Let’s Get Serious about Internal Audits
By John G. Surak, Ph.D., and Richard F. Stier
One of the authors was contacted by a colleague who stated that a client had an audit finding that seemed to be beyond the scope of the audit. This finding specifically stated that the internal audit program was not based on ISO 19011. And this was not an International Organization for Standardization (ISO) 22000, Food Safety System Certification 22000 or Global Food Safety Initiative (GFSI) audit. The response from the processor was “What? Another ISO standard, and this one is on auditing.”
This evolved into a lengthy discussion that posed a number of questions, such as “When did certification bodies (or audit firms) start mandating the use of ISO 19011 for internal audits?”, especially since ISO standards 9001, 14001 and 22000 are not nearly as popular or widely used in the United States’ food supply chain as they are in Europe’s or Asia’s. A quick check of a number of standards revealed one interesting note. Clause 8.2.2 (internal audit) in ISO 9001:2008 has a note attached to the requirements, stating, “See ISO 19011 for guidance.” But this raises an additional question. There is no such notation in the ISO 22000:2005 standard, and notes within auditable portions of an ISO standard are guidance, not requirements. However, ISO 19011 is referenced in the bibliographic section of ISO 22000, so what does this standard entail?
ISO 19011 – Guidance for Auditing
Perhaps that discussion focused on the wrong concepts. Nonconformities are important parts of any audit, whether the audit is a first-, second- or third-party audit. Three critical pieces of information must be included:
1. A description or reference to the audit criteria, such as specific references to the standard that is being audited, to the site’s documentation or to documentation that was part of the contract between the site and the certification body. The latter can include specific requirements mandated by a customer.
2. A declaration of the nonconformity.
3. The audit evidence that was obtained that generated the nonconformity.
Audit nonconformities should be written in a way that allows an individual to read the nonconformity and understand why it exists, even if the individual did not observe the audit, accompany the auditor or attend the closing meeting.
If, during the closing meeting, employees of the site do not understand why the nonconformity exists, they must ask for clarification and request that the auditor redraft the nonconformity so it is more easily understood. The point is to neither argue the nonconformity nor seek a recommendation on how to close the nonconformity, but to truly understand the nonconformity and why it was deemed an issue. This part is critical because the time requirement to address and correct the nonconformity starts the moment the auditor leaves the site. Of course, there is nothing wrong with respectfully challenging an auditor. They are not always perfect and may even have biases.
Now let’s go beyond the immediate audit finding and look at the issues from the 30,000-foot level. Some underlying questions can include:
• What is the function of the internal audit?
• How do you know that the internal audit process is working?
These two questions are important, especially in North America, where ISO standards are not the norm in the food processing industry. The internal audit from the ISO viewpoint is a relatively new paradigm here. Many processors consider an internal audit to be a monthly Good Manufacturing Practices (GMP) checklist or verification activities to ensure that Critical Control Points are being monitored properly. The internal audit is much more than that.
The internal audit is an essential element for the proper functioning of any food safety management system (FSMS). All GFSI-recognized FSMSs include a requirement for an internal audit process. Many of the other GMP/Hazard Analysis and Critical Control Points audit requirements also have the same constraint.
Internal audits are more than a simple GMP checklist and should address:
• Does the site’s FSMS conform to specified requirements?
• Is the FSMS properly implemented, effective and updated?
• Is a systems approach used in internal audits?
• Are the concepts of risk incorporated into internal audits?
• How is it known that the audit reports provide an accurate and precise description of the FSMS? Precision becomes a factor when the number of internal auditors is more than one.
• Are audit results reported to the proper functions or departments?
• Are nonconformities properly addressed, including being closed out?
• Are audit results used as an input to management review?
But what happens when the third-party auditor says, “Today, I will audit the internal audit process”? The response from the site may be, “Audit the audit process?” The quality assurance (QA) manager breathes a sigh of relief and quickly writes a note to the managing director: “It is covered. We did our internal audit four months ago, successfully closed all the CARs [corrective action requests], we have an internal audit procedure and I have the documented internal audit reports. No problem.” Little did the QA manager and the managing director realize that storm clouds were on the horizon.
