SMB Validation

Is an audit of a vendor enough to ensure that the technical controls (in their product) are all present and compliant?

In addition to a vendor audit, one must scrutinize the product itself and its implementation in your facility. Do not forget that validation of the applicable systems in your own environment is the user responsibility (not to mention implementing the procedural and administrative controls for complete adherence to Part 11.)