Supplier Approval Program for Food Manufacturers (Free Template)

Your supplier approval program is one of the first things a food safety auditor will ask to see. Whether you're preparing for an SQF audit, a BRCGS inspection, or an FDA FSMA review, the auditor wants documented evidence that you know who supplies your ingredients, what risks they introduce, and how you verified them before the first delivery arrived.

A supplier approval program is required by every major GFSI-benchmarked certification scheme and by FDA food safety regulations. Yet the most common version found at food facilities is a spreadsheet with supplier names and a single column marked "approved," with no documented criteria, no risk tiering, and no re-evaluation schedule. That spreadsheet is not a supplier approval program. It's just a list.

This guide explains what a complete program looks like, what your certification scheme requires, how to build one step by step, and when a spreadsheet stops being enough. Understanding how your supplier approval program fits into your broader food and beverage supply chain compliance obligations is also worth considering as you build it out. A free supplier approval procedure template is included at the end.

What Is a Supplier Approval Program? (And Why It's Not Just a List)

A supplier approval program is a documented quality management system that governs how your facility identifies, evaluates, approves, and monitors every supplier providing raw materials, ingredients, packaging, or services used in your production process. The program includes written procedures, risk classification criteria, qualification requirements, an approved supplier list, and ongoing monitoring activities.

Most people conflate the supplier approval program with the approved supplier list. The list is just one output of the program, a living document that records which suppliers are currently approved and when their certifications expire. The program is the full system behind the list: the policies that define how suppliers get on it, the criteria they must meet, and the process for removing them when they fail.

A complete supplier approval program covers six areas:

• A written supplier approval procedure (SOP)
• A risk-based supplier tiering system
• Defined qualification criteria per risk tier
• An approved supplier list (ASL)
• Ongoing monitoring activities
• Re-qualification triggers and corrective action processes

If your facility is certified under SQF, BRCGS, or FSSC 22000, or if you're subject to FSMA as a food manufacturer or importer, a documented supplier approval program is not optional. The distinction between "program" and "list" matters because auditors evaluate your program. A list without a program behind it is an automatic finding.

Why Supplier Approval Programs Matter — The Regulatory and Business Case

The regulatory case for supplier approval programs starts with foundational food safety principles. The Codex Alimentarius General Principles of Food Hygiene (CXC 1-1969) establish supplier controls as a core prerequisite program requirement, the international baseline upon which FSMA, GFSI schemes, and national regulations are built.

Both FDA's FSMA regulations and GFSI Benchmarking Requirements mandate documented supplier controls. FSMA requires food manufacturers to control supplier-sourced hazards as part of their preventive controls program. GFSI-benchmarked schemes (SQF, BRCGS, FSSC 22000) each have specific clauses that auditors verify. If you're importing food into the US, the Foreign Supplier Verification Program (FSVP) creates a separate, legally binding layer of requirements on top of your internal program.

Liability is the other driver. When a contamination incident is traced back to an unverified or inadequately controlled supplier, the buying facility shares responsibility. FDA warning letters, recall notifications, and enforcement actions routinely cite failure to control supplier-sourced hazards as a root cause. A documented, risk-based supplier approval program is your primary defense.

Supplier compliance failure is also one of the most common root causes of non-conformances cited during GFSI audits. Expired certifications, missing allergen declarations, and undocumented provisional approvals consistently appear on audit reports. Building a rigorous program upfront is faster and less expensive than managing the corrective actions and re-audits that follow a finding.

FSMA and Supplier Approval — What the Law Requires

FSMA Preventive Controls — Supplier Program as a Preventive Control

Under FDA FSMA Preventive Controls for Human Food (21 CFR Part 117), if your facility receives a raw material or ingredient with a known or reasonably foreseeable hazard that requires a preventive control, you must implement a supplier program as that control. The supplier program is not a separate administrative function. It is part of your food safety plan and must be documented accordingly.

Under 21 CFR Part 117 Subpart E, required supplier verification activities include onsite auditing of the supplier, sampling and testing of product, review of the supplier's food safety records, and a Certificate of Conformance (COC). The activity you use and its frequency must be appropriate for the hazard and the supplier's performance history. Annual onsite audits are required for the highest-risk suppliers unless you have a documented basis for an alternative approach.

Your food safety management system documentation must show which suppliers are subject to the supplier program, what verification activities are required for each, who is responsible, and what the records show. A qualified individual (typically your Preventive Controls Qualified Individual, or PCQI) is responsible for approving the supplier program and reviewing its performance.

