The vendor audit can be done on-site; however, it can also be done as a bench audit, commonly referred to as a postal audit. If you’re doing the audit remotely, many organizations start with questionnaires sent to the vendor to gather documentation and information about any certifications the vendor holds. There is typically a formal management meeting to review the vendor’s quality management system and SDLC documentation. On that point, it is common practice to allow auditors to view quality system documents and policies on-site; however, most organizations will not allow copies of these documents to be taken off-site. Vendors may allow such documents to be viewed remotely via a web meeting. Regardless, they should be able to speak to those documents, highlight items such as the table of contents, and show that they have processes in place for the SDLC, training their users, personnel management, etc., so you can satisfy that requirement. Ultimately, it is your organization’s decision, based on risk, whether to conduct an in-person, on-site audit or a remote one. Both approaches are applicable when creating those audits for a vendor.