Internal audits 3.4 for an initial BRC certification audit
Hello everyone!
I am a consultant working in helping food plants getting ready for certifications such as BRC. I have been through many audits and auditors have different interpretation of BRC clause 3.4 (internal audits). I wanted to get your opinion on the following:
For already certified plants, it is expected that they covered each clause of the BRC standard, through out the previous year. That's fine.
For first time applicants, some of the auditors are satisfied if the plant has a planned schedule, based on risk, but has not gone through all the clauses before the initial audit. I was at a client last week where the auditor required that they had fully completed their internal audits before the initial audit. It means that they should have assessed each clause, write down evidence of conformity and non-conformity, corrective actions for NC's, etc which I think is not feasible if you are still implementing procedures and systems to get ready for a BRC certification.
My interpretation is that once you are certified, then you can start verifying the effectiveness of the Standard implementation.
I am curious to see if anyone has experienced diverging opinions with auditors regarding internal audits...
Regards,
Marie-France
I would suggest that if you haven't completed a full internal audit of your implementation, you are not ready for an external audit as you have no evidence that the standard has been implemented, just the words to show the intention. As they say "fine words..."
We had an implementation follow up checklist, which stated what needed to be implemented before the audit for each clause. It was not in the form of an «official» audit report with evidence, corrective actions, timescale, verification of actions, etc.
We have all of our clients handle their internal audits from start to finish at the end of implementation phase and just prior to certification audit.
That way no pants pulled down!
Hi,
No full internal audits, no certificate granted.
KOKO
You should be able to fit all internal audits into 6 months ( I can) with those sections requiring more than one audit at the back end of the schedule.
You need to have at the very least 3/4 months worth of records before a certification audit is viable.
When I start developing BRC with a company I always begin with the Internal audit schedule. It helps us get to grips with the standard in bite sized chunks and when we're finished we have a full set of Internal audits completed with, non-conformances, corrective actions timeline reports and follow ups.
I'm attaching a generic IA schedule, along with the risk assessment so you can see what I mean.
Attached Files
I've been doing a section every day or so for the past 4 or 5 weeks (with 3 a week minimum) to ensure we have audited against v7 for the first time.
Covering new sections slightly easier than revamped old sections though!!
To put it mildy, i would assume you have under V6 been part of the enrolment program? or V7 the global markets programm which aims to set you up for the bare bones aspect of the standard?
Assuming that, then V7 Page 57 1.2 Self assessment of compliance with the standard states:
" it is essential that the site is assessed against the current issue of the standard; this can be checked on the BRC Global Standards website"
THEN more importantly
"The standard should be read and understood and preliminary self-assessment should be conducted by the company against the standard to prepare for the audit any areas of non-conformity should be addressed by the site"
To me this means using the self assessment tool priot to the actual audit which would a) cover whole standard prior to an audit and b) in part or maybe complete compliance to 3.4 because it doesnt say the tool can not be used or that in addition to this tool for 1st certification audit.
I actualy have a excel sheet using some nice VBA that allows me to essentially conduct my own BRC audit on my site the same way they do. i find it very handy.
ODD i cant edit my last post, but i was going to say i looked at link charles posted and also wanted to add that:
the interpretation states that: ( and i must say that interpretation is NOT what we are audited against!!! that
"the use of external consultants by small buisnesses is acceptable , providing the internal audit programme is scheduled throughout the year and not in one block activity."
This to me is interesting because if we were audited agaisnt this interpretation and i suppose on the intent of the clauses we might be, then i would say that there is no issue in doing it in time frames stated.
i resceived a minor NC this year but never before at our site because out annual schedule was from audit to audit which works with the assessment of audits using the results etc and they claimed it needs to be calendar yearly.
This would sugest that if you were audited in September and had a plan in place based on your gap analysis or self asessment tool step and had only conducted parts of this years plan up to september. you would be compliant!
and i would definately have argued the point they made.
Just to add this little bit.
Issue 7 changed the requirements for internal audits to "scheduled" and "throughout the year".
Since Issue 7 became auditable from July 1st of this year, I suppose you could argue that if you have a schedule of audits, spread out throughout the year, and you have completed the audits you have scheduled from July forward, you would be in compliance.
Marshall
Thank you all for your inputs and valuable feedback!
Marie-France
Just completed our last one on Friday!! BRC next Wednesday/Thursday, so just in time. We have 2 more 'fundamental' repeats (6 monthly) in December post BRC......
To start, everyone has valuable feedback. I went thru my certification audit in April and used my Consultant's GAP analysis for my internal audits. The issue occurred during my audit, where there was different interpretation by my Consultant versus the standard.
I ended up squeezing by with a C grade on my first audit. The Auditor did not have any issues with the internal audit, but had issues with the consultant's interpretation (LAST TIME I USE A CONSULTANT).
I was re-audited in September and took charge of the program and all internal audits (within a 5 month period). I was able to score a A grade.
The insight I received from the auditor is that you can use the your GAP by consultants as your internal audit but you should change the format to your company's header. The auditor will ask who did the internal audit, and you can state your consultant and his background.
Overall, just know there will be different interpretations but thats why we have ifsqn for! People here will help you understand the standards.
GOOD LUCK ON YOUR FIRST AUDIT!
It depends on the consultant..... we're not all bad.....
Does anyone have a sample of an internal audit form for the BRC v7? The auditors told us that the form we had (only boxes with checks and comments) is not what the standard wants.
Does anyone have a sample of an internal audit form for the BRC v7? The auditors told us that the form we had (only boxes with checks and comments) is not what the standard wants.
As per Post 14, para 4, one answer is an "approximation" to the free-to-download "self-assessment" form available on the BRC website. Maybe this is what you used ? (note the specific IA caveat in the intro to the original self-assessment form).
the standard also needs forms like those in post 6.
IMO the standard fundamentally requires you to fulfill the text in clause 3.4, namely "verifies" the eff. application etc, presumably as interpreted by the following sub-clauses in 3.4.
Hello All,
Internal audit is an evidence that your site is ready for certification. Once your internal audits finds your FSMS not function well better to "fine tuned" it before going to any food safety certification.
regards,
redfox
I would say the schedule should show the status of the audit too. Not just when its going to occur. i.e. did it occur? is it closed or are the some NC still outstanding.
I use a simple box with a diagonal to say its planned , a cross when its completed and a green circle in the box when the NC are close
Se attached key.
Sharon
Who can help me complete the internal assessment plan (including terms, frequency and departments are evaluated for that clause )?
Trubrty - would you be willing to share/describe your documentation for your internal audits? I'm stuck here and wondering if simply creating a table with the requirements of the program being inspected and how the requirements are met is sufficient.
You should be able to fit all internal audits into 6 months ( I can) with those sections requiring more than one audit at the back end of the schedule.
You need to have at the very least 3/4 months worth of records before a certification audit is viable.
When I start developing BRC with a company I always begin with the Internal audit schedule. It helps us get to grips with the standard in bite sized chunks and when we're finished we have a full set of Internal audits completed with, non-conformances, corrective actions timeline reports and follow ups.
I'm attaching a generic IA schedule, along with the risk assessment so you can see what I mean.
Trubrty - would you be willing to share/describe your documentation for your internal audits? I'm stuck here and wondering if simply creating a table with the requirements of the program being inspected and how the requirements are met is sufficient.
Did you see the attachments ??
I'll upload again later as I'll have to remove identification ...oops as Charles has pointed out the audit schadule and risk assessment are already there. I then use an audit checklist which is just a checklist made uo of each of the caluses for the particular section I am auditing, and then a report if there are any non-conformances.