Surviving A Second Party Audit

Part 3 in our 5-part series:

Also known as proprietary audits or customer audits, Second Party Audits are inevitable in the food industry. Since we already spoke about Internal Audits, we thought it was time to discuss this next audit. Whether you’re a manufacturer, distribution center, warehouse, or food transporter, you have customers you want to keep – and ideally, you’d like to get more. As a Certified Supplier Quality Auditor, Advanced SQF Practitioner, and PCQI, we thought Shannon Sked would be a wealth of information about this topic. It also helps that he’s a Board Certified entomologist.board certified entomologist

Q: Shannon – thanks again for talking with us. Our first question for you is what exactly is a Second Party Audit?

A: I think the way to consider Second Party Audits is by starting with what they are not: specifically, they are not an internal audit (first party), nor are they a third party audit, which are done by a non-business related enterprise such as a certification body. Most commonly, Second Party Audits are customer audits. They have a vested business interest in that they are storing their product at your facility or you supply them with your product for their manufacturing/shipping/distribution operations.

Although these audits have been around for a very long time, they have taken on a different element in the era of FSMA. Under this new regulation, customers are often auditing your facility for safety and quality standards, not just for contractual obligations anymore, but also as part of their Supplier Verification program in their Food Safety Plan or as part of their Foreign Supplier Verification system (if they are a global company). Either way, these audits are now looking for three primary aspects of your Food Safety and Food Quality Plans:

  1. Are you meeting the safety and quality standards as established in your contract you have with them?
  2. Does your Food Safety Plan ensure that the requirements for inbound shipments in their Food Safety Plan are met (including food security, intentional adulteration for economic gain, etc.)?
  3. Does your supply chain meet the standards in #1 and #2 above as well?

One of the things that FSMA did to the supply chain was to ensure that the markets are driving food safety through supplier verification systems. Customer audits often include this aspect in today’s auditing systems

Q: That explains it. Our second question is can a business actually be ready for a Second Party Audit?

A: The two questions any company needs to ask themselves to be prepared for these audits are:

  1. Is my Food Safety Plan in place and well documented?
  2. Do my Food Safety and Food Quality systems ensure I am meeting the contractual obligations I have with my customers?

This brings to mind the terminology that everyone in quality and safety should have ingrained in them at this point, “Always be audit ready.” The systems that are part of these plans should have validations (pre-execution justification for why the systems were chosen), verification (post-execution assurance that they are working as planned), and root cause analysis with corrective actions outlined. The internal audit (first party) is really designed to test those systems and ensure that all parts are being deployed in normal operations. If so, then a plant should be always audit ready. However, if you find there is a considerable amount of preparation needed prior to conducting an audit, then there are likely gaps in the plans that need to be addressed.

A simple example of this is if you find that an intensive cleaning of biofilms on equipment is taking a considerable amount of time to prepare for an expected audit, then that step may have a gap. While it’s a good thing that this risk is being addressed, the purpose of an audit is not to get a facility “into shape.” Rather, it’s to see what shape the facility is in during normal operations. So, if you find that biofilm cleaning is intense prior to an audit, it would be a good idea to evaluate the Sanitation Prerequisite program, find gaps, and conduct a root cause analysis with a corrective action. That way, the next time you’re getting ready for an audit, you should find that this is no longer a time-consuming preparation step. The same is true for Pest Prevention Prerequisites; if your trend analyses are not already in place and there is a good amount of time spent cleaning up your pest control equipment prior to an audit, then you should assume you’re not “always audit ready” and the program should be evaluated for gaps with corrections similarly.

Q: That is definitely helpful information. Last question for you. What can a business do if they fail a Second Party Audit?

A: My first suggestion would be to increase your internal audits in both frequency and in scope. In this way, you should be able to find non-conformities before a customer or third-party auditor does. The purpose of internal, first party audits is to find the issues and correct them proactively. Increasing this internal program will help find issues moving forward.

However, I would also suggest conducting an intensive root cause analysis as to what non-conformities were found. This will highlight any gaps in the Food Safety Plan. There are a lot of ways to conduct root cause analyses, such as fishbone analysis, etc. However, one thing I always implement in root cause analysis is a Lean Management principle; the “Five-Why.” Five-Why simply states that in most cases, you need to ask yourself “why” at least five times to determine what the true root cause was to a problem. Here’s an example:

  1. Why did our current rodent monitoring system fail to prevent rodent droppings from being found along the south perimeter wall during the inspection?
    1. The rodent stations were spaced too far apart from one another to monitor the entire wall effectively (e.g. 50′).
  2. Why did we have the rodent stations placed so far apart?
    1. During the contract negotiations, the awardee was one of the low bid options. The low bid resulted in less rodent equipment being used.
  3. Why did we go with one of the lower bidders in the contract bid process?
    1. Funding was limited at the time of rebidding pest control services.
  4. Why was funding limited?
    1. We were scheduled to spend money on new capital projects for equipment replacements on the process line.
  5. Why did we opt to replace equipment?
    1. The production improvement would increase production rates and allow us to meet the production requirements for a new contract/customer that we’ve been trying to obtain.

So, in this example, we can see that the root cause had nothing to do with rodent. It was based on a business decision made to improved growth; which is a great thing! But the unintended consequences resulted in a non-conformity in pest prevention. Who would’ve thought?!

This is actually a real-world example that I was involved in some years back where I was contacted by a company that was looking for pest control bids again after the failure. I remember having a conversation with management where the QA team and I were able to show that allocating a small portion of the return on capital investment into improved monitoring systems (about 1.5% of the ~20% expected return on the capital project) allowed them to keep their customer with documented corrective action. Had they not done that, there was a chance they would have lost everything on that capital improvement project as the customer it was intended to serve might not have stayed with them due to food safety risks. Once we all agreed on the solution to the root cause (funding allocations) and presented it to their customer as well, we resolved the problem, updated the Food Safety Plan, and resolved the rodent issue to maintain a customer of theirs.

The main take away from this detailed example is that root causes analyses are really important to solve non-conformities. If QA Managers combine both an increase in their internal audit structure (frequency and/or scope) along with using sound root cause analysis principles into anything found during internal audits, then they will be audit ready for any customer, second party audit that comes their way. And by being audit ready, we all keep our customers happy and our businesses going strong!

This is all great information. Audits are just another day in the life of a Quality Manager or Sanitarian. Being ready for them is everything. Thanks so much to Shannon for all the information he provided here for us today on Second Party Audits. We hope it helps someone in the industry pass those audits that we all know will come.