One of the standard questions one should ask when conducting an audit is, "Do you have an internal audit program?" In many cases, the answer is something like, "Of course; we do monthly sanitation checks," or something along those lines. An internal audit is much, much more than that. It is (or should be) an intensive assessment of all elements making up the food safety management system (FSMS); it is not merely an "audit." 

All audits should incorporate an assessment, but they often do not. In fact, it is a sad fact that many third-party audits have developed into simple "checklist" audits. A checklist audit is easier to do and takes less time. The auditor simply "checks the box." The facility has a pest control program—check. It has a program for cleaning and sanitizing—check. The list goes on. 

An assessment, on the other hand, is an integral element of the Food Safety Modernization Act (FSMA) and the ISO 22000 standard, "Food Safety Management Systems—Requirements for Any Organization in the Food Chain." Both call for assessments of the system, which means it is up to the auditor to not only "check the box," but also dig down, look at the different elements, and determine whether the program is not only effective, but is also being followed as developed, documented, and implemented. In other words, the auditor must determine if the program is being properly maintained.1

The best description of what is expected of an internal audit program may be found in the original ISO 22000 standard as issued in 2005, in Section 8.4.1. The standard reads as follows:

The organization shall conduct internal audits at planned intervals to determine whether the food safety management system

a)    Conforms to the planned arrangements, to the food safety management system requirements established by the organization, and to the requirements of the International Standard, and
b)    Is effectively implemented and updated.

An audit program shall be planned, taking into consideration the importance of the processes and areas to be audited, as well as updating actions resulting from previous audits (see 8.5.2 and 5/8/2). The audit criteria, scope, frequency and methods shall be defined. Election of auditors and conduct of the audits shall ensure the objectivity and impartiality of the audit process. Auditors shall not audit their own work.

The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records, shall be defined in the documented procedure.

The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected non-conformities and their causes. Follow-up actions shall include the verification of actions taken and reporting of the verification results.2

So, what is expected of a food processor when it comes to developing, documenting, and implementing an internal audit program? The program must be designed to audit each element making up the FSMS. The program should include, but need not be limited to, the following:

  1. HACCP/food safety
  2. Good Manufacturing Practices (GMPs)
  3. Personal hygiene
  4. Clothing
  5. Water quality and safety
  6. Document control
  7. Process operations (plant dependent)
  8. Calibration
  9. Non-conforming product
  10. Positive release
  11. Allergen control
  12. Chemical handling and storage
  13. Pest control
  14. Traceability
  15. Receiving
  16. Shipping
  17. Laboratory operations
  18. Corrective and preventive actions
  19. Incident reporting
  20. Preventive maintenance
  21. Cleaning and sanitation
  22. Change management
  23. Education and training
  24. Food defense.

Other areas may need to be included in the program.

Audit forms or checklists, as well as procedures for evaluating each area of the plant being audited, shall be developed. These shall reference the procedures to be audited by name and/or number, records to be reviewed, verification activities that are subject to audit, education and training for persons working in the area, and how observed deviations or issues shall be reported. Audit forms shall be reviewed and updated, as required, to ensure that they are consistent with procedures.

Audits shall be conducted by in-house personnel. Auditors may be trained in-house or through an outside agency, such as an ISO certifying body, industry expert, or other agency. Training records documenting that persons designated as internal auditors must be maintained. Additional training on in-house programs shall also be established. The processor must also establish enough internal auditors so that each area of the FSMS can be evaluated independently. As the ISO standard states, "Auditors shall not audit their own work."2 This can be a challenge with very small companies; such operations routinely cross-train their employees so they can perform other tasks. In such cases, independence will be a challenge. This will need to be acknowledged and documented as part of developing the program.

Once the company has established a cadre of auditors and has determined what programs make up the FSMS, it is up to the company to establish an audit schedule. The manager of the internal audit program shall prepare a schedule to ensure that all areas subject to audit are audited at least once a year. There may be areas that the manager of the program and the food safety team deem to be high risk. These areas may be subject to the internal audit two or even three times per year. This schedule shall be prepared yearly. When a third-party audit is finished, the entire program is subject to being audited within a short time frame. The internal audit program may be scheduled throughout the year. This allows time to audit and assess each area making up the program, prepare a report, and take steps to address any deviations or areas where problems were noted.

The internal auditors will utilize forms or checklists when conducting the audits. They shall make sure that workers are following the documented procedures for the area being audited. This includes the actual tasks as documented, as well as maintenance of records. Auditors shall take their time and observe how the tasks are performed over extended periods. The more one watches, the greater the chances of finding issues. 

An example of how watching an operation is important: A colleague was asked to audit a facility. The person found a perch above production and stayed there for several hours. The plant manager walked by a few times and was not pleased to see the person not moving. After three hours, he beckoned, and my colleague came down. The plant manager started to complain, and was stopped when the auditor showed him a three-page list of issues that were observed. 

The auditor shall also evaluate the documented protocols and note whether they can be improved. The program should not be designed to simply evaluate whether the protocols are being followed, but also whether the program can be improved. This is why these audits are deemed an assessment and an integral element of a company's continuous improvement program.

Any non-conformities noted during internal audits shall be written up and subject to corrective and preventive actions (CAPA) in compliance with the company's CAPA program. The nonconformities will be reviewed with management and the individual responsible for managing the area being audited. The manager will be tasked with developing a corrective action program with timelines and a budget (if needed) for each issue. The corrective action program will be presented to the management team and auditor for review and updating, as needed. The manager of the internal audit program will need to verify that nonconformities have been properly addressed (i.e., that the corrections were made), were effective, and helped improve overall operations.

Internal audits are a fairly new concept in the food industry. They are an excellent tool for ensuring that the food safety management system is functioning as designed (i.e., that it is properly maintained). These types of audits should be an integral element of the verification program and, as noted, an important tool for continually improving a company's FSMS.

References

  1. Park, D.K. "The Difference Between a Food assessment vs. a Food Audit." Food Quality & Safety. May 15, 2019. https://www.foodqualityandsafety.com/article/difference-between-food-assessment-vs-food-audit/.
  2.  International Organization for Standardization (ISO). "ISO 22000: Food Safety Management Systems—Requirements for Any Organization in the Food Chain." Geneva, Switzerland. 2005.