BEST PRACTICE GUIDELINE INTERNAL AUDIT
Transcript of BEST PRACTICE GUIDELINE INTERNAL AUDIT
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
Issue 2
BEST PRACTICE GUIDELINE
INTERNAL AUDIT
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
July 2008
BRCGS
BEST PRACTICE GUIDELINE
INTERNAL AUDIT
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
Liability
BRCGS* publishes information and express opinions in good faith, but accept no liability for any error or omission in any such
information or opinion including any information or opinion contained in this document.
Whilst BRCGS have endeavoured to ensure that the information in this publication is accurate, it shall not be liable for any
damages (including without limitation damages for pure economic loss or loss of business or loss of profits or depletion of
goodwill or otherwise in each case, whether direct, indirect or consequential) or any claims for consequential compensation
whatsoever (howsoever caused) arising in contract, tort (including negligence or breach of statutory duty), misrepresentation,
restitution, or otherwise, in connection with this publication or any information contained in it, or from any action or decision
taken as a result of reading this publication or any such information.
All warranties, conditions and other terms implied by statute or common law are, to the fullest extent permitted by law,
excluded.
Nothing excludes or limits the liability of BRCGS for death or personal injury caused by their negligence, for fraud or fraudulent
misrepresentation or for any matter which it would be illegal for them to exclude or attempt to exclude liability for.
The Best Practice Guideline for Internal Audit and the terms of the disclaimer set out above shall be construed in accordance
with English law and shall be subject to the nonexclusive jurisdiction of the English Courts.
Copyright
© BRCGS 2008
All rights reserved. No part of this publication may be transmitted or reproduced in any form (including photocopying
or storage in any medium by electronic means) without the written permission of the copyright owners. Application for
permission should be addressed to the Director of Global Standards at BRCGS, contact details below. Full acknowledgement of
author and source must be given.
The contents of this publication cannot be reproduced for the purposes of training or any other commercial activity.
No part of this publication may be translated without the written permission of the copyright owners.
Warning: Any unauthorised act in relation to a copyright work may result in both a civil claim for damages and criminal
prosecution.
BRCGS
Second Floor
7 Harp Lane
London
EC3R 6DP
Tel: +44 (0) 20 3931 8150
email: [email protected]
website: brcgs.com
* BRCGS is a trading name of BRC Trading Ltd.
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
Best practice Guideline: Internal Audit
© BRC
www.brcglobalstandards.com
iii
Contents
Acknowledgements iv
1 Objective of Guideline 1
2 The Importance of Internal Audit 1
3 What is Internal Audit? 1
4 Audit Format 2
5 Planning an Audit Schedule – Risk Assessment 4
6 Auditor Training 6
7 Who Should Carry out Internal Audits? 6
8 Audit Preparation 7
9 Audit Process 8
9.1 ‘Opening Meeting’ 8
9.2 Personnel Involvement 8
9.3 Audit Timing 8
9.4 Review and Inspection 8
9.5 Confirmation of Findings – the ‘Closing Meeting’ 8
10 Conducting an Audit 9
10.1 Look and Listen 9
10.2 Ask 9
10.3 Check 9
11 Audit Findings 9
11.1 Classifying Non-conformities 10
12 Corrective Action 10
13 Documentation 11
14 Review 11
Appendices 12
Appendix 1 Example of a Scored Weekly GMP and Hygiene Audit 12
Appendix 2 Example of a Systems and Procedures Audit 13
Appendix 3 Example of an Unscheduled Audit as Part of a Complaint Investigation 14
Appendix 4 Example of a Risk Assessment for Audit Frequency 16
Glossary 17
Sources of Further Information 18
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
iv
Best practice Guideline: Internal Audit www.brcglobalstandards.com
© BRC
Acknowledgements
BRC would like to acknowledge the invaluable input and assistance of the many individuals who have contributed in producing and reviewing this guideline.
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
Best practice Guideline: Internal Audit
© BRC
www.brcglobalstandards.com
1
1 Objective of Guideline
A comprehensive internal audit system is fundamental to a company’s safety and quality control as it provides confirmation that systems and procedures are operating effectively and identifies areas that require improvement. This guideline promotes best practice for an effective internal audit system. It provides a simple and effective framework to:
n plan an audit schedule
n define the requirements for staff undertaking internal audits
n consider the aspects necessary to conduct an audit
n record audits comprehensively
n give guidance on corrective action to be undertaken
n identify opportunities for continual improvement.
Principles are illustrated by the use of case studies and examples.
