Let’s start with an Audit Definition from ISO 19011:*
A systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Internal audits should be conducted at planned intervals to determine whether the food safety quality management system:
- conforms to the organizations policies, objectives and procedures
- is effective in ensuring product compliance with customer, regulatory and statutory requirements
- is effectively implemented, improved and updated
* ISO 19011:2011 Guidelines for auditing management systems - provides guidance on the management of an audit program, on the planning and conducting of an audit of the management system as well as on the competence and evaluation of an auditor and an audit team.
Food Safety System Process Diagram
Audit Scheduling and Risk Assessment
Audits should planned, taking into consideration the importance of the processes and areas to be audited and the results of previous audits. A designated qualified person should be responsible for allocating the audits as per the schedule to an independent auditor.
ISO 19011 Guidelines for Auditing Management Systems clause 5 Managing an audit program states:
Priority should be given to allocating the audit program resources to audit those matters of significance within the management system. These may include the key characteristics of product quality or hazards related to health and safety, or significant environmental aspects and their control.
Given some history the Internal Audit Schedule should be based on the following criteria:
- Risk associated with the procedure or activity
- Results of Previous audits
- Number of Corrective Actions raised or outstanding
- Customer Complaint Analysis
- Number of Preventative Actions raised or outstanding
- Results of the Management Review
Auditing Documentation (Including Document Control and Record Control)
An important aspect of a management system is control of documents. In order to ensure the correct current authorized documents are in place and available most standards require a process of document control.
A typical system of document control will include the following controls:
- All documentation is reviewed for adequacy before approval be authorized personnel
- Document amendments show evidence of change or modification. Deleted words are denoted with strike-through. Changes are highlighted. *
- Identification of reasons for changes and revision codes
- Issuing new or amended documents to point of use
- Maintaining legibility of issued documents
- Ensuring controlled status of externally sourced documents
- Identification and recording of the disposition of obsolete documentation
- Periodic document review
- Documents are re-issued after a practical number of changes have been made
- Only approved documentation is used in the Food Safety Management System
- A Master List of documents is be kept to identify status of all documentation
Record Control will be similar to Document Control but with additional requirements:
- Records will need to be checked to ensure that they are being completed correctly
- Completed records need to be checked and signed off
- The information recorded needs to checked to ensure compliance with specified parameters
Auditing Documentation - Whenever an audit is conducted the scope of the audit should be defined. The auditor should be aware of relevant documents, procedures and records to use in preparation for the audit. The auditor should ensure that they are familiar with these documents and check that they are being used and applied correctly during the audit. The auditor should also ensure that document and record control elements are being applied to the documentation they check.
ISO 19011 Guidelines for Auditing Management Systems In clause 6.4.3 Performing document review while conducting the audit the guidelines state ‘The auditors should consider if the information in the documents provided is: — complete — correct — consistent — current‘
Internal Audit Procedures
Whenever an audit is conducted the scope of the audit should be defined. For each audit the Auditor should be briefed on the scope of the audit, audit criteria and a list of items to be audited (including follow up of previous audit findings and corrective actions).
There should be an internal audit procedure detailing the correct method for completing internal audits. This procedure will include:
- Defining the scope
- Agreeing a time and date
- Preparing a checklist
- Instructions on conducting the audit
- Reporting requirements
- Follow up
- Relevant documents
- Records standards
- Relevant records
- Relevant customer requirements
- Relevant legislation requirements
- Areas identified during previous audits
- Previous non compliances
- Customer complaints
- Results of management review
- Opening meeting
- Review HACCP documents
- Review Quality plans
- Review relevant procedures
- Confirm relevant records to be checked
- Interview Operator
- Observe Operation
- Check procedures
- Check completed records
- Any further investigation
- Summarize findings
- Closing meeting report
- Introductions and thanks
- Audit scope and objectives - Agreement on scope and objectives
- Audit plan
- Agreement on the planned approach – Confirm any adjustments to the plan
- Confirm arrangements for logistics and resources
- Confirm arrangements and timings for closing meeting
- Audit methods and procedures
- Clearly explain investigation activities
- Respond to questions - Be prepared to handle questions from the auditees
- Depart for the tour of the facility
Objective evidence comes in three forms:
- Reading (document review)
- Listening (interview)
- Watching (observation)
Audits are an objective comparison of conditions and circumstances against requirements, the result of the comparison should also be objective.
