As food safety continues to command the stage in federal legislation, all aspects of its implementation and evaluation are being subjected to the spotlight. As a result, the purpose, processes and variances of third-party audits are taking a leading role—sometimes the hero, sometimes the mark.
Even before their pull to center stage, however, there had been ques-tions in the industry as to the behind-the-scenes workings of third-party audits. How are the standards determined? What credentials do the auditors hold? Why are there variances between the companies—and what exactly are the differences?
To bring into the light the ways behind the means of third-party audits, QA magazine went straight to the source. Through a 10-question survey, QA asked key industry auditors for their take on the role and purpose of third-party audits; the standards upon which their audits are based; the expectations and requirements of auditors; and particulars on the audits themselves—scoring, ratings, length, frequency and types. To en-sure equality and maintain objectivity, the survey was conducted in writing, with all participants given the same questions and parameters.
Of the eight auditing companies to whom the survey was sent, responses were received from AIB International, ASI Food Safety Consultants, NSF International/Cook & Thurber, RQA, Specialized Technology Resources Inc. (STR) and TÜV SÜD America Inc.
Silliker Inc. and Lloyd’s Register Quality Assurance (LRQA) were contacted for the article but chose to not participate.
*****
The Auditing Companies
Survey respondents participating in the auditing article include:
AIB International
Manhattan, Kan.
www.aibonline.org
800/633-5137
AIB International was founded as the American Institute of Baking in 1919 as a technology transfer center for the North American baking industry. Its original mission was to “put science to work for the baker”; then in 1948, AIB developed the Food Safety Education/Audit department to extend this commitment to the area of food safety. AIB’s basic theme has since widened to provide science, regulation and best practice-based programs, products and services to food and beverage production and handling facilities and their suppliers worldwide, with customer education always a core element of these activities. Today, AIB audits over 10,000 facilities a year and has steadily expanded its food safety audit and education activities over the past 60 years.
ASI Food Safety Consultants
St. Louis, Mo.
www.asifood.com
800/477-778
ASI Food Safety Consultants, Inc., is a full-service provider of food safety and GMP audits, seminars, international auditing programs, and HACCP design and validation. Its approach to food safety is client-oriented, with a strong emphasis placed on complete and well-documented food safety systems. A family- owned company, ASI originally started in pest control during the Depression, and now has management in its third generation. The company has full-time and part-time auditors located throughout North America, with many retirees continuing to work for ASI part time.
NSF International
Ann Arbor, Mich.
www.nsf.org
800/673-6275
NSF, an independent, not-for-profit organization, helps protect plants by certifying products and writing standards for food, water and consumer goods. Founded in 1944, NSF is committed to protecting public health and safety worldwide. NSF is a World Health Organization Collaborating Centre for Food and Water Safety and Indoor Environment. Additional services include safety audits for the food and water industries, management systems registrations delivered through NSF International Strategic Registrations, organic certification provided by Quality Assurance International and education through the NSF Center for Public Health Education.
RQA, Inc.
Darien, IL
www.rqa-inc.com
630/512-0011
Founded in 1989, RQA is a global leader in strategic product development, quality assurance and crisis management services. Professional field personnel assess product quality and market conditions in 52 countries, and perform consumer complaint and product retrieval, product recall and crisis management services. RQA offers comprehensive manufacturing services including consulting, inspection and remediation. In January of 2009, RQA announced that Intertek had acquired its food safety and quality management systems audit operations to meet the rising demand for global food audits. RQA’s global food safety services now include GFSI audits as part of Intertek-RQA worldwide. RQA’s Crisis Management Services cover the spectrum from policy development and crisis simulation to actual execution in the event of a product recall.
Specialized Technology
Resources, Inc. (STR)
Enfield, Conn.
www.strquality.com
781/821-2200
STR provides quality, safety and risk assessment services to help food retailers, suppliers and manufacturers understand and mitigate the sources of product risk. STR’s quality assurance programs include testing, audits, certification and responsible sourcing services to help ensure clients have the highest level of confidence in the quality and safety of their products throughout their supply chain. The company has a team of 23 food inspectors/auditors.
