Unannounced Food Safety Audits

What is an Unannounced Food Safety Audit?

Creating a 24/7 audit-ready operation is all about cultivating a food safety culture with an understanding of the importance and appropriate implementation of prerequisite programs and the implications of the food safety management system which will help to ensure organization would be ready whenever unannounced visit began. The unannounced audits are additional audits for which Notified Bodies (NBs) do not announce the date to manufacturers, which means the auditors commissioned by the notified body will arrive on the sites to be audited and proceed to the audit without giving the manufacturer prior notice. This type of audit comes in addition to the initial, surveillance or renewal audits of the three-year certification cycle. I.e. European Commission Recommendation 2013/473/EU defines their objectives and procedures for execution as from September 24, 2013, as a result of the breast implant scandal, after which the demand emerged to check medical device manufacturers not only in the context of the ISO 13485, but also to take unannounced and random samples to ensure that the requirements of the QM system are met in everyday work. That requires manufacturer has to be performed at least once every three years, which should last at least a whole day, and should be conducted by a team of at least two auditors. They may take place on the premises of the manufacturer, of critical subcontractors, or of crucial suppliers.

Many industries are moving toward unannounced third-party certification audits and the food industry is no different, because there are a number of benefits to unannounced audits, most importantly is their positive impact on a company’s food safety culture and how they prepare facilities to face sudden inspections If regulatory audits are unannounced, why is the food industry reluctant to adopt unannounced third-party audits?. Typically, regulatory audits such as FDA are always unannounced. Unannounced audits for food are required for many third-party certification audits, because unannounced audits help demonstrate compliance and provide confidence to all stakeholders that your manufacturing sites are operating on the same GMP level, day to day, shift to shift, for every day your organization is manufacturing and distributing food products. Nonetheless with announced audits, companies tend to prepare for them before they occur. However, if there is a significant amount of difference between your sanitary operations prior to and during an announced audit versus normal operating conditions, you are sending your employees the wrong message.

FDA are already practicing unannounced audits for some time and most current example of the unannounced audit official integration is FSSC 22000 version 4.1. Hence, the unannounced audits are mandatory for any organization that is certified under FSSC 22000 version 4.1., whereas the new guidelines, the unannounced audits can be conducted in a period of between 3 and 12 months after the previous audits. While the certification body holds the decision of which audits will be unannounced, the guidelines state that the initial audit and recertification audit can never be unannounced. Thus, this will be soon integrated in to other food safety certifications such as ISO 22000:2018, or even in the ISO audit models where food safety landscape is moving towards a positive direction to improve the health conditions of the food as well as prevention strategies of the food processing industry.

Although there are differences between certification schemes, the GFSI third-party unannounced audits usually have a 40 to 60 day window.  Within the period, the audit must be completed to allow the certification body to complete technical reviews and review corrective actions so that the certificate does not lapse. Hence, if it is a surveillance audit, then the audit is more likely to be truly unannounced, but a company still has the option of using blackout dates and the auditor will verify that the request was necessary. The bottom line is most companies have a certain time frame when they know unannounced audits will occur.

Considerations of an Unannounced Audit

The standard/regulatory body usually publishes their own recommendation on how these audits should be carried out, but an aggravation applies to unscheduled audits by notified bodies. For example, the following is to be checked:

Is there a precise intended use description?

Is the product correctly classified?

Are the general performance and safety requirements met?

Are the hazards determined?

Are risks minimized as much as possible?

Is there an acceptable risk-benefit ratio?

A representative of a notified body reported that they would take care, especially in unannounced audits, to check whether the documentation is up to date and whether the products actually comply with the criteria. The first point concerns the development a lot more, the second the production. This prioritization is understandable because, regulatory organizations wants to ensure that food/medical device manufacturers do not, in preparation for regular audits, bring everything to order and in doing so, not comply with the requirements of its own quality management system, or even deliberately violate them. However, with an unannounced audit the manufacturer has no chance, to update or improve outdated or missing developing documents or to conceal missing product tests and to falsify records of product testing.

The Impacts

The biggest impact on third-party audits is when the audit score is directly related to financial incentives for employees, which motivates employees to pursue activities to achieve the maximum score, not directly related to food safety. On the other hand, activities may include significant audit preparation to eliminate or reduce GMP deficiencies, reduce or control the auditor’s access to records or areas of known plant deficiencies and to appeal any audit finding that lowers the score. Hence, switching auditors or appealing findings can be legitimate tools to correct a system when auditors make errors in judgement or behavior. Thus, choice of activities to achieve the highest score should be reasonably governed because they could take away from the primary goal to operate in a food safe mode.

The goal of an internal audit program is to be compliant with regulatory inspections and third-party certification requirements which should be risk-based to actually determine what factors present the most risk to an organization and then align internal audits with those risks. Thus, conducting an unannounced audit to perform well on a regulatory audit should be a primary concern. If your food safety system is primarily audited by FDA, they usually perform unannounced inspections, if it is FSSC 22000, then there will be an opportunity for you to calculate the time line of unannounced auditing time, however in both cases it would seem necessary to have your food safety system, prerequisite programs and operations in a constant state of readiness to mitigate the risk of potentially unsafe food in commerce resulting in a recall.

Self-Evaluation

One way to evaluate organization’s food safety culture is to anonymously survey employees at all levels of the organization to gather information on attitudes and opinions about food safety and institute changes to improve organization’s position. Nonetheless, it is advisable to initiate change by instituting unannounced audits on all manufacturing shifts as a form of internal audits with mandatory participation by all departments in the audit function to move away from QA-centric food safety verification systems. The significant change is that all departments would be involved as an auditor and responsible for maintaining regulatory compliance. For some companies, the inclusion of all departments of the facility in the audit function has moved the needle in the goal to improve their food safety culture. It is also important to enhance food safety culture through adhering to GMPs all the time, while educating the importance of accurately completing and verifying food safety records, and fostering consensus between departments on the severity of food safety non-conformances requiring prompt corrective actions.

For food safety purposes, maintaining GFSI certification is an excellent way to achieve food safety requirements for compliance with FDA unannounced inspections. Although not specifically required by GFSI, another application of your internal audit program is to review your regulatory policy by performing a mock FSSC 22000 inspection to identify any gaps in hazard analysis, identify preventive controls including the supply chain controls, accurately complete food safety records, and provide examples of corrective actions when preventive controls were not completed properly, and environmental corrective actions. On the other hand, if organization decides to perform a mock FDA inspection of the processing facility, do not forget to include the FDA Guidance document criteria, as it is important to understand what the FDA expects to see when they are evaluating FSMS implementation. Organization’s internal audit program is a proactive program to note non-conformances before they become full blown problems, so don’t be afraid to use it to its fullest extent.