FSMA Foreign Supplier Verification Program (FSVP) for Importers

If you import food for consumption in the United States, you are subject to the FDA FSMA Foreign Supplier Verification Program (FSVP) final rule. FSVP is a separate regulatory program from your internal supplier approval program, and both must be coordinated.

Under 21 CFR Part 1, Subpart L, FSVP requires importers to conduct a hazard analysis for each imported food, evaluate the foreign supplier's performance and food safety practices, and conduct verification activities appropriate to the identified risks. Verification activities under FSVP include annual onsite audits (for hazards that could cause serious adverse health consequences), sampling and testing, and review of the supplier's food safety records.

FSVP documentation must be maintained for a minimum of two years and must be available for FDA inspection at entry. If you purchase from a GFSI-certified foreign supplier, you may qualify for modified FSVP requirements, but you must document the basis for that determination. FSVP does not replace your internal supplier approval program. It runs alongside it with its own records and compliance obligations. The FSMA 204 traceability rule adds another layer of recordkeeping expectations for certain high-risk food categories, which importers should factor into their supplier documentation requirements.

USDA FSIS Requirements for Meat, Poultry, and Egg Processors

If your facility is regulated by USDA FSIS rather than FDA, supplier verification requirements flow through your HACCP principles and food safety audit obligations. USDA FSIS HACCP Compliance Guidance requires that supplier controls be documented as part of your HACCP system when ingredients introduce hazards that require control. FSIS inspectors review supplier approval documentation as part of verifying that your HACCP system is functioning effectively.

For meat, poultry, and egg processors, incoming material controls and supplier verification are expected to be addressed in prerequisite programs and, where applicable, as critical control points within the HACCP plan. Document your supplier approval activities in a way that ties directly back to your HACCP program records.

How Your Certification Scheme Defines Supplier Approval Requirements

GFSI-benchmarked schemes all mandate documented supplier approval programs, but each scheme has specific clauses, evidence requirements, and audit expectations. Knowing exactly what your scheme requires prevents gaps and makes audit preparation far more straightforward.

SQF Edition 10 — Supplier Approval Requirements (Element 2.4.4)

SQF Edition 10, Element 2.4.4, requires food manufacturers to maintain an approved supplier program for all raw materials, ingredients, packaging, and services (including outsourced processing). The program must be risk-based, meaning the frequency and type of verification activities are determined by the risk level of the supplier and the materials they provide.

Required evidence for SQF supplier approval includes completed supplier questionnaires, third-party audit results or GFSI-recognized certifications, certificates of analysis (COAs), and product specifications. For high-risk suppliers, more frequent verification is required. The SQF certification complete guide and SQF audit checklist cover what auditors evaluate across your entire quality system.

During an SQF audit, the auditor will verify that you have a current approved supplier list, documented approval criteria, and evidence of re-evaluation for all active suppliers. The SQF Institute Approved Supplier Program Guidance Document provides additional detail on how to structure your program to satisfy Element 2.4.4.

BRCGS Issue 9 — Supplier Approval Requirements (Clause 3.5)

BRCGS Issue 9, Clause 3.5, requires a documented supplier approval and monitoring procedure covering all suppliers of raw materials and packaging. The preferred path to approval under BRCGS is a current BRCGS certification or other GFSI-recognized certification from the supplier, which satisfies the third-party audit requirement. If your supplier is not GFSI-certified, you must conduct or commission an onsite audit or use an approved exception process with documented justification.

For high-risk ingredient suppliers, BRCGS requires annual audits regardless of certification status. The BRCGS Global Standard for Food Safety Issue 9 contains the full clause text and scope. For a broader understanding of BRCGS certification requirements and what the audit process involves, that resource covers the full standard in depth.

During a BRCGS audit, auditors check your written approval procedure, verify the approval status of all active suppliers on your ASL, and look for evidence of ongoing monitoring and re-evaluation. Missing or expired third-party certifications on your ASL are a common minor non-conformance.

FSSC 22000 Version 6 — Supplier Approval Requirements

FSSC 22000 v6 combines requirements from ISO 22000:2018, ISO/TS 22002-1, and FSSC-specific additional requirements. ISO 22000:2018 Clause 7.1.6 addresses externally provided processes, products, and services, requiring your organization to establish criteria for evaluating and selecting external providers based on their ability to meet your specified requirements. ISO/TS 22002-1 adds prerequisite program requirements for raw material and supplier selection and monitoring.