Findings should be supported by audit evidence clearly stating:
- The condition observed
- A statement of the requirement
- A statement of the discrepancy between the observation and the requirements
If you find non-conformances then point them out at the time, do not wait until the closing meeting or the audit report. It is not important to declare a non conformance at the time, but it is important to inform the auditee of your findings. The auditee should then be given an opportunity to respond to the points you are making.
All of the detail regarding the areas audited, the evidence gathered, the scope of the audit and the principal participants must be part of the audit report. It must also contain the information that supports the audit findings, conclusions and recommendations.
Notes should be kept as evidence to allow an independent reviewer to reach the same conclusion as the internal auditor. For example, the date and title of documents and records that were inspected should be noted in sufficient detail to allow them to be traced.
The report should be a fair and accurate presentation of the current state of the food safety management system that was audited. The report should also indicate the demonstrated level of conformance of the part of the food safety management system that was audited.
Process of collecting and verifying information
Customer, Statutory and Regulatory Requirements
The organization should demonstrate that customer, statutory and regulatory requirements applicable to its products/services have been properly identified, are available and easily retrievable. Auditors need to be aware of the general and specific customer, statutory and regulatory requirements applicable to the products/services included within the scope of the FSQMS. The auditor should seek evidence that specific information regarding customer, statutory and regulatory requirements has been taken into account.
Internal Audits Corrective Actions
Non-conformances and the corresponding corrective action can be managed via the audit report. For significant non-conformance some people may prefer to use a Corrective Action Request Form. There is a sample completed form available below. It is good practice to ensure that a nominated independent member of staff checks that the action has been taken within the agreed timescale, and that this has rectified the problem sufficiently to prevent recurrence.
GFSI and GFSI Benchmarked Standards Internal Audit Requirements
Internal auditing is included in Food Safety Management Requirements of the Global Food Safety Initiative (GFSI) Guidance Document Sixth Edition Version 6.4 and as such is a compulsory element of GFSI benchmarked standards including BRC, SQF, IFS and FSSC 22000. The fourth part (Part IV: Scheme Scope and Key Elements) of the Guidance Document specifies the requirements for the recognition of food safety schemes. As an example Section 1 - Food and Feed Safety Management Requirements includes the following requirement:
FSM 11 Internal audit The standard shall require that the organization has an internal audit system in place to cover the scope of the food safety system, including the HACCP Plan or the HACCP based plan.
The benchmarked standards themselves are far more demanding and specific regarding internal audit requirements, the typical evidence required to demonstrate an effective Internal Audit System includes:
- There is an internal audit procedure and schedule that adequately covers all the food safety system elements
- Sufficient resources are allocated to conduct internal audits as per schedule
- Staff conducting internal audits are adequately trained
- Staff conducting internal audits are independent of the area being audited
- Corrections and corrective actions of identified deficiencies are correctly allocated, followed up, and completed
- Internal audit results are communicated to relevant management and staff
- Internal audit reports and their follow-up are reviewed as part of the management review process
- Records are kept of internal audits and the corresponding corrective actions.
Good Practice Audits such as Good Agricultural Practice Audits, Good Manufacturing Practice Audits and Good Distribution Practice Audits are also a type of internal audit and are required by GFSI benchmarked standards. They are inspections of operations to ensure that they adhere to company standards and that the standards of hygiene and housekeeping are maintained.