2 The Importance of Internal Audit
Internal auditing is a key factor in ensuring continued compliance with company policies and procedures and must be regarded by the senior management of a company as being critical to its operation. Objectives of internal audits are to:
n identify whether systems, processes or procedures meet or do not meet requirements and objectives
n record objective data – whether this shows conformity or non-conformity
n ensure appropriate corrective action is taken when deficiencies are found
n provide useful information that shall be fed back to management for review, assessment and identification of action including provision of resources
n identify opportunities for continual improvement and identify the potential for problems before they occur.
The objectives of internal auditing should be understood by staff throughout the company, so that they understand that auditing is about improvement and not about catching someone doing something wrong. Internal audits should provide meaningful information to be discussed and reviewed at senior management review meetings to allow for resources to be focused on problem areas.
3 What is Internal Audit?
Audit is defined as:
‘A systematic examination to substantiate whether activities and related results comply with planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve objectives.’
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
2
Best practice Guideline: Internal Audit www.brcglobalstandards.com
© BRC
There are three types of audit:
n Third-party audits are undertaken by independent auditors such as the certification body responsible for certification of a site to a BRC Global Standard.
n Second-party audits occur where the auditor is associated with the company having a commercial interest, e.g. auditing suppliers.
n First-party or internal audits are audits conducted within a company, whether this involves internal staff or external consultants.
Whichever type of audit is undertaken, the principles for a successful audit are the same. The steps for carrying out an internal audit are illustrated in Figure 1.
4 Audit Format
Audits may be one of two formats:
n An audit of systems (for example, a review of the company’s traceability policies and procedures against the requirements of the BRC Global Standards) establishes whether these systems are adequately designed to meet the requirements. In other words, has the company identified the correct things to do?
n An audit of procedures and practice establishes whether personnel are carrying out procedures correctly against the documented system and whether these procedures are appropriate. For example, establishing whether staff are correctly adhering to the company requirement of hourly metal detection checks.
Audits may be undertaken to investigate all the elements of a system and cover aspects of both system and practice. For example, the BRC Global Standards require that all the elements that constitute the requirements of the Standard shall be regularly audited to a nominated schedule, and should include policy and practice.
Audits may also constitute part of an investigation process and may therefore be unplanned. For example, confirming that the procedure for the cleaning of a specific piece of equipment is carried out correctly when routine microbiological testing of food products reveals an out-of-specification result.
Audits may be planned or unplanned but they should always be sufficiently prepared for.
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
Best practice Guideline: Internal Audit
© BRC
www.brcglobalstandards.com
3
Figure 1 The internal audit process
Agree audit scope
Develop audit schedulethrough risk assessment
Identify auditor who isappropriately trained and independent
Establish audit timing– when it will be carried out
– how long it will take
Identify audit requirements andprepare checklist
Collect and document objectiveevidence recording conformity as
well as non-conformity
Agree non-conformities andresponsibility and timescale for
corrective action
Verify and document corrective actionsas effectively completed
Communication to senior managementof audit findings for review
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
5 Planning an Audit Schedule – Risk Assessment
Planned internal audits should be carried out to a documented schedule. Consideration of the frequency of audits should be based on the following factors:
n risk
n severity of consequences if the system or compliance with it is inadequate
n potential for changes which would affect these control systems
n historical background to issues within the company
n best practice
n customer requirements
n external requirements such as certification to BRC Global Standards.
It is likely that a more frequent need for internal audit is identified for practices in key areas such as hygiene, good manufacturing practices (GMP) and foreign-body risks – particularly those of glass and controls identified as critical control points (CCP) within any hazard and risk assessment analysis. An example of a simple assessment for audit frequency of glass materials is shown in Appendix 4. Audits may also be undertaken as a result of issues such as customer complaints or out-of-specification results and will therefore be unscheduled (refer to Appendix 3).
Table 1 is an example of a planned systems audit schedule for a consumer product manufacturer. The company also undertakes weekly hygiene audits and glass checks as well as annual policy reviews.
The schedule identifies the resources available to conduct audits – for example, it avoids the busy production period of December and ensures that the internal audit schedule itself is reviewed together with the main points of concern (management review and hazard and risk management) at the beginning of the year. The review of pest control falls before the contract is due for renewal in December and before the end of the company’s capital budget year, to allow for any additional expenditure that is required. Traceability has been an issue within the company and therefore is scheduled to be checked at least twice during the year as well as constituting part of the product recall exercise.
Table 1 is an example of a schedule for a systems review which will include an audit of the policies to confirm whether they still meet the requirements of the company, of legislation, of any certification such as BRC, and of the customers. The review will also include the operation of these policies in practice, i.e. whether staff are correctly interpreting and following the policies and procedures.
