Internal auditing is undertaken to monitor and measure the company’s compliance against statutory and regulatory requirements and the company’s conformity with the requirements of the food safety management system (FSMS).
Internal audits are scheduled on a planned basis and conducted by trained internal auditors, whose findings are reported to management for review and action. If the audit findings highlight problems, the auditee is required to provide a commitment to addressing and resolving the issues.
The internal auditor seeks evidence of the effective implementation of the subsequent actions of the auditee.
The results of the internal audits and the overall effectiveness of the internal audit program are reported at the management review meeting
The food safety manager has the responsibility to create and manage the internal audit process. This involves establishing initial contact with the auditee(s) and reaching agreement on the following:
- Audit objectives, scope, criteria, methods, and audit team composition, including any technical experts
- Provide relevant information for planning, including information on the risks and opportunities the organization has identified and how they are being addressed
- Agree on the dates of the audit Identify the resources needed to complete the audit, including access to the required people, processes, activities, and documentation
- Assess the statutory and regulatory requirements during the audit
- Confirm the agreement with the auditee on the extent of the disclosure and the treatment of confidential information
- Confirm any location-specific arrangements for access, health and safety, security, confidentiality, or other
- Gauge the need for observers or guides
- Determine any specific areas of concern for the auditee
The output of this phase is the development of an audit program outlining the audits to be completed over a defined period. The process may also identify the internal auditor assigned to the audit. Once completed, the program will be published and communicated across the company.
Each individual internal auditor is responsible for creating the following:
- An audit plan, including audit objectives, scope, and criteria
- An audit checklist or audit protocol
- The auditing methods to be used, including the extent to which audit sampling is needed to obtain sufficient evidence for the audit Audit plans, checklists, and trails will be based on templates to ensure consistency.
Audit planning should consider the risks of the audit activities on the auditee’s processes and provide the foundation for agreement among the interested parties based on the information in the audit program and the documented information provided by the auditee.
Once documented by the internal auditor, the audit plan will be communicated to the relevant auditee(s).
Some audits will be unannounced, as directed by the food safety manager. If this is the case, no audit plan may be produced.
However, the food safety manager will fully brief the internal auditor on the objectives, scope, and criteria of the audit.
The internal auditor will conduct the audit in accordance with the plan. Audit checklists or audit
trails will be used by the auditor to record audit evidence. Audits will be conducted using interview,
observation, reviews of records and documents, and analysis of data.
Trend analysis and tests may also be utilized to gather evidence as required. The details to be recorded on the checklist or audit trails include information on the requirement that is being checked, the evidence gathered, the conformance indication, and the identification of the auditee.
In the event that an internal auditor identifies a nonconformity based on objective evidence, the internal auditor will inform the process owner/head of department about the issue and explain the nature
of the nonconformity, why it is a nonconformity, and the requirement that has not been fulfilled.
The internal auditor will document the nonconformity in the checklist or audit trail and obtain the
signature of the auditee signifying the auditee’s acceptance of the issue and the commitment to rectify
the issue. The internal auditor will classify the audit finding as major, minor, or an opportunity for
improvement based on the risk.
It is solely the responsibility of the process owner/head of department, if audit findings highlight
problems, to rectify the issues. Correction must be undertaken; a root cause analysis using a recognized root cause analysis methodology, for example, 5 whys, a fishbone diagram, and so on, must be
completed, and corrective action identified and implemented.
A response plan must be submitted to the internal auditor by the auditee within an agreed time frame of the audit. It must outline the correction, root cause analysis, and corrective action(s), including a risk assessment. The internal auditor will review the response plan and approve or reject it. Thus, if there is no root cause analysis, the root cause analysis is inadequate, and so on. If the plan is rejected, the auditee must correct the response plan and resubmit it for approval.
All audit findings should be closed out within 12 weeks of the issuance of the findings. Exceptions may be granted, subject to the approval of the internal auditor and the food safety manager/management representative. As appropriate, the auditee should keep the individuals managing the audit program or the audit team informed of the status of these actions.
The outputs of this phase should be that the audit objective has been achieved, the audit plan has
been carried out, the checklists/audit trails have been completed, if applicable, and audit findings and
a response plan have been received from the process owner/head of department.
The internal auditor will prepare an audit report outlining the audit conclusions. The conclusions are
based on a comparison of all the audit findings against the audit objective.
The report will be detailed and cover the following points at a minimum:
▪ Identification of the audit objective, scope, and criteria
▪ Identification of the auditor and process owner(s)/head of department
▪ The audit conclusions
▪ An executive summary
▪ The audit findings on strengths, weaknesses, opportunities, and threats (SWOT)
▪ A description of the process, critical process parameters, and process performance
▪ The number and classification of the audit findings
▪ The audit findings in detail
▪ Sample/confidentiality statement
▪ Audit follow-up
▪ Audit checklist or audit trail, as an attachment
The audit report will then be released to the food safety manager and the process owner/head of department.
The audit is completed when all planned audit activities have been completed or otherwise agreed
with the process owner. For instance, there may have been an unexpected event that prevented the
audit plan from being completed.
The food safety manager will review the audit report to ensure that all technical aspects of the audit
plan have been covered, the evidence gathered is objective and related to the audit criteria, and the
audit conclusions reached are correct.
The food safety manager will also manage any appeals raised by the process manager/head of department in relation to an audit finding.
If agreement cannot be reached between the food safety manager and the process owner/head of department, the food safety manager will elevate the issue to the executive management team for resolution.
Based on the response plan submitted by the process owner and the agreed closure time frame, the
internal auditor will follow up to ensure that all audit findings have been effectively closed out. This
will be achieved through the evaluation of the risk assessment and effectiveness checks.
The effectiveness checks must be completed before the corrective action risk assessment can be closed.
The purpose of these follow-up checks is to ensure that the stated actions have been implemented
and that they have been effective in solving the stated problem. If satisfied, the internal auditor will
close the audit findings.
If the internal auditor does not agree to close the audit findings, agreement on the actions to be taken
will be determined between the internal auditor and the auditee.
The following documentation will be maintained as evidence that the audits have been performed:
▪ Audit plan
▪ Audit checklist/audit trail
▪ Audit report
▪ Root cause analysis data/response plan