A finished-product recall almost never starts on your line. It starts on someone else's — a supplier who shipped out of spec, a certificate of analysis that was never read, an incoming lot that was waved through receiving because the truck was blocking the dock. FSMA made that someone else's problem your legal problem: under the supply-chain program rules, you are responsible for verifying that the hazards in the materials you buy are being controlled, by whoever controls them. A structured supplier quality program is how you carry that responsibility without drowning in paper — and an iFactory supplier quality workspace turns the qualification records, scorecards, and verification activities the rule expects into one auditable system instead of a folder no one can find during an inspection.
iFactory Supplier Quality for Food
Food Supplier Quality Management That Holds Up to an Audit
FSMA expects you to verify your suppliers, not just trust them. Here is how to qualify, score, and re-verify suppliers in a way that protects food safety and your audit position at the same time.
3 yr: max re-evaluation cycle under the rule
95%+: SQF score that signals excellence
1 dock: where most quality gaps live
483: what an undocumented gap becomes
Qualification and Performance Are Not the Same Thing
The single most common supplier-quality mistake is treating a one-time qualification as if it were ongoing assurance. Qualification tells you what a supplier was capable of on the day you evaluated them. Performance monitoring tells you what they are actually shipping you, week after week. They answer different questions, and confusing the two is a real food-safety risk — a supplier can pass a glowing audit in March and quietly drift out of spec by September. A serious program runs both tracks, and keeps them visibly separate.
Qualification (at onboarding): "Can this supplier do the job?"
GFSI certification on file and current
Approved specifications and signed spec sheets
Initial on-site or virtual audit
Food-safety history and recall record
Performance Monitoring (every shipment, forever): "Is this supplier still doing the job?"
On-time, in-full delivery rate
Incoming defect and rejection rate
CoA accuracy against actual results
Responsiveness to non-conformance reports
Not Every Supplier Earns the Same Scrutiny
Treating a spice importer the same as a corrugated-box vendor wastes effort where it doesn't matter and starves attention where it does. The rule expects verification intensity to follow risk — so the first design decision in any program is a risk tier that decides how hard each supplier gets verified. The ladder below is the logic most food plants land on: the higher the hazard the material carries into your process, the more verification it has to clear before and after approval.
Tier 3 — High Risk
Materials: Ready-to-eat ingredients, allergens, raw proteins, materials with no downstream kill step
Verification: Annual on-site audit + lot testing + CoA review + scorecard
Tier 2 — Medium Risk
Materials: Ingredients controlled by a downstream process step, secondary packaging in food contact
Verification: Periodic audit + CoA review + scorecard
Tier 1 — Low Risk
Materials: Non-contact packaging, shipping supplies, indirect materials
Verification: Document review + delivery performance tracking
The Four Numbers a Supplier Scorecard Lives On
A scorecard is what turns the noise of day-to-day receiving into a legible picture of supplier health. The trick is to score on the few metrics that actually predict a problem — not thirty vanity fields no one updates. These four, tracked over time and reviewed at a fixed cadence, catch most of the drift before it becomes a deviation.
On-Time In-Full: 96%
Did the right quantity arrive on the promised date? Late and short shipments force line changes that create their own quality risk.
Incoming Defect Rate: 1.7% rejected
Share of received lots failing incoming inspection. A creeping rate is the earliest signal a supplier's process is slipping.
CoA Accuracy: 92%
How often the certificate of analysis matches your own verification testing. A CoA you can't trust is worse than no CoA.
NCR Responsiveness: 4.2 day avg
Time from a non-conformance report to a documented corrective action. Slow responders are the ones that repeat the same defect.
How You Actually Verify a Supplier
Verification is the part of the rule with teeth: you have to choose an activity appropriate to the hazard, do it, and keep the record. There is no single right method — the point is that the method matches the risk, and that you can show why you picked it. These are the four the rule recognizes and how food plants tend to use them.
On-Site Audit (best for high-risk suppliers)
A qualified auditor at the supplier's facility. Strongest evidence, highest cost — reserve it for Tier 3 and for suppliers whose scorecard has slipped.
