Jump to content

  • Quick Navigation
Photo

Internal Audit Frequency

Share this

  • You cannot start a new topic
  • Please log in to reply
19 replies to this topic

WACIRU

    Grade - Active

  • IFSQN Associate
  • 15 posts
  • 2 thanks
0
Neutral

  • Kenya
    Kenya

Posted 12 May 2015 - 10:10 AM

Hi All,

 

Please advise me. The last time we did an audit was last year July and this was our first audit. However, the auditors pin pointed that it was not possiblle who us to have done a full internal audit given that we had only prepared for 3 months for the given audit and hence advised us only to report a partial internal audit i.e Section 1 &2 of BRC v.6.

I find this wierd given that our firm is very small. I am just wondering whether it will be prudent to do present two internal audit reports that we have done twice this year?

 

Thanks



Tony-C

    Grade - FIFSQN

  • IFSQN Fellow
  • 4,223 posts
  • 1288 thanks
608
Excellent

  • United Kingdom
    United Kingdom
  • Gender:Male
  • Location:World
  • Interests:My main interests are sports particularly football, pool, scuba diving, skiing and ten pin bowling.

Posted 14 May 2015 - 05:10 AM

Hi WACIRU,

 

You should be carrying out regular audits which cover the whole of your food safety management system during the year at a frequency based on risk.

 

Relevant information from BRC:

 

BRC Global Standard for Food Safety Issue 7

3.4 Internal Audits
3.4.1 There shall be a scheduled programme of internal audits throughout the year with a scope which covers the implementation of the HACCP programme, prerequisite programmes and procedures implemented to achieve this Standard. The scope and frequency of the audits shall be established in relation to the risks associated with the activity and previous audit performance; all activities shall be covered at least annually.
3.4.4 In addition to the internal audit programme there shall be a programme of documented inspections to ensure that the factory environment and processing equipment is maintained in a suitable condition for food production.


BRC Global Standard Food Safety Issue 7 Interpretation Guideline
3.4.1 Interpretation Internal audit programme
A once-a-year check against all the BRC Standard requirements may be of value as a gap analysis when preparing for an audit, but is insufficient to cover the full requirements of an internal audit programme as it will not provide the depth of assessment or level of confidence required.

 

Regards,

 

Tony



Thanked by 2 Members:

trubertq

    Grade - PIFSQN

  • IFSQN Principal
  • 658 posts
  • 281 thanks
137
Excellent

  • Ireland
    Ireland
  • Gender:Female
  • Location:Donegal

Posted 15 May 2015 - 03:10 PM

Risk assess I am attaching a risk assessment template. Each section of your standard at least once per year...

Attached Files


I'm entitled to my opinion, even a stopped clock is right twice a day

Charles.C

    Grade - FIFSQN

  • IFSQN Moderator
  • 20,542 posts
  • 5662 thanks
1,544
Excellent

  • Earth
    Earth
  • Gender:Male
  • Interests:SF
    TV
    Movies

Posted 15 May 2015 - 08:07 PM

It would have been nice to have some idea what the product/process was.

And the result of the BRC/1st audit, eg any NCs with respect to the internal audit(s) which was/were carried out. Only one seems likely.

 

In addition to Tony's quotations might also add from the BRC7 standard's preamble -

 

Manufacturing units that are newly built or ‘commissioned’ must ensure that systems and procedures in place are compliant
before an initial BRC audit is undertaken. It is at the discretion of the company when they wish to invite a certification body to carry
out an audit; however, it is unlikely that full compliance can be satisfactorily demonstrated at an audit undertaken less than 3
months from commencement of operation.

 

and also -

3.4 FUNDAMENTAL
The company shall be able to demonstrate it verifies the effective application of the food safety plan and the implementation of the requirements of the Global Standard for Food Safety.

 

 

I hypothesize that  the auditor’s interpretation of the standard was that a full internal audit demands a total period of > 3 months, regardless of the unknown product/process and any related risk assessment scheme/schedule. Or, if otherwise, that the auditor's risk assessment (somehow) determined 3 months to be inadequate.

 

If "regardless"  was the logic, it might be interesting to know what is considered by BRC to be a  minimum total period.

 

Repeating part of 3.4.1 - There shall be a scheduled programme of internal audits throughout the year ...........

 

In theory the “shall” implies (to me) that the absolute minimum is 1 year. In practice, presumably only the Guidance will reveal BRC’s viewpoint (or not). And user's experiences.

 

As an extension of the above, I predict that the answer to the OP's question is NO (assuming the OP referred to "complete" internal audits). The OP's suggestion does not appear to be expressly forbidden by clause 3.4 but is possibly not within BRC's (qualitative?) interpretation of the "effective" requirement of the "Fundamental".

