Third-party Audits: What the Food Industry Really Needs
By Richard F. Stier
In the beginning, there was the food plant. And the plant manager saw that it was good.
However, as things became more complex and problems arose, the plant manager realized he needed help to solve problems. So he hired the consultant, who fixed things. And the plant manager saw that it was good.
And, as business grew, the plant manager realized that he needed to improve, so he hired a consultant with special skills in finding not only solutions to problems, but ways to improve. And the operation improved. And the plant manager saw that it was good.
Businesses saw that there was money to be made in offering services, so they created their own standards and imposed these standards on people with whom they worked—standards that included hundreds of questions and were generic to the entire food industry.
And, as the food plant’s commerce continued to grow, the plant manager was told by his customers and clients to abandon those who had helped the company grow. “Thou shalt have an audit,” they said, and the businesses imposed their standards on his plant. And the plant manager saw that it was not good for his operation…
The parable above was created to set the stage for this article on third-party audits. Are such audits the “be all” and “end all” that some think that they are? Are there any real differences between the various audit schemes currently being offered? What do companies, both vendors and customers, really want from these audits? What kind of skills should an auditor have? Hopefully, this article will make people think about the prevalence of third-party audits—which have, for good or for ill, turned into a multibillion dollar global business.
What’s Out There?
There are many different audit formats being used within the food industry. These include true standards—those that do not favor any particular group or nation over another—such as the ISO 9001, 22000 and 14001 standards issued by the International Organization for Standardization (ISO). These standards do not tell processors exactly what they should do, but instead provide a framework for developing and implementing systems to meet certain ends, namely quality, food safety and environmental stewardship.
There are industry standards. These are documents developed by a segment of the food industry to meet a specific need. For example, the Global Food Safety Initiative (GFSI) is a consortium of major market chains from around the world (WalMart, Carrefours, Sainsbury’s, Tesco and others) that wanted to codify the quality, safety and ethical practices of their vendors. Through the use of benchmarking, GFSI has a guidance document that approves several industry standards to meet this need. The approved standards include the British Retail Consortium (BRC), International Food Safety (IFS), Safe Quality Foods (SQF) and the Dutch HACCP program. They have conditionally acknowledged that companies with FSSC 22000, which is derived from ISO 22000, Food safety management systems—Requirements for any organization in the food chain, have satisfactory programs.
There are company standards that have been developed by firms that offer audit services that they call standards. What makes these audits that utilize such standards a concern is that the auditors are all too often acting as auditor, consultant and marketer simultaneously. An auditor is there to observe and record, not to tell a processor that they have failed to meet a standard and what must be done to address the issue. And they should definitely not encourage the company to use their services to address deficiencies. There are many other companies doing audits, each with their own audit program. These same firms also conduct many of the audits designed by different industries.
The National Food Processors Association, which begat the Food Products Association and was absorbed into the Grocery Manufacturers Association, made an effort to develop an audit that would be accepted across the entire food industry. The audit was assembled with industry input, but now appears to be in its death throes. It tried to be all things to all industries, and in the process became too long and too proscriptive.
Some of the best programs are internal audits. These are focused evaluations, designed to ensure continuous improvement within a company and its contract packers. These audits are usually done by persons from corporate headquarters or a sister company, but they may also utilize third parties. Perhaps the best feature of these audits is direct accountability. The company being audited must respond directly to the customer, which includes corrective actions and an improvement plan, and the in-house expectation—nay, requirement—is that all issues be addressed. Unfortunately, an internal audit is not acceptable to buyers, even if it is more rigid, more enforceable and designed not only to find problems but also to ensure continuous improvement.
Why Third-party Audits?
There are a number of reasons why third-party audits are done. These include but are not limited to the following:
• A genuine desire to improve food safety, quality and sanitation
• Customer requirement to verify a vendor’s programs
• Potential marketing advantage
• Looking for a third set of eyes
• Troubleshooting/problem solving
• Not having the resources in-house
The best reason to have an audit is the genuine desire to improve. This harks back to the first part of the parable. This was also how the author learned to audit. During my time with the National Food Processors Association, the late Allen Katsuyama trained a number of us to conduct sanitation and food safety audits. These audits (or more properly, inspections, as they were really consulting trips) focused on identifying areas that failed to comply with current Good Manufacturing Practices, could result in product adulteration or were a precursor to a food safety problem. The audit form had three columns: Observation, Recommended Action(s) and Corrective Actions. The Recommended Actions column could be filled out by the auditor or the company. Ideally, the completed form would be returned to the different groups within the company that had issues, along with instructions to “fix” or solve the problems.
