BRC-3.4.1 Internal Audits

Hi khanhhuyen,

This is how it's done in my workplace.

Open the Word document I attached to see the severity table, likelihood table, the matrix, and outcome decision criteria. (it will all make sense when you're looking at it) 

Firstly, you'll need to organise a list of the departments, then you can assess them. (Let me know if you need help with this too)

You need to assess the severity or consequence of NOT auditing each department.

Then assess the likelihood of NOT auditing the department.

Even though we always do our internal audits, we chose C (possible) because there is always that possibility that something can get in the way of you doing your job. Although, nothing has ever gotten in the way - internal audits are super important and if you don't get them done, your external auditor will be checking and you'll get an NC. 

After assessing each department and giving them a score (all ours are scored at either 13 or 18, which means the frequency is 6 monthly for ones scored at 13, and yearly for ones scored at 18), you can now plan your audits based on risk.

Hope this helps. Let me know if you have any questions.

Hi khanhhuyen,

I would start with a basic system of 3 x 3 risk assessment for each element of the standard as shown in the attached example where a high severity (3) would be an unsafe or illegal product and high possibility of failure (3) gives a significance of 9 (High Risk).

BRCGS Food Internal Audit Scheduling.pdf   745.81KB   234 downloads

Then schedule high risk internal audits quarterly, medium risk every 6 months and low risk annually.

Kind regards,

Tony

thanks everyone

Hi khanhhuyen,

For your information, the IFSQN offers a Practical Internal Auditor Training for Food Operations that does include internal audit risk assessment and scheduling.

This is a 4-hour training session plus exam that is live on Friday, December 02, 2022 or can be taken at your own leisure via the previous recording.

This interactive online training webinar enables participants to develop practical knowledge of the principles of internal auditing so that they can participate as part of your internal audit team. The webinar provides instruction on how to implement an Internal Audit system and how to prepare, conduct and report on an internal audit.

The course is delivered in 8 sections:

1. Introduction to Internal Auditing

2. Auditing Documentation

3. Audit Scheduling and Risk Assessment

4. Internal Audit Procedure including preparation, reporting and practical audit examples

5. Guidelines for Auditing Management Systems based on ISO 19011

6. GFSI and GFSI Benchmarked Standards Internal Audit Requirements

7. Internal Audit Exercise

8. Online test consisting of 25 multiple choice questions covering the topics taught in the course.

Kind regards,

Tony

Hi khanhhuyen,

 

This is how it's done in my workplace.

 

Open the Word document I attached to see the severity table, likelihood table, the matrix, and outcome decision criteria. (it will all make sense when you're looking at it) 

 

Firstly, you'll need to organise a list of the departments, then you can assess them. (Let me know if you need help with this too)

 

 

You need to assess the severity or consequence of NOT auditing each department.

Then assess the likelihood of NOT auditing the department.

 

Even though we always do our internal audits, we chose C (possible) because there is always that possibility that something can get in the way of you doing your job. Although, nothing has ever gotten in the way - internal audits are super important and if you don't get them done, your external auditor will be checking and you'll get an NC. 

 

After assessing each department and giving them a score (all ours are scored at either 13 or 18, which means the frequency is 6 monthly for ones scored at 13, and yearly for ones scored at 18), you can now plan your audits based on risk.

 

 

Hope this helps. Let me know if you have any questions.

Hi Adele

I believe the risk assessment concerns the risk associated with the activity, not a failure to audit an activity - see the attached screenshot.

An easy way of approaching it would be to say fundamental requirements are high-risk activities because a loss of control in those areas could jeopardise food safety, quality, legality and/or authenticity... While non-fundamental requirements are not addressing activities with as high a risk association.... So you could call activities associated with fundamental clauses higher risk, and increase your auditing frequency to reflect that.

Similarly, with previous audit performance, you could look at the previous year's audits and identify a selection of audits that yielded a comparatively high level of non-conformance, and increase your auditing frequency to reflect that.

The standard isn't looking for an assessment of risk associated with failing to carry out audits. 

Hope this helps.

 

Determine the terms to be evaluated for each department

Does anyone have a manual for this part?

 

Hi khanhhuyen,

See the methodology  here -

http://www.ifsqn.com...dit/#entry95362