Unannounced, And Unexpected
Challenges surround unannounced audits of food safety standards
by Nuno M.F. Soares
The etymological origin of the word "audit" is related to the principle of oral examinations of accounts. 1 By this definition, an auditor is the person who receives, listens and examines the accounts.
This association of the word "audit" with listening, in a time in which most of the examinations were essentially a verbal process, may inspire today’s auditors to keep the main focus of their audit activities on understanding the organizations under scrutiny by listening to the people who work there every day.
Anytime there are food recalls or outbreaks of widespread foodborne illnesses, activities surrounding food safety come to the forefront. It is undeniable that food safety—defined by the Codex Alimentarius Commission (CAC)2 as the assurance that food will not cause harm to the consumer when it is prepared and/or eaten according to its intended use—has evolved greatly since the 1960s. In that decade, the building blocks of what would become the hazard analysis and critical control points (HACCP) were created almost simultaneously in Europe and the United States.
Some landmarks of those first steps were the first meeting of the CAC in 1963, the publication of General Principles of Food Hygiene in 1969, and the work between Pillsbury Co. and NASA to provide safe food for military personnel and astronauts during the 1960s, which culminated in an embryonic HACCP system applied to Pillsbury retail products in 1971.
In those early days, the number of organizations that implemented HACCP were few and the assessment of HACCP’s efficacy was done internally. The driving force for auditing food safety systems—at least in a more systematic and frequent way—came years later with the advancement of food safety standards such as the Safe Quality Food (SQF) certification in 1994, British Retail Consortium (BRC) in 1998, the International Featured Standards (IFS) in 2003, as well as when implementation of these HACCP-based standards became mandatory for some large retailers.
Most of the controversy that has been affecting the confidence on the certification by these systems over the years is mostly due to three factors:
- The most common driver for implementation is external (for example, clients).
- The certification body is selected and contracted by the organization that needs to be certified.
- The audits are scheduled in advance, which compromises the spontaneity of the audit day.
In recent years, more organizations have decided to voluntarily join unannounced audits programs. Last March, however, a decisive step was taken to the generalization of this principle when the Global Food Safety Initiative (GFSI) released the new 7.1 version of its benchmarking requirements. Clause 2.5.5 defines as mandatory that the certification program owners "shall ensure that unannounced audits, which can offer a greater degree of assurance compared with announced audits, shall be available as a preferred option in the program offered by the scheme."3
According to Izabela Palgan, senior technical manager at the GFSI, the new requirements "obviously represent a little bit of work for the certification program owners to incorporate new requirements in the next nine months, but certainly, it is not a surprise for them because they participate in the platform that collaborate to prepare the requirements.
"Unannounced audits must be presented as an option—but for the moment, not as mandatory—because we recognize that implementing unannounced audits in some parts of the world bring some challenges and may even be technically problematic for now," Palgan said.
The Global Food Safety Initiative (GFSI) is a non-profit foundation with the mission of providing continuous improvement in food safety management systems to ensure confidence in the delivery of safe food to consumers worldwide. With collaborative efforts by a community of food safety experts in different areas (for example, manufacturing, retail and international organizations, as well as academia), GFSI aims to increase trust in the supply chain while reducing food safety risks and duplicate audit costs.
The approach taken is a benchmarking model in which food safety management schemes are matched to defined requirements in a guidance document. This model allows not only guaranteeing equivalence and convergence between food safety management systems, but also allows organizations to retain control to choose between different schemes.
Once certified—accepted anywhere
This was the proposal that set the tone for the creation of GFSI in 2000.
A yet-to-be completed GFSI efficacy study—intended to assess the efficacy and business impact of the implementation of GFSI-recognized schemes—demonstrates three major benefits:
61% of organizations increase their abilities to produce safe food.
72% said food safety practices were enhanced.
90% said employee awareness and knowledge were raised.
Another interesting conclusion was that the major driver to implement a GFSI-recognized scheme is external. As far as the most important factors leading to certification, 67% defined "Existing customer requirements, to continue doing business with them." The second most common (9%) answer was "Potential new customer requirements, to start doing business with them." —N.M.F.S.
Source: Nuno M.F. Soares, António A. Vicente and Cristina M.A. Martins, Food Safety in the Seafood Industry: A Practical Guide for ISO 22000 and FSSC 22000 Implementation, Wiley-Blackwell, March 2016.
How schemes address unannounced audits
The approach of the food safety schemes regarding unannounced audits has several interesting nuances. At first, these differences are certainly something not expected from schemes that are benchmarked against the same GFSI requirements, but most probably they’ll tend to attenuate as soon as each scheme is updated.
