13 replies to this topic

[WorkingFromWork]

Hello, this is one part of the BRCGS Standard that has confused me for some time.

 

I created an internal audit program with a schedule for internal audits that is based on risk and previous audit performance. I listed each of the requirements for the standard in that schedule. Do I need to include more audits than these?

 

Do I need to also include a section in the schedule for processes that are audited aside from the list of requirements in the standard?

 

I feel like I've been told that we need to audit our specific work instructions, like "did the worker wrap the pallet around 3 times?" but I do not see where that is a requirement. 

 

Really could use some insight as to how this works. Really appreciate any help. Thank you.

[GMO]

Hi WorkingfromWork (great name by the way).  How I've always approached BRCGS auditing internally was to take the standard, check the standard was replicated into our procedures and then check those procedures were being applied.

 

So for example, let's take a section at random:

 

5.3.2 which is about identifying and listing allergen containing ingredients and materials on site.

 

You'd expect that to be reflected into an SOP on allergen control which would include the specifics about how materials are labelled (e.g. with a tag) which you'd then look into the factory for examples of conformity, non conformity and talking to staff, their level of understanding.

 

You might have a situation where your internal procedure goes further than BRCGS requires, for example, specific coloured tags for specific allergens and find non conformances against that.  To my mind for best practice, you should still raise it against an internal BRCGS scope audit because you've then gone against your procedure.  The reason I think even a BRCGS auditor may expect that is the catch all fundamental clause in section 6.1 about the site operating to work instructions and procedures.

 

Whether your wrapping of the pallet is a non con?  As with all things "it depends".  Are you getting a lot of product damage in store?  Is 3 layers critical for the stability of the pallet?  If it shifted slightly are there quality or even health and safety concerns?  Only knowing your product will you be able to confirm.

 

You could probably get away without doing the above internally as long as procedures are compliant with reality the day of audit but if you want a really good quality system that's working in practice, I'd say it's best practice to do that multi level audit, i.e.:

 

• What does it say in BRCGS?
• Is there a statement of intent, policy or procedure (if required, not needed for all sections.)?
• Is it in an SOP?
• Are all documents compliant or above BRCGS requirements?
• Are we then actually doing it in practice in the factory?  Both in a way compliant with BRCGS and our internal procedures?
• Do people understand the requirements and why in the factory?
• Are they formally trained against the SOP in the factory?

 

Remember even internal audits are sampling exercises.  So you need to look for evidence on each clause but you won't necessarily be expected to look at huge numbers of examples.  A sample is fine.  Then going into more depth on that sample is quite helpful I think.

[WorkingFromWork]

Thank you for your advice GMO, but I am still confused. Also, this is for packaging materials and not food.

 

 

I guess I will word my questions like this:

1. If we have a procedure that is not used to fulfil a requirement of the BRCGS Standard, does it need to be audited? If so, why?

 

2. If we have a procedure that is used to fulfil a requirement of the BRCGS Standard, does it need to be audited beyond that the requirement of the standard is being followed? If so, why? Like do I need a non-conformance report where the scope of the audit is "SOP for doing this thing that is partly used to fulfil part of the standard requirements"?

 

Right now, my audit schedule is just a long list of all the requirements in the standard like this as an example:

1.1 - Jan

1.2 - Feb

1.3 - Mar

 

But do I need to audit any processes outside of this, like 

 

1.1 - Jan

SOP-1 - Jan

SOP-2 - Jan

1.2 -Feb

SOP-3 - Feb

1.3 - Mar

SOP-4 Mar

 

This is what I thought I had to do for some reason, but I am not seeing why based on a standard requirement. It significantly increases the number of audits and we are a small company, so I want to make sure. Sorry if this is confusing or a bad question. I am new to these things.

[GMO]

Oops, missed it was packaging but I think the same principles apply.

 

No I wouldn't audit the SOPs separately but just take the SOPs associated with that section and audit them at the same time as part of the same audit.  So your SOP on, say, goods receipt is audited at the same time as your internal audit against that section.  Auditing your procedures are compliant with the standard and complied with is, to my mind, part of any audit.

[jfrey123]

Thank you for your advice GMO, but I am still confused. Also, this is for packaging materials and not food.

 

 

I guess I will word my questions like this:

1. If we have a procedure that is not used to fulfil a requirement of the BRCGS Standard, does it need to be audited? If so, why?

 

2. If we have a procedure that is used to fulfil a requirement of the BRCGS Standard, does it need to be audited beyond that the requirement of the standard is being followed? If so, why? Like do I need a non-conformance report where the scope of the audit is "SOP for doing this thing that is partly used to fulfil part of the standard requirements"?

 

I'm not as familiar with BRCGS specifically, but I have thoughts to your questions in general from a GFSI mindset.

 

1.  If it's part of your FS-QMS, I would audit it.  It may not have a direct tie into your BRC requirements, but if it's part of your food safety program overall then I would want to review that the procedure is being performed correctly and has the intended result.  I kind of struggle to think of a single program I've seen with my companies that didn't somehow in some small way tie into the GFSI codes we were under.