The FSSC 22000 Scheme Version 6 additional requirements for Category IV food manufacturers include specific expectations for supplier monitoring and the documentation of outsourced processes. For a detailed breakdown of what changed in the most recent version, see FSSC 22000 version 6 requirements. Audit evidence expectations include a documented procedure, risk assessment records, supplier evaluation criteria, and records showing ongoing monitoring activities.

ISO 22000:2018 — Supplier Approval Without a GFSI Scheme

ISO 22000:2018 Clause 8.8.3 addresses the control of externally provided processes, products, and services, requiring the organization to ensure that external providers are capable of meeting the organization's food safety requirements. The ISO 22000:2018 Food Safety Management Systems standard and ISO/TS 22002-1: Prerequisite Programmes for Food Manufacturing together define the framework for supplier controls.

ISO 22000 aligns closely with FSSC 22000 but allows more flexibility in how supplier verification activities are defined and documented. If you operate under ISO 22000 without pursuing full FSSC 22000 certification, you still need a risk-based supplier approval procedure with documented evaluation criteria, an approved supplier list, and records of ongoing monitoring. The standard does not prescribe specific verification methods, but your food safety team must justify the approach based on hazard analysis and risk assessment.

How to Build a Risk-Based Supplier Approval Program (Step by Step)

Building a compliant supplier approval program means covering the full lifecycle: from classifying suppliers by risk before you ever order from them, to removing a supplier from your approved list when they no longer meet your criteria. Here are the six phases every compliant program must address.

Step 1 — Classify Your Suppliers by Risk Level

Risk-based supplier tiering is the foundation of a defensible program. Every major GFSI scheme and FSMA require you to demonstrate that your verification activities are proportionate to the risk a supplier represents. Treating all suppliers identically (applying the same documentation requirements to a GFSI-certified spice supplier and an uncertified raw meat processor) will not satisfy auditors and wastes your team's time.

Classify each supplier as High, Medium, or Low risk based on factors including the food hazard category of the materials they supply (allergens, pathogens, chemicals), their regulatory and recall history, their certification status, the country of origin for imported materials, and whether they are a single-source or dual-source supplier. The FDA Draft Guidance: Hazard Analysis and Risk-Based Preventive Controls for Human Food provides a useful framework for thinking through how to identify and categorize supplier-introduced hazards.

High-risk examples include suppliers of allergen-containing ingredients from uncertified sources, raw produce with pathogen risk, and ingredients imported from regions with enforcement concerns. Low-risk examples include GFSI-certified dry goods suppliers with a strong audit history and no open non-conformances.

Risk tier determines verification intensity. High-risk suppliers require annual onsite audits and lot-by-lot COAs. Medium-risk suppliers require current third-party audit reports and periodic questionnaire reviews. Low-risk suppliers require a completed questionnaire and certificates of compliance with an annual review cycle.

Step 2 — Define Approval Criteria Per Tier

Once you have your risk tiers, document the specific approval criteria for each. This becomes the core of your Supplier Approval Procedure SOP and defines what a supplier must provide before receiving an approved status.

For high-risk suppliers, required documents typically include a completed supplier questionnaire, a current onsite audit report from a third party, GFSI-recognized certification where applicable, product specifications, lot-by-lot COAs, a signed allergen declaration, and FSMA FSVP evidence for imported materials. For medium-risk suppliers, a third-party audit report within the last 12 months, a completed questionnaire, and COAs on request are standard. For low-risk suppliers, a questionnaire and current certificates of compliance with an annual review cycle are generally sufficient.

Write these criteria into your SOP so that any new supplier is evaluated against a consistent, documented standard. Approval criteria that exist only in someone's head are not defensible in an audit and create inconsistency when staff turn over.

Step 3 — Collect and Review Qualification Documents

Document collection is where most manual supplier programs break down. You need the right documents from every supplier before their first shipment, and you need a systematic way to track which documents have been received, reviewed, and approved along with when they expire.

The standard document checklist for supplier qualification includes a supplier questionnaire, third-party audit report or certificate, product specifications, COAs, allergen declaration, insurance certificate where required, and FSMA FSVP records for imported materials.

When reviewing third-party audit reports, check the scope of the audit (does it cover the relevant product categories?), the audit expiration date, the non-conformance history, and the current certificate status. Red flags include expired certifications, critical non-conformances listed as open, no documented food safety management system, and audit scopes that don't cover the materials they supply to you. Understanding the food traceability requirements that apply to your supply chain will also inform which documents and records you need suppliers to provide.

Step 4 — Make the Approval Decision

Every supplier needs a documented approval decision before they appear on your approved supplier list. Approval statuses should include at minimum: Approved, Provisionally Approved (with conditions), and Rejected.

