Internal Audits - Tips and Advice
Ann Grace
Internal audits — if conducted the right way — aren’t merely stepping stones to higher-stakes external audits, they’re strategic tools used by the most successful food manufacturers to measure continuous improvement and validate their entire food safety system.
Jeff Strout from Mérieux NutriSciences recently shared his advice in the recorded webinar, “The Magic of Internal Audits: Mistakes, Insights, and Advice from the Experts.” If you asked questions he could not get to during the webinar, here are the answers you’ve all been waiting for! If you want to see what you might be missing in your internal audits, check out our blog post, Best Audit Practices: The Top 10 Auditing Mistakes Manufacturers Make.
Q. What is “The Wow Factor?”
Products can be made with a wide variation of quality parameters being met, and clearly, there are different levels of quality for products. Some of them are unacceptable; some acceptable; some good; some great; and some, amazing, that elicit the reaction, "Wow." I am sure, as a consumer, when you purchase a product, you have come across a product sometime in your life where you tried it and said, "Wow, that was a fantastic product." Companies should determine what factors go into making the products that produce the "Wows". They often begin with the purchase of the purest ingredients or finest raw materials, add in innovative processing aids, equipment, setting up of the equipment, the training of the employees, the recipe or formulations, the batching, mixing, weighing, the correct temperatures, humidity, blend times, viscosity, the packaging material used, the storage temperatures and humidity, the handling, the display, etc. Each one of these factors can transform a good product into one that produces the Wow Factor. Once these factors are identified for each product, then the internal audit team should audit for those parameters to ensure they reach the "Wow" level each time.
Q. How much of your audit advice applies to small manufacturing plants, say between 25-75 people? How many with 20 employees?
All of this applies to small manufacturing companies. There is an expectation that every company will have an effective internal audit system in place. Customers want you to find and fix the problems and not pass them on to them. With 25-75 employees, I would train 7-10 employees on how to perform the internal audits (have one to audit the internal audit system only) and have the rest being the "pool." You can use 3-4 auditors at a time to perform the internal audit every 6 months. Either look at parts each month and review everything at the end of the 6 months or you can take 2-3 days and look at everything at the internal audit during that 6 month period.
With 20 employees, I would train 6-7 employees on how to perform the internal audits (have one to audit the internal audit system only) and have the rest be in the "pool." You can use 2 auditors at a time to perform the internal audit every 6 months and either look at parts each month and review everything at the end of the 6 months or you can take 2-3 days and look at everything at the internal audit during that 6 month period.
It is your choice on how you want to break it up or not. You just need to look at everything within those 6 months. Most requirements are to perform once a year, and I do not recommend that because too much can happen to get a company way off track within that year so most small companies should be able to look at things every 6 months.
Q. How often do you recommend cycling internal auditors?
It depends on the size of the pool of auditors. If you have a large pool, then they can cycle in every 2-3 years (as long as they have some just in time refresher training to get them up to speed on criteria and reporting protocols). Some companies have a smaller pool (only a few extras) , and they cycle them in every other audit to keep them fresher with the criteria and protocols.
Q. What's the best way to communicate negative audit findings in a positive way?
I would report the "best practices" observed (if any); then the preventive actions we need to take; then the positive practices observed; and then those areas where we need to improve (in order of critical findings where we potentially contaminate our products; major were there is a slight risk of contamination and minor where we need to do better). One other point: use the term "we" in all discussions as that term puts us all in the same boat, so to speak. If you use the terms "you" and "me" or "I," then it could be viewed as an attack on someone. Using the term "we" prevents that attack (in most cases). "We" need to do better and NOT "You" need to do better.
Q. How would you audit your traceability program outside of the recall system?
Internal auditors should select different items each time and have the appropriate employees (not the internal auditor) perform the traceability (one back and one forward). Items could include finished products, an ingredient or raw material, a processing aid (like mineral oil) or a packaging item. It could be incorporated into the recall exercise but does not have to be included. It must be documented as accomplishing both exercises. You want to evaluate both capabilities and how effective they were accomplished.
Q. I'm interested in seeing a sample internal audit tool/doc incorporating the "Wow Factor". Will an example audit templates be shared with us?