4
Best practice Guideline: Internal Audit www.brcglobalstandards.com
© BRC
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
Tabl
e 1
Syst
ems
audi
t for
a c
onsu
mer
pro
duct
s m
anuf
actu
rer
Are
aA
ctio
n s
um
mar
y A
ud
ito
r Ja
nFe
bM
arch
A
pri
lM
ayJu
ne
July
Au
gSe
pt
Oct
No
vD
ec
Haz
ard
and
risk
man
agem
ent
Team
to
carr
y ou
t re
view
– e
nsur
e th
at a
ll pr
oduc
ts,
raw
mat
eria
ls a
nd n
ew p
rodu
cts
are
cove
red.
Sch
edul
e to
be
esta
blis
hed
for
mon
thly
rev
iew
to
cove
r al
l crit
ical
poi
nts
and
chec
k th
at n
ew p
rodu
cts
are
corr
ectly
ass
esse
d.
1x
Cus
tom
erfo
cus
Re
view
com
plai
nts
and
key
perf
orm
ance
indi
cato
rs (
KPI
s).
Mee
ting
with
cus
tom
er.
1x
Man
agem
ent
revi
ewRe
view
act
ion
poin
ts f
rom
pre
viou
s m
eetin
g.
2x
Inte
rnal
aud
itRe
view
aud
it sc
hedu
le t
o en
sure
it c
over
s al
l req
uire
dar
eas
and
chec
k al
loca
tion
of a
udito
r re
sour
ce. E
nsur
e al
lau
dits
com
plet
ed t
o sc
hedu
le. S
ampl
e do
cum
enta
tion.
Ana
lyse
dat
a to
pre
sent
to
man
agem
ent
team
.
2x
App
rove
d su
pplie
rs
Revi
ew a
nd u
pdat
e su
pplie
r re
gist
er.
Revi
ew p
erfo
rman
ceda
ta a
nd p
rese
nt t
o m
anag
emen
t te
am.
Plan
hig
h-ris
ksu
pplie
r si
te a
udits
sch
edul
e. R
evie
w d
ocum
enta
tion.
1
x
Raw
mat
eria
lsp
ecs
Revi
ew li
stin
g. E
nsur
e up
date
d sp
ecifi
catio
ns e
xist
for
all
raw
mat
eria
ls.
Revi
ew d
ocum
enta
tion.
Che
ck c
ertif
icat
esof
con
form
ity a
nd a
ny t
est
repo
rts.
3
x
Fini
shed
pr
oduc
t sp
ecs
Ensu
re t
hat
an u
pdat
ed s
peci
ficat
ion
exis
ts f
or a
ll pr
oduc
ts. R
evie
w f
orm
at. R
evie
w d
ocum
enta
tion.
3
x
Trac
eabi
lity
Car
ry o
ut t
race
- bac
k an
d fo
rwar
d ex
erci
se.
Revi
ew p
aper
wor
k an
d m
ake
any
nece
ssar
y ch
ange
s.
1x
x
Reca
llRe
view
any
pro
duct
rec
alls
. In
the
eve
nt t
hat
no r
ecal
l si
tuat
ion
occu
rred
, un
dert
ake
a 'd
umm
y' r
ecal
l exe
rcis
e to
ensu
re f
ull t
race
abili
ty.
1x
Non
-con
for-
min
g po
duct
Re
view
all
non-
conf
orm
ing
prod
uct
pape
rwor
k.Su
mm
aris
e an
d re
port
to
man
agem
ent
team
. 1
x
Com
plai
nts
Ove
rvie
w o
f sy
stem
, re
view
ing
mon
thly
tre
nd a
naly
sis.
Pres
ent
annu
al r
epor
t to
man
agem
ent
team
. 1
Mai
nten
ance
Re
view
mai
nten
ance
list
s.
Sam
ple
proc
edur
es a
nd d
ocum
enta
tion.
Ana
lyse
for
tre
nds.
2
x
Pest
con
trol
Re
view
doc
umen
tatio
n, o
utst
andi
ng a
ctio
n lo
g. R
evie
wm
eetin
g w
ith s
ervi
ce p
rovi
ders
.2
x
Staf
f tr
aini
ng
Revi
ew r
ecor
ds a
nd t
rain
ing
mat
rix.
