Summary
What is a vendor compliance audit?
A vendor compliance audit is a formal check that verifies a supplier delivered against the contract and the standard. It scores the drop or the service visit the same way a store audit scores a shift.
A supplier audit is a systematic evaluation of a supplier's ability to consistently meet quality, regulatory, and contractual requirements, covering the supplier's processes, documentation, and standards adherence, per simplerQMS on supplier audit types. Quality-management vendors list four broad categories (quality, social, environmental, and security), per MasterControl. For a multi-unit frontline operator, the practical categories are narrower:
- Delivery compliance. Did the fuel drop or food delivery match the product, quantity, temperature, and bill of lading?
- Service compliance. Did the pest control tech or HVAC contractor do the scoped work and document it?
- Credential compliance. Is the license, insurance, and EPA registration current?
Two different things get scored, and it helps to keep them separate. First, the delivery or visit itself: was this drop compliant? Second, the vendor's track record over time: is this supplier trending toward a problem across many drops at many stores? A vendor audit checklist captures the first. A vendor scorecard rolls up the second.
Do not confuse a vendor compliance audit with a vendor management audit (an internal review of your own vendor program) or a contract compliance audit (a finance-led billing review, per SC&H Group). For the person at the back dock, the vendor compliance audit is the delivery-moment check.
Third-party risk is not a rounding error. One in two companies believe the cost of a third-party incident has at least doubled over five years, and they estimate a single incident could cost between US$0.5 billion and US$1 billion or more, per Deloitte's Extended Enterprise Risk Management survey. The supplier is a risk surface. The receiving dock is where you catch it or miss it.
The audit uses the same scoring engine as a store audit. That means weighted scoring that separates critical items from cosmetic ones, conditional visibility that shows different questions by vendor type, and a corrective action workflow that drives a failure to closure. If you are new to the category, start with the audit software hub and the conditional audits overview.
Example walkthrough, auditing a fuel delivery against a signed contract
A vendor compliance audit scores a fuel drop against the signed contract and the bill of lading at the moment of delivery, not weeks later when corporate catches a variance.
Picture a tanker pulling into a Refuel forecourt at 5:40am. The driver is a third-party carrier, not a Xenia user, and never will be. The store attendant is closing out the overnight shift. In the old workflow, the delivery gets signed, the bill of lading goes in a drawer, and nobody reconciles it against the contract until a variance surfaces later. With delivery vendor compliance scored at the dock, that gap closes. Here is the flow:
- The attendant scans the QR code at the fuel receiving point. The audit opens on a shared tablet or the attendant's device with no login. This is the same no-login pattern Xenia already uses for QR-code vendor work requests.
- Conditional visibility renders only the fuel-vendor questions. The pest control, food-vendor, and HVAC questions stay hidden because this is a fuel drop. C-store chains with mixed formats can run one audit and hide irrelevant questions per vendor, so the attendant never scrolls past items that do not apply.
- The audit checks the drop against the contract and the bill of lading. Product grade matches the order, gross and net gallons match the bill of lading, seal numbers match, the invoice price matches the contracted rate, and the delivery window was met.
- A follow-up question with a required photo triggers on any mismatch. If net gallons do not match, the form asks for the reading, requires a photo of the meter and the paperwork, and captures the driver's signature on the shared device.
- The failed item auto-creates a corrective task. It routes to the area manager, sets a deadline, and escalates to Regional if it is not resolved. A fuel price or quantity discrepancy becomes a corrective task to the DM that escalates to Regional if it is not done in 24 hours, the same closure loop as any store finding.
Why score against the bill of lading? Because it is a legally binding document issued by the terminal that details what is moving, who is moving it, and where. It is the backbone of fuel tax reporting and the first thing regulators cross-check when something looks off, per igentax on bill-of-lading tax compliance. Scoring the drop against it is not busywork. It is the record that protects the operator.
