Every food product and service company has an obligation to its customers to provide safe and quality food. A well-designed and well-executed food safety auditing program—with data trend analysis—provides an important tool for ensuring food safety. Auditing captures compliance status, Food Safety Management System conformance, adequacy of internal controls, potential risks, and best practices.

Combining effective auditing program design, standardized procedures, trained/knowledgeable auditors, and information technology systems and tools helps to ensure that food companies have the resources needed to get the most out of their food safety audits.

These resources may include:

• A reliable tool for conducting certification audits
• A systematic method of tracking audit status, schedule, and auditor capabilities
• Detailed audit and nonconformance data trending to help focus on risk areas for improvement
• Tracking of corrective actions
• Reports on performance metrics that allow the company to demonstrate compliance with regulatory requirements, evaluate trends, and make management decisions

The goal should be to effectively capture and analyze audit data and then use that information to improve food safety and quality, achieve certification requirements, and enhance overall business performance.

Technology Integration: Case Study

The following case study shows how integrating information technology into the auditing process can enhance data collection, analysis, and reporting capabilities.

This food manufacturer wanted to better track and manage its audit status and use the data collected to help focus on risk areas for improvement. Working with Kestrel’s food safety and IT experts, the company decided to use dynaQ™, Kestrel’s web-based assessment tool.

Kestrel took the following project approach to ensure that the company would be able to efficiently conduct its audits and, just as important, analyze audit data to uncover areas of nonconformance and opportunities to improve performance and reduce business risks.

Part 1: Project Kickoff – Identify and define initial dynaQ™ configuration, customization, training, and implementation scopes. Kestrel customized the existing platform to create nearly custom software to meet the organization’s needs.

Part 2: Project Launch and Training – Provide intensive training to ensure key staff knows how to conduct relevant inspections and are versed on reporting and data trends. At the end of the training session, staff was ready to work independently with dynaQ™.

Part 3: Implementation and Project Support – Continue training users on the dynaQ™ auditing process and provide ongoing support. The key factor in any audit program’s success is staff adoption. Ongoing support ensures that the company realizes maximum benefit.

Implementation has involved using dynaQ™ to facilitate a number of activities:

• Collect and analyze data from:
  • Daily pre-op and ATP inspections
  • Monthly GMP and glass & brittle plastic inspections
  • Twice daily operations inspections
  • ISO 22000 conformance audits under FSSC22000
  • ISO/TS22002-1 conformance audits
• Create a new form and process to facilitate the nature of quality evaluations, using dynaQ™ to compile the results
• Track noncompliance records (NRs) as the plant is notified

By integrating information technology into the auditing process, this two-month pilot project has resulted in the following benefits to the company:

• More effective pre-op
• Increased line utilization
• Immediate QA evaluation capability
• Improved efficiency and speed of data collection and report generation
• Enhanced ability to demonstrate compliance with regulatory requirements, evaluate trends, and make management decisions
• Improved data security

All types of business and operational processes demand a variety of audits and inspections to evaluate compliance with standards—ranging from government regulations, to industry codes, to system standards (e.g., ISO), to internal corporate requirements. Audits offer a systematic, objective tool to assess compliance across the workplace and to identify any opportunities for improvement.

Routine internal audits are becoming a larger part of organizational learning and development. They provide a valuable way to communicate performance to decision makers and key stakeholders. Even more importantly, audits help companies identify areas of noncompliance and opportunities for improvement.

For some audits, a company may work with a third-party auditor. This can be valuable in getting an objective assessment of overall compliance status if executed effectively. Here are some best practice tips to help prepare for an internal audit—and ensure that it goes smoothly:

1. Audit scope: Make sure that the scope of the audit is well defined and documented (i.e., regulations, management system standards, company policies). This also involves identifying which areas and functions onsite are included. For example, if contractors are leasing space, are their areas in scope or out? What about other onsite lessees, if any?
2. Documents, plans, and records: Prior to the audit, ask the auditor for a list of documents they may be looking for (e.g., OSHA logs, past audit findings). Depending on the nature of the audit, it can be an extensive list and knowing ahead of time will save time and money. If possible, collect all records in advance and have them easily accessible. If corporate policy allows, it is often advisable to send current versions of all facility-specific plans, permits, and other documents to the auditor in advance of the audit to aid in preparation and create a more efficient use of time onsite. When the auditor arrives, make sure you know where relevant records are and that they are available to the auditor (i.e., not locked up in someone else’s office). Records should be organized by type in separate folders and sorted by date. Not only does that save time, it creates less likelihood of a record being overlooked. In most cases, electronic versions of records are sufficient, as long as they can be easily retrieved and viewed on the computer.
3. Interviews: Advise individuals who may be interviewed during the audit about the purpose of the audit. Communicate well in advance of the audit so that employees aren’t caught off guard when they see an individual walking around taking notes and pictures. Prepare your employees; encourage them to cooperate and provide helpful information when asked. Every employee should:
   • Be aware of the company quality/environmental/safety/food safety policy and able to state it in their own words.
   • Be aware of the quality/environmental/safety/food safety objectives the company has set for the current time period (i.e., what the company is working on to improve the current “state”).
   • Understand how they “make a difference” (i.e., how just by doing their jobs, they are following company policy and objectives and impacting performance).
   • Be knowledgeable about the procedures and practices required for doing their job properly.
4. Schedule: Ask for an audit schedule. This can help you plan for when certain “in-the-know” people need to be available. This can save valuable time—especially for those individuals—and help ensure that those you absolutely need for the audit are available when you need them.
5. Be available: Questions often arise during an audit. It is helpful to assure that qualified and knowledgeable personnel are available to answer questions and clarify information during the audit, in addition to being present during the audit debriefing.
6. Housekeeping: Good housekeeping puts auditors at ease. Conversely, lax housekeeping is often a harbinger of compliance issues and may put auditors on heightened alert.
7. Care of a third-party auditor: Make sure there is adequate work space available for the auditor to review records and other documents—with power, a desk or table, good lighting, and access to internet/email to exchange documents during the audit.
8. Confidentiality: If the audit scope involves regulatory compliance and the company has elected to employ audit privilege mechanisms, make sure that all parties are aware of the means to be taken to ensure that audit privilege is preserved (e.g., marking notes and documents, limiting distribution of output, adhering to state-specific requirements).

