Supplier resistant to providing AIB findings report
Hello all you wonderful people,
I was curious what you all think, I have a potential co-packer that I am going through the process of evaluating. They have an AIB cert with a passing score but are very resistant to submitting the findings report. I have worked at co-pack facilities in the past and found this to be a yearly standard practice. Needless to say I find this odd and a bit of a red flag for future communication of issues should there be any down the road.
What do you all think, am I being alarmed by nothing?
Best regards,
Personally I've experienced a mixed bag. Some offer the full report, others don't. Does AIB offer a score on their certificate? Considering they passed their audit, and if they have a respectable score, I don't think it's a dealbreaker that they aren't offering the report. Have you considered doing a site visit? For co-packing that can be a good idea anyway.
If they passed they could just send you a copy of their certificate or tell them you want to stop by and do a site visit for a look around.
We had a co packer that said the same thing and then find out they failed their audit.
Verbal don't go.
Hi WanderingFSM,
I would tell them you are going to do, or arrange, a full audit if they don't hand over the full report.
It is very rare but I have come across a forged certificate so I always ask for an audit report when dealing with medium/high risk suppliers.
Kind regards,
Tony
I would almost NEVER share my audit report because some processes are proprietary and sharing them puts that in jeopardy
Always provide the certificate, and if that's not enough, the can call the CB on their own to verify
The fact that the cert plus onsite isn't enough means that GFSI are no longer meaningful (not that they ever were)
My work in our company's procurement department has us asking every vendor for their GFSI cert and the full audit report. We get about 33/33/33 compliance with that request: either no audit given, only the CAPA's given, or the full audit comes.
There is an attitude that vendors don't like airing their dirty laundry to the world, or like Scampi said they've got some proprietary information concerns (which are sometimes alleviated with NDA's), etc. Based on our product risk assessments, we either accept the passing GFSI certificate as sufficient, or we cite other vendor programs we ask for (allergen management, EMP programs, etc) and deem them sufficient, or we request an in-person audit or visit. Sometimes they're willing to share their audit in person but don't want copies floating around outside of their control.
I would almost NEVER share my audit report because some processes are proprietary and sharing them puts that in jeopardy
Always provide the certificate, and if that's not enough, the can call the CB on their own to verify
The fact that the cert plus onsite isn't enough means that GFSI are no longer meaningful (not that they ever were)
I also don't send out anything but my cert. Nowadays everyone wants a copy of everything in my program. HACCP plan, all internal docs like SOP's, sanitation docs, etc. We don't do that. We're a private company, in all respects.
And I'm in the 'it never was' camp. We used to get inspected by AIB and honestly they looked through the place with a fine toothed comb. GFSI spend 99% of their time looking at paperwork. As far as actually making safe food, it's not as good. It was supposed to be a 'you've got that cert, that pays all' kind of thing, and it isn't....
On to the next exciting failure soon enough, I'm sure....
Jfrey, if you don't mind my asking, why do you ask for the report from vendors? Why isn't the cert enough? Do you guys even look at it? Ever bailed on someone who passed because you didn't like their internals? Just curious...
I also don't send out anything but my cert. Nowadays everyone wants a copy of everything in my program. HACCP plan, all internal docs like SOP's, sanitation docs, etc. We don't do that. We're a private company, in all respects.
And I'm in the 'it never was' camp. We used to get inspected by AIB and honestly they looked through the place with a fine toothed comb. GFSI spend 99% of their time looking at paperwork. As far as actually making safe food, it's not as good. It was supposed to be a 'you've got that cert, that pays all' kind of thing, and it isn't....
On to the next exciting failure soon enough, I'm sure....
Jfrey, if you don't mind my asking, why do you ask for the report from vendors? Why isn't the cert enough? Do you guys even look at it? Ever bailed on someone who passed because you didn't like their internals? Just curious...
I have asked for full reports if the vendor is not in the US ( especially China)or has a score less than 85. I was just curious as to where they are falling behind and I was not going to China to audit a plant.
Jfrey, if you don't mind my asking, why do you ask for the report from vendors? Why isn't the cert enough? Do you guys even look at it? Ever bailed on someone who passed because you didn't like their internals? Just curious...
Short answer: because the boss lady says to :lol2:
We get farm audits from farm level as well as fresh/non-fresh food vendors in GFSI approved schemes. If you've ever dealt with farm audits, they're sometimes laughable: some farm audits don't even require CAPAs, others will flag something egregious but lack the point system to classify it as a critical/major vs minor. So we do have to review them to find when a lettuce vendor is flood irrigating vs sprinkler irrigating.
