🎉 Xenia raises $12M Series A and announces 2 new AI capabilities

Learn More

White cross or X mark on a black background.

Vendor Compliance Audit Software: Scoring the Supplier, Not Just the Store

Last updated:
July 3, 2026
Read Time:
9 min
Restaurant
conditional

Summary

Vendor compliance audit software scores whether a supplier delivered what the contract promised: the right product, quantity, temperature, and paperwork. On Xenia, a delivery driver or contractor completes the audit on a shared tablet or QR-triggered link with no login, conditional visibility shows only the questions for that vendor category, and a failed item escalates like a store audit finding. OnCue runs vendor compliance on Xenia, and Refuel uses the same no-login vendor access across more than 200 C-stores.

What is a vendor compliance audit?

A vendor compliance audit is a formal check that verifies a supplier delivered against the contract and the standard. It scores the drop or the service visit the same way a store audit scores a shift.

A supplier audit is a systematic evaluation of a supplier's ability to consistently meet quality, regulatory, and contractual requirements, covering the supplier's processes, documentation, and standards adherence, per simplerQMS on supplier audit types. Quality-management vendors list four broad categories (quality, social, environmental, and security), per MasterControl. For a multi-unit frontline operator, the practical categories are narrower:

  • Delivery compliance. Did the fuel drop or food delivery match the product, quantity, temperature, and bill of lading?
  • Service compliance. Did the pest control tech or HVAC contractor do the scoped work and document it?
  • Credential compliance. Is the license, insurance, and EPA registration current?

Two different things get scored, and it helps to keep them separate. First, the delivery or visit itself: was this drop compliant? Second, the vendor's track record over time: is this supplier trending toward a problem across many drops at many stores? A vendor audit checklist captures the first. A vendor scorecard rolls up the second.

Do not confuse a vendor compliance audit with a vendor management audit (an internal review of your own vendor program) or a contract compliance audit (a finance-led billing review, per SC&H Group). For the person at the back dock, the vendor compliance audit is the delivery-moment check.

Third-party risk is not a rounding error. One in two companies believe the cost of a third-party incident has at least doubled over five years, and they estimate a single incident could cost between US$0.5 billion and US$1 billion or more, per Deloitte's Extended Enterprise Risk Management survey. The supplier is a risk surface. The receiving dock is where you catch it or miss it.

The audit uses the same scoring engine as a store audit. That means weighted scoring that separates critical items from cosmetic ones, conditional visibility that shows different questions by vendor type, and a corrective action workflow that drives a failure to closure. If you are new to the category, start with the audit software hub and the conditional audits overview.

Example walkthrough, auditing a fuel delivery against a signed contract

A vendor compliance audit scores a fuel drop against the signed contract and the bill of lading at the moment of delivery, not weeks later when corporate catches a variance.

Picture a tanker pulling into a Refuel forecourt at 5:40am. The driver is a third-party carrier, not a Xenia user, and never will be. The store attendant is closing out the overnight shift. In the old workflow, the delivery gets signed, the bill of lading goes in a drawer, and nobody reconciles it against the contract until a variance surfaces later. With delivery vendor compliance scored at the dock, that gap closes. Here is the flow:

  1. The attendant scans the QR code at the fuel receiving point. The audit opens on a shared tablet or the attendant's device with no login. This is the same no-login pattern Xenia already uses for QR-code vendor work requests.
  2. Conditional visibility renders only the fuel-vendor questions. The pest control, food-vendor, and HVAC questions stay hidden because this is a fuel drop. C-store chains with mixed formats can run one audit and hide irrelevant questions per vendor, so the attendant never scrolls past items that do not apply.
  3. The audit checks the drop against the contract and the bill of lading. Product grade matches the order, gross and net gallons match the bill of lading, seal numbers match, the invoice price matches the contracted rate, and the delivery window was met.
  4. A follow-up question with a required photo triggers on any mismatch. If net gallons do not match, the form asks for the reading, requires a photo of the meter and the paperwork, and captures the driver's signature on the shared device.
  5. The failed item auto-creates a corrective task. It routes to the area manager, sets a deadline, and escalates to Regional if it is not resolved. A fuel price or quantity discrepancy becomes a corrective task to the DM that escalates to Regional if it is not done in 24 hours, the same closure loop as any store finding.

Why score against the bill of lading? Because it is a legally binding document issued by the terminal that details what is moving, who is moving it, and where. It is the backbone of fuel tax reporting and the first thing regulators cross-check when something looks off, per igentax on bill-of-lading tax compliance. Scoring the drop against it is not busywork. It is the record that protects the operator.

The payoff is documented outside Xenia too. Retailers who put fuel analytics and BOL reconciliation discipline in place improved variance rates by 64% and cut reconciliation investigations by 50%, per a Titan Cloud case study. Those are Titan Cloud's numbers, not Xenia's, but they show why the drop is worth scoring.

