Third Party Audits in Food Processing

Part 4 in our 5-part series:

We have discussed Internal Audits as well as Second Party Audits, but now we want to focus on a tough one – the Third Party Audit. These audits are oftentimes performed by an outside, unbiased organization so that they are done as fairly as possible. Their purpose is to stress-test a company’s Food Safety Plan – many times for certification purposes. All food safety professionals know that, though. To get some insider details, we went to Certified Supplier Quality Auditor, Advancedboard certified entomologist SQF Practitioner, PCQI, and Board Certified entomologist, Shannon Sked.

Q: Thanks again for talking to us about the different kinds of audits in food processing. The Third Party Audit seems a little more complicated than the first two. Is that correct?

A: Third Party Audits can be a little more complicated, but that is more because of the variety in what they include rather than the audit itself. Third Party Audits are designed to evaluate a company’s Food Safety Plans (and in some cases Quality Plans) to see if they conform to standards that are developed by an accredited third-party body. These outside standards are commonly referred to as “schematics,” and the schematics of various accrediting bodies can vary – in some cases, vastly. Some examples include SQF, BRC, AIB, Primus, FSSC 22,000, etc. While some are similar in scope and requirements, others are very different.

There are several that have schematics approved by a higher accreditation group and are known as GFSI (Global Food Safety Initiative), which have similar schematics since they all must meet the benchmarks set by GFSI for their standards. Currently there are 10 third party schematics that meet these benchmarks, and some that are relatively common in our part of the world include SQF, BRC Global Standard, FSC 22,000, and Primus GFS. These standards are risk-based, decision-making model standards. Other standards are common in our area as well and may not be benchmarked to GFSI; these include AIB, NSF, and Mérieux. This doesn’t mean one is better than the other. Rather, it just shows the variety in food safety schematics.

To make things even more complicated, some of the companies that design these standards offer auditing, and some of the auditing can be performed against a different set of standards. For example, it’s not uncommon for a food manufacturer to hire an NSF auditor to conduct their Third Party food safety audits against an SQF schematic. In these cases, what is important to understand is the schematic’s benchmarks that are being audited against rather than the company/brand conducting the audit.

So, yes, there is a lot of complexity. What is crucially important to understand, though, is that there is not any audit that the FDA has said would automatically meet FSMA. In other words, regardless of your third-party audit certification, the FDA can and will audit your facility as well in order to measure your facility’s compliance to regulations according to FSMA. So, at the end of the day, you could pass a Third Party Audit and still receive a warning letter from the FDA for FSMA non-compliance. The Third Party Audit is more of a market-driven food safety standard, while FSMA is a regulatory requirement. If you want to do business with certain customers, you’ll need to comply with certain third-party standards, while if you want to hold FDA registration, you need to be FSMA compliant. Therefore, FSMA should always be in mind. Successful companies are those that create a Food Safety Plan that both conforms to FSMA and meets the expectations of their Third Party Audit schematic.

Q: Knowing all of that, why would a Third Party Audit be done? Since we have Second Party Audits from vendors, Internal Audits that are self-imposed, and Regulatory Audits, what’s the reason for a Third Party Audit?

A: Third Party Audits, historically and still today, are primarily developed and driven by markets and business relationships. For example, GFSI (that large organization that benchmarks audit schematics) began in the early 2000s due to findings that customers of retail food had very low confidence in food safety. This caused retail organizations to look at how they can improve the confidence of their customers. One glaring conclusion from that initiative was that if they could get better assurance from their suppliers, then they would likely improve end-user confidence. So, standards began to be developed where manufacturers would have to meet certain benchmarks to obtain certification, and that certification was needed if they wanted to supply their goods to ABC Retail Company.

But this runs through the entire global food chain. That food manufacturer, in order to meet those standards, had to demand certain food safety standards further back from their suppliers as well. Ingredient companies now had to obtain certain certifications. Then, those ingredient companies saw they had to put requirements on their suppliers, so they held their importers to those standards. It was a domino effect. This would go on and on through the markets so that there is a flow of food safety, predominantly market driven, throughout the supply chain.