1
Tran
spor
t A
udit
docu
men
tatio
n an
d pr
oced
ures
. 2
x
Cal
ibra
tion
Revi
ew s
ched
ule
and
all e
quip
men
t up
-to-
date
.Pr
oced
ures
car
ried
out
corr
ectly
. 2
x
xx
x
x
Refe
r to
App
endi
x 2
for a
n ex
ampl
e of
an
audi
t rep
ort o
f the
syst
em fo
r non
-con
form
ing
prod
uct c
ontr
ol.
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
6
Best practice Guideline: Internal Audit www.brcglobalstandards.com
© BRC
6 Auditor Training
Auditing is an acquired skill and auditors need to be trained to ensure they are carrying out this function effectively. Training should include auditing skills as well as relevant technical knowledge such as Hazard Analysis Critical Control Point (HACCP) or risk assessment principles together with appropriate product technical knowledge.
Different levels of ‘qualification’ may be required for the two different types of internal audits noted in section 4: ‘systems’ audits and ‘procedure and practice’ audits. Systems auditors must have sufficient knowledge of the broader objectives of the ‘system’ being audited to determine whether the procedures designed to achieve the objectives are suitable, when they are appropriately implemented by trained staff.
Auditors involved in the audit of ‘procedure and practice’ may need less experience in the broader aspects of the objectives of the procedure as their role is primarily to:
n determine whether the procedure is practical to implement (correctly written)
n understand the procedure
n gather objective evidence regarding its practical application in the work environment
n assess the adequacy of training and level of understanding of those staff responsible for its implementation.
Auditors can be trained via external training courses as evidenced by training records. This will often be in the form of a certificate and should include:
n name of the trainee
n confirmation of attendance or successful completion of examination
n date and duration of the training
n course title (where it is an industry-recognised course) or an indication of the contents such as subject headings
n name of the training provider.
Training may also be achieved through an in-house training course, where all the details outlined above should be available. Auditor competence may also be established through on-the-job coaching and experience, and this may be demonstrated through the quality of auditing work. Whether this is acceptable to a third-party auditor would be individually assessed on the evidence available at the time of the audit.
Where the training provider is an ‘independent’ external resource, it is good practice to also retain on record a copy of the trainer’s qualifications with respect to the training provided.
It should be recognised that training of auditors, however this is achieved, is a continual process and planning should allow for contingency and staff turnover.
7 Who Should Carry out Internal Audits?
Auditors shall be independent from the department which they are auditing. This principle is to ensure that the audit is rigorous and thorough and is not influenced by the work which may need to be carried out to effect corrections and improvements. Auditors should not be biased or influenced.
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
Best practice Guideline: Internal Audit
© BRC
www.brcglobalstandards.com
7
If the company does not have sufficient trained personnel to audit all areas, further resource or expertise may be provided by external consultants. Alternatively, if the company is part of a group, auditors from different sites may audit each other – this is a very good way of sharing knowledge and resolution of problems, as well as providing a ‘fresh pair of eyes’ to look at systems and procedures.
An auditor’s job is to investigate procedures to obtain objective evidence for conformity or non-conformity. The personal characteristics of a good auditor are therefore important and should include:
n good communication skills – ability to look, listen and talk
n assertiveness and objectivity in judgement – ability to analyse the evidence seen and judge its significance whilst ensuring fairness
n being organised, methodical and focused on pertinent details
n self-motivation – ability to ensure all aspects are thoroughly investigated
n being diplomatic in working with people and obtaining the correct information.
Characteristics of poor auditors would be those of poor communicators, for example:
n condescending in attitude
n hostile and aggressive; critical and argumentative
n considering themselves to be expert at everything
n concentrating on details which are not significant
n disorganised and inconsistent in judgements.
8 Audit Preparation
Auditors must ensure that they have a clear understanding of the objective of the audit and the required scope, i.e. what is and is not to be included. Using a checklist ensures that these objectives are met, acting as a prompt to ensure that no elements are missed. It also acts as objective evidence that the audit has been conducted, allowing recording of notes, or it can be used as the documented report itself. Recording this evidence in a standardised format ensures that information is easily referred to for subsequent audits. A structured checklist also aids time management –the list should follow a logical order such as the sequence in which the auditor will walk around the site.
Designing the audit checklist to include corrective action details and sign-off ensures that all aspects of the audit are completed. However, the audit checklist and final audit report may be achieved just as well with the use of two separate documents.
An audit checklist or report template should include the following:
n personnel involved – name of auditor, auditee, accompanied by whom
n date and time
n scope or area assessed
n list of points or procedures to be checked, allowing space for notes to describe the audit findings.