 

Logically, the answer to the OP should surely have been considered/informed/requested by/to the auditor after the first audit ?


Kind Regards,

 

Charles.C


Thanked by 1 Member:

Sheilag

    Grade - AIFSQN

  • IFSQN Associate
  • 35 posts
  • 13 thanks
6
Neutral

  • United States
    United States

Posted 11 June 2015 - 12:05 AM

Risk assess I am attaching a risk assessment template. Each section of your standard at least once per year...

You don't how much I appreciate you posting this!  THANK YOU!!!! :gleam:



Thanked by 1 Member:

Thorsteinson@Parrheim

    Grade - Active

  • IFSQN Active
  • 1 posts
  • 0 thanks
0
Neutral

  • Earth
    Earth

Posted 18 June 2015 - 06:15 PM

Long time listener, first time caller. I work for a small, low-risk raw ingredient processor, pea protein flours. We have been BRC for 3 years and are transitioning to a new version for the first time, just in time for our audit against V7.

 

So we have had an internal audit procedure in place, well documented and organised, once per year based on risk assessment. However the new Guide to Key Changes for clause 3.4.1 states that audits shall be completed throughout the year "Wording change to emphasise that the internal audit is expected to consist of a series of audits of parts of the system scheduled through the year rather than a single annual audit".

 

We currently have our internal audit scheduled for July and our BRC audit scheduled for August, it will not be possible for us to conduct more than 1 internal audit for this audit year. So my question is, will a change in procedure to reflect the scheduling of 2 to 3 internal audits per year be sufficient in this transition year, or do you suppose we will earn a non-conformance? Any advice from anyone who has experienced a transition year.



Tony-C

    Grade - FIFSQN

  • IFSQN Fellow
  • 4,223 posts
  • 1288 thanks
608
Excellent

  • United Kingdom
    United Kingdom
  • Gender:Male
  • Location:World
  • Interests:My main interests are sports particularly football, pool, scuba diving, skiing and ten pin bowling.

Posted 19 June 2015 - 04:46 AM

Hi Thorsteinson,

 

Internal Audits are a fundamental requirement of the BRC standard. As you have identified 'A once-a-year check against all the BRC Standard requirements may be of value as a gap analysis when preparing for an audit, but is insufficient to cover the full requirements of an internal audit programme as it will not provide the depth of assessment or level of confidence required.'
 

The auditor will take your new schedule into consideration but I believe will raise a non-conformance probably a minor depending on how thorough your audit in July is and when your previous audit was?

 

Regards,

 

Tony



Thanked by 2 Members:

Charles.C

    Grade - FIFSQN

  • IFSQN Moderator
  • 20,542 posts
  • 5662 thanks
1,544
Excellent

  • Earth
    Earth
  • Gender:Male
  • Interests:SF
    TV
    Movies

Posted 19 June 2015 - 09:01 AM

hi Thorsteinson

 

To my mind, "throughout the year" can  only be legitimately interpreted as "half-year" in present case. BRC's calendar not related to the the auditee.

 

The scope and frequency of the audits shall be established in relation to the risks associated with the activity and previous audit performance; all activities shall be covered at least annually.

 

If yr risk assessment/scope/history can justify 2 audits/year, why not do just that ?.  No minimum frequency is mentioned in the Standard (nor is your word "series",  best stick to "program"  IMO).

 

Let BRC eat cake, but make sure it's top quality cake. :smile:


Kind Regards,

 

Charles.C


Thanked by 2 Members:

mgourley

    Grade - FIFSQN

  • IFSQN Fellow
  • 1,403 posts
  • 997 thanks
274
Excellent

  • United States
    United States
  • Gender:Male
  • Location:Plant City, FL
  • Interests:Cooking, golf, firearms, food safety and sanitation.

Posted 06 November 2015 - 11:02 PM

After reading a later thread, I think what BRC's logic is this:

 

It's not possible/feasible/thorough to do and entire audit of the food safety management all at once,

I think they want you to spread out the clauses throughout the year and do thorough audits on those clauses on a schedule. 

For example:

Clause A, B and C - January

Clause D, E, and F - February

etc.

 

Marshall



Thanked by 2 Members:

GFW01

    Grade - Active

  • IFSQN Active
  • 14 posts
  • 0 thanks
0
Neutral

  • United Kingdom
    United Kingdom

Posted 20 April 2016 - 02:29 PM

Risk assess I am attaching a risk assessment template. Each section of your standard at least once per year...