The "Wow" factor discussions are addressed in the 2 day course and not in the webinar as there is not enough time to cover it all. Most companies will not share the wow factor documents they have as those are confidential. We are making a few fictitious examples for students to use in the 2 day course.
Q. If we look at the recent FDA 483's, some of the observations are not uncommon. Additionally, some of the 483 reports have ALS indicated that these companies have passed the GFSI audit. Can you provide an insight on what the industry need to do further?
Many GFSI audits are not scheduled to include enough time to "find" everything that needs to be evaluated. It is only a snapshot in time for the company. Other reasons include lack of competency for the auditor, distractions of the auditor, company "hiding information" from the auditor as well as others not reported. Audit companies try to train and "standardize" their auditors to audit the same way each time, but auditors are human. It is just like FDA regulators do not inspect or audit the same way each time, and there is great variation in their inspections and FDA Form 483's. A company should NOT rely on outside audits to evaluate everything...the MOST difficult audit a company faces should be their internal audit. It is always best for a company to find ALL of the Good, Bad and Ugly before anyone else can find it.
Q. Does a flow diagram need to be a physical picture with arrows or can it just be a list of the order of the flow
It depends on the complexity of what you are trying to show. Simple flow diagrams can be a list showing the flow of the product or process. The more complex it becomes, then it is best to create a visual of how the flow moves (people, products, process, or whatever you are trying to show movement). This visual usually includes boxes with the wording of the step or action and then an arrow indicating the movement from that box. Some companies use actual small pictures or drawings of that step or action (such as a photo or drawing of that piece of equipment being used at that step or action (such as cutting, forming, cooking, etc.).
Q. If you assign severity to your internal audit findings (Critical, minor, major), is there an appropriate timeframe for closure for each? What is a good corrective action timeline for infractions found?
Yes, critical must be dealt with immediately as there is a potential of unsafe product, and it is against the law to knowingly ship out unsafe products. There might be a temporary correction to ensure safe products and a longer-term corrective action (a new piece of equipment, for example). Majors should be dealt with within a few weeks and up to a month and minors about the same. Keep in mind it should be based on the risks to the products and processes. Also, it depends on using contractors and their availability. It is more important to develop a plan of action that shows the risks to the products and processes and how that risk will be managed while the corrective actions are being performed. Make sure root cause analysis is properly performed, and all roots are found with a corrective action placed against all root causes found.
Q. What are some commonly overlooked items skipped during an internal audit?
Here are some of the most missed items: not following ISO 19011; not having all criteria (customer requirements, local laws, etc.); not having positive, best practices, preventive actions; not finding the costs associated with the preventive, repair and recall associated with the findings; not having the right people assigned; not auditing the relationships between company and suppliers and company and customers; not reviewing the "systems"; not reviewing post-non-compliance findings and follow up such as root cause analysis and corrective actions.
Q. What is the difference between and audit and an inspection?
Typically, the word "inspection" refers to a product or service (being inspected to see if it meets requirements) and the word "audit" refers to evaluating the various levels (task, work instruction, procedure, program and system) are all working together to ensure compliance with laws and other requirements (GFSI, company and customer). An example of inspection might be checking a product to ensure it meets the specification requirements of weight, size, moisture, etc. An audit would look at the task of checking the rodent mechanical traps inside; reviewing the work instructions for checking the traps; reviewing the rodent control procedures to ensure they are being followed correctly; evaluating the overall pest control program (all pests, including insects, rodents, birds, etc.) and what the impact is of the pest control program on the overall food safety system and all of the other programs that are part of it - receiving and shipping, production, maintenance, sanitation, etc. Sometimes the government (FDA/USDA) uses the term inspection when they mean an audit and vice versa. We cannot help that misuse.
Q. You mentioned "confidential" several times, yet third party auditors ask to see our internal audits. We maintain they are confidential. Now we are considering having two sets of internal audits; one sharable and the other candid and honest. Is this OK?
No, that would be an unacceptable practice for the FDA/USDA and GFSI audit schemes. I would be open and honest about my internal audits and be able to show we are improving with each audit. You want to find the "best practices"; the "preventive actions needed"; the positive practices and the non-conformances (areas to improve). These do not need to be confidential, like recipes and formulations.
