Frequency of Internal Audit Based on ISO 22000:2018 Standard
We are audited by SGS and one of the findings is about the frequency of internal audit. We conduct our internal audit annually for each department against all clause applicable to the function of the departments. Once a department failed the internal audit, a reaudit will commence after 3 months to ensure the effectiveness of the department in implementing the organization's FSMS. Now, one of the non-conformity is for internal audit saying
"It was not evidenced that frequency of internal audit was determined based on risk with consideration to importance of processes concerned, changes in FSMS, results of monitoring, measurement and previous audits."
Can somebody give light to me in regard to the SGS finding? I have trouble in making a criteria as to what criteria I will develop, what does it include, and how I will schedule the internal audit throughout these criteria.
Greetings Joseph,
What the auditor wants is to make your procedure more robust, explaining in detail what are the criteria that you use to determine the frequency of your audits. SGS actually helped you the way they phrased it. Some simple examples in each category are:
Consideration to importance of processes: Warehousing of end products generally poses less risk of something failing than the production (always depending on the nature of the product of course).
Changes in FSMS: Changes like an addition / removal of an interested party (chapter 4) is less impactful than a change to the hazards assessment (chapter 8).
Reuslts of monitoring: This you already covered with the 3 month corrective actions period and re-auditing, but you can elaborate a bit more on this, maybe let's say that for critical N/Cs maybe the re-audit can happen in 1 month.
Measurement and previous audits: It's determining if there is a trend through time. If a department is showing more N/Cs in a period of 3 concecutive audits or years than another then the one with the most may need more frequent checks than others.
Regards!
I think your auditor is telling you that your written program for internal auditing is not clear, and your process is probably fine...........your comment reads to me like the auditor is spoon feeding you details from the code that are absent from your program
Hi Joseph,
The auditor should have made it clear this was clause 9.2.2 from ISO 22000:2018 Food safety management systems — Requirements for any organization in the food chain.
Clause 9.2.2 The organization shall:
a) plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes in the FSMS, results of monitoring, measurement and previous audits.
b) etc..
You should be prioritising higher risk areas for more frequent internal audits and also when there are changes and results of monitoring, measurement and previous audits indicate a need for more frequent audits.
Here is an example of audit scheduling but for SQF, the same principle applies and higher risk areas with regards to food safety and legality are audited more frequently.
Audit and Inspection Scheduling.jpg 143.53KB 22 downloads
Kind regards,
Tony
Hi Joseph,
The auditor should have made it clear this was clause 9.2.2 from ISO 22000:2018 Food safety management systems — Requirements for any organization in the food chain.
Clause 9.2.2 The organization shall:
a) plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes in the FSMS, results of monitoring, measurement and previous audits.
b) etc..
You should be prioritising higher risk areas for more frequent internal audits and also when there are changes and results of monitoring, measurement and previous audits indicate a need for more frequent audits.
Here is an example of audit scheduling but for SQF, the same principle applies and higher risk areas with regards to food safety and legality are audited more frequently.
Audit and Inspection Scheduling.jpg
Kind regards,
Tony
Thank you Tony, your inputs are really appreciated. I'm just starting in this career and your inputs helped me a lot.
Greetings Joseph,
What the auditor wants is to make your procedure more robust, explaining in detail what are the criteria that you use to determine the frequency of your audits. SGS actually helped you the way they phrased it. Some simple examples in each category are:
Consideration to importance of processes: Warehousing of end products generally poses less risk of something failing than the production (always depending on the nature of the product of course).
Changes in FSMS: Changes like an addition / removal of an interested party (chapter 4) is less impactful than a change to the hazards assessment (chapter 8).
Reuslts of monitoring: This you already covered with the 3 month corrective actions period and re-auditing, but you can elaborate a bit more on this, maybe let's say that for critical N/Cs maybe the re-audit can happen in 1 month.
Measurement and previous audits: It's determining if there is a trend through time. If a department is showing more N/Cs in a period of 3 concecutive audits or years than another then the one with the most may need more frequent checks than others.
Regards!
Thank you Evans X, this helped in improving our guidelines on internal audit. I really appreciate your help.
We are audited by SGS and one of the findings is about the frequency of internal audit. We conduct our internal audit annually for each department against all clause applicable to the function of the departments. Once a department failed the internal audit, a reaudit will commence after 3 months to ensure the effectiveness of the department in implementing the organization's FSMS. Now, one of the non-conformity is for internal audit saying
"It was not evidenced that frequency of internal audit was determined based on risk with consideration to importance of processes concerned, changes in FSMS, results of monitoring, measurement and previous audits."
Can somebody give light to me in regard to the SGS finding? I have trouble in making a criteria as to what criteria I will develop, what does it include, and how I will schedule the internal audit throughout these criteria.
Hi Ec,
JFI you can find a quite nice, specific, detailed IA Procedure based on Risk in earlier threads on this Forum. Many, many times downloaded. Was developed for BRC but I would anticipate equally acceptable to iso22000. Some similarity to Tony's excellent example but little bit more extended.
PS - after some searching, here is link/thread -