Auditing Process and Practical Auditing - II

The Audit

The audit is a process which consists of 4 interconnected steps; that initiates, conduct and evaluate before reporting to the concerned parties.

The 4 Phases of an Audit

Audit preparation – Audit preparation consists of everything that is done in advance by interested parties, such as the auditor, the lead auditor, the client, and the audit program manager, to ensure that the audit complies with the client’s objective. The preparation stage of an audit begins with the decision to conduct the audit. Preparation ends when the audit itself begins.

Audit performance – The performance phase of an audit is often called the fieldwork, which is the data-gathering portion of the audit and covers the time period from arrival at the audit location up to the exit meeting. It consists of activities including on-site audit management, meeting with the auditee, understanding the process and system controls and verifying that these controls work, communicating among team members, and communicating with the auditee.

Audit reporting – The purpose of the audit report is to communicate the results of the investigation. The report should provide correct and clear data that will be effective as a management aid in addressing important organizational issues where audit process may end when the report is issued by the lead auditor or after follow-up actions are completed.

Audit follow-up and closure – According to ISO 19011, clause 6.6,; “The audit is completed when all the planned audit activities have been carried out, or otherwise agreed with the audit client.” Clause 6.7 of ISO 19011 continues by stating that verification of follow-up actions may be part of a subsequent audit.

However, requests for correction of nonconformities or findings are very common, where corrective action is the action taken to eliminate causes of an existing nonconformity, defect, or other undesirable situation in order to prevent recurrence (reactive). Corrective action is about eliminating the causes of problems and not just following a series of problem-solving steps, where preventive action is an action taken to eliminate the causes of a potential nonconformity, defect, or other undesirable situation in order to prevent occurrence (proactive).

Performance versus Compliance/Conformance audits

There are various terms to describe an audit purpose beyond compliance and conformance: value-added assessments, management audits, added value auditing, and continual improvement assessment are some of the very common terms where purpose of these audits goes beyond traditional compliance and conformance audits. The audit purpose relates to organization performance, where the audit, that determine compliance and conformance are not focused on good or poor performance. Yet performance is an important concern for most organizations. A key difference between compliance conformance/audits and audits designed to promote improvement is the collection of audit evidence related to organization performance versus evidence to verify conformance or compliance to a standard or procedure. An organization may conform to its procedures for taking orders, but if every order is subsequently changed two or three times, management may have cause for concern and want to rectify the inefficiency.

Follow-up Audit

A product, process, or system audit may have findings that require correction and corrective action. Since most corrective actions cannot be performed at the time of the audit, the auditor may require a follow-up audit to verify that corrections were made and corrective actions were taken. Due to the high cost of a single-purpose follow-up audit, it is normally combined with the next scheduled audit of the area. However, this decision should be based on the importance and risk of the finding. An organization may also conduct follow-up audits to verify preventive actions which were taken as a result of performance issues that may be reported as opportunities for improvement or sometimes organizations may forward identified performance issues to management for follow-up.

The Auditor’s Concerns

What types of records will an internal auditor review?

Policies and Procedures (SOPs)

Records

Observation of the processes within the scope of the audit

Training records (Anything that can prove ongoing systems are operating as intended and as required)

Health status records

What types of records will an internal auditor not review?

Personnel records

Disciplinary records

Human resource records specific to employees

Accounting records not under the quality/safety management system

What is the role of an internal auditor?

A catalyst

An interface between groups

An advisor

A reporter of facts

An internal auditor can become a type of internal consultant for the organization

Why External/Second Party Audits are Important? 

One organization auditing another with which it either has, or is going to have, a contract or agreement for the supply of goods or services.

Comprehensive evaluation performed by a customer to help ensure that the supplier is operating under a state of control for periodic auditing of annually or biennially.

These audits are performed to help ensure the proper capabilities and quality systems are in place which promotes understanding of expectations of the customer.

This provides an avenue of quality/safety performance information transfer between the supplier and customer, which builds customer confidence regarding compliance to regulations/standards as a good business practice.

What an external auditor will review (not all inclusive)?

Quality manual or performance improvement plan

Organizational charts

Registrations/licenses/accreditations

Policies and procedures (sops)

Records

Observation of the processes within the scope of the audit

Training records

Usually a high level sampling of the above documents

What an external auditor will not review?