Katsuyama did not truly “score” companies. He used what he called the “p Factor,” which was the probability that an FDA investigator would identify adverse findings. A “p Factor” of 0.5 meant that there was a 50% chance that the company would be reported for adverse findings on an FDA Form 483. Katsuyama also established an Overall Sanitation Rating for the company using the numbers 1 through 4, with 4 being the highest. Only companies that had problems or wanted to improve contacted the Association. At that time, precious few companies required that their vendors be audited by a third party.
This leads to the next reason for third-party audits, which is a customer mandate. The objective is to push the responsibility for food safety and quality back down to the suppliers. Unfortunately, this is the reason why most companies are audited. With the mandate to be audited, many processors not only seek out the least expensive audit, but spend an inordinate amount of time preparing for said audit. A March 6, 2009 article in The New York Times entitled, “Food Problems Elude Private Inspectors,” highlighted the price-shopping issue. Companies know when the audit is due and target that date to ensure that the plant and grounds are clean, problem products are not being run and procedures are up-to-date. Years ago, I was asked to go into a facility unannounced by the corporate office. One finding was that the facility shut down for a full week to prepare for its third-party audit, which it always passed with flying colors and a high score, but at the cost of a week’s production. Many firms will also do pre-audits to help clients identify gaps, thus ensuring they will pass a full-blown audit.
A high score on an audit can be a marketing advantage to a company. Many companies proudly display their certificates trumpeting their Superior, Excellent or Outstanding rating. They also use these documents in their marketing literature. However, these certificates do not always reflect what is going on in the plant. The aforementioned New York Times article noted that the Peanut Corporation of America (PCA) scored a Superior rating from one auditing firm and 91% from another. The latter company acknowledged that the score was low, but it was still passing.
Troubleshooting and problem solving are other reasons to bring in a third party, as they differ slightly from the desire for improvement noted previously. A third-party or government audit might prompt a company to bring in another group to help address problems. Many companies simply do not have the in-house expertise to find and fix problems. Another possibility is that the individuals who have the expertise do not have time to fix the problems, as they are committed to solving more pressing issues. Since many of the third-party audits have been designed with large firms in mind, wise managers of small companies will often seek outside assistance to help them comply with industry demands.
Elements of Third-party Audits
If one were to examine all of the audits that are available to the industry, the likely conclusion would be that they are largely the same. At a recent milling and baking meeting, Jennifer Robinson of Cargill reported that her company had evaluated different audit systems and found that over 90% of the components were the same for each. Third-party audit frameworks generally include but need not be limited to the following areas to be evaluated:
• Quality Systems
• Document Control
• Pest Management
• Water & Hygiene
• Corrective & Preventive Actions
• Chemical Handling & Control
• Purchasing & Vendor Approval
• Good Laboratory Practices
• Good Manufacturing Practices
• Food Safety/HACCP
• Allergen Controls
• Shipping & Receiving
• Weight Control
• Education & Training
• Food Defense
There may be more or fewer elements, depending upon the audit in question. So what’s the problem? This is a huge amount of material that must be observed and commented upon. Since the basis of audits is essentially, “Are you doing what you have written down and have you written down what you are doing?” the audit must entail not only watching what is going on in the facility, but reviewing procedures and records to ensure that these programs are being properly documented, that records are being maintained properly and that management is reviewing records to verify compliance. This is a lot to do in an audit that is often scheduled for only one to two days. With so much material to cover, it is easy to see how some areas could be overlooked and a company could receive a high score on an audit, yet have serious defects.
Issues with Third-party Audits
Can third-party audits be improved? Definitely. The repercussions from the PCA debacle reportedly have affected the way third-party audit firms do business. They are demanding more time (and money) to do audits, have implemented mandatory failures and eliminated the provision that allowed a failing company to switch from a final audit to a pre-audit. There are many issues that must still be resolved, however. Let’s look at some of these.
