At a minimum, the programme shall include at least four different audit dates spread throughout the year. The frequency at which each activity is audited shall be established in relation to the risks associated with the activity and previous audit performance. All activities that form a part of the site’s food safety and quality systems, including those relevant to food safety, authenticity, legality and quality, shall be covered at least once each year.
The scope of the internal audit programme shall include, although this is not an exhaustive list:
• HACCP or food safety plan, including the activities to implement it (e.g. supplier approval, corrective actions and verification)
• prerequisite programmes (e.g. hygiene, pest management)
• food defence and food fraud prevention plans
• procedures implemented to achieve the Standard.
Each internal audit within the programme shall have a defined scope and consider a specific activity or a section of the HACCP or food safety plan.
Interpretation Internal audit programme
The scope of internal audits needs to be established and must ensure that all aspects of the food safety and quality management systems (including the HACCP programme, prerequisite programmes, policies, documentation, hygiene and production), the product safety and quality culture plan, and systems associated with authenticity, product legality and quality management are audited at least annually.
All the internal audits should not be conducted on a single day; nor should every internal audit attempt to cover all aspects of the food safety and quality management system or the Standard. A once-a-year check against all the requirements of the Standard may be of value as a gap analysis when preparing for an audit or confirming the contents of the food safety and quality management systems, but is insufficient to cover the full requirements of an internal audit programme as it will not provide the depth of assessment or level of confidence required.
Development of the internal audit schedule should begin with a risk assessment. The aim of this is to identify:
• all the areas or activities that need to be audited
• the frequency with which each part of the product safety and quality management system needs to be audited. This will be dependent on the risk inherent in each activity or section of the food safety and quality management system. For example, the site should be aware of the consequences of not complying with its own systems, which could lead to hazards not being identified in a timely manner. Therefore internal audits of CCPs are likely to be more frequent than those for less critical activities.
Frequency may also be influenced by known issues within the company or customer requirements. This may result in a site needing to audit an activity multiple times
throughout the year, or developing a programme with more than four internal audit dates (see below)
Interpretation
continued • the most relevant dates for each internal audit; for example, if activities or processes are seasonal (see below) or if specific activities need to be completed more than once a year.
Sites may also find it useful to consider completing internal audits during different shifts, including, for example, nights or weekends.
The majority of sites are likely to benefit from a programme of audit dates spread diversely throughout the year, as this maximises the opportunity to identify any non-conforming processes in a timely manner, allowing correction and minimising the potential for standards to fall between audits. The Standard promotes this concept by requiring a minimum of four audit dates spread throughout the year. However, it does not require all audits to be completed quarterly, as there may be genuine situations where risk assessment shows an alternative frequency. Seasonality is an example; if a site is open only for part of the year, then there is little value in completing internal audits while the site is shut. For seasonal production, the site is not expected to complete a series of internal audits when the site is not operating; however, there must be a system for the management of start-up processes, and internal audits are therefore expected to start before the season commences to ensure the site is ready to start production. For example, the HACCP programme should be audited to ensure that it is up to date and appropriate for the forthcoming production; that hygiene and fabrication are correct; and that staff are appropriately trained. The remaining areas of the internal audit programme should be covered throughout the season. Further information is available in the BRCGS Fresh Produce Guideline available from BRCGS Participate or the BRCGS Store.
Even where a site is open throughout the year, seasonality can affect the internal audit dates; for example, if certain activities, such as the harvest of grapes or bottling of wine, are only completed at certain times, or if there are seasonal changes in production volumes which apply a greater burden on the product safety systems at certain times of year. Where a site is part of a multi-site company, and the company conducts annual corporate food safety audits, it is acceptable for this annual audit to be incorporated into the internal audit schedule. However, additional internal audits that look at specific parts of the food safety and quality system, and compliance with the Standard, should be scheduled throughout the rest of the year.
The most common way of completing an internal audit is by taking documented procedures and work instructions and comparing them with the actual working practices and records.
Note that a tick-box exercise is not sufficient, as it does not provide the rigour or depth that an effective internal audit programme requires.
The use of an external consultant (e.g. by small sites) is acceptable, providing the internal audit programme is scheduled throughout the year and not in a single block of activity.
See clause 1.2.4 and section 3.5.3 for details relating to the requirements for product safety consultants.
BRCGS has produced a guideline to internal auditing which is available on BRCGS Participate or from the BRCGS Store.
