As part of our next topic in the series on the BRC Global Storage and Distribution Standard we examine the need for effective internal auditing, required in clause 3.2.
How can we define “auditing”? Well it could be simply defined as: “An inspection process undertaken to compare condition, processes and practices against the requirements of legislation, code of practice, or standard”, where the standard could be an International or National Standard or internal policy and procedure based on best practice.
The fundamental requirements to effective internal auditing are:-
- Auditors should have appropriate education and / or expertise in the field in which they are auditing. It would be unreasonable to expect anyone to undertake a food safety or GMP audit without some degree of food safety or HACCP knowledge, as this knowledge will underpin the nature of the audit questions they will ask to explore the system or process.
- Auditors should have appropriate training and / or expertise in conducting audits. An effective audit depends on an effective auditor who understands that most processes are linked and that questions should be open, designed to gather information and designed to explore robust links between processes.
- Auditors should be selected so that they are, as far as possible, independent of the process or system they are auditing. This is widely known to be most difficult for smaller companies with limited staff and resources. In this case the internal audit team can be supplemented by competent external auditors, who can conduct internal audits as part of the overall team. The danger in using an internal auditor with overall responsibility for a section, process or system is clear – assumptions will be made based on the day to day working knowledge of the auditor within that section.
- Internal audits must be scheduled based on risk and such that all processes, areas and systems are internally audited over a specified time period, normally one calendar year. What is “basing an internal audit on risk?” Well the easiest way to manage that is to consider, if control of a condition, system or procedure was lost:-
- What would be the likelihood of a hazard then occurring?
- What would be the severity of that hazard – minor inconvenience or product recall?
- How many people (consumers and / or customers) would be affected?
- How much brand damage could occur?
- Has it happened here before, perhaps routinely?
Those systems or procedures coming out as HIGH RISK would then be typically audited perhaps several times a year.
5. Internal audits must be sufficiently detailed exploring and recording areas of compliance as well as noncompliance. The point of recording compliance is that it is encouraging! Encouraging to you and your staff, the auditees and to the board that the investment made to secure food and product safety are paying off and that customers are happy! Noncompliance can then be dealt with, the most serious being prioritised first of course! Noncompliance can, if so wished, be categorised, perhaps in the manner of the BRC Standards – critical, major or minor. Or use a colour coded system perhaps – we’ve seen that sort of system used at Waitrose (Logistics) and it’s very effective. Noncompliance MUST always be recorded with corrective action required, agreed timescale for completion and agreed responsibilities.
6. Internal audits must be reviewed. Regular review of internal audit activity, perhaps at senior management meetings like the annual management review required by all of the BRC Standards and similar GFSI benchmarked standards, is the means by which we can assess:-
- Were all internal audits completed to timescale, according to schedule
- Were all corrective actions closed off and effective?
- Were there any trends as to noncompliances found?
- Were there any hurdles or difficulties in conducting the internal audits such as resources?
- Is there anything we can do better in the audit process?
- Do we remain compliant with legislation / code of practice / our internal standards?
And there you have it! If you need more help or guidance, or want to talk to MQM about internal audit training, or taking part in your internal audit process, just contact us!