A production line goes down on a Thursday afternoon. The critical-path supplier for the failed component was qualified 18 months ago: a positive reference call, a folder of scanned certificates, and the procurement manager's informal approval over email. The ISO certification in that folder expired eight months ago. Nobody noticed because there is no process for tracking document expiry on vendor records — there is a shared folder and the implicit assumption that someone is monitoring it. When the certification auditor arrives the following week, the company has an active critical supplier with a lapsed qualification and no approval trail to show.
The gap between policy and practice is entirely predictable. The procurement policy defines qualification requirements clearly: valid certifications, insurance documents, financial stability records, regulatory compliance documentation, and risk classification. The process for collecting and validating those requirements has no consistent owner, no deadline enforcement, and no evidence standard. A vendor gets approved because someone on the committee said yes — not because a structured record shows what was reviewed and who authorized it.
ISO 9001:2015 Clause 8.4 sets an explicit requirement: the organization shall determine the controls applied to externally provided processes, products, and services, and shall establish documented criteria for evaluation, selection, monitoring, and re-evaluation of external providers. In an internal first-party audit, a quality engineer's scoring sheet usually passes review. In a third-party certification audit or a critical enterprise customer's supply chain audit, the required evidence is a qualification record that shows the criteria applied, any nonconformities found, corrective actions taken, and the approval attributed to a named role. 'We have a folder of vendor certificates' is not conformant evidence under this clause.
In Cadenio, vendor onboarding is a Flow with distinct phases: document collection assigned to the procurement analyst, technical and risk review assigned to quality and legal teams, committee approval as a formal gate, and operational registration as the final phase. Each document has a collection owner and a due date. The committee gate requires explicit approval from each member — not a reply-all email. The phase cannot advance until all requirements are met.
Risk classification is where the flow adapts to vendor type. A service provider and a raw material supplier carry different compliance requirements and different audit exposure. Conditional logic in the Flow template activates the requirements appropriate for each vendor category at the point of intake, rather than relying on the analyst to remember which checklist applies.
The ongoing dimension of vendor management is as important as initial qualification. Annual re-qualification, SLA performance reviews, and audit cycles are recurring Flows that tie back to the original supplier record. When a vendor's certification is approaching expiry, Cadenio fires the renewal alert and opens the re-qualification run automatically — without a calendar reminder that may or may not reach the right person.
The commercial implication is underestimated in most procurement teams. Enterprise customers increasingly include supply chain audit requirements as contract conditions — asking suppliers to demonstrate not just that their own suppliers are qualified, but how they were qualified, who approved the decision, and what re-evaluation cadence is maintained. A qualification library built in Cadenio answers that question with a run history, not a policy document. The difference matters: a policy describes intent. A run shows execution. For organizations competing on contracts where supply chain integrity is a vendor selection criterion, the qualification record is part of the commercial proposition.