Lot or Periodic Testing (best for hazard confirmation)
Sampling and testing incoming material against spec. The direct check on whether the CoA reflects reality — pathogens, allergens, composition.
Records Review (best for medium-risk suppliers)
Reviewing the supplier's own food-safety records, monitoring logs, and corrective actions. Lower cost, defensible when paired with a strong scorecard.
Third-Party Certification (best as a qualification floor)
GFSI-benchmarked schemes like SQF or BRCGS. A current certificate is the entry ticket, not the whole program — performance still has to be monitored.
The Receiving Dock Decides Everything
The dock is where the promises on paper meet a physical pallet — and it's where quality controls are usually thinnest, because the pressure to clear the truck is real. A documented incoming decision flow is what keeps a rushed receiver from becoming the root cause of your next recall. Every lot should travel one of three clearly recorded paths, and a rejection that isn't logged simply doesn't exist when the auditor asks.
Incoming lot arrives at dock
Check: CoA present · spec match · visual condition · temperature
Pass: Release to inventory, record the inspection, update the supplier scorecard.
Conditional: Quarantine pending test result or CoA follow-up. Label, log, and hold — no use until cleared.
Reject: Physically quarantine, label, log the non-conformance, raise an NCR to the supplier.
What Good Looks Like, Stage by Stage
Most food plants don't lack a supplier program — they lack a connected one. Records live in inboxes, scorecards live in someone's spreadsheet, and the audit trail gets rebuilt by hand the week before an inspection. The track below is the honest path from a paper-and-folder program to one an investigator can't poke a hole in.
Stage 1: Reactive
Approved-supplier list in a spreadsheet, CoAs in email, problems found after they reach the line. The audit trail is reconstructed under deadline.
Stage 2: Documented
Written qualification procedure, risk tiers defined, verification methods assigned per tier. Records exist but live in separate places.
Stage 3: Monitored
Scorecards updated on a fixed cadence, re-evaluation dates tracked, NCRs trend over time. Drift is visible before it becomes a deviation.
Stage 4: Connected
Qualification, scorecards, verification records, and re-evaluation reminders in one workspace. The audit packet is a report you run, not a week of digging.
Frequently Asked Questions
How often does FSMA expect me to re-evaluate a supplier?
At least every three years, and sooner whenever new information surfaces about a hazard or the supplier's performance. A slipping scorecard, a recall, or a failed lot all reset the clock — re-evaluation is event-driven as well as time-driven.
Does a GFSI certificate like SQF satisfy my verification obligation?
It's a strong qualification floor, not the whole program. Certification confirms a supplier had a sound system at audit time; you still owe ongoing performance monitoring and a verification activity matched to the hazard. Treat the certificate as the entry ticket, not the finish line.
What's the difference between qualification and performance monitoring?
Qualification answers whether a supplier can do the job; performance monitoring answers whether they still are. Qualification happens at onboarding and re-evaluation; monitoring happens every shipment through delivery, defect, CoA, and NCR data. A program needs both, kept visibly separate.
Why is the receiving dock such a common weak point?
Because the pressure to clear the truck competes with the discipline to inspect and record. A documented three-path decision flow — pass, conditional, reject — with every outcome logged is what keeps a rushed receiver from becoming a root cause. An unlogged rejection is a gap you can't explain later.
Where should we start if our records are scattered today?
Start by tiering suppliers by risk and pulling the four core scorecard metrics into one place for your Tier 3 suppliers. That single move — connected scorecards on your highest-risk vendors — surfaces the drift that matters most and gives you a defensible audit trail on the suppliers an investigator looks at first.
Stop trusting. Start verifying.
Turn Supplier Quality Into an Audit Asset
Bring your supplier list and one upcoming audit. We'll show how iFactory tiers suppliers by risk, runs the four-metric scorecard automatically, tracks every verification activity and re-evaluation date, and produces the audit packet on demand — so your supplier program becomes the evidence an investigator wants to see instead of the gap they go looking for.
4 metrics that predict drift
1 workspace, every record