Additionally an audit report would include:
n detail of corrective actions including responsibility and target timescales for completion
n sign-off by auditee or the department manager, denoting agreement with the findings and timescales for the completion of any corrective actions that may be necessary
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
8
Best practice Guideline: Internal Audit www.brcglobalstandards.com
© BRC
n verification of completed action sign-off
n a final review of the corrective actions at an appropriate timescale following implementation, to assess whether they have been effective in minimising the likelihood of the fault or non-conformity recurring. This final review should ideally be signed off by the original auditor.
9 Audit Process
Formality is an important feature of a good audit, and it is important to consider including the following steps as part of the internal audit process.
9.1 ‘Opening Meeting’ Confirm the scope and process of an audit with those personnel involved – this may simply consist of informing the relevant supervisor and staff that the auditor is present within a department and that they are there to conduct the weekly hygiene audit.
9.2 Personnel Involvement It is good practice for the person responsible for a department (the auditee) to accompany the auditor during the facility inspection or document review. This is so they may:
n agree the comments made on the audit report
n fully understand any non-conformities identified
n agree appropriate corrective action and timescales.
9.3 Audit Timing Persons responsible for departments should be made aware of the timing of the audit shortly beforehand. Bear in mind, however, particularly with routine hygiene audits, that times should be varied to ensure that a complete picture of the site standards is ascertained. Although the purpose of the audit is not to ‘catch out’ staff, it would be more beneficial if practices were not changed as a result of a known audit taking place in the near future.
Establish how long each section of the audit should take – this is good management to ensure that staff involved can arrange their time effectively and also to indicate how ‘in-depth’ the audit should be. Sufficient time should be given to ensure a thorough check.
9.4 Review and Inspection The audit should consist of a review of documentation, where appropriate, as well as reviewing the practical implementation of the systems and interview of personnel. For example, the facility should be thoroughly inspected for evidence of standards of hygiene.
9.5 Confirmation of Findings – the ‘Closing Meeting’The audit findings should be reviewed to identify and agree the non-conformities; if possible, the corrective action required in the short term should be agreed between the auditor and the auditee – in effect, the ‘closing meeting’ of the audit. If this discussion is not possible at the time of the audit, then agree a time when the auditor can run through the findings with the relevant personnel. Back this up with a copy of the audit, identifying comprehensive notes detailing non-conformities so that issues can be clearly understood and appropriate action taken.
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
Best practice Guideline: Internal Audit
© BRC
www.brcglobalstandards.com
9
10 Conducting an Audit
The aim of an audit is to collect evidence of whether company requirements are being fulfilled. Therefore, the basic principles of conducting an audit are to look, listen, ask, check and record the findings. The auditor’s role is to collect objective evidence and should therefore not be subject to hearsay, assumptions or personal bias.
10.1 Look and Listen The auditor should watch what is being done; for example, observing that an operator carries out the metal detection check procedure in practice as is stated within the documented procedure, to which the auditor will refer.
10.2 Ask Auditors should ask questions of relevant staff, explaining why these questions are being asked. This may require asking to see some evidence, and it may seem as if auditors don’t believe what they are being told. Asking a hypothetical question such as, ‘What would you do if the metal detector did not reject the test piece?’ establishes people’s understanding of procedures.
Auditors are not there to criticise and should not undermine the authority of supervision, but can offer guidance if required. They should try to find out the reasons why things are as they are.
10.3 CheckThe auditor may make notes during the facility inspection or document review, so that they may cross-check a selection of records at a later stage of the audit, e.g. noting the operator’s name to check that training records for this person are available.
An audit is a ‘sample’ and can only check the processes that are seen to be carried out on the day, or check a limited number of documents. How many documents should be reviewed is at the discretion of the auditor and may initially be a small number if this gives sufficient evidence that things are completed correctly and under control. However, the sample may be significantly increased if there is evidence of procedures not being followed or indications of possible issues. For example, if a non-conformity is highlighted, then further evidence should be sought to confirm the scale of the problem.
It is good practice to ask for specific records rather than being guided by the auditee as this will give an indication as to the control of the system – for example, if it takes a long time to find the temperature records for a specific date requested.
11 Audit Findings
Evidence of the audit must be documented and specify conformity as well as non-conformity. Findings are the result of investigation, therefore they should include details of the specific records that have been checked or the staff that have been seen to comply with specified procedures. Note that to protect individuals’ personal data, best practice is to use other identification methods such as employee numbers on audit records rather than staff names.