One approach to minimizing problems during the third-party audit is to use ISO 19011 as the basis for developing the internal audit process (see “Content of ISO 19011:2011: Guidelines for Auditing Management Systems,” below left). This standard was developed by ISO to describe a systematic process for conducting both internal and external audits.2 It does not define new techniques in conducting management system audits but defines current good practices for developing, managing and performing audits.
Case Study – Auditing Internal Audits
In this section, we will look at a series of questions and potential responses that can be used if a third-party auditor starts to audit the internal audit process. These questions go beyond those such as “Do you conduct internal audits?” and “May I see the audit reports?”
At this site, the QA manager is responsible for the internal audits, and the auditor is a third-party auditor.
The auditor starts:
I would like to audit the internal audit process. Can you briefly explain the internal audit process?
The auditor is trying to obtain a basic understanding of the approach the site is using for internal audits and may be trying to answer questions such as:
• Does the site conduct the internal audit once a year or several times a year?
• How many internal auditors are present at the site?
There are no correct or incorrect responses to these questions. ISO 22000 does not mandate how internal audits are to be conducted. However, the standard states that internal audits shall be conducted at planned intervals to determine if the FSMS conforms to planned arrangements and is implemented, effective and updated. Nothing specifically states how many internal auditors a site must have. Instead, the standard states that auditors shall not audit their own work. This implies that a site needs at least two auditors or has a system to ensure that the person responsible for internal audits does not audit him- or herself. The auditor wants to know who audits the QA manager, since the QA manager is responsible for internal audits.
The auditor may now determine the specific nature of the internal audit process. Areas that can be probed include how the site ensures consistency of the audit data, information and knowledge present in the audit reports. The auditor may ask:
• How do you select auditors and ensure auditor competence?
Auditors must have the knowledge and skills to achieve the intended results. These competencies include the ability to conduct audits and to evaluate FSMS performance to ensure the system is effective.
• How do you know that the audit report is accurate and precise?
Accuracy asks whether the internal audit report provides a true description of the state of the FSMS. Precision will focus on the lack of variation between auditors in assessing the same process. Precision becomes important when the internal audit team is more than a single person. Another way to probe precision is to ask if auditors come to the same conclusions with regards to whether the FSMS is in compliance and effective.
• How are the audit results used by the functions being audited and by the site’s management?
Audit reports are an important assessment of the functioning of the site’s FSMS. The reports are used in a number of ways, including providing feedback to the specific process being audited, input into the FSMS updating system and input into management review.
• How are audits conducted?
Audits should be more than just a checklist that is designed to determine compliance with a set of requirements. Audits should be designed to determine whether the FSMS is effective and efficient using a process approach.
• How do you improve the internal audit process?
An important theme of ISO 22000 is the concept of continuous improvement and updating the FSMS. These activities apply to the entire FSMS, which includes internal audits. So an auditor may be trying to determine how the site is making the internal audit process more effective and efficient.
• How does the company know that the frequency of the internal audits is adequate to ensure that the system is functioning properly?
The expectation in ISO 22000 is that internal audits will be done at least once a year. However, it is also expected that the internal audit program will be based on food safety risks. If a company has had significant problems or issues in one or more areas that potentially affected food safety, a risk assessment might indicate that those areas be subject to an internal audit more frequently.
These are not the only questions an auditor can ask while auditing the internal audit process. See “Questions for Thought,” below left, for additional questions.
The internal audit process is an important part of all FSMSs. To have a useful internal audit process, the audits must be done systematically. ISO 19011 provides guidance on how to accomplish this. Therefore, it is recommended that the internal audit process be based on ISO 19011. Currently, conformance to ISO 19011 is not mandated by GFSI-recognized audit schemes. One may debate whether the original finding was acceptable. Internal audits are part of the FSMS. Thus, the process used to conduct internal audits is subject to third-party audits. As part of this process, the auditee needs to demonstrate that internal audits are implemented, effective and updated; auditors are competent; and the audit reports present information that can be used to improve functions within the site and used for management review.
John G. Surak, Ph.D., is the principal of Surak and Associates.
Richard F. Stier is a consulting food scientist.
1. For this article, the authors are using the ISO 22000:2005 as the reference FSMS document.
4. ISO. 2011. ISO 19011:2001. Guidelines for auditing management systems.