 

Hi trubertq, and everyone. I wonder if you can help - we've just had our BRC-7 and picked up a NC against the internal audit schedule, ref. it being based on 'the probability and likelihood of food safety hazards and not the frequency of change and impact on the systems of control'. Now, I can take the point, but we have used an identical rating system as your attachment 'Audit Schedule.doc' on this thread (Post #3, 15 May 2015) and this is the first time this has been raised. Has anyone encountered this previously - more so, how would you go about fixing something that, in principle, is more a matter of terminology than intent (after all, if it's all not about food safety, quality, legality (+authenticity), then what is it about? Thanks in advance for any thoughts.



trubertq

    Grade - PIFSQN

  • IFSQN Principal
  • 658 posts
  • 281 thanks
137
Excellent

  • Ireland
    Ireland
  • Gender:Female
  • Location:Donegal

Posted 20 April 2016 - 03:43 PM

That's the danger of sharing documents. I've never been questioned about that risk assessment. I must go back and read the wording in the standard again! !


I'm entitled to my opinion, even a stopped clock is right twice a day

Charles.C

    Grade - FIFSQN

  • IFSQN Moderator
  • 20,542 posts
  • 5662 thanks
1,544
Excellent

  • Earth
    Earth
  • Gender:Male
  • Interests:SF
    TV
    Movies

Posted 20 April 2016 - 03:53 PM

Hi trubertq, and everyone. I wonder if you can help - we've just had our BRC-7 and picked up a NC against the internal audit schedule, ref. it being based on 'the probability and likelihood of food safety hazards and not the frequency of change and impact on the systems of control'. Now, I can take the point, but we have used an identical rating system as your attachment 'Audit Schedule.doc' on this thread (Post #3, 15 May 2015) and this is the first time this has been raised. Has anyone encountered this previously - more so, how would you go about fixing something that, in principle, is more a matter of terminology than intent (after all, if it's all not about food safety, quality, legality (+authenticity), then what is it about? Thanks in advance for any thoughts.

 

Hi GFW,

 

I assume this is the relevant text -

 

The scope and frequency of the audits shall be established in relation to the risks associated with the activity and previous audit performance; all activities shall be covered at least annually.

 

Appreciate if you could clarify yr post slightly. I'm unsure if the auditor was disagreeing with yr basic method(s)  or commenting that there was  insufficient  detail.

 

The auditor may have wished to see "some" justification/verification  for the values/usage as listed in the "likelihood / consequence / SUM" columns ?

 

Do you know what the auditor meant by "frequency of change" ? eg change of what ? or do you mean the "audit frequencies" ?

 

It is possible the auditor was more familiar with responses such as the retrospective approach shown on  Pg 14 of the attachment in this post -

 

http://www.ifsqn.com...ate/#entry56043

 

I note that yr referenced documents include an  ongoing review assessment as to the suitability of the applied frequencies. Did you do/document this ?

 

In Principle i would have thought that either of the above approaches would be acceptable.


Kind Regards,

 

Charles.C


trubertq

    Grade - PIFSQN

  • IFSQN Principal
  • 658 posts
  • 281 thanks
137
Excellent

  • Ireland
    Ireland
  • Gender:Female
  • Location:Donegal

Posted 20 April 2016 - 05:25 PM

"The site must evaluate the risk inherent in each section and determine the frequency of the audits accordingly. For example, the site should consider the consequences if the system, or compliance with it, is inadequate, and the potential for changes that would affect these control systems. Frequency may also be influenced by known issues within the company, best practice or customer requirements. All activities must be covered at least annually." Interpretation Guidelines.

 

I guess this is what GFW was dinged against.

 

However my Risk assessment doesn't use likelihood and probability, it uses likelihood and consequence , it just doesn't mention the potential for changes.It does have mention of review: "Risks will be reviewed in accordance with audit findings and ratings will be adjusted accordingly."

 

I'll be interested to see what happens on May 9th!!


I'm entitled to my opinion, even a stopped clock is right twice a day

Charles.C

    Grade - FIFSQN

  • IFSQN Moderator
  • 20,542 posts
  • 5662 thanks
1,544
Excellent

  • Earth
    Earth
  • Gender:Male
  • Interests:SF
    TV
    Movies

Posted 20 April 2016 - 05:51 PM

"The site must evaluate the risk inherent in each section and determine the frequency of the audits accordingly. For example, the site should consider the consequences if the system, or compliance with it, is inadequate, and the potential for changes that would affect these control systems. Frequency may also be influenced by known issues within the company, best practice or customer requirements. All activities must be covered at least annually." Interpretation Guidelines.

 

I guess this is what GFW was dinged against.

 

However my Risk assessment doesn't use likelihood and probability, it uses likelihood and consequence , it just doesn't mention the potential for changes.It does have mention of review: "Risks will be reviewed in accordance with audit findings and ratings will be adjusted accordingly."

 

I'll be interested to see what happens on May 9th!!

 

Interesting.

 

AFAI  recall the I.Guidelines are not auditable.