The same pattern audits a food delivery. FDA Food Code requires temperature-controlled-for-safety (TCS) foods to be received at 41°F or below, and deliveries above that should be rejected, per ServSafe receiving criteria. The proper rejection is to set the item aside, tell the driver what is wrong, back it with the purchase agreement, get a signed credit slip, and log it, per ANFP safe receiving practices. A vendor compliance audit captures that rejection as evidence in one flow.

How does a vendor audit differ from a store audit?

A store audit scores your own team's execution. A vendor audit scores a third party you do not employ and cannot log into your system. That single difference drives how the audit is built.

| Dimension | Store audit | Vendor compliance audit |
|---|---|---|
| Who is scored | Your own store team | A third-party supplier or contractor |
| Who completes it | A manager or DM with a login | A driver or contractor with no login, or your attendant witnessing the drop |
| What it measures | Shift execution, cleanliness, safety, standards | Contract adherence: product, quantity, temp, paperwork, credentials, scope |
| Scoring focus | Weighted by operational risk | Weighted by contract and safety risk, plus the vendor's rolling track record |
| Conditional logic | By store format (patio, drive-thru, tap system) | By vendor category (fuel, food, pest control, HVAC, refrigeration) |
| Corrective action target | Internal: store manager, DM | External: the supplier, plus an internal owner |
| Frequency | Daily, weekly, or per shift | Per delivery or service visit, plus a periodic vendor review |

Three differences matter most in practice.

Access. The vendor does not have and should not need a Xenia account. That is the whole point of the no-login pattern, and it reuses the mechanics documented at QR-code anonymous work requests. Competitors in the supplier-audit space market similar field access, but none pair it with a full multi-unit ops platform that already runs your store audits, work orders, and comms.

Conditional logic runs by vendor type, not store format. A fuel drop shows fuel questions. A pest control visit shows integrated pest management and documentation questions. A food delivery shows temperature and date-code questions. Nullify scoring keeps each category honest: fuel-only stops do not get marked down for missing food-service items, and a fuel vendor is never penalized against food-vendor questions. This is the same conditional engine described at nullify scoring paired with conditional visibility and the tap-system-versus-fuel-only C-store example, pointed at vendors instead of stores.

Corrective action escalates outward. A store finding escalates from DM to Regional. A vendor finding becomes a documented supplier escalation, with photo, timestamp, and signature attached, so the corporate category manager has proof when they call the vendor. This is different from a franchise self-audit, where the franchisee checks their own unit, and different again from a mystery shopper audit, which scores customer experience.

On cadence, the industry standard is to run a vendor compliance assessment annually, on any significant change, and at the start or end of a relationship, with risk-based thresholds that trigger extra audits, per KirkpatrickPrice. Translated for a frontline operator: the delivery-moment check runs every drop, and the vendor scorecard review runs quarterly.

Rated 4.9/5 stars on Capterra
Pricing:
Supported Platforms:
Priced on per user or per location basis
Available on iOS, Android and Web
Pricing:
Priced on per user or per location basis
Supported Platforms:
Available on iOS, Android and Web
Download Xenia app on
Apple App Store BadgeGoogle Play

How to set up vendor compliance audits in Xenia

Setting up supplier audit software in Xenia starts from your existing contract or SOP, not a blank form. Follow these steps.

  1. Start from the SOP or contract. Upload the existing vendor delivery SOP or the service contract into the AI Template Agent, which converts it into a digital audit form with conditional logic and required fields. The agent digitizes a document you already have. It does not invent an audit from a vague brief.
  2. Group questions by vendor category and turn on conditional visibility. Build one template family. Tag question sets to vendor type (fuel, food, pest control, HVAC, refrigeration). Conditional visibility renders only the questions for the selected category, so the driver or contractor never scrolls past irrelevant items.
  3. Apply weighted scoring to separate critical from cosmetic. Give high point values to contract-critical and safety-critical items (net gallons versus the bill of lading, cold-chain temperature, an expired contractor license) and low values to minor items (paperwork formatting, cosmetic packaging). Weighted scoring is deterministic point assignment, not a black box.
  4. Turn on nullify scoring so N/A items do not distort the score. A fuel vendor is not penalized for missing food-vendor items. Each category's score stays honest and comparable.
  5. Add follow-up questions with required photo capture on failure. A mismatch triggers a description field, a required photo (the meter, the paperwork, the bait station, the equipment), and a signature on the shared device. The photo stores evidence. It is not interpreted by the platform.
  6. Set the corrective-action workflow and escalation. A failed item auto-creates a corrective task with an owner, a deadline, and an escalation rule. Route it so the store or facilities owner is notified and the supplier escalation is documented for the corporate category manager.
  7. Deploy access with QR codes at the receiving point. Post a QR at the fuel receiving point, the back dock, and the equipment a contractor services. Scanning opens the correct vendor audit with no login.
  8. Scope permissions with location hierarchy. Area managers see their stores' vendor audits. Regional sees the district. Corporate sees a vendor's performance across every location.