Inspections should include:
- Hygiene inspections to assess cleaning and housekeeping performance
- Fabric inspections to identify risks to the product from the building or equipment
According to ISO 19011 Guidelines for Auditing Management Systems the guidance given in Clauses 5 to 7 (Managing an audit program, Performing an audit and Competence and evaluation of auditors) is based on six principles:
a) Integrity: the foundation of professionalism
b) Fair presentation: the obligation to report truthfully and accurately
Audit findings, audit conclusions and audit reports should reflect truthfully and accurately the audit activities.
c) Due professional care: the application of diligence and judgment in auditing
d) Confidentiality: security of information
e) Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions
f) Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process
The knowledge and skills required of auditors should include:
- Audit principles, procedures and techniques
- Management system and reference documents
- Organizational situations
- Applicable laws, regulations, and customer requirements
- Food safety and hygiene standards
- Quality standards
- Products, including services, and operation processes
Be warned! Some people are frightened by auditors! In order to get the best information from the auditees, auditors should conduct themselves in a respectful and polite manner. If auditees are not at ease they may not provide the information required in order to carry out a useful internal audit.
The purpose of an internal audit is to confirm compliance with the food safety management system. By all means raise areas of concern and non-conformances if appropriate.
Audit results must be documented, clearly showing what was audited.
The results of audits need to be communicated to relevant staff and corrective actions and timescales agreed. This may be achieved via operational or review meetings, or via an update at the end of the audit combined with documentation such as a memo or a copy of the audit report.
Responsibility for corrective actions must be demonstrated – for example, by being recorded on the audit record sheet.
Where non-conformities have been identified, it must be verified that corrective action has been completed effectively.
Adding value to your Internal Audit System
Audits should be proactive so auditors shouldn’t be afraid to make recommendations or suggestions. Identifying areas for improvement is a major part of internal auditing.
Remember the policies and objectives of the company when conducting your audit. It may be that there is insufficient or excessive documentation.
If you believe there are gaps in the FSQMS documentation then highlight it in your audit report.
If you think something is unnecessary discuss this with the Department Manager and Audit Manager.
Whilst confirming your food safety management system is effective in meeting customer statutory and regulatory requirements, an effectively implemented and managed internal audit system can add significantly more value to your business.
Internal auditing is not just about identifying compliance and non-compliance, by taking a proactive approach your internal auditors can contribute to the performance of your business by identifying areas for improvement. By empowering internal auditors and ensuring they are aligned with the business objectives you have an enlightened team looking to take the business forward. These are the people who as part of their role can identify areas for improving controls, processes, procedures, performance and for reducing costs.
Typical areas for improvement are the removal of inefficiencies (such as duplication or unnecessary processes and documentation), identifying current and emerging risks to the business and how systems can be improved to work more effectively.
Ideally staff involved in internal audits should:
- Propose solutions when non-conformance/opportunity for improvement challenges are encountered
- Assist in implementing corrective actions if necessary
- Actively seek out opportunities for improvement
- Identify risks
Tony Connor, Chief Technical Advisor, IFSQN
Tony received an honors degree in Molecular Biology and Biochemistry from Durham University before embarking on a successful 20 year career in the UK food industry in a variety of roles including Laboratory Manager, Production Manager, Quality Assurance Manager, Technical Manager, Technical Development Manager and Group Technical Manager. Tony qualified as a Lead Audit Assessor in 1994. Since 2009 Tony has been Chief Technical Advisor to the International Food Safety & Quality Network.
IFSQN Practical Internal Auditor Training for Food Operations
Tony Connor and IFSQN recently conducted a four hour training webinar Practical Internal Auditor Training for Food Operations. The training course builds on the article content and shows your team how to implement an effective Internal Audit system.
The webinar replay has now been made available so that you can take the course at a time of your convenience.
All trainees receive:
- PDF copies of all training materials including PowerPoint presentations and audit documentation and templates
- Personalized IFSQN Training Academy Certificate awarded on successful completion of the course and end test
- 30 day access to the webinar recording
- Jun 07 2016 06:13 AM
- by Tony-C