In this article we’re going to cover how to implement a robust and effective internal audit programme, which is required for compliance to the following standards:
|BRCGS Food Safety Issue 8||3.4 Internal audits|
|BRCGS Packaging Issue 6||3.5 Internal audits|
|BRCGS Agents & Brokers Issue 2||3.5 Internal audit|
|Storage & Distribution Issue 4||3.2 Internal audits|
|FSSC22000 Version 5.1||ISO22000:2018 section 9.2 internal audit|
|IFS Food Version 7||5.1 Internal audits|
|SQF Edition 9||2.5.4 Internal audits and inspections|
Because internal auditing is so important to a compliant management system, it’s a fundamental* requirement of the standards. This means, that failure to comply can have serious consequences, which in the worst case can mean failing your audit.
*BRCGS call it fundamental, SQF call it mandatory and IFS call it a knock out – but they all mean the same thing – if you fail it’s serious!
As we don’t want that to happen, let’s look at the each of the main parts required in detail to comply, which are:
The word scope is used a lot in compliance, so it’s important that we’re clear about what it means. It means you must define what the system is going to cover. What’s included and what’s not included.
To do this, you need to document what your internal audit system is going to audit.
To meet the requirements of your certification, your internal audit system must cover everything that is covered in your Standard.
Many of the standards state examples of what should be audited, but please keep in mind that these are just that – examples. You need to audit those listed as examples, plus everything else in your Standard.
If you don’t cover everything in your internal audit system, then you’re at risk of non-conformances getting picked up in your external audits – which really should have been picked up internally first.
The easiest way to do this, is to create an internal audit system that is built using your standard as the scope. This means, you would use the clauses of the Standard, and literally audit them all.
The other way of doing it is to audit your own procedures. However, please implement this with caution. It means that you’re only auditing what you say you’re going to do, and not what you should be doing. If your Standard changes, then this won’t get picked up if your procedures haven’t been updated.
Tip – make sure the scope for each audit starts with a point which checks to make sure that the non-conformances from the previous audit have been closed out.
Once you’ve got your scope of what you’re going to audit sorted, the next thing you need to do is work out how often you’re going to do each audit.
The frequency of your internal audits needs to be based on risk. This means you need to carry out a risk assessment.
When carrying out the risk assessment to determine frequencies you must work out a method of calculating risk. There must be an input and an output.
We know the output is frequency, so the risk must be related to frequency, for example:
- Low risk may be annually
- Medium risk may be 6 monthly
- High risk might be quarterly
Make sure that your maximum frequency is annual though, as this is a requirement of all the standards.
The input of the risk assessment must provide evidence about the performance of the management system. This is something that is commonly forgotten. So, the risk assessment must include a measurement of the effectiveness of the management system.
BRCGS state that the risk assessment must include “the risks associated with … previous audit performance”.
This implies that you need to take into account the number and type of non-conformances that were raised on the last audit. However, we wouldn’t recommend this because it drives the wrong behaviour. Your auditors are not going to want to raise non-conformances if they know it means that the audit will need to be done more often. And, the auditee will not want to receive non-conformances if they have a negative association to them. This creates a culture where non-conformances are seen as a bad thing, when they should be seen as a good thing. Finding non-conformances means they can be fixed; which means that they won’t get picked up by an external auditor, or even worse, cause a problem.
This is why we use monitoring information about how the management system has performed in the last 12 months, such as complaints, non-conforming product and incident data.
The second point that the input to the risk assessment needs to take into consideration is the impact if the subject to be audited, was to go wrong.
We would use the typical severity risk assessment for this and keep it simple, by assessing each subject for product safety, legality or quality. For example:
- Product safety = high severity
- Legality = medium severity
- Quality = low severity
Where the topic covers more than one subject, we always go for the worst case.
Then you need to combine the two scores for performance and severity and work out what the overall risk rating is – this should then give you a frequency.
Once you’ve worked out what audits are in your scope and the frequency for each of these, you need to plan them out – this is called scheduling. This means they must be pre-planned with dates set. The exact date doesn’t have to be set, but the month or at least quarter it’s to be done must be documented.