For the facilities manager, the same template handles a contractor. A pest control service-visit audit verifies EPA registration and state licensing are current, general liability insurance meets the contracted minimum (commonly $1M), workers' comp is on file, bait stations were serviced and documented, and the technician logged activity with a client sign-off. Credentials should be verified annually and emergency sightings answered within 24 hours, per oxmaint's IPM verification checklist and the SafetyCulture pest control service quality audit. The one conditional template that handles a fuel drop handles the pest visit, because conditional visibility swaps the question set by vendor category. Need a starting point? See the FSMA supplier verification checklist and the ISO 9001 supplier audit checklist, and the standard operating procedure reference if you are building the source SOP first.

Where do operators see results?

The payoff of a vendor compliance audit is not the single pass or fail at the dock. It is the vendor scorecard that turns a supplier's rolling performance across every location into evidence a category manager can act on.

  • The vendor scorecard. Custom dashboards surface the supplier's compliance trend, open corrective actions tied to that vendor, and the stores where a vendor keeps failing. These are operations dashboards built to show where the next problem is forming, not a business-intelligence warehouse.
  • Store captures, corporate owns. Score capture happens at the store, at the moment of delivery. Scorecard ownership sits with corporate or the category manager who owns the supplier relationship. Location hierarchy lets both views coexist: the store owns the drop, corporate owns the vendor.
  • Escalation as a conversation, not a complaint. A failed audit becomes a documented escalation with photo, timestamp, and signature. When the category manager calls the supplier, they turn "your driver was late once" into "your on-time compliance across 40 stores this quarter is 82%."
  • A record-keeping byproduct. For food operators, FSMA 204, the Food Traceability Rule, requires capturing key data at critical tracking events and keeping records for 24 months, available to FDA within 24 hours of a request. FDA's enforcement date was extended, and the agency will not enforce before July 20, 2028, per the Federal Register compliance-date extension. An audit that captures receiving data at each delivery builds that record as you go.

Two C-store operators anchor the pattern. OnCue runs vendor compliance on Xenia. Refuel put third-party vendor access, offline mode for rural fuel stops, and a DM-to-Regional escalation flow in place across more than 200 stores. Offline mode matters here because rural sites drop connectivity, and Refuel named it as a switching driver. The audit still captures at the dock and syncs when the signal returns.

Vendor compliance is not a separate tool. It is your audit engine and your C-store operations platform pointed at the people who deliver to you. Score the vendor the same way you score the shift.

Frequently Asked Questions

Got a question? Find our FAQs here. If your question hasn't been answered here, contact us.

Can a third-party vendor complete a compliance audit without a Xenia login?

Yes. A delivery driver or contractor completes the audit on a shared tablet or a QR-triggered link with no Xenia account. This is the same no-login pattern Xenia uses for QR-code vendor work requests. The attendant can also witness the drop and complete it. Refuel runs this third-party vendor access across more than 200 C-stores, capturing the driver's signature right on the shared device.

What should a vendor compliance audit score, the delivery itself or the vendor's track record over time?

Both, but keep them separate. The vendor audit checklist scores the single drop or service visit: was this delivery compliant against the contract and bill of lading? The vendor scorecard rolls up the second question, whether the supplier is trending toward a problem across many drops at many stores. The store captures the delivery moment, and corporate uses the rolling scorecard to manage the relationship.

How does a failed vendor audit turn into an escalation with the supplier?

A failed item auto-creates a corrective task with an owner, a deadline, and an escalation rule that fires if it is not closed. Unlike a store finding that escalates from DM to Regional, a vendor finding becomes a documented supplier escalation with photo, timestamp, and signature attached. That gives the corporate category manager proof when they call the vendor, turning "your driver was late once" into a real compliance number across every store.

Does the same conditional template work for a fuel vendor and a food vendor?

Yes. You build one template family, and conditional visibility swaps the question set by vendor category. A fuel drop shows fuel questions checked against the bill of lading. A food delivery shows temperature and date-code questions, like the FDA Food Code 41 degree receiving limit for TCS foods. Nullify scoring keeps each category honest, so a fuel vendor is never penalized against food-vendor items that do not apply.

Who at a multi-unit operator owns vendor compliance scoring, the store or corporate?

Both, split by role. Score capture happens at the store, at the moment of delivery, when the attendant or contractor completes the audit. Scorecard ownership sits with corporate or the category manager who owns the supplier relationship. Location hierarchy lets both views coexist: area managers see their stores' vendor audits, and corporate sees a vendor's performance across every location.
Unify Operations, Safety and Maintenance
Unite your team with an all-in-one platform handling inspections, maintenance and daily operations
Get Started for Free
Xenia ChecklistsXenia Software Mockups