TÜV SÜD America Inc.
Peabody, Mass.
www.tuvamerica.com
800/888-0123
One of the first registrars in North America to receive accreditation to the SQF Program, TÜV SUD offers a range of services geared to the food industry to ensure an organization is maintaining and surpassing regulatory and statutory food safety requirements. Through TÜV SÜD AG, Management Service GmbH, TÜV SÜD also offers ISO 22000:2005 certification to companies located in the NAFTA region. The full suite of services also includes traceability solutions and nonbiased examinations in accordance with international standards such as ISO 9001, HACCP, EUREGAP, International Food Standards (IFS), and British Retail Consortium (BRC). TÜV SÜD has been at the forefront of food safety initiatives in Europe for years, and now offers food safety and security services NAFTA-wide.
*****
The Purpose. Although each auditing company had its own take on the primary purpose behind audits, there was also a great deal of similarity. As such, if one were to combine all responses into a single statement, the purpose of the third-party audit could be said to be: To provide an invaluable, non-regulatory component of food safety through an impartial, comprehensive assessment of a plant’s compliance with specified standards or requirements, with a goal of contin-uous improvement.
“An audit is all about continuous improvement,” explained NSF in its response. “The third-party audit provides an independent assessment of an operation’s food safety and quality management systems for their effectiveness, by design and in execution, in controlling the hazards of concern. As such, they bring a measure of arm’s length objectivity to the process by virtue of utilizing a combination of reg-ulatory and generally accepted good manufacturing practices criteria.”
“The third party audit’s primary purpose,” NSF continued, “is there-fore to measure an operation’s performance against those criteria and clearly identify areas of noncompliance.”
In doing so, responds TÜV SÜD, the audit must establish that the organization:
1. complies with requirements of the standard.
2. can demonstrate intent of the standard.
3. can demonstrate control and effectiveness of processes.
4. complies with all regulatory and statutory requirements.
5. can demonstrate improvement via consistency and uniformity.
While certain goals, such as con-tinuous improvement and regulatory compliance, can apply to all audits, no two audits will be exactly the same. This is not only due to the differences between plants, but also because each is generally being assessed against an individual standard or intended purpose. To this end, RQA responded, “The primary role is to provide an independent, comprehensive and educated assessment of the operation’s quality and food safety management systems to determine their adequacy and effectiveness for their intended purpose, and to assess the operation’s compliance with these programs and procedures.”
In addition, audits will vary based on the organization itself. For example, the purpose of the NSF Cook & Thurber GMP audit is also “to pro-vide expert consultation, based upon auditors that have over 20 years of experience in the industry, to help processors achieve improvements.” This is because this audit is highly consultative.
*****
How the Audits Are Scored
AIB
20% (200) Operational Methods/
Personnel Practices
20% (200) Cleaning Practices (CP)
20% (200) Integrated Pest
Management (IPM)
20% (200) Maintenance for Food
Safety (MS)
20% (200) Adequacy of the
Pre-requisite and Food Safety Programs (AP)
RQA
35% Food Safety Processes/
Practices
25% Food Quality Processes/
Practices
10% General Processes/Practices
5% Sanitation
5% Pest Management
5% Structure/Equipment
Maintenance
5% Traceability, Recall, Crisis
Management
5% Food Defense
3% Employee Practices
2% Warehousing
STR
33% (126) Food Safety Processes/
Practices
13% (52) Food Quality Processes/
Practices
12% (48) Structure/Equipment
Maintenance
11% (41) Employee Practices
10% (37) General Processes/Practices
9% (35) Sanitation
6% (22) Pest Management
6% (23) Warehousing
TUV SUD
20% Food Safety Processes/
Practices
10% Food Quality Processes/
Practices
10% General Processes/Practices
10% Sanitation
10% Pest Management
10% Structure/Equipment
Maintenance
10% Employee Practices
10% Warehousing
10% Documentation
NSF-Audits encompass all of the
categories (in the question),
but the points vary
depending on the program.
ASI-Audit categories are
dependent, to a certain extent, on the industry
segment.