The audits must be scheduled throughout the year. The word ‘throughout’ is important, as it means the audit dates must be spread across the year – you can’t do them all in one go.
The number of dates that are required throughout the year to complete the internal audits depends on the Standard:
- BRCGS Food Safety Issue 8 is at least 4 dates (clause 3.4.1)
- BRCGS Agents and Brokers Issue 2 is at least 4 dates (interpretation of clause 3.5.1)
- BRCGS Packaging Issue 6 does not specify how many dates or that it should be throughout
- BRCGS Storage & Distribution Issue 3 is at least 2 dates (clause 3.2.1)
A word of caution for BRCGS packaging sites: The standard doesn’t specify that the audits should be scheduled throughout the year or that there must be a minimum number of dates, but the fact that it’s in all of the other Standards sort of sets a precedent. This means that your auditor may expect to see this anyway, so it would be our recommendation to follow this requirement. Or, at the very minimum – make sure that you do more than one and that they’re equally spaced across the year.
Your auditors need to be:
Training can be completed either by completion of:
- An internal training course
- An external training course (which may or may not be accredited)
If you provide an internal (in-house) training course, your training materials will need document control, so you can prove what was taught during the course.
The teacher will also need to have both:
- A teaching qualification
- A qualification in internal auditing.
External courses can be split into three categories:
- Independently certified
An accredited course in the UK means that the training provider and the qualification has been recognised and approved by OFQUAL. This means that the training provider adheres to the OFQUAL Conditions of Recognition. It’s a bit like a manufacturing site being approved to a certification standard – where you’ve got to comply with the clauses of the standard.
Accredited courses in our industry, historically have been preferred but aren’t a requirement of any of the standards. And they do have their disadvantages – which we’ll go through.
It takes a huge amount of work to become recognised and get qualifications approved with OFQUAL, so that they can be labelled as accredited.
An alternative is for training providers to get their course recognised by an official body. This means that the course has been reviewed by the given body and they’ve deemed it to be of a standard that they’re happy with.
The problem with this type of recognition is that the body assessing the course, isn’t necessarily a specialist in the given field. Therefore, they’re not assessing the content. This means you’d need to be pragmatic when looking at recognitions.
The last option is where the training provider approves their own course. This is sometimes the best option – for example, from our own experience we’ve tried and tested both accredited and recognised routes and found that they’re not for us.
To be recognised by OFQUAL, there’s set and stringent standards to comply with – which we love, as we love structure. However, this extends to the content of the course. The courses you provide must be equivalent to what’s already out there and this isn’t what we wanted to do. We wanted to build courses that were fit for the industry today, not to replicate courses that were designed in 1980’s for example.
We also tried getting recognition and went for one of the most well-known providers. Unfortunately, this didn’t add value, we just paid for the privilege and it didn’t drive any improvement. The recognition body even asked for the answers to the test questions, so they could pass without taking any notice of the course content. Which seemed to defeat the object to us.
Which is why we’ve come up with our own certification programme. We have used what we learnt from the OFQUAL recognition process to build a robust course development and approval process.
Which one is best?
There isn’t a best type of course to choose from, the most important thing to take into consideration is the content of the course and the competency of the results it provides. Getting a 100% pass rate doesn’t make it a good course, if the learner hasn’t been taught what they need to do the job right. Competency is key, which we’ll come onto next.
Your auditors have to be trained and they have to be competent. This means they have to do the auditing task correctly and really challenge the system they’re auditing.
This element of the standard would only normally be challenged if your external auditor thought that the internal audits that had been carried out were not reflective of the standards they were seeing during the audit. Basically, if your external auditor doesn’t think the quality of your internal audits are good enough, one of the things they can put this down to is the competency of the auditors.
Competent auditors need:
- Training on how to audit
- An understanding of the subject
- A problem seeking mind
We’ve already covered this. Your auditors need to be trained in internal auditing.
Understanding of the subject
To be able to provide robust audit, the auditor must have a thorough understanding of the subject that they’re auditing.
Think about it:
- Would you ask your doctor to check if your boiler was working correctly?
- Would you ask your car mechanic to give you a health check?