 

2.  Kinda along the point I made above, I think an effective internal audit addresses both that your SOP is working as intended and also whether it meets the BRC standard.  I tend to review the programs individually during the year, documenting how we've audited the program worked as written and whether legislation or GFSI updates require us to update the program.  But then before our SQF audits, we do a full self-assessment against the standard to make sure we're compliant (because they require it).  So realistically, I'd be auditing our SOP's a few at a time each month, then doing the one big assessment prior to our unannounced windows opening.  I think that would be acceptable for BRC as well, but happy to be corrected if someone has a more experienced view.

[Aboutaleb10]

What About Sharing your internal Audit plan , to see How you activate it ?

[kingstudruler1]

You may be thinking of it in a different way than I am use to.   No that it is a bad way, just different.   You seem to be looking for "what" to audit and not "How" to audit.  The  scope / "what" is already given to you - it is the standard.   

 

For instance, when you audit 1.1.1, you should be asking your self "how" do I prove that I meet this requirement?   In doing so, you would review the management commitment statement and make sure it meets the requirments,  verify where it might be posted, and possibly even question employees on its existance and thier familiarity with it.  ive never created a checklist of everything I feel I need to look at in order to acheive compliance.   That just seems like a alot or work - if im understanding your thought pattern correctly.   

 

If your procedure is needed to achieve compliance with some portion of the standard, it will be included in your audit.  

 

I feel like I've been told that we need to audit our specific work instructions, like "did the worker wrap the pallet around 3 times?" but I do not see where that is a requirement.   

 

You would probably review these written work instructions in 1.3.2.  I would not say you have to go to the line a verify that is what they are doing.   If you happened to see it not happening during a walkthrough, you could consider it a minor non conformity.  Or if you happened to witnees it being done corrrectly it could be considered evidence that the work instructions are being followed correctly.    Some people may choose to visually watch employees completing work instructions as a form of training verification.  (6.1.2)  There are other way to verifiy training effectivenes.  

[beautiophile]

Thank you for your advice GMO, but I am still confused. Also, this is for packaging materials and not food.

 

 

I guess I will word my questions like this:

1. If we have a procedure that is not used to fulfil a requirement of the BRCGS Standard, does it need to be audited? If so, why?

 

2. If we have a procedure that is used to fulfil a requirement of the BRCGS Standard, does it need to be audited beyond that the requirement of the standard is being followed? If so, why? Like do I need a non-conformance report where the scope of the audit is "SOP for doing this thing that is partly used to fulfil part of the standard requirements"?

 

Right now, my audit schedule is just a long list of all the requirements in the standard like this as an example:

1.1 - Jan

1.2 - Feb

1.3 - Mar

 

But do I need to audit any processes outside of this, like 

 

1.1 - Jan

SOP-1 - Jan

SOP-2 - Jan

1.2 -Feb

SOP-3 - Feb

1.3 - Mar

SOP-4 Mar

 

This is what I thought I had to do for some reason, but I am not seeing why based on a standard requirement. It significantly increases the number of audits and we are a small company, so I want to make sure. Sorry if this is confusing or a bad question. I am new to these things.

1. No and maybe yes. For example, an HR department takes care of training and payroll control.

- If you audit solely against BRCGS, the payroll control procedures are excluded.

- If you conduct an operation audit at HR for the sake of business governance, you have to use all HR procedures. This overlaps the training part of BRCGS.

 

2. Like the one above but in a smaller context (sub-procedures in procedure)

BRCGS-focus or extended audit, it's your choice as long as you can convince Auditors that you cover all BRCGS requirements.

[WorkingFromWork]

Thank you all for the explanations. This is helping me to understand better.

 

So to clarify based on what you have all been trying to tell me:

 

We audit our conformance against the BRCGS standard. How we do that may involve auditing SOPs but it would still be part of auditing one of the requirements. Therefore, additional audits specifically for SOPs are not required?

 

I hope that this is correct, as that makes sense to me and I would like to do it this way.

[jfrey123]

We audit our conformance against the BRCGS standard. How we do that may involve auditing SOPs but it would still be part of auditing one of the requirements. Therefore, additional audits specifically for SOPs are not required?

 

I hope that this is correct, as that makes sense to me and I would like to do it this way.

 

I looked at a copy of a standard, and at the intro to 3.2 Internal Auditing it states:   "The company shall audit those systems and procedures that are critical to product safety, legality, and quality to ensure they are appropriate and complied with."

 

Back to my post above, you have to audit yourself against BRCGS, making sure your programs are compliant to the standard.  That's one aspect of self-audits.  But you also have to audit your actual programs.  There's a difference between the program meeting the standard vs the program functioning as intended.  So in short, yes, audits specifically for your SOP's should be required by your own program.

 

If scheduled correctly, it can speed your prep for your third party audits.  My company is more geared toward SQF, but we audit our internal programs throughout the year to ensure the programs are operating as intended and written.  Then once a year we audit our programs to the SQF standard, ensuring our programs still meet the SQF standards, making sure any changes we made were compliant when made and also meet the standard before our third party shows up.  Having already audited our programs makes checking against the standard much quicker.