Where non-conformities are identified, the details should be agreed with the person responsible for the corrective action, so that they fully understand the issues and can therefore make a plan for effective corrective action. Often non-conformities are observations of activities such as someone not washing
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
10
Best practice Guideline: Internal Audit www.brcglobalstandards.com
© BRC
their hands correctly. If the person responsible for corrective actions is guiding the auditor around the department, they can also observe the evidence of any non-conformities.
11.1 Classifying Non-conformities It may be useful to classify non-conformities as to their severity, which will help in prioritising the corrective action that needs to be taken and establishing appropriate timescales. As an example, the following classification may be used:
n critical – where there is a critical failure to comply with a product safety or legal issue
n major – where there is a substantial failure to meet a requirement
n minor – where absolute compliance to a requirement has not been met, such as when a procedure that is usually undertaken has not been completed (e.g. a document is not completed fully and this is a single lapse or human error).
Alternatively, focus may be given to specific areas by the use of scoring. For example, it may be possible to award high-risk controls such as critical control points (CCP) more or fewer points than some other issues. An example of a weekly hygiene audit which includes scoring for each aspect is shown in Appendix 1. This allows a week-by-week comparison of score as well as comparisons across departments, which can help motivate staff to strive for continual improvement. Graphical display of results demonstrates an easily communicated performance indicator to staff and senior management about this aspect of the site’s control system.
12 Corrective Action
Appropriate corrective actions need to be identified and carried out within an agreed timescale. There may be a requirement for short-term action; for example, if an area is found to be dirty, then this must be cleaned immediately. However, long-term action may consist of reviewing and amending the cleaning frequency or undertaking staff training.
Timescales should be agreed, practical, achievable and prioritise issues according to risk. The responsibility for carrying out the corrective action should be clearly established – this may be the relevant departmental manager or supervisor, or if it involves other departments such as maintenance or technical, it would be good practice to ensure that the department supervisor is accountable for work being completed, e.g. reminding service departments of outstanding work within their department.
The auditor should verify, by physically checking at a later date, that the corrective action has been completed to a satisfactory standard within the agreed timescale. Particular attention should be paid to emerging trends and repeated non-conformities as evidence that the root cause of the non-conformity has not been adequately dealt with. Systems should be put in place to highlight these issues to relevant senior management so that the problems may be dealt with.
Records of completed corrective actions and verifications should be kept.
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
Best practice Guideline: Internal Audit
© BRC
www.brcglobalstandards.com
11
13 Documentation
Relevant and meaningful documentation is important as it provides the evidence should there be an issue – for example, if the company is investigated as a result of a consumer complaint. Examples of the documentation required would be:
n auditor training records
n internal audit schedule with trained auditor allocation
n audit checklist
n corrective-action report with designated responsibilities
n verification of corrective action
n management review records.
14 Review
The internal audit system should be reviewed to ensure that it fulfils its intended objectives and continues to encompass the necessary company activities. Provision should be made to ensure that audit schedules have been adhered to and that auditors have been adequately trained.
Review of key performance indicators (KPIs) such as customer complaints, out-of-specification results, and incidents of non-conforming products, as well as corrective actions, will help to focus internal audit activities and highlight areas requiring improvement.
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
12
Best practice Guideline: Internal Audit www.brcglobalstandards.com
© BRC
Appendix 1 Example of a Scored Weekly GMP and
Hygiene Audit
Date Friday 8 May 2008 Time 10.20-11.00 am Auditor David Detail Accompanied by Matthew Manager
Hall 1
Audit parameter
Max score
Score awarded
Auditor comments
Corrective action taken
Completed by
Date Verified by
Date
Floor and drains clean
1 1
Walls and ceilings clean
1 1
Waste bins not overfull
1 1 Emptied during break
Strip curtains clean
1 0 Curtains at entrance dirty
Immediately cleaned
James Mop cleaning supervisor
8/5/08 David Detail
8/5/08
Staff washing hands correctly
2 2 Six staff observed entering hall following tea-break
Staff correctly dressed
2 0 Line 1 staff member (clock no 263) not wearing gloves on line
Staff requested to wear gloves – immediate
Matthew Manager
8/5/08 David Detail
8/5/08
No jewellery evident
2 2 Staff (clock nos 174 and 263) randomly checked
Beard snoods worn
1 1 Two staff (clock nos 174 and 243) correctly wearing snoods
Correct factory pens in use
1 0 Staff member (clock no 174) observed using incorrect pen to document CCP checks
Pen confiscated. Staff reminded of correct style of pen
Matthew Manager
8/5/08 David Detail
8/5/08
No equipment on floor
2 2
Room temperature within spec 8–12°C
3 3 Checked with thermometer no 15 and found to be 11°C
Maintenance issues
1 1
Total 18 14
Percentage 77.8% Target > 80%
Additional commentsLine 1 staff member (clock no 263) has been observed by the auditor as not wearing gloves on line on a previous occasion at the audit of 24 April – to be monitored by Matthew Manager.
