EU-GMP · Supplier Qualification · Medical Cannabis

Shared Supplier Audits in EU-GMP Supply Chains: How Buyers Can Use Audit Reports Efficiently and in a Regulation-Compliant Way

Anyone who purchases medical cannabis, APIs, or other GMP-relevant products knows the problem: Suppliers must be qualified, monitored, and evaluated in a documented manner — often internationally, under time pressure, and with high regulatory standards. Especially in global supply chains, a central question therefore arises more and more frequently: Does every buyer have to audit every producer themselves, or can several companies use the same independent audit report?

The good news is: Shared supplier audits are generally possible. The EMA has explicitly stated that the same principles also apply when audit reports are shared between different MIA holders who use the same supplier. At the same time, the responsibility for the qualification, evaluation, and formal release of the supplier always remains with the respective user company. A shared audit report can therefore be a strong building block — but not a free pass.

Why Shared Audits Are Particularly Relevant for Medical Cannabis

The market for medical cannabis is international, complex, and highly documentation-driven. Producers in Europe, North America, Australia, Africa, or Latin America often supply several B2B customers in parallel. At the same time, European GMP processors, importers, and wholesalers expect reliable qualification processes, transparency, and a clean risk assessment.

If almost identical customer audits are carried out multiple times at the same site, this results in redundant costs, audit fatigue for the supplier, and longer onboarding times. This is exactly where shared supplier audits come in: An independent, qualified third-party audit is created in such a way that it can be used by several authorized buyers. This saves time, reduces the audit burden, and creates a structured information basis for purchasing, QA, and — where relevant — QP-related evaluation processes.

What is permitted by regulation — and what is not

The regulation-compliant answer is: Yes, an audit can be used by multiple parties. However, it is crucial that each user company evaluates, approves, and integrates the report into its own quality system.

The distinction is just as important: A shared audit report does not automatically replace the entire supplier qualification. For buyers under EU-GMP, this means that shared audits are an efficiency tool, but not a substitute for their own risk-based assessment.

What a Truly Usable Shared Audit Should Cover

A shared audit is only valuable if it is not too narrow. A report that only looks at a single customer-specific issue is often of limited use to other subsequent buyers.

Shared supplier audits become truly reliable when they look at the site as comprehensively as possible: quality system, documentation, hygiene, training, material and personnel flows, data integrity, validation, change control, deviation management, complaints, and the relevant manufacturing or processing steps across the main product groups.

In addition, the report must be substantial enough. For serious buyers, a mere certificate such as “Audit passed successfully” is usually not enough. Traceable information on the audit date, scope, auditor, findings, classification, agreed CAPAs, and ideally the status of the implementation of the measures is required.

What Advantages Shared Supplier Audits Offer Buyers

For buyers of medical cannabis and other GMP-relevant products, shared audits offer three main advantages: faster pre-selection of new suppliers, less effort for recurring audit processes, and better comparability between different producers.

Especially in markets with long supply chains and high qualification effort, this can make a noticeable difference. Shared audits help to organize audit effort more intelligently without diluting regulatory responsibility.

How This Can Work Using FlowerSynk as an Example

A practical model can be explained well using the example of FlowerSynk. On the FlowerSynk website, the company describes a marketplace approach in which producers list products, fill out standardized audit questionnaires, and can optionally book third-party audits; buyers can request audit reports directly from the supplier.

In such a setup, it is not FlowerSynk itself that audits, but auditors independent of FlowerSynk who audit the producers. The audit is designed in such a way that all products produced by the company and the systems relevant to them are covered as far as possible. This creates a report that is not only usable for a single buyer, but potentially for several authorized interested parties.

The user rights can be organized in such a way that the producer controls which buyers they grant access to their audit report. In this way, the audited company retains control over the report, while several buyers can use the same professional audit as the basis for their supplier evaluation.

In practice, this can result in an efficient digital supplier qualification process: The producer deposits the audit report, certificates, CAPA status, and supplementary quality documents in the supplier profile. An interested buyer receives access after approval and can document internally whether the report is accepted, whether there are any questions, or whether additional follow-up is necessary. A static PDF thus becomes an active component of a structured, scalable qualification workflow.

Where the Limits of Shared Audits Lie

As attractive as shared audits are, they do not replace every individual case. For high-risk suppliers, open critical findings, significant changes to the site or quality system, or very product-specific processes, a supplementary own audit may still be useful or necessary.

For import-related constellations under MIA/QP responsibility, special care is required, because the responsibility for certification and release is not transferred to a third party.

Conclusion

Shared supplier audits are a highly interesting approach for buyers of medical cannabis and other EU-GMP-relevant products: generally permissible from a regulatory point of view, operationally efficient, and economically sensible.

The key lies in the design: independent auditors, broad scope, controlled access rights, and a clearly documented evaluation by the respective buyer. It is precisely at this point that FlowerSynk can create added value — not as a substitute for GMP responsibility, but as a digital infrastructure with which audit information can be used in a more structured, faster, and more scalable way between producers and buyers.

FAQ

Are shared supplier audits even permissible under EU-GMP?

Yes. The EMA generally accepts third-party audits and explicitly clarifies that the same principles also apply to the sharing of audit reports between different MIAHs. The prerequisite is that the user company evaluates and formally releases the report itself.

Is a shared audit report alone sufficient for supplier qualification?

Not automatically. A shared audit can be a central building block, but it does not in itself replace one's own risk-based assessment, the examination of the scope, and, if applicable, other GMP or QP-related requirements.

What must a shared audit contain so that buyers can use it meaningfully?

At least traceable information on the scope, date, auditor, findings, classification, CAPAs, and ideally on the implementation status. Without sufficient report depth, a reliable internal final assessment is difficult to make.

Who retains responsibility when multiple buyers use the same audit?

Always the respective user company. The responsibility for supplier qualification, evaluation, and, if applicable, QP-relevant decisions remains with the buyer or MIA holder.

How does FlowerSynk support this process?

On its website, FlowerSynk describes a marketplace approach in which producers provide standardized audit information, can book optional third-party audits, and buyers can request audit reports directly. The platform can thus serve as a structured interface for documented supplier qualification workflows.