One thing to consider is the use of SafetyChain's secure profile, "Auditor View." Auditor View provides FSQA managers full control of what, when, and how auditors can view relevant records.
Q. You stated the FDA could review internal audits. I was under the impression FDA could review the program/procedure, but could not review actual audits, as well as associated findings and CAPAs.
The FDA can review and copy anything food safety-related (SOPs, work instructions, and records), including video tapes and photos of the facility work, and this includes internal audits (records). They can look at root cause analysis, corrective, and preventive actions as well as customer complaints. It is essential to be open and honest and show improvement in your systems. It is always best to find the issues and get them corrected. There is only a problem when you find the issue and do nothing about it. Then the FDA might take action against you for you not taking appropriate actions to correct non-conformances with the laws.
Q. Do you use risk assessment tools for the internal audit program? What would that application look like?
Yes. An auditor must determine the risk of hazards found throughout the facility. Most companies use risk matrices, much like HACCP, Preventive Controls and GFSI schemes like SQF uses, where there is a severity on one axis and probability on the other axis. We show this in the 2 day course as well. It is important to understand the risks associated with the situation found in the internal audit and be able to quantify that risk and explain it to others.
Q. Is it okay to digitize my audits on excel after completing a paper copy? I usually hand these out to our staff as they are more legible than my handwriting.
Yes - as long as you keep the paper copy as your original documents. An excel spreadsheet does not meet the electronic record requirement for food safety records under the law. People can change the data without the software keeping a document trail listing who made the change, what the change was, time and date change was made etc. Just like you have to on a paper record and documents have to be verified and signed off by person performing and person verifying - electronic records have to do the same). If you contact SafetyChain, their software can help get you set up with electronic documentation the right way. Then you won’t ever need paper again.
Q. How would you audit your traceability program outside of the recall system?
Internal auditors should select different items each time and have the appropriate employees (not the internal auditor) perform the traceability (one back and one forward). Items could include finished products, an ingredient or raw material, a processing aid (like mineral oil), or a packaging item. It could be incorporated into the recall exercise but does not have to be included. It must be documented as accomplishing both exercises. You want to evaluate both capabilities and how effective they were accomplished.
Is there a link to the ISO 19011:2018? How can we review this to ensure we are doing the right thing?
There is a link to the ISO 19011:2018. The cost is $185.00 for non-members. Click here for details.
Training and Finding the Right Auditor
Q. How often do you think an internal auditor should be trained on internal audits or inspections?
Initially trained on criteria, ISO 19011 protocols, company auditing procedures, hazards, and determining risks. Refresher training should be done periodically (annually or every two years) depending on how often they audit. Add other topics into the training schedule such as critical thinking, descriptive writing, hazard-specific topics, industry knowledge, etc. as needed. A formal update once every 5-6 years for someone on the team is recommended and having them share the updated information with the rest of the team.
Q. How much training do you feel an internal auditor should have? Should this include college courses or a specific quantity of hours? What kinds of training are available for Internal Auditors. Is it better to bring in a trainer, in your experience?
The minimum is to have a training course that uses ISO 19011 as its core. These are usually 2-4 days and have exercises for students to learn and apply what they have learned in the plant. We have a 2 day course with 6 exercises built to help students apply the concepts of ISO 19011 into their everyday internal audits, but we include the "best practices", good practices, preventive actions, non-conformances as well as the "wow" factor that are not found in other internal auditing courses. The best approach is to train the entire team together, so they go through the stages of team building (forming, storming, norming, and performing) quicker to get to performing as fast as possible. Having a college course for pathogens, radiological hazards, etc. is always “nice to have” if you can budget for them, but they are not required. There are good online courses for these types of topics, or having an instructor come in with a custom-designed course is also a possibility to get the team on the same page - your choice.
There are several training courses available in the market place. I would not recommend online training as it is very limited just to the didactic (wording of the ISO 19011 and some tips) training. You miss the ability to get questions answered easily, and you miss the nuances of internal auditing as well as the practical application of the protocols. The absolute best way to train the team is to bring in a trainer and train the entire team together with several exercises where you perform a mini internal audit and write up the findings and report the findings to the leadership team. You also work on the criteria to use in the internal audit and establish some objectives of what you want the team to accomplish with the internal audits. The best result is team building for the internal audit team - to work together towards the objectives. You also get to develop some of the "wow" factors for your products/processes.