As shown in Table 1, BRC was the first to introduce the possibility of unannounced audits. The BRC audit protocol for unannounced audits states that this option "provides sites with the opportunity to demonstrate the maturity of their quality systems."4
In this interesting formulation to maintain the importance of unannounced audits, it’s somehow implicit that organizations with less-mature systems should not apply for unannounced audits. Although true, it’s not the lack of maturity of organizations’ food safety schemes that explains why so few of them have chosen to join unannounced audits (6%, according to the BRC technical team) but again, as in the case of the certification itself, clients are defining it as mandatory or not.
Table 2 shows the main characteristics of BRC’s unannounced audit program. What distinguishes it from the other food safety schemes is that organizations can choose between two options. In option one, all the audits are unannounced. In option two, good manufacturing practices are audited first (unannounced), and a second audit is planned to look at documented systems and records.
Despite unannounced audits only being introduced in International Featured Standards (IFS) Food Audit Protocol in February 2016 (to be applied after October 2016), IFS had another program called "IFS Food Checks." The aim of that program was to verify—in a one-day unannounced audit—whether a food producing company complied in daily operations with the processes that were audited during the IFS food audit.
The two main differences between the previous food checks and unannounced audits are:
- Food checks were carried out independently from the certification body (for example, auditors were assigned by IFS Management GmbH).
- Food checks were an extra audit and did not replace the recertification planned audit.
Before each renewal audit (that is, previous to the beginning of the audit time window), the organization must inform the certification body whether the unannounced audit is the chosen option.
Contrary to BRC and IFS, the Food Safety System Certification (FSSC) 22000 mandates that certified organizations have at least one unannounced audit after the initial certification audit and within each three-year period thereafter.
Besides that, there is no "window" definition for the unannounced audit to take place, and the certification body may choose which of the surveillance audits will be unannounced. Although there is no timeframe defined for the unannounced audit, it is mostly expected to be close to the due date (like the other schemes). Otherwise, it would reduce significantly the time of the certification cycle and increase the cost. Keep in mind—audits must be conducted at least annually to ensure that recertification is granted before the certificate expires.
FSSC 22000 version four introduced the most demanding unannounced protocol of the four schemes—not only because it is mandatory (such as SQF, described later), but also because the organization has no way to know the year or period of time when an auditor can knock on the door.
In SQF, like FSSC 2000, at least one of the recertification audits must be unannounced in each three-year cycle. What’s different is that "the unannounced audit year shall be determined between the supplier and the certification body," and within a 60-day window from the initial certification audit anniversary.
Unannounced audits expansion
The unannounced audit train seems to have departed, and it’s unlikely to make a stop anytime soon. The tendency to introduce unannounced audits as a method to better assess how organizations comply with standards now actually goes beyond the food industry sector.
Following a recommendation from European Union Commission, for example, many countries since 2014 have been enforcing the introduction of unannounced audits in the medical device field. A more recent example is CanadaGap—a food safety program for producers and brokers of fruits and vegetables—that introduced an unannounced audit program on April 1, 2017.
The main question is, " How far will unannounced audits expand?" One thing is certain: The speed and evolution of this transformational paradigm in the food sector will be mostly conditioned, similar to the initial implementation of food safety standards brought on by big retailers’ pressure.
Another main driver could be if more official authorities follow the Canadian example and start considering the results of certified external audits. If unannounced certified audits become the common practice and official authorities give them credit (for instance, reducing the amount of controls to the companies that join such programs), it could be an additional incentive to implement unannounced audits.
Reference and Notes
- Online Etymology Dictionary, "Audit," www.etymonline.com/index.php?term=audit.
- Codex Alimentarius refers to a collection of standards, guidelines and codes of practice adopted by the Codex Alimentarius Commission (CAC). The commission is the central part of the Joint Food and Agriculture Organization (FAO)/World Health Organization (WHO) Food Standards Program and was established by FAO and WHO to protect consumer health and promote fair practices in food trade. For more information, visit www.fao.org/fao-who-codexalimentarius/en.
- The Consumer Goods Forum and the Global Food Safety Initiative (GFSI), "GFSI Benchmarking Requirements: GFSI Guidance Document Version 7.1," http://mailchi.mp/theconsumergoodsforum/news-release-version-71-of-gfsis-benchmarking-requirements-furthering-harmonisation.
- British Retail Consortium, Global Standard Food Safety – Issue 7 (BRC Global Standards).
Nuno M.F. Soares is a food product engineer in Portugal. He holds a doctorate in biological engineering from the University of Minho in Braga, Portugal. Soares is coauthor of Food Safety in the Seafood Industry: A Practical Guide for ISO 22000 and FSSC 22000 Implementation (Wiley-Blackwell, March 2016).