it to an auditor.
Re-evaluation Method and Outcome
Record what method was used for the re-evaluation and what the result was. Methods might include reviewing delivery performance data, reviewing nonconformance records related to the supplier, checking their certification status online, sending a re-evaluation questionnaire, or conducting a supplier visit. The outcome should be clearly stated: Continued Approval, Conditional Approval with actions, or Removed from Approved List.
Performance Notes and Linked Records
Include a free-text field for any relevant notes, and a reference field that links to related records such as nonconformance reports, corrective actions, or purchase orders. This is what makes your register a living document rather than a static list. When an auditor asks why a supplier's status changed, you can point directly to the linked record.
Practical Example: A Small Construction Subcontractor Register
Consider a small construction company certified to ISO 9001 that uses three types of external providers: structural engineers, electrical subcontractors, and materials suppliers.
Their register has 22 suppliers in total. The structural engineers and electrical subcontractors are rated Critical because their work directly affects the safety and compliance of the finished building. Materials suppliers are rated Significant or Low depending on whether the material is load-bearing or incidental.
For Critical suppliers, the company requires a current ISO 9001 or ISO 45001 certificate, a completed supplier questionnaire, and an annual performance review based on site feedback and defect records. For Low suppliers, a completed questionnaire at the time of first order is sufficient, with a review triggered only if a nonconformance is raised.
During their last surveillance audit, the auditor reviewed five supplier records at random. All five had current re-evaluation dates, linked performance records, and clearly documented approval statuses. The auditor noted it as a strength of the system. That outcome did not happen by accident. It happened because the register was structured to be maintained, not just created.
Connecting the Register to the Rest of Your QMS
A supplier evaluation register that sits in isolation is a weak piece of evidence. Its value multiplies when it is visibly connected to other parts of your quality management system.
Link to your nonconformance process
Whenever a supplier causes or contributes to a nonconformance, that event should trigger a review of the supplier's status in the register. If you raise a corrective action against a supplier, the register should reflect that review occurred and document the outcome. This connection shows auditors that your supplier controls are responsive, not just administrative.
Link to your purchasing process
Your purchasing procedure should reference the supplier register as the source of approved suppliers. Procurement staff should be required to check the register before placing an order with any new or existing supplier. If a supplier is not on the approved list, there should be a clear process for how they get evaluated before being used.
Link to your risk register
For Critical suppliers, it is worth referencing supplier risk in your broader risk register. What happens if this supplier fails? Do you have a contingency? This is particularly relevant for sole-source suppliers where there is no readily available alternative. Connecting supplier risk to your organisational context analysis demonstrates mature, integrated thinking.
Link to management review
Supplier performance should be a standing agenda item in your management review meetings. Include a summary of supplier evaluation outcomes, any suppliers added or removed from the approved list, and any open corrective actions related to supplier performance. Documenting this in your management review minutes shows that top management is engaged with supplier risk, which directly supports the leadership requirements of Clause 5.1.
Maintaining the Register Between Audits
The most common failure point is not building the register. It is keeping it current. Here are three practical habits that prevent your register from going stale.
Assign a register owner
One person needs to be responsible for the register. This does not mean they do all the evaluations, but they are responsible for ensuring evaluations happen on time, outcomes are recorded, and the register reflects current reality. Without a named owner, maintenance drifts.
Set calendar reminders for re-evaluation due dates
Do not rely on people checking the register to notice when a re-evaluation is due. Set automated reminders, whether in your calendar system, your document management platform, or your project management tool. When the reminder fires, the owner follows up with the relevant person to complete the evaluation and update the register.
Review the register at every internal audit cycle
Your internal audit programme should include a review of the supplier evaluation register at least once per audit cycle. Check that all re-evaluations are current, that approval statuses reflect actual performance, and that any linked corrective actions have been closed or are being actively managed. Catching gaps internally is always better than having an auditor find them.
A Note on Supplier Self-Declarations and Questionnaires
Many businesses use supplier questionnaires as their primary evaluation tool, particularly for lower-risk suppliers. This is entirely acceptable under ISO 9001, provided you treat the responses as evidence rather than just administrative paperwork.
If a supplier declares that they have a quality management system but cannot provide a certificate or any supporting evidence, that declaration should be treated with appropriate scepticism. For Critical suppliers, a self-declaration alone is rarely sufficient. For Low suppliers, it may be perfectly adequate.
The key is that your evaluation criteria define what level of evidence is required for each category, and you actually verify that evidence rather than just filing the questionnaire. An auditor who asks to see the evidence behind an approval decision should be able to find it referenced in the register or attached to the supplier record.
Getting Help With Your Supplier Controls
If you are building a supplier evaluation register for the first time, or if your existing register has been flagged in a previous audit, it is worth getting a second opinion from someone who has reviewed these documents from both sides of the audit table. A good ISO consultant can review your register structure, identify gaps before your audit, and help you build the connecting documentation that makes the register credible.
If you are looking for a consultant with genuine QMS experience, CertBetter connects Australian businesses with vetted ISO consultants and certification bodies. You submit one form and receive up to three competing quotes, which makes it straightforward to compare experience and pricing without spending hours on research. The service is free for businesses seeking certification support.




