How to Build an Approved Supplier List (+ Free Template)

If your business buys materials, products, subcontracted work, or critical services from outside companies, someone needs to know which suppliers are actually allowed to be used.

That is the job of an approved supplier list.

On paper, it sounds like a simple list. In practice, it is usually one of the first records an auditor, customer, or internal reviewer asks to see. It is also one of the easiest records to let drift: a certificate expires, a subcontractor changes insurance, a site adds a new supplier in a hurry, and suddenly the list no longer matches reality.

This guide covers what an approved supplier list should include, how it differs from the approval process behind it, what different regulated industries tend to look for, and how to keep the list useful after the first version is created. You can also download a free template and adapt it to your own supplier controls.

Download the template

• Download PDF template
• Download Excel template

The Excel version is a blank working tracker with a status dropdown and a key evidence expiry column. The PDF is a printable blank reference. The full template layout is also written out at the end of this guide.

What is an approved supplier list?

An approved supplier list, often called an approved vendor list, is the register of suppliers your business has reviewed and authorized for a defined purpose.

It should answer three practical questions without anyone having to search through emails or old folders:

• Who are we allowed to buy from?
• What are they approved to supply?
• Is that approval still valid?

The list itself is not the approval process. It is where the decision lands after the review is done. Each line should point back to a risk decision and the evidence used to approve the supplier.

For example, a packaging supplier might be approved for cartons from one site, but not for printed labels from another site. A contractor might be approved for low-risk maintenance work, but not for confined-space entry. The useful detail is not just the supplier name. It is what they are approved to do.

Approved supplier list vs approved vendor list

Most companies use these terms interchangeably. "Supplier" is more common in manufacturing, food, and quality-management contexts. "Vendor" is more common in procurement, finance, software, and services teams.

The name matters less than the control. Whether your team calls it an approved supplier list, approved vendor list, ASL, AVL, or approved supplier register, the record still needs to show who is approved, for what, on what basis, and until when.

Why an approved supplier list matters

Purchasing from an unapproved supplier is a basic but serious control failure. It means a material, product, service, or subcontractor entered your operation without the checks your business said were required.

The list gives day-to-day teams a clean answer when they need to buy, book, receive, or approve work:

• a clear boundary between approved and unapproved suppliers,
• a way for procurement to buy with confidence,
• evidence for auditors, clients, and regulators,
• a control point for managing risk across the supply base,
• a trigger for ongoing review and reapproval.

Without a current list, approval decisions end up in people's heads, scattered emails, and old spreadsheet tabs. That may work for a while. It stops working when the person who knows the history is away, a supplier document expires unnoticed, or an auditor asks you to match last quarter's purchases against the approved list.

Is an approved supplier list a requirement?

In most regulated and quality-certified contexts, yes.

A documented supplier approval program, with a current list of approved suppliers, is required or expected by:

• ISO 9001 and other quality management standards, which require control of externally provided processes, products, and services,
• GFSI-benchmarked food safety schemes such as BRCGS, SQF, and FSSC 22000,
• FDA supply-chain and Foreign Supplier Verification Program requirements for businesses importing into or manufacturing in the United States,
• construction and infrastructure prequalification and principal-contractor requirements,
• medical device, aerospace, and other regulated manufacturing quality systems.

The wording changes from standard to standard, but the practical test is familiar: show who was approved, show why they were approved, and show that the approval is still current.

What an approved supplier list should contain

A bare list of company names is rarely enough. A useful approved supplier list has enough detail for procurement to act on it, for quality or compliance to defend it, and for the supplier owner to spot what needs attention.

Supplier identification

• Legal company name
• Trading name, if different
• Supplier ID or vendor code
• Supplier type (manufacturer, broker, trader, distributor, subcontractor, service provider)
• Supplier owner and main contact

Scope of approval

• Materials, products, or services approved
• Geographic or site scope
• Intended use
• Any restrictions or conditions on the approval

Why this matters: "ABC Ltd: approved" is too vague. "ABC Ltd: approved for material X from Site Y for projects A, B, and C" gives people something they can actually use.

Risk classification

• Risk category or rating for the supplier and what they supply
• Basis for the risk rating (criticality, hazard profile, fraud vulnerability, country or site risk)

Why this matters: Risk is what stops the list becoming busywork. A supplier of office stationery should not need the same review cycle as a supplier of high-risk ingredients, safety-critical components, or specialist site work.

