Audits provide an essential tool for improving and verifying compliance performance. Audits may be used to capture regulatory compliance status; certification system conformance (e.g., FSSC 22000, SQF, IFS, BRC); and adequacy of internal controls, potential risks, and best practices.
Most regulations, standards, and certification programs require audits to be conducted with some established frequency. For many food companies, figuring out how to meet these audit requirements among travel restrictions, new company safety protocol, and government quarantines related to COVID-19 has presented a significant challenge.
The Online Alternative
Fortunately, the Global Food Safety Initiative (GFSI) and the benchmarked certification schemes have responded to this challenge, recognizing that online/remote/virtual audits can offer a viable alternative to onsite audits—even when companies are not operating in a pandemic:
- GFSI – In June 2020, GFSI introduced the use of Information and Communication Technologies (ICT) to GFSI-benchmarked certification audits as a means to partially replace aspects of onsite audits, not only during the pandemic but also for the longer term. According to GFSI, the use of remote activities is not mandatory, must be mutually agreed upon between the audited organization and the certification body, and must meet full audit objectives. In most cases, remote activities would include review of food safety policies and procedures, review of some records, and interviews with higher level management staff.
- FSSC 22000 – As of October 5, 2020, all FSSC 22000 certifying bodies can conduct full remote auditing to issue food safety and quality certification, as published in the Remote Audit Addendum. FSSC states that remote auditing (full or partial) is a vital component of the auditing future and anticipates the use of big data solutions, online verification technologies, and ongoing limitations of traveling will have a permanent impact.
- SQF – In compliance with GFSI, SQFI updated its audit policy effective June 25, 2020, to allow for remote activities using ICT during the audit process. SQFI’s approach is intended to allow the auditor to take a risk-based approach to the audit following the SQFI policy in conjunction with GFSI guidelines and best practices. Under SQF, remote activities can account for up to 50 percent of the audit duration.
- BRC – BRC announced in September 2020 two remote audit solutions, including a remote online assessment of documentation followed by a shorter onsite audit and a full remote assessment (not GFSI certified) that includes review of internal audit results, remote documentation review, and video audit of production/storage facilities.
- IFS – IFS developed a voluntary remote surveillance check for IFS certified companies to demonstrate they are maintaining supporting procedures and management processes. In addition, IFS launched its Split Assessment, which applies to recertification of all IFS standards and follows the GFSI benchmarking requirements on the use of ICT. Under IFS, the onsite visit must occur before the remote portion and be at least 50 percent of the entire assessment. The remote assessment is focused on review of documentation and records.
Regardless of the standard or the portion of the audit that is conducted in-person vs. remotely, the ultimate objective of a remote audit remains the same as an onsite audit: To obtain credible audit evidence to accurately assess compliance/conformance with identified requirements/specifications. The difference lies in the means in which that evidence is collected.
Weighing Risks vs. Rewards
As discussed above, audits can be conducted onsite, remotely, or a combination of the two. However, GFSI does not recognize a completely remote audit at this time—at least 50 percent must be conducted in person. This is because there can be some inherent risks to conducting a completely remote audit, particularly since this practice is relatively new to many organizations:
- Observation/technology limits – Observation of site conditions is limited by the ability to direct live stream video remotely. Technology can create limitations. If the camera cannot see it, neither can the auditor. Poor video quality can impede visual clarity. You don’t know what you don’t know.
- Communication confusion – It can be difficult to read body language and/or interpret emails and phone conversations to make sure communication is clear. This can require revisiting topics/findings several times to ensure accurate evidence is collected.
- Time barriers – There may be time zone and associated scheduling barriers depending on the location of the auditor and the facility.
- Legal liability - companies may have strict restriction on used of video and possible recoding because of proprietary information.
In many cases, though, companies may already be having portions of the audit (e.g., document review) done remotely. Moving to the remote world allows credible evidence to be obtained in unique ways that can offer significant benefits to a company when onsite audits aren’t possible—and even when they are:
- Reduced cost – Remote audits eliminate the expenses associated with travel (i.e., mileage, flights, hotels, meals), which can add up depending on the location and duration of the audit.