Q. What should be the training frequency?
All auditors should be trained on the criteria, auditing protocols of ISO 19011, and the reporting protocols, as well as the hazards and risks associated with your products/processes at orientation. Annually, they should have topics to help them improve. If you use a pool of auditors and they audit only periodically (some choose to audit every other audit or some audit every two years) then they should have refresher training just-in-time to get them ready to audit. You want to ensure they are effective at auditing. Many companies offer topics either every 6 months or, some as often as quarterly to keep their auditors current and competent. They will rotate topics such as 1. criteria for audits; 2. protocols of ISO 19011; 3. Descriptive writing; 4. critical thinking; 5. hazards and risks of our products; 6. deeper learning about our industry and products; etc.
Q. Should internal auditors necessarily be a part of the HACCP or Food Safety Team? Should every member of the food safety team be an internal auditor?
At least one or two Food Safety Team members should be on the internal audit team. Just make sure every internal audit team member has the right skills to perform the internal audits and are willing to ask questions and tell someone that their work program "baby" is ugly - if it is, in fact ugly. They need to call findings like they see them and not "sugar coat" things. Of course, it is okay to have the entire food safety team on the internal audit team, as many companies have larger numbers of internal auditors than the food safety team. Keep in mind that food safety team members cannot audit the food safety team areas (plans, controls etc.), as it has to be someone not responsible for food safety. You need to have one person to audit the internal audit function that is not a formal internal auditor for other areas, their sole job is to audit the internal audit area.
We struggle with finding staff that is qualified to perform audits, AND have the time needed to perform the audits. Do you have any recommendations to help with this challenge?
First, senior leadership MUST view internal audits as a MUST HAVE. They have to see the value the audits have for the overall operation. Second, they need to know that the audit looks at everything in the business with regard to food safety and quality, and covers both effectiveness (meaning we meet the laws, GFSI requirements, customer requirements and internal requirements) and efficiencies (are we doing things the best way and most cost efficient way). You can estimate the cost of the audit (time and salary and equipment/supplies used) and gage it against current costs of waste, down time, loss of yield, returned product, customer complaints, etc. Adding the cost of prevention, cost of repair and cost of a potential recall are all data points the leadership can use to help run their business. Internal audits just make great business sense to perform.
Q. Is it required for the Audit Team members to be certified?
If the regulator (FDA, USDA, CFIA, etc.) asks about your effectiveness of performing internal audits, it is best to show them a certificate from a formal training program (outside course and not just internal training from someone who has not been trained properly). If someone has been trained from a course designed on ISO 19011, then they can train the rest of the people on the team if they know how to teach the appropriate materials and can answer questions.
Q. Is there an internal auditing course for labs?
This is something that can be easily customized for labs. The concepts, protocols, and procedures are the same or very similar. It is more about the application of those to the specific lab and the operations conducted at that lab (micro versus chemical or other analytical testing). The major difference is knowing the requirements and capturing them all in the audit, then ensuring all auditors know how to review it and evaluate against it and understand the risks associated with the findings. The "best practices", preventive actions, good practices, non-conformances are all the same, and the "wow" factor principles are the same just applied to a different process or set of processes. We can create this for you if you have the need.
Q. How to select a team in a small plant. For example, same people work in different departments.
There is an expectation that every company will have an effective internal audit system in place. Customers want you to find and fix the problems and not pass them on to them. With a small company with few employees, I would train 3-4 employees on how to perform the internal audits (have one to audit the internal audit system only) and have the rest be in the "pool". You can use 1-2 auditors at a time to perform the internal audit every 6 months ( or yearly) and either look at parts each month and review everything at the end of the 6 months (or yearly) or you can take 2-3 days and look at everything at the internal audit during that 6 month period (or twelve month period). It is your choice on how you want to break it up or not...you just need to look at everything within those 6 months. Most requirements are to perform once a year, and I do not recommend that because too much can happen to get a company way off track within that year so most small companies should be able to look at things every 6 months.