Approval status and decision

• Status: approved, conditionally approved, pending, or rejected
• Approval date
• Approver name
• Approval evidence reference

Supporting evidence and document status

• Required evidence on file for your industry, such as certification, insurance, accreditation, audit, questionnaire, specification, or test evidence
• Key evidence expiry
• Specification, contract, statement of work, or requirement reference

Review and monitoring

• Last review date
• Review frequency
• Next review date
• Outstanding actions
• Performance, complaint, or incident notes

Here is an example of how the same structure can work across different supplier types. The required evidence changes by industry and risk, but the control stays the same: record what evidence supports the approval, when that evidence expires, and when the supplier should be reviewed again.

Why this matters: Review and evidence expiry fields are often the difference between a live control and a spreadsheet that only looked good on the day it was created.

Approved supplier list vs approved supplier program

These terms are related, but they are not the same thing.

• The approved supplier program is the procedure: how you evaluate, approve, monitor, and remove suppliers.
• The approved supplier list is the record: the current, controlled output of that program.

Auditors usually test the chain. They read the procedure, compare it with the list, then check whether actual purchases or work orders followed the list. If those three do not line up, the finding is not about wording. It is about control.

Industry-specific requirements

The columns on the list stay fairly similar across industries. What changes is the evidence expected behind each entry and the consequences when an approval lapses.

Food and beverage

Food safety schemes put heavy weight on supplier approval because supplier failures can become product safety failures. The list normally needs to tie back to risk assessments, current specifications, certification, and ongoing monitoring.

• BRCGS treats supplier approval as a fundamental requirement and expects a fully risk-based approach, with each supplier linked to a documented risk assessment and continuous performance monitoring rather than one-time sign-off. See our BRCGS compliance overview.
• SQF expects documented approval criteria, evidence of review, and re-evaluation of active suppliers. See the SQF Edition 10 Supplier-Document Gap Checklist and SQF compliance overview.
• FSSC 22000 frames supplier approval as part of the wider management system, with clear links between risk, supplier controls, and material approval. See the FSSC 22000 compliance overview.
• FSVP and FDA supply-chain program require hazard analysis, supplier and food risk evaluation, defined verification activities, and periodic reassessment for importers. See the Foreign Supplier Verification Program checklist and FSMA and FSVP overview.

For the full per-supplier review behind each list entry, see our food supplier approval checklist.

Construction and trades

In construction, the approved supplier list often covers subcontractors and trade suppliers. The documentation focus usually shifts toward safety, insurance, accreditation, and evidence that the business is competent for the work being assigned.

• Public and employer's liability insurance, with current expiry dates
• Trade accreditations and prequalification (for example CHAS, SafeContractor, Constructionline) and licenses
• Health and safety policy and risk and method statements (RAMS)
• Competency and training records for higher-risk work
• Financial and reference checks

Insurance and accreditation dates matter here. A subcontractor may have been fine when they were added, but that does not help if their insurance or prequalification expired before the next job.

Other regulated industries

Manufacturing, medical device, aerospace, and similar sectors usually anchor the list to a quality management system. Expect more emphasis on certification numbers, supplier audit dates, change control, nonconformance history, and re-evaluation records.

How to build an approved supplier list

If you are starting from scratch, resist the temptation to open a spreadsheet and start typing names. The list is easier to maintain if the rules are clear first.

1. Define your approval criteria

Write down what a supplier must meet before it can be approved for each risk category. Otherwise the list becomes a collection of one-off decisions.

2. Inventory your current suppliers

List every supplier you are actively buying from and what they supply. This step often finds the uncomfortable cases: suppliers that are in use, but were never formally approved.

3. Risk-assess each supplier

Assign a risk category so the review effort matches the risk. This is where you decide who needs a light check, who needs a deeper review, and who needs regular reapproval.

4. Gather and review the required evidence

Collect certifications, insurance, licenses, specifications, and conformance evidence. Then actually review them. A certificate sitting in a folder is not the same as an approved certificate.

5. Record the decision and scope

Record the status, scope, approver, approval date, and next review date. If the approval has conditions, write them where procurement and operations can see them.

6. Publish the controlled list

Make sure the people buying, booking, or receiving goods and services can access the current version. A list that lives in a private folder will eventually be bypassed.

How to keep an approved supplier list audit ready

Most approved supplier lists are accurate when they are created. The problems appear three, six, or twelve months later, when documents expire and supplier details change.

• Track every expiry. Certifications, insurance, licenses, and audit cycles all expire. An expired document against an active supplier is a common and avoidable finding. See tracking certificate expiries and renewals.
• Keep specifications current. Approval is tied to what a supplier provides at a given specification. When the specification changes, the approval basis may need to change too. See keeping supplier specs controlled.
• Schedule periodic review. Re-evaluate suppliers on a frequency that matches their risk, and record the review.
• Trigger reapproval on change. Major incidents, audit downgrades, site changes, or ownership changes should all prompt a review.
• Remove or downgrade suppliers that no longer meet requirements, and make sure procurement sees the change immediately.
• Keep a clear audit trail of who reviewed what and when.