Provisional approval is appropriate in limited circumstances: a new supplier whose audit is scheduled but not yet completed, or a short-term supply necessity where no approved alternative exists. Any provisional approval must be time-limited, must specify what conditions apply (such as enhanced incoming inspection or COA review per lot), and must have a clear path to full approval or rejection by a set date.

Document who made the approval decision, on what date, and based on what information. This creates the audit trail that auditors will review. Add approved suppliers to your ASL immediately, with their approval date, certification details, and next re-evaluation date.

Step 5 — Maintain the Approved Supplier List (ASL)

Your approved supplier list is a controlled document. It must contain, at minimum, supplier name and contact information, the materials or services they supply, approval status, approval date, re-evaluation due date, and certification details including certificate numbers and expiration dates.

Ownership of the ASL belongs with your QA or food safety team. The list must be reviewed and updated at minimum annually and any time a supplier's status changes. Inactive suppliers (those you no longer purchase from) should be clearly identified or removed from the active list so auditors aren't evaluating expired certifications for suppliers you haven't used in two years.

This is also where document control for compliance matters. Your ASL is a controlled document with a version history, a review cycle, and controlled access. It should be managed through your document control system rather than a personal spreadsheet on someone's desktop.

Step 6 — Ongoing Monitoring and Re-Qualification Triggers

Approving a supplier once and never reviewing them again is explicitly flagged as a non-conformance in all major GFSI schemes. Ongoing monitoring turns approval into a continuous process rather than a one-time administrative task.

Routine monitoring activities depend on risk tier. For high-risk suppliers, COA review per lot and certificate expiration tracking are standard. For medium and low-risk suppliers, periodic questionnaire reviews and annual re-evaluation of audit reports suffice. Supplier performance scorecards (tracking on-time delivery, non-conformance rate, and complaint history) add a quality dimension to the compliance focus.

Re-qualification is required when specific triggers occur: a failed COA or incoming test, supplier involvement in a recall or market withdrawal, a lapse in certification, a significant change in the supplier's processes or ownership, or a customer complaint traced back to that supplier. Your procedure should specify how quickly re-qualification must be initiated after a trigger event and who has authority to suspend a supplier from the approved list while the review is underway.

What to Include in Your Supplier Approval Procedure (SOP)

The written supplier approval procedure is required by every major GFSI scheme and FSMA. It is the document that defines your program on paper and is what auditors read first when evaluating your supplier controls. A vague or incomplete SOP that doesn't match your actual practice is as problematic as no SOP at all.

Every supplier approval SOP should include:

Purpose and scope statement. Who does this procedure apply to, what materials and services are covered, and what regulatory or certification requirements does it address?

Supplier risk classification criteria. How do you tier suppliers as High, Medium, or Low risk? What factors are used? Who conducts the risk assessment?

Approval criteria by tier. What specific documents and evidence must each tier provide before receiving approved status? This is the operational heart of the procedure.

Approval decision authority. Who is authorized to grant approved status, provisional approval, or rejection? Typically this is the QA Manager or Food Safety Director.

ASL maintenance responsibility and review frequency. Who owns the ASL, how often is it reviewed, and what triggers an out-of-cycle update?

Ongoing monitoring activities and frequency. What monitoring is required for each risk tier, who is responsible, and how are results recorded?

Re-qualification triggers and escalation process. What events trigger a re-qualification review? Who decides whether to suspend, re-qualify, or remove a supplier?

Corrective action process for non-conforming suppliers. What happens when a supplier fails a verification activity or triggers a re-qualification? How are corrective actions issued, tracked, and closed?

Record retention requirements. FSMA requires a minimum of two years. Check your certification scheme requirements for any longer retention periods.

A well-written SOP connects your supplier approval program to your broader food safety management system. It should not be a standalone document sitting in a folder nobody reads. It should be referenced in your food safety plan, your HACCP system documentation, and your corrective action procedure.

Common Supplier Approval Program Failures (And How to Avoid Them)

These are the failures that consistently appear on audit reports and in FDA warning letters. Knowing them in advance gives you the opportunity to close the gaps before an auditor finds them.

1. No Documented Risk Tiering System

Many programs treat all suppliers identically regardless of what they supply or how they are controlled. GFSI schemes and FSMA both require a risk-based approach, and auditors specifically look for evidence that verification activities are proportionate to risk. If you can't show how you classified your suppliers and why, you have a gap.

2. Outdated Approved Supplier List

Expired certifications, lapsed audit reports, and inactive suppliers left on the active ASL are among the most common minor non-conformances in SQF and BRCGS audits. An outdated ASL signals that no one is actively managing the program. Assign ownership and set a review cycle that is actually followed.