The payoff is documented outside Xenia too. Retailers who put fuel analytics and BOL reconciliation discipline in place improved variance rates by 64% and cut reconciliation investigations by 50%, per a Titan Cloud case study. Those are Titan Cloud's numbers, not Xenia's, but they show why the drop is worth scoring.
The same pattern audits a food delivery. FDA Food Code requires temperature-controlled-for-safety (TCS) foods to be received at 41°F or below, and deliveries above that should be rejected, per ServSafe receiving criteria. The proper rejection is to set the item aside, tell the driver what is wrong, back it with the purchase agreement, get a signed credit slip, and log it, per ANFP safe receiving practices. A vendor compliance audit captures that rejection as evidence in one flow.
How does a vendor audit differ from a store audit?
A store audit scores your own team's execution. A vendor audit scores a third party you do not employ and cannot log into your system. That single difference drives how the audit is built.
| Dimension | Store audit | Vendor compliance audit | |---|---|---| | Who is scored | Your own store team | A third-party supplier or contractor | | Who completes it | A manager or DM with a login | A driver or contractor with no login, or your attendant witnessing the drop | | What it measures | Shift execution, cleanliness, safety, standards | Contract adherence: product, quantity, temp, paperwork, credentials, scope | | Scoring focus | Weighted by operational risk | Weighted by contract and safety risk, plus the vendor's rolling track record | | Conditional logic | By store format (patio, drive-thru, tap system) | By vendor category (fuel, food, pest control, HVAC, refrigeration) | | Corrective action target | Internal: store manager, DM | External: the supplier, plus an internal owner | | Frequency | Daily, weekly, or per shift | Per delivery or service visit, plus a periodic vendor review |
Three differences matter most in practice.
Access. The vendor does not have and should not need a Xenia account. That is the whole point of the no-login pattern, and it reuses the mechanics documented at QR-code anonymous work requests. Competitors in the supplier-audit space market similar field access, but none pair it with a full multi-unit ops platform that already runs your store audits, work orders, and comms.
Conditional logic runs by vendor type, not store format. A fuel drop shows fuel questions. A pest control visit shows integrated pest management and documentation questions. A food delivery shows temperature and date-code questions. Nullify scoring keeps each category honest: fuel-only stops do not get marked down for missing food-service items, and a fuel vendor is never penalized against food-vendor questions. This is the same conditional engine described at nullify scoring paired with conditional visibility and the tap-system-versus-fuel-only C-store example, pointed at vendors instead of stores.
Corrective action escalates outward. A store finding escalates from DM to Regional. A vendor finding becomes a documented supplier escalation, with photo, timestamp, and signature attached, so the corporate category manager has proof when they call the vendor. This is different from a franchise self-audit, where the franchisee checks their own unit, and different again from a mystery shopper audit, which scores customer experience.
On cadence, the industry standard is to run a vendor compliance assessment annually, on any significant change, and at the start or end of a relationship, with risk-based thresholds that trigger extra audits, per KirkpatrickPrice. Translated for a frontline operator: the delivery-moment check runs every drop, and the vendor scorecard review runs quarterly.
Priced on per user or per location basis
Available on iOS, Android and Web
How to set up vendor compliance audits in Xenia
Setting up supplier audit software in Xenia starts from your existing contract or SOP, not a blank form. Follow these steps.
- Start from the SOP or contract. Upload the existing vendor delivery SOP or the service contract into the AI Template Agent, which converts it into a digital audit form with conditional logic and required fields. The agent digitizes a document you already have. It does not invent an audit from a vague brief.
- Group questions by vendor category and turn on conditional visibility. Build one template family. Tag question sets to vendor type (fuel, food, pest control, HVAC, refrigeration). Conditional visibility renders only the questions for the selected category, so the driver or contractor never scrolls past irrelevant items.
- Apply weighted scoring to separate critical from cosmetic. Give high point values to contract-critical and safety-critical items (net gallons versus the bill of lading, cold-chain temperature, an expired contractor license) and low values to minor items (paperwork formatting, cosmetic packaging). Weighted scoring is deterministic point assignment, not a black box.