That’s why you shouldn’t ask internal auditors to audit subjects that they’ve no understanding of. Auditors need training in the subject matter that they’re going to audit. Really, if you think about it – internal auditors should be the most knowledgeable people on site. They’ll need to really know the detail of each part of the standard, because if they don’t, they won’t know whether what they’re looking at is right or not.
If you’re on the HACCP team you’ll know what a complicated subject it is and how much you need to know and remember to pass a HACCP course. So asking someone to complete a HACCP audit who hasn’t passed a HACCP course is a lot to ask. It would be right to assume that in these circumstances you wouldn’t get a thorough audit and that you’d then get non-conformances on your HACCP audit by an external auditor.
Internal auditors are superstars, so we think of the audit team this way. They protect your site from product contamination issues and from non-conformances from external auditors. Your internal audit system will work much better when you train them in their subject matter, so that they can do their job properly.
Provide your internal auditors with the best training. In both internal auditing and also in the subjects that they’re going to audit.
We want to change how internal auditors are trained so that they can be equipped with the knowledge they need, to be able to audit their systems really, really well. This is so that, there are no non-conformances left behind for external auditors to find.
That’s why we’ve developed an internal auditing course which teaches your internal auditors how to audit to a best practice standard, but it also teaches them the standard in detail, so they know the content of what they’ll need to audit. Our Best Practice Internal Auditing course, teaches how to audit internal audits, corrective and preventive actions, root cause analysis, senior management commitment (including culture), training and document control.
After this training, your internal auditors can take their training further if they want to go on to audit other parts of your standard, such as HACCP. We’re building and launching mini trainings that your auditors can complete, before they audit the various parts of the management system.
A problem seeking mind
You’ll have heard many external auditors say that they’re looking for compliance, not non-compliance. When you’re carrying out internal audits, your auditor needs to look for problems.
Finding a problem is not a bad thing, that’s what an internal audit is for – the aim of the game is to find the problems before someone else does (such as a customer or a third-party auditor) or before things go wrong and cause a real-life problem.
Remember, a non-conformance found on an internal audit is an opportunity to improve, and one less possible non-conformance on your external audits.
Finding problems comes with experience. Below is a list of things that the most experienced auditors do:
- Don’t be rushed when in the factory. Stop and look around. Look up to see if there’s anything that could fall and contaminate the product. Look behind things, under things and on top of things. Look inside cupboards, or anything can be opened safely. Watch what people are doing. Train yourself to see things, as if you’re seeing them for the first time. If you rush, you’ll not see what’s right in front of you.
- Auditing is no longer just about the risk to food safety, it’s wider than that now. Product integrity is really important too so think about what the customer’s perception of the production area would be. One technique is to think about what your mum would think (as a typical consumer) if they could see what you can see. Another useful technique is to frame what you’re looking at with your hands, like you’re framing a photo. Once you’ve framed it with your hands, think about what the implications would be, if that photo was to make it into the media. It’s a really good way of seeing things clearly, exactly as they are in front of you.
- Always ask for evidence. If you can’t prove something happened, in the auditing world, it may as well have not happened. Ask for records to prove the clause that you’re auditing.
- Process, process, process! If a process is required to complete a check or carry out a task – is it written down? If not, how do people know the right way to do it? A great auditor will think to themselves – “if I was having to do this job, would the information given to me – be enough for me to know what to do?”
- Always check training. Just like with evidence, you can have all the best procedures, but you’ll need to be able to prove that the people who are carrying out these tasks are trained. Pick one or two procedures from each audit, look at the records from the procedure in question and then pick a couple of people who completed them – then follow their training through.
- Follow your nose. An experienced auditor won’t audit every single clause of an audit, one-by-one, they follow their instincts. They’ll start auditing against the clauses, but then if something doesn’t feel right, they’ll deep dive into that particular element. If something doesn’t feel right to you, follow your instincts and look into it further.
- Walk and talk it through in practise. Ask operators to actually carry out their tasks for you, rather than just explaining them to you. While they’re doing it, ask them to explain it to you, as if they were teaching you to do it. Compare what they’re doing to the procedure as they do it. You’ll find that this highlights lots of problems with the procedures and the interpretation of what’s required.
- Always check the document control. Every procedure or record form should have document control – so a great auditor will check it on every document they look at. Compare it to the document control log to see if the one in use is the current version.
