Food for thought
How do you interpret ‘previous audit performance’?
We’d like to share with you how we interpret ‘previous audit performance’ from clause 3.4.1 of BRCGS Food (this applies to the other standards too).
It would be great to hear your views on the interpretation and if you agree.
Internal audit frequency risk assessment
The BRCGS Food Safety Issue 9 standard states that the frequency of internal audits must be based on risk, which takes into account previous audit performance. This document explains how ‘previous audit performance’ has been interpreted for audIT.app and why this interpretation provides a more robust solution.
BRCGS Food Safety, Issue 9 – Clause 3.4.1:
“There shall be a scheduled programme of internal audits. At a minimum, the programme shall include at least four different audit dates spread throughout the year. The frequency at which each activity is audited shall be established in relation to the risks associated with the activity and previous audit performance.”
The definition of ‘previous audit performance’
The standard states that a risk assessment must determine how often audits must be completed, which makes perfect sense. The problem is that it then goes on to state that this must include consideration of the ‘previous audit performance’.
One way of interpreting audit performance is to look at the audit result. If you have a good audit, the frequency in the future can be reduced. And reversely, if you have a bad audit, then the frequency of subsequent audits should be increased.
The issue with this interpretation of the standard, is that it promotes a culture where identifying non-conformances is a bad thing. Because if you do, then you’ll need to complete more audits. However, if you don’t look too closely and complete the audits without finding any non-conformances, then you don’t have to do any more audits. This clearly isn’t what the standard wants, as it doesn’t promote continuous improvement.
The other problem with previous audit performance is that if you complete the risk assessment once per year, it means that a ‘poor’ audit result could wait a further 11 months before it’s actioned. And, if the audit is completed poorly, so that no non-conformances are raised (even when they should have been), then the result is even worse.
The alternative interpretation
If you think that about what the standard is trying to achieve here, when interpreting ‘previous audit performance’, you can apply a different approach.
Let’s look at it differently – the standard is asking you to determine how the auditor performed when they carried out the previous audit:
- Did the auditor do it well and identify the applicable non-conformances?
- Did the auditor perform poorly and not identify the non-conformances that should have been picked up?
What the standard is aspiring to, is for you to monitor the performance of the topic that’s being audited, to determine if the audit was carried out effectively, and to do this – you have to look to other non-conformances.
In audIT.app we use non-conformances which indicate an issue with the topic, to drive the risk assessment. This means, that complaints, incidents, and non-conforming product provide the measurement you need to establish if a topic is performing.
Because this is a lagging indicator, it wouldn’t be adequate for you to carry out this risk assessment annually, as the standard currently defines. Which is why audIT.app does it monthly. That way, the system can react immediately to any issues. These lagging non-conformances identify a problem quickly, which then increase the frequency and if the problem persists, then additional audits are completed.
To really achieve continuous improvement though, the information from the lagging non-conformances is used to establish the problem. This is then used, to identify which parts of the audit needs to be audited again – and rather than just repeating the audit, a deep dive of that part of the audit is completed.
In our opinion, looking at the auditor’s performance of the previous audit, provides a much more robust process. It also gives a clear continuous improvement method to apply, as you can dive deeper into areas that need improvement.
What are your thoughts?
Our Audit team conduct audits to a monthly schedule ensuring that all sections of the standard are covered at least once annually. Internal auditors are always given the previous audit to ensure that any NC’s and OFI’s are closed out/considered.
We summarize all our audits to a corrective action/suggested action listing of audits which have had issues, showing root cause analysis,action and preventative actions and completion date./signed off. This way we can then keep track of it all and also see if there are any patterns for improvement.
Within our risk assessment for internal audits, we state:
Normal audit frequency will be 1 audit annually. If a major N/C is raised a re-audit is to be undertaken
within 1 month and the audit frequency to be suitably increased until satisfactory compliance is found. 3
monthly/ 6 monthly.
Repeated minor N/C will also result in audit frequency review increasing to 6 monthly /3 monthly until
consistent compliance found.
We feel that this has worked within our company to monitor previous audit performance and continue to follow this as it has been so far very effective.
My interpretation is that internal audits are both re-active and pro-active. Re-active discovers the non-conformance and an immediate corrective action takes place. But in defining the root cause of the non-conformance, we establish pro-active preventive actions. I find that identifying a non-conformance is not the end to a successful internal audit. Re-evaluation is necessary to ensure the corrective/preventive action has eliminated or reduced the reoccurrence of the non-conformance. Just because it works once, doesn’t necessarily mean it will work all the time. Continued improvement is the goal of any internal audit. Risk analysis establishes the schedule for the internal audits to be conducted. Further risk analysis verifies and/or validates whether the identified non-conformance from the internal audit is successful in promoting continued improvement.
My opinion is that the previous audit performance should always be taken into consideration and reviewed.
In my 47 years of manufacturing companies often just focus on the here and now and when they close out an issue never return to check.
If an issue has arisen previously then it is clear it was not being measured or managed correctly or even at all .Sense checking frequently continually improves a business and protects product and business safety.
My team conduct quarterly internal audits (i.e. every 3 months) and will continue with that frequency, regardless of the audit result. There’s no harm in sticking with that frequency, even off the back of an excellent audit result. You tend to find that certain processes and procedures aren’t adhered to, so by continuing with the quarterly audits helps with continuous improvement.