There are quite a few changes to the issue 6 internal auditing section, for both basic and high hygiene sites, plus an additional clause if you’re a high hygiene site. We’ll go through them one by one.
You now need to determine your audit frequency based on risk. This means you need a documented risk assessment.
The risk assessment needs to take into account two aspects:
- the ‘performance’ of that topic over the last 12 months
- the severity of the risk if it was to go wrong.
BRC also suggest that you should take into account the number of non-conformances raised on the last audit, but you don’t have to do this – and we would strongly recommend that you don’t.
By using this method, you are essentially saying that finding non-conformances is a bad thing, because it means you’ll need to do your audits more often. The result is that people will be reluctant to raise non-conformances – and we don’t want that, because finding non-conformances is a good thing, as it means that they can be fixed.
We assess the performance of a topic by looking at whether it has created an issue in the last 12 months, that is, whether it has caused any complaints, incidents or withdrawals. If it has, then this means that the topic is not performing well and therefore needs more attention (i.e. auditing more to make sure it works).
So, to do this, you’ll need a scoring system which determines how many complaints, for example, produce a high risk result, how many a medium risk result and how many a low risk result. Any incidents should really create a high risk result.
It’s best to keep this simple and work out if each topic manages product safety, legality or quality.
Then you can say:
- product safety = high severity
- legality = medium severity
- quality = low severity
Where the topic covers more than one subject, we always go for the worst case.
Performance x severity
Then you need to combine the two scores and work out what the overall risk rating will be and therefore, the frequency at which the audits must be done. For example, low risk audits you may do annually, medium risk may be done 6 monthly and high risk audits once every 3 months.
And don’t forget, your minimum audit frequency must be at least annually, in order to comply.
A watch out!
When issue 7 of the BRC Food Standard was published in 2015 the internal audit clause was updated to say that internal audits must be scheduled throughout the year.
The ‘throughout’ was important as it meant you could no longer do all of your internal audits in one go. Some sites were using a consultant to come in and do their internal audits for them, all in one day. The BRC didn’t want this, as it wasn’t checking that the systems were working all year round.
Then, when issue 2 of the BRC Agents & Brokers standard was published in 2017, the term ‘throughout’ was used for internal audit scheduling again. So, it seemed that BRC were adding this requirement to all of their Standards. They also added in the interpretation guidance for internal audits (not into the clause itself) that there should be at least 4 internal audit dates scheduled throughout the year. So, now you had to do them throughout the year AND you needed to do at least 4 days.
When issue 8 of the BRC Food Standard was published in 2018, the requirement for 4 separate audit dates was also included.
So – when the issue 6 internal auditing section of the BRC Packaging Standard was published we expected it to say that you needed to schedule your audits throughout the year with at least 4 audit dates. But no, that wasn’t the case.
However, a word of caution – the fact that it’s in all of the other Standards sort of sets a precedent and your auditor may expect to see this anyway. So, it would be our recommendation to follow this requirement. Or, at the very minimum, make sure that you do more than one audit and that they are equally spaced across the year.
The scope of the internal audit is basically a documented layout of what you are going to audit. If you’re auditing to the clauses of the BRC Standard, the clauses would be your scope.
BRC have amended this clause to specify which topics as a minimum you need to cover. But when you read it, they list out all of the elements of the BRC Standard. So, basically you have to audit it all.
Auditing against the BRC Standard is the easiest way of ensuring that you are compliant, because then you know if you’ve got it all covered.
Your internal auditors have to be trained and they have to be able to prove to the auditor that they are competent. Your auditor will assess this both by looking at their training records and by looking at the quality of their audits.
For issue 6 BRC have stated that the auditors must not only be independent from the process being audited, but also from the activity being audited. This is so that they are impartial and there is no conflict of interest.
If you need to train your internal auditors, we have a great course for you to use – our Best Practice Internal Audit course. The course is available in eLearning or distance learning format, or we can even come to your site and train a group of up to 12.
Corrective and preventive actions
When closing out actions, your audit report or action reports need to detail who is responsible for closing out the actions. This person doesn’t need to actually close out the action themselves, they can delegate it, but ultimately they have to make sure it gets done. So, go back to your documentation and make sure you’re already doing this and that it’s clear who is responsible for each action.
If you’re a high hygiene site then you now also need to put GMP inspections in place. A GMP inspection is a practical type of audit, which looks at the practices in the factory. It must as a minimum look at hygiene standards, clean as you go and fabrication.
How often you do them needs to be determined using risk assessment. If you produce food contact packaging, they would need to be done more often in open product areas than in enclosed product areas.
To give you some idea of frequencies – the BRC Food Standard says that in open food areas, the GMP inspections must be done at least monthly. Where the product that is being made is high risk, then they would need to be done more than that.
Again, use a similar principle for working out your frequencies as we did for the internal audit topics. Think about the number of complaints or incidents that GMP has caused and also the severity of what would happen if they went wrong.
If you have any questions about this subject, please just pop them in the comments box below.