10 replies to this topic

[Mmmm_food]

Hi

 

I know there are a number of forum discussions on determining internal auditing frequency and I have read these but they tend to recommend monthly to annual audits depending on the area and risk assessment.

 

What I want to know, is it acceptable to audit areas far less frequently, say every two years? I'm not talking about GMP or the regular inspections that must be done but for auditing our pre-requisite programs for example, do you think it is ok to audit only every two years?

 

This was actually suggested by our last ISO 9001/ FSSC 22000 auditor. Since we never have many non conformances surface from internal audits, usually only a few improvement opportunities, and we are a bit stretched for willing auditors, it might be a more valuable use of resources to audit the areas only every two years. There would still be some kind of risk assessment such as ensuring certain areas are audited annually if required by a customer or increasing frequency if there is a non conformance raised during an external audit.

 

The potential risks I can see with going to two yearly are 1) if an issue arises, it may be a long time before it is noticed and 2) another auditor may not agree with the method. If an issue arose that was important, I think it would be picked up before an audit anyway. And if we have a documented risk assessment to support the audit frequency I think that should be sufficient for an auditor given that ISO standards do not specify frequency.

 

Appreciate your thoughts on the matter.

 

Chobbsy

 

 

[Charles.C]

Dear Chobbsy,

 

I presume the relevant standard is FSSC22000.

 

Offhand, 2 years sounds "prodigious".

 

Prerequisite programs are a fundamental part of the HACCP system.

 

Does the standard make any comments regarding audits of the HACCP system (or FS system), eg  a maximum interval between audits ?. Most FSMS standards do, usually max. <=1 yr from memory.

 

Rgds / Charles.C

[Mmmm_food]

I presume the relevant standard is FSSC22000.

 

Offhand, 2 years sounds "prodigious".

 

Prerequisite programs are a fundamental part of the HACCP system.

 

Does the standard make any comments regarding audits of the HACCP system (or FS system), eg  a maximum interval between audits ?. Most FSMS standards do, usually max. <=1 yr from memory.

 

Hi Charles

 

Yes FSSC 22000 is the relevant standard. We are aware that prerequisite programs are important but we have a good track record and never have too many problems so based on risk I think two yearly internal audits may be appropriate.

 

PAS 220/ ISO 22002 sets out the detailed requirements for PRPs but does not specify that any audit or review of them is required. The other part of FSSC 22000, ISO 22000 only states that PRPs and the HACCP plan are included in verification planning and the frequency must be defined.

[Charles.C]

Hi Charles

 

Yes FSSC 22000 is the relevant standard. We are aware that prerequisite programs are important but we have a good track record and never have too many problems so based on risk I think two yearly internal audits may be appropriate.

 

PAS 220/ ISO 22002 sets out the detailed requirements for PRPs but does not specify that any audit or review of them is required. The other part of FSSC 22000, ISO 22000 only states that PRPs and the HACCP plan are included in verification planning and the frequency must be defined.

 

Dear Chobbsy,

 

have you checked ISO22004 ? I seem to remember this mentions a maximum interval for "total system" audit.? (or maybe "verification planning" as per yr previous post)

 

Rgds Charles.C

 

PS - and from memory, it's annual.

[cazyncymru]

Hi Chobbsy

 

what does your Risk Assessment say??

 

Cazx

[Mmmm_food]

 

have you checked ISO22004 ? I seem to remember this mentions a maximum interval for "total system" audit.? (or maybe "verification planning" as per yr previous post)

 

 

Hi Charles

 

You are right, ISO 22004 does mention that verification/ audit of the entire FSMS should be done annually at a minimum. I must remember to refer to ISO 22004 more often.

 

Thanks for the advice!

 

Chobbsy

[Mmmm_food]

what does your Risk Assessment say??

 

Well risk assessments can always be manipulated to say what you want them to can't they???  

 

Our operations are fairly low risk and we have good staff that manage things well so that as well as historically having few non conformances from both internal and external audits would have made the risk low

[FSQNNow]

I am looking at the same situation.
We have a thorough program for different angles covering the full FSSC in a 2-3 year cycle (so all elements are covered every year, but with different emphasis).

The FSSC has in 2013 ammended their guidance and given a diffinition for "Periodically reviewed: periodically reviewed includes minimum annually." in their Terms and Definnitions.    BUT

But in clause 8.4.1. for internal audits (ISO 22000) they then write "The organization shall conduct internal audits at planned intervals", without using the word "periodically".
Following the cross reference table in ISO 22004, you have to look for 8.4.1. (22000) in clause 7.3 (22004. Specific to Internal Audit you will not find a description of frequency, only when it comes to verification you will read:
"The periodic verification activities (e.g. at least, every 12 months) involve the overall assessment of the system. This is usually performed during a management review meeting, and all the above evidence over a period of time is reviewed to ascertain if the system is functioning as planned and if updating or improvement is necessary. Notes of the meeting should be kept and should include any decisions made regarding the system."
So this is a more "holistic" overall view, of course taking the element of internal auditing into account, but that is by far not the only focus of the verification activities for a management review.
 
Or should you now think that it is in the "spirit" of the standard that internal audits should take place yearly?
 
We will now be in discussion with our certification body.....
 
Very interested in comments, feedback and especially if you have your answer or experince with your certification body or auditor.

Edited by FSQNNow, 19 February 2015 - 06:38 PM.

[mgourley]

"minimum annually" and "(e.g. at least, every 12 months)"

 

I think that's a pretty clear indication that the standard requires review and/or verification activities annually (as a minimum).

 

Marshall

[Charles.C]

Dear FSQNN,
 

 

"The periodic verification activities (e.g. at least, every 12 months)

I presume the above quote is from the latest version of ISO22004 (?)  since the 1st edition has -

 

At a minimum, verification of the entire system in this manner should take place on an annual basis.

 

Due to the "e.g.", it is unclear to myself whether the intended meanings are identical or not. The lower is clearly not ambiguous.

 

A question for ISO's semantics department perhaps.

(or perhaps the translation section)

 

Rgds / Charles.C

 

PS - posted simultaneously with previous post.

[Charles.C]

Dear FSQNN,

 

There is a tenuously analogous  thread here -

 

http://www.ifsqn.com...000/#entry81195

 

The popular interpretation there was split between annual and undefined.

 

Maybe borrow the procedure of Post #7

 

Rgds / Charles.C