The QA Director's Supplier Compliance Documentation Checklist

Supplier compliance documentation is one of the highest-labor areas in food safety quality management — and one of the most likely to have gaps that only become visible during an audit or a recall event. For QA managers and food safety directors responsible for supplier programs, building a systematic documentation checklist ensures that every approved supplier has the records on file that your program requires, that those records are current, and that they are connected to the lot-level traceability chain your FSMA 204 program depends on.

This checklist is designed for food manufacturers and CPG brands purchasing from ingredient and packaging suppliers. It covers the four primary document categories every supplier compliance program needs and flags the FSMA 204-specific additions that are required for suppliers providing products on the Food Traceability List.

Category 1: Quality and Safety Certifications

These documents establish that your supplier has a functioning food safety management system and meets the quality standards your program requires.

GFSI-recognized scheme certificate

If your supplier program requires third-party certification, verify the scheme (SQF, BRC/BRCGS, FSSC 22000, IFS, GLOBALG.A.P., CanadaGAP, or Primus GFS for produce) and confirm the certificate scope covers the product categories you are purchasing. Key items to verify:

• Certificate issue and expiration date — certificates are typically valid for 12 months; verify that the current certificate is in scope for the commodity you are sourcing
• Certification body accreditation — the CB should be GFSI-recognized and accredited under the relevant scheme's conformance criteria
• Scope statement — confirm the scope specifically covers the ingredient or product type you are purchasing, not just the facility in general
• Grade or level — SQF certificates carry a level (Level 2 or Level 3); know what level your program requires

PCQI training records

Under FSMA's Preventive Controls rule (21 CFR Part 117), food manufacturers must have a qualified Preventive Controls Qualified Individual (PCQI) responsible for developing and overseeing the food safety plan. Your approved supplier list (AVL) should confirm that each supplier's food safety plan was prepared, validated, or reviewed by a PCQI. This is not always a standalone document — it may be embedded in the supplier questionnaire — but it should be verified.

HACCP plan documentation

Many CPG programs require suppliers to submit their HACCP plan or a summary thereof. At minimum, you want to confirm that the supplier has an active HACCP plan that covers the critical control points relevant to the products you are sourcing. For high-risk ingredients (raw proteins, produce, allergen-containing materials), a more detailed HACCP review may be warranted.

Category 2: Product-Level Documentation

These documents verify that the specific products you receive meet your specifications.

Product specification sheets

Current product specifications should be on file for every ingredient or material in your AVL. Specifications should include: identity characteristics (description, appearance, odor), chemical parameters (moisture, pH, Aw, fat/protein/carbohydrate if applicable), microbiological limits, allergen declaration, and country of origin. Confirm that the specification on file reflects the current version and matches the product you are actively receiving.

Certificates of Analysis (COA) with lot-level detail

This is the document with the most direct impact on your FSMA 204 traceability chain. A COA should include:

• Supplier lot code — this is the traceability lot code (TLC) that you must capture at receiving and carry through your transformation CTE records
• Product name and description
• Quantity and unit of measure
• Test results relevant to your specification (micro, chemistry, allergen testing as applicable)
• Date of manufacture or pack date
• Expiration date or best-by date
• QA release signature or electronic approval

Note: your COA filing system must link each COA to the receiving record for the corresponding lot. If you receive a COA as a PDF email attachment but log the lot in your WMS without connecting the two, you have a gap. Under FSMA 204, when you produce a transformation CTE record, you need to be able to link the input TLC (from the COA) to your trace chain.

Allergen control documentation

For each ingredient with allergen relevance (the Big Nine allergens under FALCPA: milk, eggs, fish, shellfish, tree nuts, peanuts, wheat, soybeans, sesame), you need supplier documentation covering: allergen declaration for the product itself, allergen controls at the manufacturing facility (especially for shared equipment or shared facility production), and allergen testing results for lots requiring testing under your supplier risk program.

Pesticide and environmental contaminant testing

For fresh produce ingredients and some agricultural commodities, pesticide residue testing results may be required by your program or by retailer requirements. If you have retail customers who require pesticide testing documentation, these records need to be on file and linked to the corresponding supplier lots.

Category 3: Regulatory Compliance Records

These records document that the supplier is operating in compliance with applicable regulations.