Kind Regards,

 

Charles.C


Charles.C

    Grade - FIFSQN

  • IFSQN Moderator
  • 20,542 posts
  • 5662 thanks
1,544
Excellent

  • Earth
    Earth
  • Gender:Male
  • Interests:SF
    TV
    Movies

Posted 25 April 2016 - 10:40 AM

Hi GFW,

 

Any further comments ?


Kind Regards,

 

Charles.C


GFW01

    Grade - Active

  • IFSQN Active
  • 14 posts
  • 0 thanks
0
Neutral

  • United Kingdom
    United Kingdom

Posted 25 April 2016 - 11:01 AM

Hi all.

 

A belated thanks for your replies. 

 

trubertq - yes, the RA introduced to us by our internal auditor was precisely the same as yours, and likewise used likelihood and consequence.

+

Charles C. is correct in thinking the auditor, I think, was looking for some justification for the detailed frequencies of audits against each section of the standard (which he termed 'frequency and impact') - e.g. should there be changes in processing methods and risk factors, then it might be appropriate, for instance, to audit the HACCP more frequently - which is reasonable enough.

 

We're in process of reviewing what we have to adequate summarise the justifications for the frequencies based on previous audit performance and any anticipated changes that may affect this for a given forward period (as per the guidelines and auditor's comments).  (Having said that, only the clause itself (3.4.1) can be directly audited, and this I thought we were answering adequately!).

 

Good luck to all who are yet to face their first '7' audit.



GFW01

    Grade - Active

  • IFSQN Active
  • 14 posts
  • 0 thanks
0
Neutral

  • United Kingdom
    United Kingdom

Posted 25 April 2016 - 12:30 PM

Hi GFW,

 

I assume this is the relevant text -

 

 

Appreciate if you could clarify yr post slightly. I'm unsure if the auditor was disagreeing with yr basic method(s)  or commenting that there was  insufficient  detail.

 

The auditor may have wished to see "some" justification/verification  for the values/usage as listed in the "likelihood / consequence / SUM" columns ?

 

Do you know what the auditor meant by "frequency of change" ? eg change of what ? or do you mean the "audit frequencies" ?

 

It is possible the auditor was more familiar with responses such as the retrospective approach shown on  Pg 14 of the attachment in this post -

 

http://www.ifsqn.com...ate/#entry56043

 

I note that yr referenced documents include an  ongoing review assessment as to the suitability of the applied frequencies. Did you do/document this ?

 

In Principle i would have thought that either of the above approaches would be acceptable.

 

Thanks again Charles C. Having looked at the retrospective approach (p.14) on the BRC6, I agree that the auditor may have had this in mind. The remaining question is whether the RA need be conducted for every section / key clause of the standard, or whether only the Fundamentals (as indicating the greatest risk to product safety, quality or legality? 



Charles.C

    Grade - FIFSQN

  • IFSQN Moderator
  • 20,542 posts
  • 5662 thanks
1,544
Excellent

  • Earth
    Earth
  • Gender:Male
  • Interests:SF
    TV
    Movies

Posted 25 April 2016 - 02:30 PM

Hi GFW,

 

IMO it all depends on what actually happened at yr audit. And perhaps how this clause is integrated with the adjoining clauses, eg 3.4.4

 

If there was only a small thing missing and the auditor was generally happy, i would think most people would go for a direct correction.

 

The BRC-recommended (albeit not intended to be auditable) solution is probably nestling in the I.guidelines. Some ideas about other people's experiences and possible BRC thoughts are  viewable in these posts/threads -

 

http://www.ifsqn.com...lly/#entry67864

 

http://www.ifsqn.com...dit-life-cycle/

 

http://www.ifsqn.com...sk-assessments/


Kind Regards,

 

Charles.C


Thanked by 2 Members:

Steffie

    Grade - Active

  • IFSQN Associate
  • 13 posts
  • 22 thanks
0
Neutral

  • Netherlands
    Netherlands

Posted 26 June 2018 - 07:23 AM

Hi all,

 

Thanks for all your shared info. It is worth a lot!

 

I have one question.

 

Can the audit frequency (program) for BRC Packaging HHC be based on a calendar year (jan-dec) or must it be based on the certification cycle (fi. nov-okt)?

 

We have had some discussion. Can anyone clarify this?

 

Thanks a lot!

 

Steffie



mgourley

    Grade - FIFSQN

  • IFSQN Fellow
  • 1,403 posts
  • 997 thanks
274
Excellent

  • United States
    United States
  • Gender:Male
  • Location:Plant City, FL
  • Interests:Cooking, golf, firearms, food safety and sanitation.

Posted 26 June 2018 - 10:21 AM

BRC is moot on that point. They just say "predefined audit dates throughout the year".

 

I have always done mine based on a calendar year and have never had any issues at audit.

 

Marshall



Thanked by 1 Member:


Share this


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users