Audit Length and Complexity – In an effort to be widely applicable, audit questionnaires have expanded year by year. Firms add more questions to keep up with their competitors, yet the time to complete the audit usually remains the same. In addition, most audits do not evaluate the linkages between audit elements. To properly evaluate any one of the items mentioned above requires a review of procedures, viewing of actual practices and verification that the procedures are properly documented. Given that each of the points highlighted above may have several sections, it is hard to envision that even a good quality auditor can complete any evaluation in a day or two.
In addition, most audits are designed with large companies in mind. This is not to say that food safety standards should be different for small and large companies, but all too often the audit fails to account for how a small firm actually does business. In small companies, people wear many hats and may even wear them more efficiently than a large group of people in a large operation.
Auditing Is a Business/Conflict of Interest – Third-party audits are a lucrative business for many. The New York Times article noted that audits made up over 50% of one company’s revenue. Thus, there is an incentive to keep a business going and profitable. According to the Times piece, “Auditors are also usually paid by the food plants they inspect, which some experts said could deter them from cracking down.” I can’t verify that some auditors or audits are more lenient because the firm or auditor wants to keep the business. However, I can say that I have been in plants that have proudly showed me their past audits and bragged about how well they did, yet after I finished my work, I vowed never to eat their products. I guess the bottom line is how ethical a person is, assuming that they have the knowledge to do a good job. Along this line, one company reported that a representative from an audit firm guaranteed that the company would pass if it selected that audit firm. An auditor is not providing the client with good service if he or she fails to do a rigorous audit.
Snapshots – An audit is a snapshot of an operation. The key for the auditor is to be observant enough to ensure that the snapshot reflects actual operations. Companies that prepare for audits pose a problem, because the plant should always be looking its best. There are things that will point to plant operations being a bit different. Two of these are fresh paint and new procedures that were initiated within the previous two weeks. When an auditor sees records indicating recent procedural changes, he or she should always ask for training records to verify that people have been trained on the new procedure(s) and then ask plant employees questions to ensure that the training increased their competencies. Plant management tends to forget to do this, assuming that the new procedure itself will satisfy the audit.
Scoring – Scoring is definitely an issue with third-party audits. As an example, the GMA-SAFE audit, which was designed to describe, in words, an operation’s quality systems, ultimately had to develop a scoring system to be acceptable to certain customers. Managers love numbers, so audits have scores. I learned this firsthand during my time in industry. I brought Mr. Katsuyama’s audit format with me and was asked to create a scored audit. The new format was approved by management and put to use. However, when potential packers began scoring poorly, the response from management was that we should lower the passing score.
Unfortunately, one of the most common questions auditors are asked is, “What do I need to score to pass?” Passing is not the issue—ensuring safety is. It does not take a major sanitation issue to create a problem. As noted earlier, the PCA achieved good audit scores, but had serious problems that were not addressed.
Follow-up/Response – “Even when audits do turn up problems, it is up to the discretion of food companies to fix them.” This is a real problem. Unfortunately, when most auditors complete an audit, their job is done. Follow-up is left in the hands of the processor. However, one element that should be part of all audits is “Corrective and Preventive Actions.” What has that company done to address such problems, be they issues that were found by an outside auditor or picked up by the company itself?
Next, it is important to ensure that the corrective and preventive actions actually solved the root cause of the problem. If there is a history of not following up, it should be obvious to the auditor. In the case of the PCA, third-party audits uncovered a number of problems at the processing plant. It was apparent that the plant did not take the actions necessary to eliminate the root cause of these problems. This is one area where the internal audits developed by large companies have a distinct advantage over all others.
Expertise in the Field, Processes or Product Being Audited – The Times piece noted that one of the persons who audited the PCA plant was “an expert in fresh produce, who was not aware that peanuts were susceptible to Salmonella.” It is absolutely imperative that auditors understand the products and processes that they are auditing, in addition to understanding the audit process itself. How can someone give proper service if they don’t know industry concerns and how they are addressed?
This is the most important issue of all. It is an embarrassment to the industry when a publication such as The New York Times prints a quote such as this from an auditor, “I never thought that this bacteria would survive in a peanut butter-type environment. What the heck is going on?” ConAgra had a recall on peanut butter one year earlier that cost in excess of $100 million. Kraft had a similar problem in Australia in the late 1990s.
