Supplier controls have always been a regulatory requirement - but recent FDA warning letters show increased scrutiny on how those controls are applied in practice. Inspectors are looking beyond documented procedures to evaluate whether organizations can demonstrate risk-based oversight, ongoing monitoring, and meaningful control over suppliers and outsourced services.

FDA enforcement trends make clear that services affecting quality outputs - such as complaint handling, MDR assessment, sterilization oversight, or software maintenance - are subject to purchasing controls. When these services are not formally evaluated and controlled, regulatory exposure often appears downstream in complaints and CAPA.

Approval alone does not demonstrate control. FDA increasingly expects manufacturers to define and justify the type and extent of control applied to suppliers based on risk, and to show evidence that those controls are implemented, monitored, and reassessed when conditions change.

When supplier changes occur without formal reassessment, organizations may inherit retrospective exposure - including distributed product risk. FDA has signaled through enforcement that CAPA responses must address not only procedural gaps, but whether past product or patient risk was affected.