- Cross check! Wherever there are key pieces of information, settings or specification limits written in more than one place, cross check each document to make sure they’re all the same.
Auditors must be independent from the process being audited, and also from the activity being audited. This is so that they’re impartial and there’s no conflict of interest.
The standards are very clear that auditors cannot audit their own work – as they’d be biased. For small teams this can be a challenge; when members of the team wear many hats – and they do, in some cases this means that external assistance to complete some of the audits is required. If you use external auditors to help you, make sure that you get copies of their training qualifications.
The standard not only states that you shouldn’t audit your own work, but you also shouldn’t audit work that you’re responsible for. This means that you can’t audit your own work and you also can’t audit any work that a member of your team has completed if there’s a conflict of interest.
Think about how you’ll apply this requirement for GMP inspections too – as a GMP inspection covers so many areas and responsibilities, which means finding someone that’s independent can be tricky.
When writing the audit up, you’ll need to write about compliance and non-compliance (for systems audits, this doesn’t apply to GMP inspections – which we’ll come onto).
This means that you’ll need to say what was right (compliance) and what was wrong (non-compliance) and you’ll need to provide evidence of what you audited. This is to stop audits being carried out as a tick box exercises.
Recording evidence means that you’ll need to record things like:
- Who you spoke to,
- the document reference and version you audited,
- the date and document reference of the records you audited,
- the date that someone was trained
- what document reference they were trained to
- and photos etc.
Basically, you’ll need to make sure that if an auditor checks the audit, they can see the same documents that you were auditing and come to the same conclusions about the result.
In order to make an internal audit system effective, it’s really important that the right people are involved. They’ll also need to be really engaged in the process. It’s easy to focus on just getting the internal audits done and to forget to involve those that are responsible for what’s being audited.
Without involving the auditee, they’re not engaged in the process and this will massively reduce the effectiveness of the audit – it’s a bit like only carrying out half an audit, because only half of the people needed are actually involved.
When organising internal audits, make sure that you organise not only the person that’s going to carry out the audit, but also the person who’s being audited. This helps to drive improvement – for both the auditee, because they understand more about what is required and also the for the auditor as they learn more about practical aspects of the topic. It also helps to make sure that the auditee understands any non-conformances that are raised, as this will help to ensure that the correct element of the audit is rectified.
When closing out actions, your audit report or action reports need to detail who’s responsible for closing out the actions. This person doesn’t need to actually close out the action themselves, they can delegate it, but ultimately they’ll have to make sure it gets done.
Once a non-conformance has been completed it must be verified before it can be closed. This is the part of the system that is frequently forgotten and it’s the main reason why the same non-conformances get raised again and again. The person who verifies the non-conformance must be impartial from the person that completed the action.
If you’re a food site, a high hygiene packaging site or a storage and distribution site, you’ll need to do GMP inspections.
A GMP inspection, isn’t a systems audit, so you don’t have to record evidence of compliance and non-compliance. It’s a more practical assessment, hence why we call it an inspection (not audit) and you can use more of a tick box exercise to show whether the points are compliant or not. And then, where there’s a non-compliance, then you’ll need to provide more detail of what was wrong and what needs doing to correct it.
As a minimum GMP inspections must look at hygiene standards, clean-as-you-go and fabrication.
How often you do them, needs to be determined using risk assessment. If you produce food contact packaging, they’d need to be done more often in open product areas, than in enclosed product areas.
To give you some idea of frequencies – the BRCGS Food Standard says that in open food areas, the GMP inspections must be done at least monthly. Where the product that’s being made is high risk, then they’d need to be done more often than that.
Our best practice internal audit course is definitely your next step if you’re looking to improve your internal audit system or need to train your own auditors. The course comes in different formats so there’s a course that will suit the learning style you’re looking for here.
Check out our video to find out more.
We've tagged this article as: Internal audits
If you've enjoyed this post why not try these related articles…
Remote auditing tools
In this article we look at the software and hardware that can be used for remote auditing.
Is this the future of internal audits?
In this article we look at what internal auditing could look like in the future and how a transparent supply-chain could provide huge benefits for sites, customers and retailers.