What is Quality and Food Safety Auditing?

Auditing

Auditing is a systematic, independent and documented process for obtaining audit evidence (records, statements of fact or other information which are relevant and verifiable) and evaluating it objectively to determine the extent to which the audit criteria such as set of policies, procedures or requirements are fulfilled. Audit evidence is used to evaluate how well audit criteria are being met. Audits must be objective, impartial, and independent and the audit process must be both systematic and documented. Several audit methods may be employed to achieve the audit purpose. There are three discrete types of audits: product (which includes services), process and system. However, other methods such as a desk or document review audit may be employed independently or in support of the three general types of audits. Some audits are named according to their purpose or scope. The scope of a department or function audit is a particular department or function. The purpose of a management audit relates to management interests such as assessment of area performance or efficiency. An audit may also be classified as internal or external, depending on the interrelationships among participants.

Product audit – is an examination of a particular product or service (hardware, processed material, software) to evaluate whether it conforms to requirements (that is, specifications, performance standards, and customer requirements).

Process audit – A verification that processes are working within established limits. It evaluates an operation or method against predetermined instructions or standards to measure conformance to these standards and the effectiveness of the instructions. Such an audit may: Check conformance to defined requirements such as time, accuracy, temperature, pressure, composition, responsiveness, amperage, and component mixture. Examine the resources (equipment, materials, people) applied to transform the inputs into outputs, the environment, the methods (procedures, instructions) followed, and the measures collected to determine process performance. Check the adequacy and effectiveness of the process controls established by procedures, work instructions, flowcharts, and training and process specifications.

System audit – An audit conducted on a management system. It can be described as a documented activity performed to verify, by examination and evaluation of objective evidence, that applicable elements of the system are appropriate and effective and have been developed, documented, and implemented in accordance and in conjunction with specified requirements. I.e. a quality management system audit evaluates an existing quality program to determine its conformance to company policies, contract commitments, and regulatory requirements.

There are three types of audits: first-party, second-party and third-party. First-party audits are internal audits. Second and third party audits are external audits. Organizations use first party audits to audit themselves. First party audits are used to confirm or improve the effectiveness of management systems. They're also used to declare that an organization complies with an ISO standard (this is called a self-declaration). Of course, such a declaration is credible only if first party auditors are genuinely independent and free of bias. If you decide to use first party auditors to make a self-declaration of compliance, make sure that they aren't auditing their own work. Second party audits are external audits. They’re usually done by customers or by others on their behalf. However, they can also be done by regulators or any other external party that has a formal interest in an organization. Third party audits are external audits as well. However, they’re performed by independent organizations such as registrars (certification bodies) or regulators. The third party audits are very important sometimes because Global regulatory agencies (including the FDA, EMA, HC, TGA, etc.) require manufacturers to conduct internal audits to verify the suitability of their QMS systems. In addition, many companies have routine third-party audit programs where an independent organization verifies that a company’s systems and processes meet the appropriate standards and regulations.

First party audit – is performed within an organization to measure its strengths and weaknesses against its own procedures or methods and/or against external standards adopted by (voluntary) or imposed on (mandatory) the organization. A first-party audit is an internal audit conducted by auditors who are employed by the organization being audited but who have no vested interest in the audit results of the area being audited. First-party audits are often called internal audits. This is conducted when someone from the organization itself will audit a process or set of processes in the quality management system or food safety management system to ensure it meets the procedure that the company has specified. This person can be an employee of the organization or someone hired by the organization to perform the internal audits, such as a consultant, but the important thing is that the person is acting on behalf of the company rather than a customer or certification body. This type of audit is focused not only on whether the company processes meet the requirements of a standard, but all rules the company has set for itself. The audit will look for problem areas, areas where processes do not align with each other, opportunities for improvement, and the effectiveness of the quality management system. By design, these audits can and should be much more in depth than the other audits, since this is one of the best ways for a company to find areas to improve upon.

Second party audit – is an external audit performed on a supplier by a customer or by a contracted organization on behalf of a customer. A contract is in place, and the goods or services are being, or will be, delivered. Second-party audits are subject to the rules of contract law, as they are providing contractual direction from the customer to the supplier. Second-party audits tend to be more formal than first-party audits because audit results could influence the customer’s purchasing decisions. A second-party audit is conducted when a company performs an audit of a supplier to ensure that they are meeting the requirements specified in the contract. These requirements may include special control over certain processes, requirements on traceability of raw materials (knowing which raw materials/ingredients are used in which products), requirements for special cleanliness/hygiene standards, requirements for specific documentation, or any of a host of other items of special interest to that customer. These audits can be done on-site by reviewing the processes or even off-site by reviewing documents submitted by the supplier. The customer can audit all or part of the contract – whatever they see a need to audit. It is important to understand that a second-party audit is between the customer and the supplier and has nothing to do with becoming certified. Many people thought that second-party audits would not be necessary once a company is certified to ISO 9001/ISO 22000 by a certification body, but this is not necessarily true. Even if you are certified by a third-party audit, any of your customers may still want to perform a second-party audit to look at elements of their contract, especially if these elements are not the same as the ISO 9001/ISO 22000 requirements. This is not required by all customers, and is not required to be certified to ISO 9001/ISO 22000 by a certification body, but it is specified in some contracts and there are some customers that choose to perform these audits.

Third party audit – is performed by an audit organization independent of the customer, supplier relationship and is free of any conflict of interest. Independence of the audit organization is a key component of a third-party audit. Third-party audits may result in certification, registration, recognition, an award, license approval, a citation, a fine, or a penalty issued by the third-party organization or an interested party. A third-party audit occurs when a company has decided that they want to create a quality management system (QMS) or a food safety management system (FSMS) or environmental management system (EMS) that conforms to a standard set of requirements, such as ISO 9001/ISO 22000/ISO 14001. Then hire an independent company to perform an audit to verify that the company has succeeded in this endeavor. These independent companies are called certification bodies or registrars, and they are in the business of conducting audits to compare and verify that the QMS/FSMS/EMS meets all the requirements of the chosen standard, and continues to meet the requirements on an ongoing basis. They then provide certification to companies that they approve. This can be used to give customers of the certified company confidence that the QMS/FSMS/EMS meets the requirements of the chosen standard. There are three types of audits used in this process, called certification audits, maintenance or surveillance audits, and re-certification audits.

Purposes of audits

An auditor may specialize in types of audits based on the audit purpose, such as to verify compliance, conformance, or performance. Some audits have special administrative purposes such as auditing documents, risk, or performance or following up on completed corrective actions.

Certification; Companies in certain high-risk categories such as toys, pressure vessels, elevators, gas appliances, and electrical and medical devices—wanting to do business in Europe must comply with Conformité Europeënne Mark (CE Mark) requirements. One way for organizations to comply is to have their management system certified by a third-party audit organization to management system requirement criteria (such as ISO 9001). On the other hand, some products can be exported to certain markets if they are certified with given certifications such as HACCP or HACCP based food safety management systems. 

Customers may suggest or require that their suppliers conform to ISO 22000, ISO 9001, ISO 14001, or safety criteria such as OHSA, as well as federal regulations and requirements may also apply. A third-party audit normally results in the issuance of a certificate stating that the auditee organization management system complies with the requirements of a pertinent standard or regulation.

Third-party audits for system certification should be performed by organizations that have been evaluated and accredited by an established accreditation board in the given country or territory.