*****
Limitations and Benefits. While third-party audits can be valuable in identifying strengths and weaknesses of a food or beverage plant’s practices and processes, it is prudent to remember a few key points about third-party audits and auditors.
• An audit is just one component of a program. Whether the audit is assessing a plant’s internal food safety practices or being used in a supplier approval program, the audit should be just one component of a thorough, integrated program.
• Audits are non-regulatory, volun-tary and paid by the customer. As AIB explained, third-party audits are not regulatory and do not replace regulatory inspections. In fact, the AIB response said, audits are “voluntary tools that rely on openness and full disclosure to be fully successful.”
• However, third-party audits do provide an impartial assessment. As described by STR, “The role of third-party auditing agencies is to conduct unbiased audits by qualified auditors based upon agreed to standards.”
• Audits provide an extra set of eyes. In fact, ASI quotes managers of food processing/distribution facilities managers as saying, “We look at these audits as ways for us to improve.” It does help to have a new pair of eyes looking at a facility, ASI added, as man-agers are often so involved in their daily operations they don’t notice deficiencies that auditors are trained to look for.
• Specific requirements and parameters can be set by the business itself or its upstream customers. A third-party audit can assist an organization in assuring that its primary business processes and practices are in line with parameters defined by regulatory standards, its own internal requirements, or a customer’s mandates. This, in turn, can help them achieve objectives in line with quality, food safety, environment, security or other targets.
• Because audits are often announced and rarely take place more than twice a year, they provide a snapshot of a moment in time. While the goal of an audit is to assess the ongoing processes and practices to provide for continuous improvement and corrective action of any deficiencies, the auditor can only assess the environment of the audit timeframe and cannot know if it is truly indicative of day-to-day operations. As such, RQA noted, “Third-party auditing firms should identify critical food safety and quality risks that may be observed in an operation at the time of the audit or can be determined from documentation.”The Audit. Responses to the survey indicate that frequency of audits is typically once or twice a year, depending on type of certification or client request. Length of time for an audit to be completed varies from a single day up to a week. This is most often dependent on the facility size, number of employees, standard(s) being assessed, and risk or complexity of plant processes.
While documentation is often perceived to be the pivot point upon which audits revolve, none of the auditing companies put any particular stress on documentation—in and of itself. Rather, as STR noted, “Documentation is not a separate category, but included as evidence of compliance within each of the [categories] through procedures and records.”
It is the review and assessment of a plant’s ongoing documentation that takes it beyond the “snapshot” aspect, and enables tracking of the plant’s qual-ity and safety over time. Its viability is also based on the plant’s own ethics, thoroughness and commitment to open assessment. As AIB noted, “As a voluntary activity with no legal status, the audits depend on openness and disclosure to accomplish their full function. They are not meant to uncover deceit or fraud.”
Of the third-party auditors who answered the question, all conduct announced audits, with four of the companies also offering the option of unannounced audits. The decision on announced or unannounced is generally up to the plant itself or requirements of an upstream customer, and both have value.
As further explained by AIB, “Announced audits provide the best opportunity to train onsite personnel to validate the effectiveness of onsite self-inspection and to transfer the best practices from one firm to another. Unannounced audits provide the best day-to-day view of the operations.”
It should be remembered, however, that a completely unexpected audit inspection can also be intrusive to an operation and difficult to complete if key personnel are not available, secured
areas or documentation are not accessible, or the product within the scope (e.g., of a upstream customer) is not being manufactured at that time.Training, or “mock,” audits tend to be a low percentage of overall audits, but most of the companies will perform
these at a customer’s request. The primary purpose of training audits is education of the plant on its strengths and weaknesses in order to drive im-provement without fear of reprisal. Training audits are often followed up by scored audits once the plant has taken any need-ed corrective action.Standards basis. While each audit company has its own specific processes, emphasis and reporting, and no two are based on exactly the same standards, there are many commonalities in their foundations, in that the standards:
• incorporate U.S. and/or international regulatory compliance as a key component of assessment;
• are a consolidation of various regulations, guidance and/or industry standards (such as HACCP, ISO, GFSI);
• vary according to the industry segment being assessed as well as the international location of the customer or supplier;
• can be customized to a customers’ requirements.