3.4.2 Internal audits shall be carried out by appropriately trained, competent auditors. Auditors shall be independent (i.e. not audit their own work).
Part II Appendic es
Interpretation Auditor training and independence
Good auditing is a thorough, evidence-based assessment of an activity or system, completed by an independent auditor. It should ultimately contribute towards the site’s continuous improvement.
Auditing is therefore an acquired skill and auditors need to be trained and competent to ensure they are carrying out this function effectively. Training should include:
• auditing skills, such as how to complete an effective audit
• relevant technical knowledge of the activity to be audited, such as HACCP or appropriate product technical knowledge. This may be by work experience in the sector or specific training
• soft skills associated with auditing.
Internal auditors must be able to show via training records (clause 7.1.6) that they have received formal training on internal auditing, via either attendance at an external course or training within the company.
Training should also cover the planning and scheduling of the internal audits, preparing audit reports in the company’s agreed format, the correct use of audit techniques (e.g.
documentation and process auditing, audit trails and discussions with colleagues) and follow-up of audit findings (see clause 3.4.3).
Training must be of sufficient duration and depth to ensure that auditors can complete robust, consistent audits.
External auditors may be used where internal resources are insufficient, providing the requirements of clause 3.4.1 can be met (for scheduling audits throughout the year). The site should refer to clause 1.2.4 and section 3.5.3 for the requirements for the management of food safety consultants.
Internal auditors must be independent of the process being audited. This is to ensure that there is no conflict of interest (i.e. that the audit is rigorous and thorough) and that any work needed to make corrections or improvements can be identified by an auditor who is not biased or influenced by working in the area. Internal auditors may not audit their own work or any programmes for which they are immediately responsible. It is not acceptable, for example, for workers on one shift to audit the work of another shift completing the same work, as they are not independent of the operation.
During the BRCGS audit, the auditor may discuss the process with internal auditors to establish their level of competence.
Sites may find it useful to calibrate their internal auditor team (e.g. at the beginning of the year, before a new schedule of internal audits begins) to ensure that there is a consistent approach across the company.
A number of sources of further guidance and training for internal auditors are available including:
• BRCGS guideline on internal auditing (see BRCGS Participate or BRCGS Store)
• BRCGS internal auditor training
• ISO 19011 Guidelines for auditing management systems.
3.4.3 The internal audit programme shall be fully implemented. Internal audit reports shall identify conformity as well as non-conformity and include objective evidence of the findings.
The results shall be reported to the personnel responsible for the activity audited.
Corrective and preventive actions, and timescales for their implementation, shall be agreed and their completion verified. All non-conformities shall be handled as detailed in section 3.7. A summary of the results shall be reviewed in the management review meetings (see clause 1.1.4).
Interpretation Internal audit records and corrective actions
The management review processes (see clause 1.1.4) must ensure that the internal audit programme operates effectively and that necessary corrective or preventive actions are appropriately completed. As a result, the internal audit process will often contain a number of steps. For example:
• internal audit completed
• corrective actions agreed
• corrective actions completed and signed off
• completion verified
• root cause analysis used to identify any necessary preventive actions
• preventive actions completed and reviewed
• overall management review completed.
Each internal audit must examine the process or activity in detail and will usually include a number of activities such as:
• observing how activities are completed
• asking relevant staff how an activity is completed or why it is completed in a specific way
• reviewing procedures and records to confirm whether the activity has been completed and recorded correctly.
In addition to the actual internal audit, it is important that appropriate reports are
completed, clearly indicating what was audited, the actions that are agreed and the review of these actions.
Reports must show evidence of conformity as well as non-conformity, with objective supporting evidence (e.g. what documents or actions were observed). Some sites have also found it useful to include recommendations for improvement, where the audit can highlight any that are noted during the audit.
Tick lists showing that items have been assessed will not normally be accepted as the only form of evidence; information showing how the audited items have fulfilled the requirements, or how they are non-compliant, is required. This is important, as recording conformity is documenting evidence that due diligence is taking place; in other words, that required procedures are taking place, and have been observed by auditors who are independent of the process. This may subsequently be useful, for example, in the event of an incident, or for answering questions from regulatory authorities or customers.
Part II Appendic es
Interpretation
continued Notes, references or copies of the documents and records should be kept as evidence of aspects that have been examined, to allow an independent reviewer to reach the same conclusion as the internal auditor. For example, the dates and titles of records that were inspected should be noted in sufficient detail to allow them to be traced; if any records are non-compliant, precise details of the non-compliance should be given. The listing of records reviewed also ensures that a wide range of records are considered (e.g. training records of a variety of staff rather than repeated audits of the same records). Records will also confirm whether anything has changed since the last audit.