This is not a domestic issue only. There are firms around the world that have been recognized as certifying bodies and are reputed to have the expertise to conduct audits to certify that a company meets the requirements of the International Organization for Standardization. In the food industry, ISO certification is an important part of doing business. Yet, I have been in many food companies that were ISO-certified for quality (ISO 9001), food safety (ISO 22000) and environmental responsibility (ISO 14001), but the auditors who certified them were experts in car batteries and electric light bulbs. This has been a bone of conten-tion with ISO 22000 in particular. How can one audit a food safety program without specific knowledge in that area?
One does not become a good auditor by attending a class and having a few years of experience in the industry. Good auditors have years of experience with a range of products, have seen many different operations and have the ability to find the “skeletons in the closet.” They also make a conscious effort to eliminate biases. Too many auditors tend to focus on an area in which they feel comfortable, and assign too much weight to that area during an audit.
Is There a Solution?
So, is there a solution to the many audits and requirements currently in the market? The solution will have to not only incorporate food quality, safety and sanitation issues, but also consider that auditing is now a big business. Companies that do audits for profit will not want to give up their piece of the pie. As noted, work by food safety professionals at Cargill showed that most audit components are similar. The industry should work together to bring all audits into harmonization. However, the real key is the auditor. How does a company ensure that its auditor is truly competent?
Read the sidebar: Audit Merely Step One in Risk Management Process
Richard F. Stier is a consulting food scientist with international experience in food safety (HACCP), plant sanitation, quality systems, process optimization, GMP compliance and microbiology. Among his many affiliations, he is a member of the Institute of Food Technologists and an editorial advisor to Food Safety Magazine. He can be reached at [email protected].
2. Robinson, J. and M. Overland. 2009. Audits: Concerns, New Challenges and Solutions for the Milling and Baking Industry. AACCI Milling and Baking Meeting, Albuquerque, NM, May 14, 2009.
Audit Merely Step One in Risk Management Process
Managing risks associated with product recalls demands a multi-pronged approach that encompasses the right insurance, as well as effective risk prevention and management strategies.
Food product recalls may stem from deliberate acts of contamination, unintentional introduction of pathogens or false or misleading labels/packaging. While a company’s general liability policy will cover damages the company is legally obligated to pay as a result of another’s bodily injury or damage, product recall insurance is designed to provide coverage for expenses that occur before the food item has resulted in injury or damage to a third party. These expenses include various logistical costs associated with a recall, such as withdrawal of the product from the marketplace and the associated shipping, storage, product destruction and disposal costs; replacement and redistribution costs; management’s and staff’s time to oversee and implement these processes; and potential fines. In worst-case scenarios, food processors have had to shut down a facility or halt an entire production line, at tremendously high cost. When combined with other “soft” costs associated with product recalls (e.g., consultants’ fees for crisis management, repairing the company’s reputation and restoring the product’s brand value), these expenses can be higher than the cost of manufacturing the product.
Effective product-recall insurance anticipates these exposures and any specific company needs. For example, larger, global companies are higher targets for acts of terrorism, which their insurance policies should reflect. Seek advice from your insurance broker, as well as legal counsel and industry experts, to make certain that all conceivable liabilities associated with a potential recall will be covered under the general liability policy, product recall insurance and additional policies and endorsements.
Besides the right coverage, a sound product-recall risk-management program should encompass:
• Prevention and regulatory compliance, including comprehensive Hazard Analysis and Critical Control Point (HACCP) systems, Radio Frequency Identification (RFID) and employee training;
• Understanding the roles of suppliers, manufacturers, processors, distributors and government agencies in ensuring product integrity and communicating about a contaminated or compromised product;
• Damage control, achieved through a strategic crisis management plan, which notifies consumers about the recall and the company’s actions to remove the product and prevent a similar occurrence;
• Support for potential litigation, including establishing expert court testimony.
For assistance in these areas, companies should reach out to risk managers and legal counsel experienced in product recalls, as well as insurance brokers who can access the best coverage and risk-management package.
—Peggy Kass, Account Executive, Cook, Hall & Hyde, Inc.