This ended up being a large shift in the way food safety was approached. No longer was there a standard for a standalone company, but rather it was an entire chain. This become known as the “farm to fork” standard where food safety was followed all the way back to the sources. Therefore, a main driver of third-party audits in today’s world is based on market competition. When contracts are determined, the criteria will include food safety certifications as well as price, logistics, brand awareness, and other market competition aspects.

It should also be mentioned that FSMA, which was passed in 2011, amended the Food Drug and Cosmetic Act (1938) in a way that aligned with this same concept. It integrated site-specific hazard analysis, risk management, risk control (backed by validation, evaluation, and verification processes), and traceable corrective action processes into regulatory food safety – all packed into a Food Safety Plan. Part of those plans require Supplier Verification processes and Foreign Supplier Verification Programs, similar to the market driven aspect of certification mentioned above. Therefore, Third Party Audits can now be part of the FSMA-required Food Safety Plan (although, again, FDA is clear that it’s not an automatic pass on one of their inspections). Now, Third Party Audits will both document market-driven standards through certification (independent schematics) and regulation (FSMA compliance).

Q: Now that we know why those audits exist, what can/should a food processing plant do if they fail a Third Party Audit?

A: While a food processor never wants to fail an audit, one thing that can come out of a failure is a set of specific issues that the food processor can target to bring their food safety program up to standards. Auditing is steeped heavily in documentation today. Almost all audits will offer a resultant report that will show a QA Manager the specifics of what non-conformities were found and the corresponding schematic code that describes why a certain aspect audited did not meet that standard. This is a map of how to turn the program around, case by case, to bring a food safety program up and into compliance.

Some parts of failures loom large, though. There are different types of non-conformities that can be found. These are categorized differently based on the certifying body that is being audited against; however, most are something like this:

  • OFI (Opportunity for Improvement): Often a non-point-reducing observation that can be improved upon but poses no immediate safety risk and doesn’t go directly against any required standard of the schematic.
  • Minor Non-Conformity: Points will be taken off the final score. While there was an aspect found that does not meet the standard of the schematic, typically the finding was not egregious enough to make the food management system fail.
  • Major Non-Conformity: Points will be taken off the final score. This is usually an issue where the observed compliance failure will affect the overall food management system but not to the point where there is an imminent threat to food safety.
  • Critical Non-Conformity: Typically, this is an automatic failure since a critical non-conformity is often due to an observed compliance failure that may pose a threat to food safety or when the observed practice may not be legal. This can be a stop-work issue and is very serious when it does occur.

So, as you can see, depending on the reason for failure, this can be a great tool to get a plan into shape (if OFIs and minors were there). However, they also can be incredibly impactful to business (multiple Major Non-Conformities or even a single Critical Non-Conformity). The reason for this tiered system is that if the infraction poses imminent risk to food safety, the immediate need is to prevent that risk from causing potential illness to the general public first and foremost.

The best advice I can give any company that has struggled with an audit is to look at two things first. (1) What does your management buy-in to the Food Safety Plan look like? And (2) Do you have a strong Food Safety Consultant to support your initiatives? Management buy-in is key and required nowadays. With the criminal prosecution of certain cases across the country in recent years, I think the message is out that food safety is a seriously important part of food processing. One thing a good consultant can do is show the return on investment of food safety to help management see the benefits of it rather than treat it as a simple necessary cost for business. When management and consultation are both in place, a process plant is on the right track! The remainder is the work of the QA Manager conducting root-cause analyses, creating corrective actions from those analyses, and finally implementing those changes for a solid score on the next audit!

Well, this is exactly the information a food processing professional, whether you are a Quality Manager or Sanitarian, would need. Especially since audits will always be a part of the food processing industry. For good reason – the safety of our food is paramount.