The Standard is not prescriptive regarding the format of the internal audit reports; for example, they may be hand-written, stand-alone electronic documents or uploaded into a company database. Good practice is to retain any auditor notes that are completed during the audit, as well as the final report. Figure 9 shows a typical example of a completed audit report.
The results of audits need to be communicated to the relevant staff; i.e. those who are responsible for the area or activity, and corrective actions, root cause and preventive actions and timescales for their completion agreed. This may be achieved via operational or review meetings, or via an update at the end of the audit combined with documentation such as a memo or a copy of the audit report. Responsibility for corrective actions must be documented – for example, by being recorded on the audit record sheet. Full details for handling non-conformities, including corrective and preventive actions, are provided in section 3.7.
Note that finding a non-conformity during an internal audit should not necessarily be viewed as a negative, since it allows the site to implement action before the non-conformity becomes a more serious problem.
Where non-conformities have been identified, effective completion of corrective and preventive action must be verified. Good practice is to ensure that a nominated member of staff with the appropriate authority checks that the action has been taken within the agreed timescale, and that this has rectified the problem sufficiently to prevent recurrence.
The nominated staff member should not be the person responsible for completion of the actions; ideally this should be the original auditor.
Good practice is to complete a review of the internal audit programme; for example, looking at the outputs and trends, and any insight these provide. A summary of the programme and results will also be required for the management review meeting (see clause 1.1.4).
A non-conformity will be raised against clause 3.4.3 if there is a non-conformity in the operation of the internal audit programme itself. Examples include if the audit schedule is not properly implemented or if corrective and preventive actions are not completed within the agreed timescales.
Where the site consistently obtains negative results (i.e. no non-conformities are identified throughout the scheduled programme) good practice is to review the programme to ensure it is operating robustly; for example, to:
• consider if all activities are correctly incorporated into the programme
• review rigour, robustness and consistency of the internal audits.
Interpretation
continued Full records of all internal audits and the results, including conformities and non-
conformities and verification of corrective and preventive actions, must be kept for a defined period, typically 2 years.
BRC REQUIREMENT SITE POLICY EVIDENCE COMPLIES
The site shall ensure that any out of specification product is effectively managed to prevent unauthorised release.
Procedure QM11 & form QRec11. All non-conformities trended for inclusion in management review meetings (log reviewed and management report for
1/9/21) Y
Waste disposal records checked (Sept – Dec 21) against records of non-conformities – disposal of outer packaging
on 1/1/22 unaccounted for. N
There shall be documented procedures for managing non-conforming products.
Procedure QM11 – specifies all requirements – non-conforming products are stored in identified area and labelled
‘on hold’, ‘reject’ or ‘QC pass’. Form to be completed and
specified management. Sign off approved staff only.
Form QRec11 for recording information.
Procedure QM11 version 3 dated 1/2/22 in use. Y Records for Aug 21 – Dec 21 checked and indicated correct
sign off. Y
Random staff check on staff numbers 94, 157 & 196 – queried what they should do with incorrectly baked
product. N
Records of the decision on use or disposal and records of destruction where product is destroyed for food safety reasons.
Form QRec11 for recording information. Records comply with disposals instructions. Y One pallet of product (failed customer quality checks)
segregated for disposal, correctly labelled and authorised
for disposal. Y
Records for 12/1/22 reviewed – correctly completed. Y AREA REQUIREMENT: Control of Non-Conforming Product DATE: 14 February 22 AUDITOR: A Checker
NON-CONFORMITIES IDENTIFIED:
NON-CONFORMITY ACTION RESPONSIBILITY DUE BY VERIFIED AS
COMPLETE
Staff numbers 157 & 196 were unclear of procedure. Retraining to be completed against QM11.
Production Manager
21/2/22 A Checker 22/2/22
Waste disposal records checked (Sept – Dec 21) against records of non-conformities – disposal of outer packaging on 1/1/22 unaccounted for.
Investigate cause and introduce corrective action.
Ensure staff aware of procedure.
Production Manager
24/2/22 A Checker 25/2/22
Figure 9 An example of a completed audit report
BRCGS has produced a guideline to preventive action and root cause analysis which may be purchased from the BRCGS Store or viewed online at BRCGS Participate.