Common approved supplier list mistakes

These are the issues that tend to show up when someone tests the list against real purchasing activity.

Managing the list in a disconnected spreadsheet

The list lives in one file, certificates and insurance sit in inboxes, specs are saved somewhere else, and nobody is quite sure which version is current. This gets harder to manage as the supplier base grows. We cover why in the risks of manual supplier document management.

Approving the supplier but not what they supply

A supplier may be acceptable for one material, product, site, or service, but not for another. The list should make that clear.

Treating the list as a static document

Without expiry tracking and scheduled review, the list is accurate only on the day it was made.

No clear owner

When quality assumes procurement owns the list and procurement assumes quality owns it, updates get missed.

The list and reality disagree

If you purchased from a supplier that is not current on your list, the control has failed regardless of how good the document looks.

From spreadsheet to system

A spreadsheet can hold an approved supplier list. The harder part is keeping it connected to the evidence behind each approval.

When the list and the documents are separate, you get version confusion, missed expiries, and weak audit traceability. A better setup connects the list to the records behind it:

• one place to store supplier records and their approval status,
• the certifications, insurance, licenses, and specifications linked to each supplier,
• automatic visibility into what is current, missing, expiring, or overdue,
• a review workflow with owners, status, and dates,
• an audit trail that shows what was reviewed and approved.

That is when the list becomes more than a document. It becomes a working view of the supplier approval program.

Final thoughts

An approved supplier list is not valuable because it has supplier names on it. It is valuable because it shows the current decision: who can be used, what they can supply, what evidence supports that decision, and when the decision needs to be reviewed.

If the list cannot survive being compared with certificates, insurance, specifications, and actual purchases, it is not really under control.

Evidash helps compliance-driven businesses keep supplier records, documents, and specifications in one place, track expiries and review status automatically, and maintain a clear audit trail across supplier approval and ongoing monitoring. Instead of manually rebuilding the approved supplier list before every audit, teams can work from a list that reflects the records underneath it.

If you are building or tightening your approved supplier list, take a look at Evidash's supplier management software and expiry tracking to see how it can support a more robust program.

If you want to see the workflow before committing, explore the interactive demo.

Frequently asked questions

Is an approved vendor list the same as an approved supplier list?

Yes. They describe the same control: a register of organizations you have reviewed and authorized to buy from. "Supplier" is more common in manufacturing, food, and quality teams, while "vendor" is more common in procurement, finance, and software teams. Whichever term you use, the record needs to show who is approved, for what, on what basis, and until when.

Who is responsible for the approved supplier list?

Ownership usually sits with quality, technical, or compliance, often shared with procurement. The important thing is that one function clearly owns it. When quality assumes procurement maintains it and procurement assumes quality does, updates get missed and the list drifts out of date.

How often should an approved supplier list be reviewed?

Review frequency should match risk. Higher-risk suppliers are typically reviewed more often than low-risk ones, and most programs set a defined review cycle per risk category. Beyond the schedule, certain events should trigger an immediate review: an expired certificate or insurance policy, a major incident or recall, an audit downgrade, or a change of site or ownership.

What documents should an approved supplier list track?

That depends on your industry and risk, but common ones include certifications (quality, safety, or scheme-specific), insurance certificates, licenses or accreditations, current specifications, and conformance evidence such as Certificates of Analysis. The list should record both the document and its expiry date so nothing lapses unnoticed.

Is an approved supplier list a legal or audit requirement?

In most regulated and quality-certified contexts, yes. A documented supplier approval program with a current approved supplier list is required or expected under ISO 9001, GFSI-benchmarked food safety schemes such as BRCGS, SQF, and FSSC 22000, FDA supply-chain and FSVP rules, and construction prequalification requirements. The common thread is that you must use only approved suppliers, show how they were approved, and keep that approval current.

Approved supplier list template

Use this as a starting point and adapt the columns to your industry, risk profile, and audit requirements. Each row is one supplier and scope of approval.

Supplier identification

• Legal name
• Trading name (if different)
• Supplier type (manufacturer, broker, trader, distributor, subcontractor, service provider)
• Supplier ID or vendor code
• Supplier owner
• Main contact

Scope of approval

• Approved materials, products, or services
• Site or region scope
• Intended use
• Restrictions or conditions

Risk

• Risk category
• Basis for risk rating

Approval

• Status (approved, conditionally approved, pending, rejected)
• Approval date
• Approver
• Approval evidence reference

Supporting documents

• Required evidence on file
• Key evidence expiry
• Specification, contract, or requirement reference

Review and monitoring

• Last review date
• Review frequency
• Next review date
• Outstanding actions
• Performance, complaint, or incident notes