This habit of reviewing farm audits made my boss want to review GFSI audits when we can. So we do actually read them, and we have observed major findings related to risky areas like allergen handling and sanitation, and she likes to see what they've done to mitigate these higher risk findings. And when we notice repeated findings in the same area, it does generate conversation as to whether we want to keep working with that vendor.
I know the forum has talked at length about what GFSI was supposed to do, and be the audit to end all audits, but we all know some level of shenanigans be afoot between the different CB's and individual auditor preferences, yada yada. I used to be of the opinion that a GFSI audit should be good enough, but seeing some of our vendors have repeated issues in the same area (though not always the exact same clause, which prevents those repeats being escalated to major findings in a scheme like SQF), it has shown me that we can't become complacent in our vendor approvals.
Hello,
Thank you all for your input. To be honest, I have always been the one at the co-pack site and this is my first time on the other side. They did send their cert with a score of 825 and we have done our own audit. After follow up visits, we haven't seen much improvement. They have offered to show us the report on site but have always failed to produce it even though we have been back 3 times. My viewpoint is this is an indicator of open communication and a look at the quality culture of the facility. Are they unwilling to admit when things are going wrong and work on continual improvement? I understand the need to protect yourself, but I also know that a co-pack site can make your life miserable if they are unwilling to communicate honestly and make improvements. I know of a few people that love working for their company but because of a difficult co-packer are looking for employment elsewhere. Though ultimately the decision to move forward is not up to me but those much higher above.
Ultimately I have my answer though. Handing over the findings report is not as common as I thought. Thank you all again for your input.
Best regards
Hi Folks,
For those referring to GFSI, AIB Consolidated standard is not a GFSI benchmarked standard and therefore the AIB certificate is not typically recognised by GSFI Benchmarked Certification Schemes.
You can see some thoughts on the AIB standard and why it lost some ground in terms of respectability in this topic: Benefits of AIB?
Some comments from members I would recommend:
Post 14 by Marshall
It's been years since I have been audited to an AIB Standard. "Back in the day" (late 90's early 2000's) they were a great resource because they have always been more oriented to what's going on out on the production floor.
My personal take on their auditing scheme is that it is now irrelevant. It's not GFSI approved, and while I guess "useful" for people that are not ready to certificate to a GFSI scheme, it does not seem helpful because they do double count findings.
Also, all the really good auditors that they had years ago have moved on.
Marshall
Post 16 by kfromNE
I worked at a company with AIB but were in the process of becoming SQF certified. The problem, it's a GMP audit and not GFSI audit. We could get by showing we had a AIB audit certificate for our customers but I knew it wasn't going to cut it for very much longer.
You need to do what your customer demands and in the USA at least, that's usually a GFSI audit.
Post 24 by Marshall
I have not been audited against the AIB standard for years, simply because the world has moved on to things like BRCGS or SQF or other like GFSI benchmarked standards.
Back in the day (early to late 90's) AIB audits were (generally) the industry standard, in that they audited the general things that should be audited as a food processor. They were generally more inspection oriented and were light (somewhat) on documentation.
They took a big hit when the whole Peanut Corporation of America recall happened.
Is their Standard and inspection criteria good? I guess, but it's not GFSI approved. Which, today, is really what matters.
Are their auditors any good? Don't know. Again, back in the day the auditors I had were very good, auditing against "their" Standard.
Marshall
Also note that more information than just a certificate is typically required for example SQF Food Safety Code: Food Manufacturing:
2.3.4 Approved Supplier Program (Mandatory)
2.3.4.2 The approved supplier program shall be based on the past performance of a supplier and the risk level of the raw materials, ingredients, processing aids, packaging, and services supplied, and shall contain at a minimum:
i. Agreed specifications (refer to 2.3.2);
ii. Reference to the level of risk applied to raw materials, ingredients, packaging, and services from
the approved supplier;
iii. A summary of the food safety controls implemented by the approved supplier;
iv. Methods for granting approved supplier status;
BRCGS requires you to independently confirm the certificate status and scope of certification.
The whole idea of GFSI benchmarking and FSMS Certification Schemes was to reduce the number of audits so the release of an audit report is not too much to ask, in fact some customers request this as part of the contract. For sensitive information, I would request through the certification body that it is redacted or limited in the full report.
If I’m managing a supplier and you are reluctant to send me your audit report without a reasonable explanation then that would raise my suspicions and I’m far more likely to come and audit you.
Kind regards,
Tony
We will share reports during a site visit, but prefer not to send it electronically. There are exceptions based on who the customer is. There is so much information about processes in the report that we just don't want them "out there."
As for AIB vs. GFSI I see the good and bad of both and still have customers that want visits or audits even for our GFSI sites while some are fine with the sites with no audit at all based on the product we supply (low risk).