Virtually every regulatory program—environmental, health & safety, security, food safety—has compliance requirements that call for companies to fulfill a number of common compliance activities. Addressing all (or those specified in the applicable regulation) of the eight compliance functions outlined below can be instrumental in establishing or improving a company’s capability to comply.

1. Inventory means taking stock of what you have. For compliance purposes, the inventory is quite extensive, including (but not limited to) the following:
   • Activities and operations (i.e., what you do – raw material handling, storage, production processes, fueling, maintenance, etc.)
   • Human resources (i.e., who does what)
   • Emissions
   • Wastes
   • Hazardous materials
   • Discharges (operational and stormwater-related)

The outcome of a compliance inventory is an operational and EHS profile of the company’s operations and sites. In essence, the inventory is the top filter that determines the applicability of regulatory requirements and guides compliance plans, programs, and activities.

2. Authorizations, permits & certifications provide a “license to construct, install, or operate.” Most companies are subject to authorizations/permits at the federal, state, and local levels. Common examples include air permits, operating permits, Title V permits, safe work permits, tank certifications, construction authorization. In addition, there may be required fire and building codes and operator certifications. Once the required authorizations, permits, and/or certifications are in place, some regulatory requirements lead companies to the preparation and updating of plans as associated steps.
3. Plans are required by a number of regulations. These plans typically outline compliance tasks, responsibilities, reporting requirements, schedule, and best management practices to comply with the related permits. Common compliance-related plans may include SPCC, SWPPP, SWMP, contingency, food safety management, and security plans.
4. Training follows once you have your permits and plans in place. It is crucial to train employees to follow the plans so they can effectively execute their responsibilities and protect themselves and the community. Training should cover operations, safety, security, and environment.
5. Practices in place involve doing what is required to follow the terms of the permits and related plans. These are the day-to-day actions (regulatory, best management practices, planned procedures, SOPs, and work instructions) that are essential for following the required process.
6. Monitoring & inspections provide compliance checks to ensure that the site is operating within the required limits/parameters and that the company is achieving operational effectiveness and performance expectations. This step may include some physical monitoring, sampling, and testing (e.g., emissions, wastewater). There are also certain regulatory compliance requirements for the frequency and types of inspections that must be conducted (e.g., forklift, tanks, secondary containment, outfalls). Beyond regulatory requirements, many companies have internal monitoring/inspection requirements for things like housekeeping and process efficiency.
7. Records provide documentation of what has been done related to compliance—current inventories, plans, training, inspections, and monitoring required for a given compliance program. Each program typically has recordkeeping, records maintenance, and retention requirements specified by type. Having a good records management system is essential for maintaining the vast number of documents required by regulations, particularly since some, like OSHA, have retention cycles for as long as 30 years.
8. Reports are a product of the above compliance functions. Reports from ongoing implementation of compliance activities often are required to be filed with the regulatory agency on a regular basis (e.g., monthly, quarterly, semi-annually, annually), depending on the regulation. Reports also may be required when there is an incident, emergency, or spill.

Reliable Compliance Performance

Documenting procedures on how to execute these eight functions, along with management oversight and continual review and improvement, are what eventually get integrated into an overarching management system (e.g., environmental, health & safety, food safety, security, quality). This documentation helps create process standardization and, subsequently, consistent and reliable compliance performance.

In addition, completing and organizing/documenting these eight functions of compliance provides the following benefits:

• Helps improve the company’s capability to comply on an ongoing basis
• Enhances confidence in compliance practices by others, providing an indication of commitment, capability, and reliability
• Creates a strong foundation to answer auditors’ questions (agencies, customers, certifying bodies, internal)
• Establishes compliance practices for when an incident occurs
• Helps companies know where to look for continuous improvement
• Reduces surprises and unnecessary spending on reactive compliance-related activities
• Informs management’s need to know

On August 14, the U.S. Food and Drug Administration issued guidance to clarify that a waiver to the Food Safety Modernization Act (FSMA) Sanitary Transportation of Human and Animal Food final rule (Sanitary Transportation rule) covers retail food establishments that sell food for humans, including those that sell both human and animal food, but does not apply to establishments that only sell food for animals.