Internal audits – planning for success!

In this post we’re going to cover clause 3.4.1 of the BRC Food Safety standard, which is all about ensuring that audits are planned effectively. Internal auditing is a fundamental section of the BRC, so it’s really important that we get it right.
An effective internal audit system is the backbone of everything we do – if we look after our internal audits, the internal audits will look after everything else.
“Clause 3.4.1:  There shall be a scheduled programme of internal audits throughout the year with a scope which covers the implementation of the HACCP programme, prerequisite programmes and procedures implemented to achieve this Standard. The scope and frequency of the audits shall be established in relation to the risks associated with the activity and previous audit performance; all activities shall be covered at least annually.”

Reference: BRC Global Standard for Food Safety Issue 7

There are 4 key elements in this clause:
  • Audit program
  • Scheduled throughout the year
  • Audit scope
  • Frequency based on risk
I’m going to go through each one of these, so you can assess your current system against them – to check you’ve got everything covered.

Audit program

The standard clearly states that the program needs to audit HACCP, your pre-requisites and procedures implemented to meet the BRC standard.  So, basically, it’s saying it needs to audit everything in the BRC standard.

I often see an audit program at site when I’m auditing that only covers a handful of the elements in the BRC standard.  I can understand why sites do this: carrying out a lot of audits is a real burden to the site. However, if you don’t audit all the requirements, how can you know that they are working effectively?

The easiest way to ensure that you meet all of the requirements of the BRC standard is to have an audit for each section.  If you don’t do this at the moment, go through the sections of the BRC standard and compare them to your current audit program – are all of the requirements covered?

Scheduled throughout the year

You must have a schedule of your audits.  You can show this using a Word or Excel file, or you can have a wall planner with them all on.  It just needs to show all the audits that need doing and when each one will be done.  It’s a good idea to use your schedule to also plan who is going to do each audit, and colour code them for when they are due, complete or overdue.

In issue 7 the wording ‘throughout the year’ was added to the clause – this was to stop sites carrying out their internal audits all in one go by scheduling one big audit once a year.  You now need to schedule your audits evenly throughout the year – to prove that you’re always assessing performance.

If you use a consultant to do your audits, you can still continue to do this, but they can’t do it in one hit – you’ll need to book them to do it over the year. I would suggest breaking them up into quarters (so your consultant audits you once every 3 months).

Audit scope

This is one point that quite often gets missed.  Your audits need a scope.  This means each audit needs to have a documented scope, detailing what is going to be audited.  If you’re using the clauses of the BRC standard, your scope can be all the clauses you’re going to audit against. If you audit to your own procedures, your scope should list the document references of the procedures that you’re going to audit.

Tip – make sure the scope for each audit starts with a point which checks to make sure that the non-conformances from the previous audit have been closed out.

Frequency based on risk

The frequency of your internal audits needs to be based on risk.  This means you need to carry out a risk assessment and work out a method that maps each risk result to an audit frequency.  For example, low risk may be annually, medium risk may be 6 monthly and high risk might be quarterly. Make sure that every audit is carried out at least annually though, as this is a requirement of the BRC.

What I find sites forget to do however (which is clearly stated in the standard), is risk assessing:
“the risks associated with the activity and previous audit performance”

When it says the risks associated with the activity, the activity is the scope of the audit.  So for example, for calibration (which would include scales for average weights) what would be the risk of calibration not being effective?

It also says the risk associated with the previous audit performance.  So, you need to take into account the number and type of non-conformances that were raised the last time this audit was completed. This means that if no non-conformances were picked up because the systems were found to be effective, you can reduce the frequency of the audit (as long as it’s no less than annual).  Or, if there were a lot of non-conformances raised because the systems were found to not be effectively working, then you would want to increase the frequency of the audit.

In the next post I’m going to go through internal audit teams, training and making sure you’ve got the right people available for the audit. Any questions or anything specific you’d like me to cover, just let me know by adding your thoughts to the comments below.