- Turn on nullify scoring so N/A items do not distort the score. A fuel vendor is not penalized for missing food-vendor items. Each category's score stays honest and comparable.
- Add follow-up questions with required photo capture on failure. A mismatch triggers a description field, a required photo (the meter, the paperwork, the bait station, the equipment), and a signature on the shared device. The photo stores evidence. It is not interpreted by the platform.
- Set the corrective-action workflow and escalation. A failed item auto-creates a corrective task with an owner, a deadline, and an escalation rule. Route it so the store or facilities owner is notified and the supplier escalation is documented for the corporate category manager.
- Deploy access with QR codes at the receiving point. Post a QR at the fuel receiving point, the back dock, and the equipment a contractor services. Scanning opens the correct vendor audit with no login.
- Scope permissions with location hierarchy. Area managers see their stores' vendor audits. Regional sees the district. Corporate sees a vendor's performance across every location.
For the facilities manager, the same template handles a contractor. A pest control service-visit audit verifies EPA registration and state licensing are current, general liability insurance meets the contracted minimum (commonly $1M), workers' comp is on file, bait stations were serviced and documented, and the technician logged activity with a client sign-off. Credentials should be verified annually and emergency sightings answered within 24 hours, per oxmaint's IPM verification checklist and the SafetyCulture pest control service quality audit. The one conditional template that handles a fuel drop handles the pest visit, because conditional visibility swaps the question set by vendor category. Need a starting point? See the FSMA supplier verification checklist and the ISO 9001 supplier audit checklist, and the standard operating procedure reference if you are building the source SOP first.
Where do operators see results?
The payoff of a vendor compliance audit is not the single pass or fail at the dock. It is the vendor scorecard that turns a supplier's rolling performance across every location into evidence a category manager can act on.
- The vendor scorecard. Custom dashboards surface the supplier's compliance trend, open corrective actions tied to that vendor, and the stores where a vendor keeps failing. These are operations dashboards built to show where the next problem is forming, not a business-intelligence warehouse.
- Store captures, corporate owns. Score capture happens at the store, at the moment of delivery. Scorecard ownership sits with corporate or the category manager who owns the supplier relationship. Location hierarchy lets both views coexist: the store owns the drop, corporate owns the vendor.
- Escalation as a conversation, not a complaint. A failed audit becomes a documented escalation with photo, timestamp, and signature. When the category manager calls the supplier, they turn "your driver was late once" into "your on-time compliance across 40 stores this quarter is 82%."
- A record-keeping byproduct. For food operators, FSMA 204, the Food Traceability Rule, requires capturing key data at critical tracking events and keeping records for 24 months, available to FDA within 24 hours of a request. FDA's enforcement date was extended, and the agency will not enforce before July 20, 2028, per the Federal Register compliance-date extension. An audit that captures receiving data at each delivery builds that record as you go.
Two C-store operators anchor the pattern. OnCue runs vendor compliance on Xenia. Refuel put third-party vendor access, offline mode for rural fuel stops, and a DM-to-Regional escalation flow in place across more than 200 stores. Offline mode matters here because rural sites drop connectivity, and Refuel named it as a switching driver. The audit still captures at the dock and syncs when the signal returns.
Vendor compliance is not a separate tool. It is your audit engine and your C-store operations platform pointed at the people who deliver to you. Score the vendor the same way you score the shift.
Frequently Asked Questions
Got a question? Find our FAQs here. If your question hasn't been answered here, contact us.
Can a third-party vendor complete a compliance audit without a Xenia login?
What should a vendor compliance audit score, the delivery itself or the vendor's track record over time?
How does a failed vendor audit turn into an escalation with the supplier?
Does the same conditional template work for a fuel vendor and a food vendor?
Who at a multi-unit operator owns vendor compliance scoring, the store or corporate?
.webp)
%201%20(1).webp)



.webp)
%201%20(2).webp)