Lastly, I will echo that I believe the large majority of customers I supply questionnaires and/or reports to don't read them. I would expect more follow up from them if they did.
I agree with others on here, I never send out the full report as there is confidential and proprietary information on it. Do it with GFSI and have done it with AIB. The certificate should be enough. AIB does score the audit, so the certificate should show you the score. I am not very fond when people demand the full report and act poorly when you don't provide, it is our company's and our company's alone business what is in the full audit report and we have a right to decide who can see it. The point of being issued a certificate is the prove compliance. Also not fond when asked for the HACCP Plan and specific SOPS and procedures.
BRCGS requires the entire audit report if the audit is not GFSI recognized. One reason why people might ask for and audit report.
or • supplier audits, with a scope to include product safety, traceability, HACCP review, the product security and food defence plan, the product authenticity plan and good manufacturing practices. The audit shall ensure that these plans form part of the supplier’s product safety management system and that any resultant actions are implemented. The supplier audit shall be undertaken by an experienced and demonstrably competent product safety auditor. Where the supplier audit is completed by a second or third party, the company shall be able to: • demonstrate the competency of the auditor • confirm that the scope of the audit includes product safety, product security and food defence plan, product authenticity, traceability, HACCP review and good manufacturing practices • obtain and review a copy of the full audit report
Hi Folks,
I can see a reluctance to release a report if you are producing your own Branded Products and that there may be confidential and proprietary information in the report so that would be an example where it may be justified.
Otherwise you are making your customer’s life difficult especially when they may need specific information as per the requirements of their certification scheme, SQF is an example of this as I posted previously:
2.3.4.2 The approved supplier program ……shall contain at a minimum:
iii. A summary of the food safety controls implemented by the approved supplier;
Kind regards,
Tony
You can ask for a description of the suppliers food safety controls without receiving the full audit report. That is how we have it for our questionnaire and requests for documents. We ask them to provide a summary of their food safety controls. There are ways to get the information required without having the full audit report. Otherwise, I would believe the standards would specifically spell out that the full audit report is required for approval if it was indeed needed.
As people can probably tell I have some time on my hands this week due to an injury. So apologies for all the replies!
I'm with Tony on this. If you've supplied retailers in the UK there is a certain amount of expectation of sharing reports and the same for your suppliers into you. I'd also argue that I've never read a report which provides information within it which is significant enough to be a commercial risk to someone knowing your processes. I don't agree that's a true objection.
What might be a risk is that the non conformances are read by someone without context (or read genuinely and you just happen to have some howlers on there). That could be a commercial risk to it being leaked to the press etc., especially if you're a branded organisation. But there are ways around that and would be implications for the receiving company if that happened.
Recently I was in a site who refused to publish their SMETA / SEDEX report. For those who don't know the system, this doesn't make it public but it does make it visible to people you are "linked" to and have allowed access. I.e. normally your direct customers. When I came into the business, they had received about 3 SMETA audits over 6 years, none of which had been published and, guess what, none of the actions had been done properly either. Within 3 months I'd got agreement for them to publish and the actions properly closed out with the team.
The problem is that if you're embarrassed by your audit reports, doesn't that say something? And I'm not saying I've never been in that situation by the way! This is not me with my judge-y pants on. But if your MD or site director knew that the audits you have will be shown to external parties, that might help get the resource and support you need to genuinely improve standards. If you're feeling a bit "I don't want anyone to see this" then what's your plan to not have it recur? That's where I'd put my energy.
Also if there is something which is absolutely secret on there, redact it. It's unlikely to be in the non con section anyway. As an occasional supplier auditor, a supplier not willing to share the audit report or at least the non con list is going to be greeting me on their doorstep soon.
Last point though on sharing audits, some audits, often retailer ones, are not classed as your property and auditors will often say they will be shared with the customer but should not be shared by sites.
As for Tony's point on the value of AIB audits... agreed, they're not GFSI and auditors have sadly got patchy in the last few years as the older more experienced team members retire. But I also agree that for those sites who don't have something like BRCGS (which has got tougher and more factory based in recent years), or who aren't on the "every year" unannounced scheme, it's not bad. It has some value.
It's especially tough on pest management and maintenance which are areas often neglected in other standards I've found. The level of machine inspection you have on AIB audits can be as much as 10x that of a BRCGS auditor. So if you have doubts about your site standards, it's not a bad scheme to choose, especially unannounced and one which can sit alongside a GFSI standard to really challenge your GMP until you have a more mature culture. The scoring is odd though and I hate businesses that target a number with strict RAG ratings around it. But if you or your team walk round with an experienced AIB auditor and I guarantee you will learn something about doing better internal GMP audits.