Hygiene standard has improved in the last two weeks.
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
Best practice Guideline: Internal Audit
© BRC
www.brcglobalstandards.com
13
Appendix 2 Example of a Systems and Procedures Audit
Control of Non-conforming Product Annual Review Audit
Date 12–14 May 2008 Auditor Ann Checker
Copied to Managing director, operations manager, production manager, hygiene manager
BRC requirement Company policy Evidence
The company shall ensure that any non-conforming materials, components and product are clearly identified, labelled, quarantined, investigated and documented.
Corrective action documented on standard form as detailed in QM 011.
Corrective actions reviewed – ongoing – discussed at daily and weekly management meetings. Analysed for trends on an annual basis by the Operations department.
All non-conformities collated and analysed for trends – refer to separate report. To be discussed at management review on 20/5/08.
Wastage log cross-checked (1/4/08–20/4/08) against records of non-conformities – disposal of two rolls fabric on 3/4/08 unaccounted for.
Clear procedures for the control of non-conforming materials and products, including rejection, segregation, acceptance by concession or re-grading for an alternative use, shall be in place and understood by all authorised personnel.
Procedure QM 011 specifies all requirements: that all non-conforming products are to be stored in one of three identified areas according to product type, labelled with ‘on hold’, ‘reject’ or ‘QC pass’ tape. Form to be completed and attached to each product, with copy to specified management. Sign-off by listed approved staff only.
Procedure QM 011 dated 11/5/07 v3 in use.
Records for 14/4/08–22/4/08 showed sign-off by approved staff.
Random staff – clock nos 357, 260 and 100 – queried what they should do with incorrectly cut piece of fabric.
In the event of the presence of non-conforming materials and products, all non-conforming products shall be handled or disposed of according to the nature of the problem and/or the specific requirements of the customer.
Specified in procedure QM 011 as detailed above.
Records comply with disposal conditions.
Actual instances of non-conformities audited in practice:
13/4/08 (1.5 kg excess fastenings) seen to be clearly labelled with reject stickers, stored in segregated area and authorised for disposal by purchasing manager.
Non-conformities Identified
Non-conformity Action Responsibility Due by Verified as complete
Staff numbers 260 and 100 were unclear of procedure.
Retraining to be carried out against procedure QM 011
Production manager 18/5/08 Ann Checker 21/5/08
Wastage log cross-checked (1/4/08–20/4/08) against records of non- conformities – disposal of two rolls fabric on 3/4/08 unaccounted for.
Investigate Production manager 21/5/08 Ann Checker 21/5/08
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
14
Best practice Guideline: Internal Audit www.brcglobalstandards.com
© BRC
Appendix 3 Example of an Unscheduled Audit as Part of a
Complaint Investigation
The following gives an example of an ‘unscheduled’ audit as part of an investigation into a consumer complaint. Although this is not audited against a checklist, it should still contain all of the details of a scheduled audit, detailing what was checked and what actions need to be taken.
Date Tuesday 13 May 2008 Time 10.30–11.45 am
Auditor Ian Spector Accompanied by Mabel Miggins, John Wells
Audited area Packing Hall 1
Reason for Audit
Customer complaint received of a blue plastic foreign body in jar of pickled onions with a best-before date
June 2008. Objective of audit is to confirm practices in bottling area are carried out correctly and check fabric
of area to identify any potential sources of foreign bodies.
Audit Findings Summary
The source of the foreign body cannot be established since it does not match any plastic observed as being
used within the packing hall (further details contained within complaint documents). Staff were observed to
be correctly dressed within the packing hall and observing hygiene procedures such as hand-washing. Raw
materials were correctly checked before use on the line. The condition of the building fabric was satisfactory
and the equipment well maintained other than the minor non-conformities noted below. Although not
related to foreign-body risk, it was noted that pasteurisation records were not being consistently completed.
Non-conformities
Rating Non-conformity detail Corrective action Target timescale
Responsibility
Major Pasteuriser verification not being consistently carried out daily as per procedure QA23.
Retrain staff and sample. Instigate regular checks, checking daily for first week and then sampling after this to ensure that pasteurisation records are being completed.
7 days Line supervisor Mabel Miggins
Minor Line covers (clear plastic) are in poor state of repair. The cracked covers are potentially a source of foreign bodies. This has been noted on regular audits.