3. Missing or Incomplete Supplier Documents

Receiving the first shipment before collecting a COA, allergen declaration, or product specification is a control breakdown. Your SOP should make clear that no approved-supplier status can be granted (and no purchase order released) until required documentation has been collected and reviewed.

4. No Re-Qualification Process

Approving a supplier once in 2019 and not reviewing them since is explicitly non-conforming under every major GFSI scheme. Ongoing monitoring and re-qualification on a defined schedule are required, not optional. If your program doesn't have a documented re-qualification cycle tied to risk tier, add one.

5. Provisional Approvals That Never Get Resolved

Provisional approvals are legitimate when used correctly. They become a problem when they have no end date, no defined conditions, and no documented path to full approval or rejection. Auditors treat open-ended provisional approvals as a sign the program isn't being managed. Every provisional approval should have a deadline and a condition for resolution.

6. Supplier Approval SOP Not Referenced in HACCP or Food Safety Plan

Your supplier approval program cannot be siloed in procurement or QA without connection to your food safety system. Under FSMA, supplier controls are a type of preventive control and must appear in your food safety plan. Under GFSI schemes, auditors expect the supplier program to be integrated into your overall food safety management system. If your HACCP plan or food safety plan doesn't reference the supplier approval procedure, add the cross-reference.

7. FSVP Program Missing for Imported Ingredients

FSMA FSVP is a separate, legally binding regulatory requirement for importers. It does not replace your internal supplier approval program. It operates alongside it with its own hazard analysis, verification activities, documentation, and FDA inspection requirements. If you import food ingredients and do not have a documented FSVP program, this is a regulatory gap, not just an audit finding. Working with a PCQI training programs graduate is the right starting point for establishing your FSVP documentation.

Need to get your supplier program audit-ready fast? Allera's centralized supplier management software tracks approval status, document expiration, and re-qualification due dates in real time, so you're never scrambling before an audit.

Managing Your Supplier Approval Program: Spreadsheets vs. Software

Where Spreadsheet-Based Programs Break Down

Spreadsheets work when you have a small, stable supplier base and one person managing the entire program. They stop working reliably once you scale beyond 20 to 30 active suppliers, when staff turn over, or when a single missed certification expiry triggers a major non-conformance.

The most common failure mode is manual expiration tracking. When certificate and audit report expiration dates live in a spreadsheet, the review depends entirely on someone remembering to check it. If the person who built the spreadsheet leaves, or if the review gets skipped during a busy period, certifications lapse unnoticed. Auditors do not accept "we didn't realize it had expired" as a control measure.

Document collection bottlenecks are the second failure point. Chasing suppliers by email for questionnaires, COAs, and updated audit reports consumes significant QA time and creates gaps when suppliers don't respond promptly. Without a supplier portal or automated reminder system, the burden falls entirely on your team.

Audit preparation is where spreadsheet-based programs create the most acute pain. When an SQF or BRCGS auditor asks to review your approved supplier list and supporting documentation, scrambling to locate the current version of every supplier's third-party audit report and cross-referencing it against your ASL is a time-consuming and error-prone process.

What to Look for in Supplier Management Software

When evaluating supplier management software or food quality management software, prioritize these capabilities:

Automated document collection. A supplier portal where suppliers can upload their own questionnaires, certifications, COAs, and allergen declarations, with automated reminders when documents are approaching expiry or have not been submitted.

Certificate expiration tracking with proactive alerts. Alerts should go to the responsible QA team member before expiration, not after. The system should distinguish between certifications that have lapsed and certifications that are simply approaching renewal.

Risk tiering and approval workflows. The ability to classify suppliers by risk tier and route approval decisions through a documented workflow, so that every approval decision has a timestamp, an approver, and a clear record of what documentation was reviewed.

Supplier scorecarding and performance dashboards. Tracking non-conformance rates, delivery performance, and complaint frequency gives you a complete picture of supplier performance beyond document compliance alone.

Audit-ready reporting. The ability to export a complete supplier approval record for any supplier (including their documents, approval history, monitoring records, and corrective actions) in a format an auditor can review without additional preparation from your team.

Integration with your food safety plan and corrective action system. Supplier controls are part of your preventive controls program. Supply chain software for food manufacturers that integrates supplier approval status with your HACCP documentation and corrective action workflows creates a unified compliance system rather than a disconnected set of tools.

Ready to transform your supplier approval program from a spreadsheet burden into an automated compliance system? Talk to a food safety specialist at Allera.