Most audit schemes around the world include an internal audit. However, many people are not totally clear on the concept. When I asked whether a company has an internal audit program, the answer is often yes, and the company proceeds to show me a GMP checklist it conducts once a month or so. This is an internal audit of a sort, but it is not what ISO 22000 and most of the Global Food Safety Initiative-approved schemes require.

The internal audit is a crucial element in the verification process. But the mantra for all processors should be develop, document, implement, maintain, update and seek to continually improve their food safety management system. The roles of the internal audit are to verify the system is working as designed (maintenance), see if it is operating as effectively as it should (updating) and provide a base line for improving it (continual improvement).

Section 8.4.1 of the ISO 22000 standard, “ISO 22000: Food safety management systems — Requirements for any organization in the food chain,” reads as follows: “The organization shall conduct internal audits at planned intervals to determine whether the food safety management system a.) conforms to the planned arrangements, to the food safety management system requirements established by the organization, and to the requirements of this International Standard, and b.) is effectively implemented and updated.”

Internal audits should address all elements of the food safety management system which include, but are not limited to, the HACCP plan, prerequisite programs, resource management, programs to ensure the people doing the work are competent (including training and education), communication and management commitment.

Ideally, internal audits should not be checklist audits. There may be a list of different elements the auditor should be reviewing, but he or she should not simply be checking off things. Each element of the food safety management system should include the following:

• Procedures
• Records
• Training, education or a means of showing people doing the work are competent
• Verification activities
• Corrective actions and/or corrections.

 The auditor must understand the procedures being audited and determine whether they are being followed. Many internal auditors take the written protocols to the plant floor and watch people to ensure they are being followed.

 Some elements of the food safety management system include a large number of procedures and take more time to evaluate. For example, cleaning and sanitation and preventive maintenance may have dozens of protocols, especially in a large food processing facility. In such situations, auditors may elect to audit a sampling of protocols rather than each and every one. On the other hand, auditing a company’s water quality management program may be easy since there may be only a few protocols such as backflow device monitoring, water sampling and testing, standards for different applications, chlorination and plumbing diagrams and maintenance. The auditor must also look at records to ensure compliance, whether the persons doing the work are trained or have demonstrated competency and whether corrective actions have been taken when deviations or failures have occurred.

The auditor also must review what happens when a problem occurs in the food safety management system. Employees must know how to recognize when something goes wrong and take proper corrective action. They must also know how to determine if the problem is small or a more serious breakdown of the system.

The result will be a report on the element of the food safety management system that was audited. Were there gaps or adverse findings? Were procedures being followed? Did the audit indicate the current systems could be updated or improved? If there are adverse findings, these should be written up and presented to the person managing that particular element of the food safety management system. If a serious issue has been identified, the manager may be instructed to conduct a root cause analysis. The corrective action program should include a plan to address the issue, a time line to complete the program and a means to evaluate whether the corrections were effective.

Section 8.4.1 of the ISO 22000 standard states, “Selection of auditors and the conduct of audits shall ensure the objectivity and impartiality of the audit process.” This means a company must select and educate a team of auditors to ensure internal audits may be done by a person independent of the area being audited.  For instance, auditors may be drawn from production, quality, engineering or maintenance, human resources, shipping and receiving, warehousing or the laboratory.

Once a company has decided on a pool of internal auditors, it must make sure these people receive the proper education to do the task. Some companies conduct these programs in-house, whereas others elect to send their people to off-site auditor programs. But even if people are trained off site, it is the company’s responsibility to ensure they understand their own internal audit programs.

When designing an internal audit program, processors should not try to audit all the elements within a short period of time. Many set up the program to stretch over the course of a year. This helps ensure each element will not only be audited, but there is time to implement any necessary corrections or corrective actions. Stretching out an audit also helps minimize pressure on the internal audit team members, each of whom will conduct several audits over the course of the year. For example, if a company decides 25 elements of its food safety management system need to be audited, it can stagger these audits throughout the year.

Building an internal audit program takes time and effort, as well as a serious commitment from managers, who must drive the program, select and properly educate internal auditors and allocate the time for the audits to be conducted. And, they must ensure this essential verification activity is incorporated into the management review as part of the company’s continuous improvement program.