FDA registration confirmation

Under the Bioterrorism Act (21 CFR Part 1, Subpart H), domestic and foreign food facilities must be registered with FDA. Your supplier program should verify that each covered supplier has a current FDA facility registration. Registrations must be renewed biennially (in even-numbered years). Confirm that the registration on file is current for the facility actually producing the ingredient you purchase.

Foreign supplier verification records (if applicable)

If you import food from foreign suppliers, FSMA's Foreign Supplier Verification Program (FSVP) rules under 21 CFR Part 1, Subpart L require you to verify that your foreign supplier is producing food in a manner that meets US food safety standards. Your FSVP records for each foreign supplier — including the hazard analysis, supplier verification activities conducted, and corrective actions — must be documented and retained.

FSMA 204 traceability compliance for FTL suppliers

This is the addition that many supplier programs have not yet fully incorporated. If a supplier is providing you with a food on the FDA's Food Traceability List, that supplier has its own FSMA Rule 204 obligations — specifically, shipping CTE records that capture the TLC and KDEs for every shipment to you. Your supplier program should:

• Identify all AVL suppliers who provide FTL-covered ingredients
• Confirm that each such supplier has a system for maintaining FSMA 204 traceability records
• Establish a data sharing arrangement so that the supplier's shipping CTE records can be linked to your receiving CTE records for each lot received
• Verify that the supplier's TLC format is compatible with your receiving and traceability system (GS1-128 compliant barcode, or structured data in an agreed format)

Suppliers who cannot provide FSMA 204-compatible TLC data on shipping documentation should be flagged for a supplier corrective action request (SCAR) and a capability improvement timeline.

Category 4: Supply Chain Continuity Documents

Supplier questionnaire and approved vendor assessment

Your initial supplier qualification should include a completed questionnaire covering facility information, production processes, food safety program summary, allergen programs, regulatory history, and insurance coverage. This questionnaire forms the basis of your risk rating for the supplier — which determines inspection frequency and COA review requirements.

Business continuity and disaster recovery documentation

For critical suppliers (single-source ingredients, high-volume commodity suppliers), your program should include documentation of the supplier's business continuity plan — specifically, how they would maintain supply during a facility disruption. This is a risk management requirement, not a regulatory one, but it belongs in a complete supplier file for any critical-path ingredient.

Insurance certificates

Product liability insurance certificates from key suppliers protect your company in the event that a supplier-sourced ingredient causes a quality or safety event. Minimum coverage limits should be defined in your supplier agreement. Verify that the certificate is current and names your company as an additional insured if required by your contract terms.

Document Management: Expiration Tracking and Renewal

Having these documents on file at initial qualification is only half the challenge. The other half is maintaining current versions as they expire. Common expiration timelines:

• GFSI certification: 12 months from issue date (verify CB renewal cycle — some schemes allow 3-month extensions in certain circumstances)
• FDA facility registration: biennial (odd-year registrations lapsed after December 31 of each even year)
• Product specifications: should be re-confirmed at minimum annually or upon any supplier formulation or process change
• Supplier questionnaire: re-qualification typically required every 1-3 years depending on supplier risk tier
• Insurance certificates: annually, at policy renewal

Managing expiration dates manually — whether in a spreadsheet or a paper tickler system — is the most common source of expired documentation in supplier programs. When an audit or an FDA inquiry surfaces a COA or certification that expired 4 months ago and was never renewed, it represents both a compliance gap and a credibility issue with the auditor.

An automated expiration tracking system that alerts QA when supplier documents are approaching expiration — and requires updated documents before renewal — eliminates this class of gap. It also provides a complete audit trail of when each document was received, who reviewed it, and when the previous version expired.

Putting the Checklist to Work

A practical way to implement this checklist is to build a supplier compliance scorecard with a status indicator for each document category. For each AVL supplier, the scorecard shows whether each document type is: on file and current (green), expiring within 60 days (yellow), or expired/missing (red). The red items are your corrective action queue; the yellow items are your renewal follow-up list.

For FSMA 204-covered suppliers (those providing FTL ingredients), the scorecard should include an additional line for FSMA 204 traceability capability status — confirming that the supplier has an FSMA 204-compatible TLC data format and that your teams have a defined process for receiving and linking CTE data for each lot.

Foodtrce includes a supplier compliance module that automates this scorecard, tracks document expiration, and connects supplier COA data to the FSMA 204 lot code trace chain. If your current supplier program relies on manual spreadsheet tracking, we are glad to walk through how the module handles the document lifecycle for your specific supplier base.