[WorkingFromWork]

I looked at a copy of a standard, and at the intro to 3.2 Internal Auditing it states:   "The company shall audit those systems and procedures that are critical to product safety, legality, and quality to ensure they are appropriate and complied with."

 

This is not the correct standard, but I looked at the equivalent requirements in the BRCGS Packaging Materials Issue 7 standard. It specifies auditing various things that are all covered directly under the requirements of the standard but nothing more. 

 

I understand that auditing our SOPs and other such things will help with improvement, but what I am most concerned with at this time is fulfilling BRCGS requirements for internal audits. Our operation is quite simple; we have 1 raw material.

[jfrey123]

I pulled the standard you mention, Packaging Materials Issue 7, and found this:

 

3.5 Internal Audits

Fundamental

The company shall be able to demonstrate that it verifies the effective application of the HARA, implementation of the requirements of the Standard, the site's product safety and quality management system and any applicable module through internal audits.

 

3.5.2

As a minimum, the scope of the internal audit programme shall include:

-HARA

-product safety and quality management system, including the activities to implement it (e.g. supplier approval, corrective actions and verification)

-prerequisite programmes (e.g. housekeeping, pest control, maintenance)

-product defence and product fraud prevention plans

-procedures implemented to achieve the Standard and modules.

 

Each internal audit within the programme shall have a defined scope and consider a specific activity or section of the HARA or product safety and quality management system.

 

 

I'm not a BRC guy but based on that, I think they're asking for more than only auditing things "covered directly under the requirements of the standard."  Usually the phrase "product safety and quality management system" is used to describe your entire program manual as a whole, and I'm reading the requirement to be it be audited at least annually under 3.5.1.

Edited by jfrey123, Today, 04:37 PM.

[WorkingFromWork]

I pulled the standard you mention, Packaging Materials Issue 7, and found this:

 

3.5 Internal Audits

Fundamental

The company shall be able to demonstrate that it verifies the effective application of the HARA, implementation of the requirements of the Standard, the site's product safety and quality management system and any applicable module through internal audits.

 

3.5.2

As a minimum, the scope of the internal audit programme shall include:

-HARA

-product safety and quality management system, including the activities to implement it (e.g. supplier approval, corrective actions and verification)

-prerequisite programmes (e.g. housekeeping, pest control, maintenance)

-product defence and product fraud prevention plans

-procedures implemented to achieve the Standard and modules.

 

Each internal audit within the programme shall have a defined scope and consider a specific activity or section of the HARA or product safety and quality management system.

 

 

I'm not a BRC guy but based on that, I think they're asking for more than only auditing things "covered directly under the requirements of the standard."  Usually the phrase "product safety and quality management system" is used to describe your entire program manual as a whole, and I'm reading the requirement to be it be audited at least annually under 3.5.1.

 

When reading the standard, under Product Safety and Quality Management System it says: "The Standard requires the company to document the framework of management policies and procedures by which it will achieve the main requirements of this Standard." 

To me this means that the product safety and quality management system they are referring to is the documented policies and procedures by which we meet the requirements of the standard. Hence, this is some of what we use as evidence of conformance during internal audits of the requirements.

 

It continues to say "It also expects the company to maintain an environment with appropriate levels of housekeeping and operational conditions that are necessary for the manufacture of safe, legal and quality products."

This just mentions that prerequisite programs are also necessary, which are part of the requirements that we already need to internally audit against.

 

The effective application of the HARA is already in our requirements for Hazard Analysis and Risk Assessment in Clause 2, so I don't see why I would need to audit it beyond that.

 

Maybe I am missing something, but doesn't "procedures implemented to achieve the Standard and modules" mean any procedures that we implement in order to meet the requirements of the standard? So if we audit those requirements we will need evidence of conformance with those requirements, hence the procedures are audited?

 

I really see no fault in what I am saying based on the information provided to me in the standard, unless the standard is just poorly written and does not explain itself at all.

Is the product safety and quality management system not what is covered in Clause 3? If I do not have any NC in all of Clause 3 I can still fail in my implementation of our product safety and quality management system? Then what is the point of auditing clause 3 to begin with?

[jfrey123]

I've never done BRC, so I can't say if I'm right or your right.  But when I look at 3.5.2 it lists five different things and states, at minimum, they must be internally audited.  One of the 5 things is the product safety and quality management system, which I take to mean your entire written food safety program.  They also separately call out that the PRP's must be audited, and I take that to mean the PRP's in their entirety.  I think it's fair to say some of us have PRP's that aren't expressly covered by a GFSI requirement but are part of our food safety or quality goals and still must be checked for effectiveness via internal audit.  

 

Taking pest control as an example as its named under the PRPs: 4.11 already details all the things you must have in place for pest management.  Checking that your program meets what the standard says is one thing; checking that your program is being followed as written and is effectively doing its job is the place for an internal audit.

 

Again, admittedly, I could be out in left field here since my experience is primarily tied to SQF.  But everywhere I've worked so far, we audit our entire FS-QMS in chunks over the year to make sure we're following our own programs as written.