Determining Internal System Audits

Hi all. 

When it comes to internal system audits - how are you determining what is audited?

I used to always complete internal system audits according to sections of whatever Standard I am working with, e.g., 

Section 1 - Senior Management Commitment

Section 2 - HACCP

Section 3 - Food Safety and Quality Management System

I would audit against each clause in the standard, section by section (spread out over the year). 

I have received a copy of a schedule from someone internally and I can't make sense of it - the internal system audits have been broken down to clauses (or bits?) instead of sections (which is fine) but not all clauses are covered and it means auditing clauses from different sections at the same time. There is no RA / justification with the schedule for me to figure out why.

It feels like random clauses / topics have been pulled out (45 clauses / topics) and decided we'll audit this bit - but what about all the other clauses that aren't included?

Would this mean having to risk assess each clause rather than each section? 

I hope this makes sense!!

Thanks 

Kinda sounds like trying to reinvent the wheel for no reason.   

I have only ever created internal audit scopes and schedules from the checklists / standards (like it sounds you have done in the past).  That way you are certain you are not missing anything. 

If you are using BRCGS and missing items / clauses  - im not sure how you get around -  " The frequency at which each activity is audited shall be established in relation to the risks associated with the activity and previous audit performance. All activities that form a part of the site’s food safety and quality systems, including those relevant to food safety, authenticity, legality and quality, shall be covered at least once each year."

Perhaps ask for more clarification.   Are you able to just make your own schedule / redo the program so it makes sense to you? 

Thanks for replying Kingstudruler1 - 

I can do what I want essentially - however, as this has come from somebody with more experience, I thought there could be some clear reasoning that I was missing. 

I have attached what they have done. 

Does BRC actually require you to run an IA on ALL clauses?   The person prior may not have felt the omitted clauses were worth the work?

Maybe they tried to group things together that made sense to them or made sense for other reasons.  

Its no big deal if you jump around.   It looks (to me) like most of the items are on there.  Which ones clauses did you feel are missing?  as thats a different story.  I couldnt find anything glaring that was missing (but its hard to tell quickly because its not in order).   

Definitely not how I would have layed it out, but I dont see thats its glaringly wrong or non-compliant.   

Would this mean having to risk assess each clause rather than each section? 

I risk assess each clause.   But if "they" did each "section" thats probably fine as well.   

I just want to do whatever is best practice - I know my way of doing it isn't the best way it's just the simplest way but it is quite time consuming.

I'll spend some more time thinking about how to best group them. 

Thanks for your help!

Hi FoodSafetyAPP,

It looks like the BRCGS standard requirements have been covered although 3.6 Specifications is on the first list but not the schedule.

Other than HACCP & Prerequisites, the schedule has not considered the requirement of the standard for the audit schedule to be based on both the risks associated with the activity and previous audit performance. The logic of the risk assessment and decisions should also be documented.

BRCGS Global Standard Food Safety (Issue 9) Section 3.4 Clause 3.4.1:

There shall be a scheduled programme of internal audits.

At a minimum, the programme shall include at least four different audit dates spread throughout the year. The frequency at which each activity is audited shall be established

in relation to the risks associated with the activity and previous audit performance. All activities that form a part of the site’s food safety and quality systems, including those relevant to food safety, authenticity, legality and quality, shall be covered at least once each year.

etc…..

BRCGS Guidance:

Development of the internal audit schedule should begin with a risk assessment. The aim of this is to identify:

• all the areas or activities that need to be audited

• the frequency with which each part of the product safety and quality management system

needs to be audited. This will be dependent on the risk inherent in each activity or section of the food safety and quality management system. For example, the site should be aware of the consequences of not complying with its own systems, which could lead to hazards not being identified in a timely manner. Therefore internal audits of CCPs are likely to be more frequent than those for less critical activities.

Frequency may also be influenced by known issues within the company or customer requirements. This may result in a site needing to audit an activity multiple times throughout the year, or developing a programme with more than four internal audit dates

When you revisit the schedule I would order it as per the requirements of the standard so that it is easier to see what is covered and what isn’t. I also match my procedure numbering to match the standard for ease of implementation and understanding, although that isn't a requirement it just makes it easier to see how the BRCGS standard's requirements are covered. See attached example below.

BRCGS IA Schedule with Risk Rating.png   571.57KB   1 downloads

Kind regards,

Tony

Thanks Tony - this makes complete sense and actually how I started to map it out last night. I now have some reassurance.

Thanks again. 

I have taken sections which make sense to be audited together before and then also even before it was a requirement decided frequency on previous audit performance and also on risk.  That list looked fine to me to be honest.  I wouldn't personally try and do all of section 3 in one go for example as it's enormous.  It does look like they've put together more paperwork / leadership type audits together.  Makes kind of sense.

I am inclined (if there is time) to at least try to cover the whole standard at least the first year after standard issue.  You don't have to but I have a personal aversion to a system based non conformance when externally audited so I like to know that the information is easily retrievable and that a nuance hasn't been missed.  I also tend to dial back on stuff we're auditing monthly anyway for GMP audits.  So I won't do system audits on something we already do somewhere else.  Also cover some higher risk areas more than once a year.  I think based on risk we used to do this for HACCP and training as a minimum and you must must must have it spread over a year.*

As always with BRCGS, record it, record your justification for it and follow it and you'll generally have a happy auditor.

*Once when I was an interim, I got engaged in a role for 2 days to "help them with some auditing".  Turned out they'd done no internal audits all year and this was pre unannounced so they knew BRCGS was in a month.  Back then you could get away without spreading them out but I've never got through so many BRCGS based internal audits so quickly. I think I did the entire standard over 10 days in the end.  Were they my best?  Nope.  But it got rid of the worst issues and got them through the audit with a (then) max grade of an A.

This "requirement" blows my mind

It's always been a requirement to "reassess" your HACCP Plan...........one would assume everyone would understand that is not just forms 1-10

GFSI changed the language and suddenly its a new thing

This "requirement" blows my mind

 

It's always been a requirement to "reassess" your HACCP Plan...........one would assume everyone would understand that is not just forms 1-10

 

GFSI changed the language and suddenly its a new thing

Sorry Scampi I'm not getting your point?  This is about auditing including auditing your HACCP plan not reviewing it?

A reassessment is EXACTLY the same as auditing your program  not reviewing

A reassessment is EXACTLY the same as auditing your program  not reviewing

Sorry it might be differences in use of language between UK and Canada.  I would never call an audit a "reassessment". 

Reason would be if I was an independent auditor auditing a HACCP plan I would not be recalculating the risk assessments within the plan or changing any outcomes but just reviewing the efficacy of the plan in being an effective system to control food safety and being compliant with legislation and standards.  No offence was intended.

Yes, standards long before GFSI existed required audit.  Many of us started on ISO 9001 before adopting GFSI.

There seems to be a lot of anger at GFSI at the moment.  Any reason?  I don't think they set out to be an organisation who suggests revolutionary principles but rather evolves and tries to encourage improved food safety standards globally.

 

There seems to be a lot of anger at GFSI at the moment.  Any reason?  I don't think they set out to be an organisation who suggests revolutionary principles but rather evolves and tries to encourage improved food safety standards globally.

You could probably start a whole new post on that one   :roflmao:

 

 

There seems to be a lot of anger at GFSI at the moment.  Any reason?  I don't think they set out to be an organisation who suggests revolutionary principles but rather evolves and tries to encourage improved food safety standards globally

Where do I start!!!!!

Oh yes, at the beginning

These were created SOLELY to protect GROCERS bottom line         these were NEVER driven by the industry

and recalls have NOT dropped since, so goal 100% unachieved