Internal audit reports

Other organizations audit reports

Personnel records

Health records

Disciplinary records

Human Resource records specific to employees

Accounting records not under the quality management system

May inquire about last FDA audit findings

Why External/Third Party Audits are Important? 

Verify compliance to specific regulations or standards 

Required by law:  FDA, State, OSHA, EPA, Financial 

Voluntary: AATB, ISO, AOPO, EBAA

What a Third Party Auditor will review (not all inclusive)?

Food safety/Quality Manual or Performance Improvement Plan

Organizational Charts

Records including training records

Observation of the processes within the scope of the audit can review the schedules and procedures for management review and for internal and external (audits usually a high level sampling of the above documents)

All the critical control points and OPRPs

HACCP studies

Previous Internal audit files

NCR/CAR reports

Continuous Improvements

Internal or external audit reports

Management review outputs  

 The external auditors (second/third) as well as internal audits will consider following areas for their audit mandates   

System – A review of the theory behind the processes (can be a food safety/quality system

audit) and a high level review of an organizations systems; document control, training programs, control of measurement and test equipment which usually spans multiple departments and includes processes.

  

Process – The practices of the organization, the flow and inter-relationships within systems always a part of a systems audit but process audits can be performed separately. This is where the organizations procedures are validated. How effective are the communications between processes and the systems are also very important.

  

Product – The results of the processes; assessment of the final product evaluated against the requirements (specs, inspection records, procedural requirements) which could be final inspection. There can be a complete breakdown of the final product that verifies the paperwork trail, inspection and test results, and that the specs were all met this can be used internally but often used in a Second Party audit of a supplier of specific products.

Documentation – Paper trail of compliance or documented overview of organizations systems. Paper audit or desktop audit as well as survey can be used to pre-qualify a supplier but best to perform an on-site prior to accepting product

What a Third Party Auditor will not review?

Personnel records

Health records

Disciplinary records

Human Resource records specific to employees

Accounting records not under the quality management system

Internal audits

When developing your audit schedule base the need on risk and do not just try to comply with the requirements. The risk can be further categorized as health risk, process risk, business risk and compliance risk.

Tips on how to prepare for the audit

Assure your critical documents reflex current practices within the organization

Assure your SOPs are developed, reviewed, approved, revised and archived

Documented procedures for all core requirements and critical processes

Corrective and preventative action mechanisms with prompt and effective responses

Training and education of personnel – current and documented

Environmental monitoring – current and complete

Record maintenance – up to date

Product deviation investigation – system in place

Audit program – continuous

Food Safety Auditing

One of the keys to any successful food safety auditing program is to know who you are buying from. In order to do this, food suppliers' facilities should be inspected on a regular basis either by your own auditors, approved 3rd party auditors or combinations of the two methods which are external audits. This must be done in a comprehensive but cost effective manner. All of the supplier’s facilities and processes, as well as those vendors and suppliers who service your food material, warehousing and transportations needs should be evaluated on a regular basis by buyer’s auditors or third party hired auditors.

However, adequate and up to date standards and requirements can only be verified through approved 3rd party audits. Combinations of these two methods are the best way to protect you against unexpected safety or quality incidents. At the same time, the process must be accomplished in a comprehensive, yet cost effective manner where buyer needs to develop, implement and validate/verify supplier-auditing programs. Supplier auditing optimization (review of current programs and recommendations for modifications, if needed) can be carried out by developing and helping to implement new programs (includes guidelines for selecting third party auditors, role of consumer complaint monitoring and cost implications to you and your suppliers) in addition conducting triage audits in cases where recalls or consumer complaints are involved will be very important which can be further improved by developing risk-based auditing instruments

Third Party Audits and Food Safety Inspection

Third party audits provide a credible verification of system to the entire food processing industry including retail environments, meat, fish, and poultry, vegetable as well as produce suppliers. Having a HACCP plan in place is often a first step to a successful food safety program, but it is not entirely enough to ensure that food safety standards are being adhered to on a consistent basis. Purchasing food products from an outside source may directly impact on the success of your business, if your vendor does not adhere to the same strict sanitation standards as maintained in your operations.