Food Safety Audits: Frequently Asked Questions
Thursday, April 15, 2021
By Stephanie Baker, FAPC Quality Management Specialist, and Andrea Graves, FAPC Business Planning and Marketing Specialist
All food companies must comply with basic food safety regulations and use good manufacturing practices as designated by the state health department, state department of agriculture, Food and Drug Administration, and/or United States Department of Agriculture. This statement applies to both human food and animal food companies.
At some point, food companies may receive a request from one of their customers, which includes a company or entity they sell their food to (not just the end user or the one who consumes the food product), for a food safety audit. This audit contains a list of additional requirements that goes above and beyond what the law requires.
Often, these audits are required if food companies want to sell to a certain business. Initially only the “big box stores” required these audits. As topics such as genetically modified organisms, the COVID-19 pandemic, animal welfare, sustainability and ethical sourcing become more important to consumers and retailers, additional audits are being requested, no matter the size of the food companies.
Additionally, larger customers were developing their own unique auditing guidelines and conducting their own audit of the food companies. It was not unusual for food companies to have multiple audits throughout the year, and, as a result, this became costly and strenuous for food companies all over the world.
The Global Food Safety Initiative was created with the primary goal to create a single audit guideline with accredited standards that would be accepted globally and reduce the number of repetitive audits for manufacturers.
GFSI began in 2000 and is an organization that approves or benchmarks the food safety audit criteria for companies called Certification Program Owners. Examples of CPOs are Safe Quality Foods, British Retail Consortium, PrimusGFS and others. When choosing a CPO, it is important to research the benefits of each. Although they are all benchmarked to GFSI, they are not all exactly the same.
When a customer requests an audit and the manufacturing company contracts an auditor to conduct the audit, it is referred to as a third-party audit. The three parties are the manufacturer, auditor and customer. GFSI audits are an example of a third-party audit.
If a manufacturing company is going to conduct a GFSI audit, it must first choose a program to implement from the list of CPOs. Then, the company needs to choose a Certification Body. The CB manages the audit certification process and provides an auditor to visit the manufacturer. Examples of CBs are NSF International, Mérieux NutriSciences, HACCP Consulting Group and Eagle Certification Group. It is recommended to shop around to get multiple quotes and negotiate pricing, if possible, when looking at CBs.
Another example of a third-party audit is a larger customer contracting an auditing company to audit the manufacturer with the customer-specific requirements. If the manufacturer is new to auditing, it may choose to schedule a Good Manufacturing Practices, Food Safety Modernization Act, Hazard Analysis and Critical Control Points, or food safety audit with a provider of its choosing.
GMPs are a pre-requisite to a HACCP plan (food safety plan), and the HACCP system is a pre-requisite to GFSI compliance.
Specialized third-party audits are available as well, such as gluten free, ethical sourcing, quality systems and more. The CBs able to conduct GFSI audits also can provide non-GFSI audits and specialty audits.
A second-party audit is an audit from a group with financial interest in the company being audited. Commonly, second-party audits are a customer auditing a supplier, also called a supplier audit.
This type of audit varies greatly in length and detail from a couple hours with a site tour to two days with the customer’s own specific quality management system requirements. Findings from supplier audits can impact purchasing decisions. Regulatory inspections are another example of a second-party audit because there are two parties involved.
A first-party audit also is known as an internal audit or self-assessment. This type of audit may be conducted by employees of the company to assess the company’s own food safety system. Corporate quality representatives may conduct internal audits of multiple facilities owned by the same parent company. A company may enlist a consultant to assess its own food safety system. For smaller companies, it is not recommended for a person to audit his or her own work.
Internal audits are required by GFSI benchmarked codes. The schedule can be more flexible, broken into sections to be completed throughout the year, or the company may choose to mimic the second- or third-party schedule by conducting the entire audit over the course of a few days.
The general process for first-, second- and third-party audits is similar. Once food companies have established what type of audit will be conducted, they need to read the specific steps required by the code. The management team needs to have a thorough understanding of the guidelines in the code, be committed to implementing the entire system and lead by example. Generally, the manufacturing facility will cover the fees and expenses incurred for the audit.
The typical process includes identifying the scope and products covered, choosing a date, choosing an auditor, preparing the documents, and having records available for review. The manufacturer will need to identify an employee and a backup employee who will be responsible for managing the details of the audit.
How can the facility prepare for the audit? Work to be audit ready at all times, stay up to date on changes and update the programs accordingly. Also, conducting an effective internal audit is the best preparation for the real thing.
As for the work area, set up an area or room where the auditor can use a computer with internet connection. Have documents and records organized and readily accessible and provide snacks, beverages and a light lunch on site. Creating a welcoming atmosphere and having a positive attitude establishes a comfortable tone for the audit tasks.
What happens during the audit?
- Senior management will introduce people who will be involved with the audit and review exclusions during an opening meeting.
- The auditor will set up the workspace and get basic information about the facility.
- The auditor will have his or her preferred list of documents to look at first. This typically will include the HACCP plan.
- The auditor may decide to walk through the site after reviewing the food safety plan.
- It is common for an auditor to request to see the process, starting with receiving raw materials and following the process through shipping. In a ready-to-eat facility, a path should be followed to prevent cross-contamination.
- The walk-through tour will likely include asking employees a few questions as a way of verifying procedures and training through interview.
- The auditor will use records, interviews and observations as evidence to support compliance or their decision to issue nonconformances.
- Each auditor will have his or her own process of touring, interviews and reviewing documents.
- Virtual audits are being held using technology when facilities are enforcing no visitor policies.
- The auditor will review the nonconformances with the practitioner prior to the closing meeting.
- A closing meeting with senior management will be held.
- Each audit will have a different length, varying from two hours to a few days.
What happens if there is a nonconformance found? Three levels are typically defined by the code: minor, major and critical. Corrections can be completed during the audit, but preventive action reports will need to be submitted for review. Each audit will have a different grading scale or criteria for “passing.”
What is in a corrective action report?
- Code element.
- Observation of nonconformance.
- Immediate corrective action.
- Root cause analysis.
- Preventive action.
- Date completed.
- Person responsible.
- Reviewed by technical person.
When is the certificate issued? Each program owner will set his or her own time period for the certificate to be issued. A recertification audit is required annually for GFSI codes, and some non-GFSI certificates will cover two to three years.
What do all audits have in common? The goal is to drive continuous improvement.
- PLAN what you are going to do.
- DO what you say you are going to do.
- CHECK the records and product.
- ACT to correct and improve the process.
For more information or on-site help, contact FAPC for assistance with mock audits or the programs needed to maintain an audit-ready food safety system.