Photograph covers to keep with audit records to establish whether damage is getting worse. Evaluate whether there is a short-term solution to improving condition. Long-term to agree capital expenditure and replacement.
28 days to confirm action plan and timescales
Line supervisor Mabel Miggins and maintenance supervisor John Wells
Minor Filter change on the jar rinser, not documented by maintenance team.
Retrain staff and sample some documents to check records are continually being completed.
28 days Maintenance supervisor John Wells
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
Best practice Guideline: Internal Audit
© BRC
www.brcglobalstandards.com
15
Actions Verified as Complete
Daily review of pasteuriser checks carried out by technical department and completed satisfactorily. Staff
training records checked on 20 May and deemed satisfactory.
Agreed line cover to be replaced by end of July and monitored in the meantime.
Engineering staff retrained.
Signature Ian Spector Date 11 June 2008
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
16
Best practice Guideline: Internal Audit www.brcglobalstandards.com
© BRC
Appendix 4 Example of a Risk Assessment for Audit
Frequency
The company’s documented glass control policy states that all glass, plastic and brittle materials are listed and their condition checked at a frequency based on risk assessment. The following is a simple example of such a risk assessment where the identified hazard is the potential for glass contamination of product.
Area Equipment Hazard Risk rating Audit frequency
Production – Line 1
Packing machine Close contact with open product Very high Line start-up checks every shift
Packing area Windows (protected)
Area with open product High Daily area checks
Raw materials storage
Lights (protected) Area with raw materials – both open and sealed
High Daily area checks
Dispatch Lights (protected) Area with finished product – sealed
Medium Weekly area checks
Offices Lights (protected) Remote to production area, no contact with products. Personnel changing procedures to minimise potential foreign body risks from external areas
Low Monthly area checks
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
Best practice Guideline: Internal Audit
© BRC
www.brcglobalstandards.com
17
BRC Global BRC Global Standard for Consumer Products Standards BRC Global Standard for Food Safety BRC Global Standard for Packaging and Packaging Materials BRC Global Standard for Storage and Distribution
Certification Procedure by which an accredited certification body, based on an audit and assessment of a company’s competence, provides written assurance that a company conforms to a standard’s requirement.
Certification body Provider of certification services, accredited to do so by an authoritative body.
Company The person, firm, organisation or other entity with whom a confirmed purchase order is placed, or who owns premises where products are being manufactured.
Corrective action Action to eliminate the cause of a detected non-conformity deviation.
Customer A business or person to whom a product has been provided, either as a finished product or as a component part of the finished product.
Non-conformity The non-fulfilment of a specified product safety, legal or quality requirement or a specified system requirement.
Procedure/practice Agreed method of carrying out an activity or process which is implemented and documented in the form of detailed instructions or process description (e.g. a flowchart).
Schedule Plan of an activity or event.
System A set of policies and documented procedures to achieve an objective.
Validation Confirmation through the provision of objective evidence that the requirements for the specific intended use or application have been fulfilled.
Verification Confirmation through the provision of objective evidence that specified requirements have been fulfilled.
Glossary
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
18
Best practice Guideline: Internal Audit www.brcglobalstandards.com
© BRC
Sources of Further Information
BRC Global StandardsA series of globally recognised certification standards for manufacturers and storage and distribution companies.
www.brcglobalstandards.com
BRC Guidelines A series of best practice guidelines; these include complaint handling, foreign body detection, product recall, pest control and traceability.
www.brcbookshop.com
International Register of Certificated Auditors (IRCA) An organisation with a mission to promote best practice in auditing.
www.irca.org
The ISO9001 Auditing Practices Group An informal group of quality management system (QMS) experts, auditors and practitioners, drawn from the ISO Technical Committee 176 Quality Management and Quality Assurance (ISO/TC 176) and the International Accreditation Forum (IAF). The Index of Guidelines for Auditing by the ISO9001 Auditing Practices Group can be found at:
www.isotc.iso.org
Note: Links and references are made to websites which are intended to help the user with further information. The BRC cannot, however, be responsible for the content or continued existence of any external website. It should also be noted that legislation and standards change frequently and a user should confirm for themselves that any references are current and still applicable.
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
Downlo
aded
from
Libr
ios IM
S (http
s://b
rcgs
parti
cipat
e.co
m).
(c) C
opyr
ight L
ibrios
IMS 2
022.
All R
ights
Reser
ved.
Subsc
riber
: ; D
ate:
Frid
ay, J
anua
ry 7
, 202
2 21
:42
9 781784 901134
ISBN 978-1-78490-113-4