FAQ in BRC Food 7 become requirement in BRC Food 8.
As we know that FAQ in BRC Food 7 become requirement in BRC Food 8.
"Where the supplier audit is completed by a second or third party, the company shall be able to
:–– demonstrate the competency of the auditor
–– confirm that the scope of the audit includes product safety, traceability , HACCP review and good manufacturing practices
–– obtain and review a copy of the full audit report "
I am thinking about general data protection regulation. Information in supplier site is very risky to be distributed as in full audit report may contain some confident commercial information. Confidential disclosure agreement between third party auditor are well aware, but full audit report is very risky to be spread out by customer site. In case of violence, it is not easy to prove that information was spread by customer or third party auditor. Information security policy between customer and supplier may need to be concerned. Third party auditor should think more on content in audit report preparation.
In term of competency of auditor, CAB which accredited by IAF AB should be recognized. Assignment of competent auditor is the must for such CB. Some personal information of auditor can be disclosed if CV or competency review information sent to customer without any control.
What do you think?
Jack.
Principal Witness Assessor
Hello,
The way we tackled this topic in our company was by creating an SOP/document that we could all reference to.
1) Written definition of a competent auditor. Take a look at CFR 117.3 (below in blue) and modify it as per your needs (black).
Qualified auditor means a person who is a qualified individual and has technical expertise obtained through education, training, or experience (or a combination thereof) necessary to perform the auditing function. Examples of potential qualified auditors include:
(1) A government employee, including a foreign government employee; and
(2) An audit agent of a GFSI certification body.
In other words, if the audit report is presented by an auditor that falls into a) or b) then you have demonstrated competency, and you don't need any extra documentation. If not, then c) you have to ask the auditor for their credentials that match the definition of qualified auditor. An ASQ Certified HACCP auditor with the PCQI / FSVP certificate will suffice this requirement.
2) Confirm the scope: We added two visual examples to the SOP: One Audit report summary of an audit that was performed per a GFSI agency and one audit report summary by another agency. Is very clear and obvious that the GFSI standard included all needed listed by you and the other agency did not.
3)Obtain a full copy of the audit report. This is been our "headache" for a while, but little by little, companies have noted they have no choice but to share. We have involved our procurement team in this process and they are making sure that we have a CDA in place, so they feel better sharing. If they definitely don't want to share, then we are the ones auditing that facility. Someone has to go and come back with a report. Management commitment is vital. Also, we have been involving IT and making sure the information is only available for a handful of employees, its backed up and protected. While we want the information protected, we also need it available in case the FDA shows up and asks. Last thing you want is to show the FDA that the information is impossible to access.
As long as we all start demanding from the suppliers, this will be easier and easier as the time goes.
Hope this helps!
As we know that FAQ in BRC Food 7 become requirement in BRC Food 8.
"Where the supplier audit is completed by a second or third party, the company shall be able to
(1):–– demonstrate the competency of the auditor
(2)–– confirm that the scope of the audit includes product safety, traceability , HACCP review and good manufacturing practices
(3)–– obtain and review a copy of the full audit report "
I am thinking about general data protection regulation. Information in supplier site is very risky to be distributed as in full audit report may contain some confident commercial information. Confidential disclosure agreement between third party auditor are well aware, but full audit report is very risky to be spread out by customer site. In case of violence, it is not easy to prove that information was spread by customer or third party auditor. Information security policy between customer and supplier may need to be concerned. Third party auditor should think more on content in audit report preparation.
In term of competency of auditor, CAB which accredited by IAF AB should be recognized. Assignment of competent auditor is the must for such CB. Some personal information of auditor can be disclosed if CV or competency review information sent to customer without any control.
What do you think?
Jack.
Principal Witness Assessor
Hi Jack,
Not sure what you meant by "FAQ" -
As i understand, (1.2) above is specifically stated in BRC7 already.
(3) was interpreted as in this 2016 Consultant clip -
supplier aproval.png 89.44KB 1 downloads
The basics look much the same to me ?
"Where the supplier audit is completed by a second or third party, the company shall be able to
:–– demonstrate the competency of the auditor
–– confirm that the scope of the audit includes product safety, traceability , HACCP review and good manufacturing practices
–– obtain and review a copy of the full audit report "
The requirements have been amended to recognise that some supplier audits may be completed by third parties. These audits may be accepted in the absence of the site completing its own audit, providing that:
• the competency of the auditor is appropriate for the type of product and standard of audit conducted
• at a minimum, the scope of the audit addresses product safety, traceability, HACCP and Good manufacturing practices
• a copy of the full audit report is available – not just a certificate.
BRC Participate perhaps ?
I deduce you are agreeing my comment.