- Flexible schedule – Remote audits can be conducted on a more flexible time schedule. Auditors do not have to complete work onsite in a set number of days, as is required when traveling to a facility. The auditor can also review areas in question remotely after the audit is technically over. Note that a more flexible time schedule does not necessarily mean less time involved to conduct the audit.
- Social distancing – As CDC guidelines have recommended, it is currently safest to work remotely, when possible, or to remain six feet of social distance to avoid potential transmission of COVID-19. Through the use of technology, remote audits provide a social distancing extreme.
- Improved systems – Preparing for a remote audit provides the “push” some organizations need to improve electronic document management systems. To conduct a remote audit, documents and records must be retained in an organized manner that facilitates easy/quick access. Being able to access all documents remotely is necessary—paper records or documents stored on individual computers/network drives no longer cut it.
Considerations and Best Practices
If a company opts for a remote audit—for any portion and for any reason—there are several considerations and best practices to ensure the audit effectively fulfills its objectives and alleviates the risks outlined above to the extent possible:
- Site familiarity - Remote audits work best if auditors are familiar with the operations. While it is not necessary for the auditor to have visited the site before, that type of familiarity with the facility provides the best-case scenario, as it prepares the auditor to know what to look for (and where) and what questions to ask.
-
Careful planning - Much like onsite audits, remote audits require careful upfront planning on the part of the auditor and the facility—and perhaps to an elevated degree.
- The facility needs to collect all documents and records prior to the audit and determine best way to present that information remotely.
- Interviews are best scheduled in advance to ensure availability; however, they can be conducted on an ad hoc basis as need arises.
- It is best to plot out route and areas of specific focus for the audit ahead of time using a site map as a guide to ensure that all areas are covered and that the audit can be conducted as efficiently as possible using the allocated facility resources. An audit site guide must be assigned who is familiar with the entire facility.
- Technology needs and requirements need to be evaluated, and logistics and access should be tested prior to the audit. It is vital that all cameras, web meetings, shared document space, WiFi, and other technology is working appropriately prior to the audit or a lot of time can be wasted troubleshooting.
- Video - Videos should be live. Site walks should be led by a site guide/employee along the planned route with smart phones, iPads, etc. with live streaming capabilities. It is important to ensure that live streaming works within the facility being audited so auditors have a clear view of site conditions. Auditors can also take advantage of any in-house surveillance cameras (e.g., security or quality systems) to provide additional footage of operations, when necessary. In most cases, surveillance footage cannot replace live video.
- Web meetings - Opening, closing, and daily briefings can be conducted via web meeting. Remote audits provide the flexibility to conduct the audit in segments, with briefings following each segment. This allows the auditor to review video footage, evaluate records, and generate questions to ensure the information collected is accurate and complete.
Companies all over the world right now are continuing to establish what business looks like when it comes to operating practices, employee health and safety, business continuity—and certification and compliance. Audits are one component that can be transitioned somewhat seamlessly to operate in a pandemic-influenced environment. As long as any audit is well planned, appropriately leverages ICT, and is executed by a team who understands the facility and the requirements, it can be very effective.
Roberto Bellavia, M.Sc., is a principal and senior consultant at Kestrel Tellevate LLC, where he manages food safety-related projects and supports clients of all sizes in developing and implementing GFSI schemes, complying with regulatory requirements, and creating supply chain management programs. Roberto leverages is nearly 20 years of food quality experience to provide food safety training for companies and organizations. He has a master’s degree in Animal Production Science from the University of Camerino in Italy.
Jessica Dykun, M.Sc., is a senior consultant at Kestrel Tellevate LLC, with 15 years of experience working in the food and beverage industry, with particular expertise in food safety and microbiology. She has amassed a wealth of experience in food safety and quality to support GFSI certification efforts and regulatory compliance, and has successfully collaborated with federal inspectors to resolve regulatory issues. Jessica has an M.Sc. in food science from Kansas State University.