Supplier Audit: Types, Where They Fit and Their Limits

Last updated · 2026-06-08

A supplier audit is a way to verify that a business partner actually meets the standards in your code of conduct. Under the EU Corporate Sustainability Due Diligence Directive (CSDDD), audits are one of several verification methods that support prevention, remediation and monitoring, but they have real limits and should be used as part of a wider approach.

TL;DR

  • A supplier audit verifies whether a partner meets your code of conduct in practice.
  • Common types: desktop review, self-assessment questionnaire (SAQ), on-site audit, and independent third-party audit.
  • Audits support verification across CSDDD steps 3 to 6 (prevent, remediate, engage, monitor).
  • Audits have limits: they are a snapshot and can miss hidden issues, so pair them with engagement and other signals.
  • A finding should lead to a corrective-action plan and support, not automatic termination.

In plain English

What supplier audit means

Auditing is the verification layer that backs up contractual assurances. Because the CSDDD requires assurances to be accompanied by measures to verify compliance, audits, questionnaires and on-site checks are how in-scope companies show that a code of conduct is being met rather than merely signed.

How this fits the CSDDD

Supplier audits are a verification method supporting steps 3 to 6 (prevent, remediate, engage, monitor) of the CSDDD due diligence cycle.

Related: Directive (EU) 2024/1760; Omnibus I (Directive (EU) 2026/470).

Why it matters

Why supplier audit matters under the CSDDD

  • The CSDDD requires verification, not just signed assurances, and audits are a primary way to verify.
  • Audits scaled to risk keep your due diligence proportionate and evidence-based.
  • Findings feed corrective-action plans, which are central to prevention and remediation.
  • Relying on audits alone is a known weakness, so understanding their limits matters.

The detail

Types of supplier audit

  • Desktop review: checking documents, certifications and policies remotely.
  • Self-assessment questionnaire (SAQ): the supplier reports against your standards, often using a shared industry template.
  • On-site audit: a visit to inspect conditions, records and worker interviews.
  • Independent third-party audit: an accredited external auditor conducts the assessment, adding credibility and reducing conflict of interest.

Where audits fit in the six steps

Audits primarily support steps 3 to 6: verifying preventive measures (step 3), confirming actual impacts have been brought to an end and remediated (step 4), informing the complaints and engagement process (step 5), and providing evidence for monitoring and communication (step 6).

The intensity should match the risk identified in your assessment: a high-risk relationship may warrant an on-site or third-party audit, while a low-risk one may need only a desktop review or SAQ.

The limits of audits

Audits are a snapshot in time and can be gamed, miss hidden issues such as undeclared subcontracting, or fail to surface sensitive abuses like forced labour. They are necessary but not sufficient.

Pair audits with worker voice, grievance data, unannounced checks where appropriate, and ongoing engagement, in line with the CSDDD emphasis on stakeholder engagement and effective measures rather than paperwork.

Corrective-action plans

When an audit finds a gap, the response should be a corrective-action plan with clear actions, owners, timelines and follow-up verification, plus support and capacity building where the partner needs it.

Under Omnibus I, the emphasis is on suspending rather than immediately terminating a relationship while an action plan runs, so that pressure does not simply displace harm.

Step by step

How to approach supplier audit

  1. Set the audit type and scope based on the relationship's risk level.
  2. Run the audit (desktop, SAQ, on-site or third-party) against your code of conduct.
  3. Record findings and rank them by severity.
  4. Agree a corrective-action plan with owners and timelines.
  5. Provide support and re-verify that actions have closed the gaps.
  6. Feed results into monitoring and your public communication.

Watch out

Common pitfalls

  • Treating an audit pass as proof that everything is fine.
  • Auditing every supplier identically instead of by risk.
  • No corrective-action follow-up, so findings never get fixed.
  • Terminating at the first finding instead of supporting an action plan and suspending where needed.

Put it into practice

Ready to act on this? Start with our free due diligence questionnaire to see what a customer can ask you for, check whether you are directly in scope with the scope checker, score your suppliers with the risk-assessment tool, and look up any unfamiliar term in the glossary. For the full picture of the directive, read what the CSDDD is.

FAQ

Supplier Audit: common questions

What types of supplier audit are there?
The main types are desktop review, self-assessment questionnaire (SAQ), on-site audit, and independent third-party audit. You choose the type and intensity based on the risk level of the relationship.

Does the CSDDD require supplier audits?
The CSDDD requires contractual assurances to be backed by verification. Audits are one way to verify, alongside questionnaires, on-site checks and independent verification. The directive does not mandate a specific audit for every supplier; it requires appropriate, risk-based verification.

What are the limits of supplier audits?
Audits are a snapshot, can be gamed, may miss hidden subcontracting, and often fail to surface sensitive abuses such as forced labour. They are necessary but not sufficient, so pair them with worker voice, grievance data and ongoing engagement.

What happens after an audit finds a problem?
You agree a corrective-action plan with clear actions, owners and timelines, provide support where needed, and re-verify. Under Omnibus I the emphasis is on suspending rather than immediately terminating a relationship while the plan runs.

Get ahead of the CSDDD

If a big customer has sent you a due diligence questionnaire, our free DDQ shows what you actually need to send. Then explore the tools and guides built for your role.

This is guidance, not legal advice

This page explains how supplier audit works under the CSDDD in plain English. It is guidance, not legal advice. For decisions specific to your business, confirm with the official sources we link or a qualified adviser. The directive is still settling after Omnibus I, so we keep this page current.

Sources

  1. Directive (EU) 2024/1760 (CSDDD / CS3D), original text (EUR-Lex), retrieved 8 Jun 2026
  2. Omnibus I final amending act (Directive (EU) 2026/470): CSDDD amendments finalised, retrieved 8 Jun 2026
  3. Clifford Chance: Omnibus I concludes CSDDD and CSRD reforms, retrieved 8 Jun 2026
  4. European Commission: Corporate sustainability due diligence, retrieved 8 Jun 2026
  5. OECD Due Diligence Guidance for Responsible Business Conduct, retrieved 8 Jun 2026
  6. UN Guiding Principles on Business and Human Rights, retrieved 8 Jun 2026