The companies list the standards of their audits as based, in whole or part, on:
• AIB – Food, Drug and Cosmetic Act of 1938, cGMPs, Codex Alimentarius and European legislation.
• ASI – USDA/FDA regulation, Bioterrorism Preparedness Act of 2002, CTPAT (Consumer Trade Partnership Against Terrorism), Organic Trade Association, customer-specific requirements.
• NSF – GMPs, FDA/USDA regulation, Best Industry Practices, Global Food Safety Initiative (GFSI)-benchmarked standards, HACCP, among others.
• RQA – FDA/USDA regulations, appropriate regulations in other countries, GFSI accredited standards (such as BRC and IFS), GMPs, HACCP, GMA-SAFE, International Standards (such as ISO 22000 and PAS 220), client and proprietary standards.
• STR – cGMPs (21 CFR 110); FDA/USDA regulations and guidance for HACCP, Allergens, Food Security and Good Lab-oratory Practices; Federal Food Code; ISO 22000; GFSI principles.
• TÜV SÜD – GMPs, SQF, HACCP.
Scores and Ratings. One of the greatest differences between companies are the ratings and certifications that are awarded for audits. RQA responded that the question was not applicable; NSF noted that scoring is dependent on the type of auditing being performed; and TÜV SÜD stated simply that a passing score would give the plant certification.
Providing further detail as to scores required for specific ratings were AIB, ASI and STR.
AIB – Scores are based on number of points attained, but also take serious discrepancies into consideration. Thus (of a possible 1,000 points):
Superior = 900-1,000 points with no serious items
Excellent = 900-1,000 points with a serious item; or 800-895 with no serious items
Satisfactory = 800-895 points with a serious item
Pass = 700-795 points
Unsatisfactory = less than 700 points attained; or any one observation scor-ing less than 140.
ASI – The numerical scores for ratings of Very Good or below (Good, Fair, Poor, Critical) can deviate be-tween audit formats, and are often based on client requirements. Superior and Excellent, however, remain firm across formats:
Superior = two successive scores of Excellent
Excellent = generally a score of 95% or higher.
STR – Scores are based on percent achieved, but if any of the five audit sections are unacceptable, the highest possible score that can be given is Marginally Compliant. Otherwise
Compliant = a score of 80% or higher
Marginally compliant = 75 – 75.9%
Non-compliant = less than 75%.
Re-inspections. All respondents do offer follow up to audits, including corrective action and re-inspection opportunities, however these are not mandated unless required by the standards of the audit (e.g., an upstream customer or the plant’s own requirements).
As explained by AIB, “an Unsatisfactory often generates a request for a re-inspection, [but] it is the decision of the facility or their customer.” Sim-ilar statements were expressed by TÜV SÜD who noted that “major non-conformities” drive re-inspections; NSF: “This is driven by the standard’s owner and client requirements”; and STR: “Client requirements [drive] follow up or re-inspection of initial audit findings requiring corrective action.”
Discussing the process in greater depth, ASI described the role of plant management in such decisions: “If a company has had a once-in-a-lifetime critical failure, they may require a follow-up inspection. If specific deficiencies had been noted in a facility, often the management will send documented corrective actions to the auditor (digital photos, contractor work orders for structural or equipment defects, etc). To a certain extent, this depends on their management philosophy, and their willingness to pay for a second audit.”
Although the auditing agencies do not have regulatory authority, and are at the behest of the customer in many aspects, they do hold authority over the certification itself. That is, a lack of corrective action on a non-conformance issue and/or refusal to allow re-inspection can cause a loss of certification.
As industry, national and international associations and commissions continue to push for standardization, as relates to food safety assessments in particular, audit practices and processes will most likely follow suit—to a certain extent. You can expect some variance will always remain as differ-ences will always exist among plants and products, industry will continue to evolve, and upstream customers will vie to stay a step ahead.
The author is managing editor of QA magazine. She can be reached at llupo@giemedia.com.
Explore the November 2009 Issue
Check out more from this issue and find your next story to read.