University of Idaho - I Banner

Visit UI

Learn about the many reasons the University of Idaho could be a perfect fit for you. Schedule Your Visit

Student Life

Fill your college experience with memories and connections that will define you as an individual and empower you for a lifetime. Explore

Parents on campus during orientation

Parent Newsletter

Keep up on campus events and information involving your Vandal student. Sign Up

UI Retirees Association

UIRA has a membership of nearly 500 from every part of the University. Join Today

BUL 996

An Introduction to Third-Party Auditing in a Food-Manufacturing Facility

Janna Verburg-Hamlett

Food Safety Audit

Introduction

Imagine that you’ve developed a stupendous recipe. Because all your friends and family say it is awesome and encourage you to sell it, you shuffle your family, friends, and personal-time commitments. After making the product at home or in a licensed commercial kitchen and experimenting with selling it at local farmers markets, you find that that approach is not fiscally sustainable.

Next, you target local grocery stores as another sales outlet. They agree to sell small amounts. Soon the product starts selling well; word of mouth spreads. As a result, you decide to expand your business, which involves developing some regional kind of distribution agreements with larger grocery stores like Whole Foods, Costco, Albertsons, etc. You also discover that you may need to work with a co-packer or a larger facility, and thus hire additional people, among many other distribution-related decisions. While reviewing your business plan, these larger distribution contacts suddenly inform you that among other requirements, your business must undergo a third-party audit. But you have no idea what that is or how to get one started. This publication fills in all those details and more, including how much it costs and who conducts them.


The Third-Party Audit

Definitions

There are three levels of auditing: first-party, second-party, and third-party auditing (Figure 1). First party is an internal audit—you audit your own business. Every food company should conduct a first-party audit to ensure it is complying with its own programs and standards. Second-party audits are customer audits, in which someone else, unassociated with the company under review, audits a facility and its programs. Because customers have a vested interest in businesses they patronize—and whose loyalty those businesses want to retain—these kinds of audits can be very useful to business owners. Last, the third-party audit involves an independent auditor who reviews a company’s manufacturing programs.

Audit levels
Figure 1. Audit levels.

Purposes

The main purpose of a third-party audit is to get an unbiased evaluation of a business’ manufacturing process, including its physical facility and policies and programs. This is crucial for food manufacturers, since foodborne illnesses can kill people. Indeed, the Centers for Disease Control and Prevention (CDC) estimates that of the 48 million people who get sick annually because of a foodborne illness, 128,000 require hospitalization and 3,000 die (Centers for Disease Control and Prevention 2020). Thus food-business buyers/customers want proof of a product’s quality and safety and verification that the company partners with reputable manufacturers—they want the assurance that a third-party audit provides.

If the health consequences aren’t enough of a reason to require audits for food businesses, recalls are another. They are quite expensive. In 2012, then-named Grocery Manufacturers Association (now Consumer Brands Association) and the Food Marketing Institute found that the average recall cost in just direct costs (a product’s retrieval and disposal) alone within the food industry was $10 million (Ostroff 2018). Indirect costs, like brand reputation and lost sales, were even more disastrous, estimated in the billions. Consequently, manufacturers, retailers, and distributors definitely want to make sure they are buying food products from a reputable manufacturer.

Other purposes of a third-party audit include:

  • Provides a marketing advantage. It enables a business to market a product as approved or certified by a third party.
  • Troubleshoots a production or quality problem.
  • Ensures that a facility is following industry best practices (continuous improvement activity).
  • Alternative to an internal audit. Some manufacturers may Iack the time or skills to conduct their own audit, so a third-party audit provides a good baseline.

To make things a little more complicated, the purpose or focus of some third-party audits differ as well. Remember our original scenario? Now imagine that your customer specifically requests your company undergo a GFSI-recognized third-party audit. GFSI is an international agency that started in 2000 (for more information, see https://mygfsi.com/). But it is not an auditing company. Instead it creates a “benchmark” document that offers broad recommendations to the food industry (Global Food Safety Initiative 2021). Certification program owners (CPOs) use the document to create their own audit code requirements, such as those used by SQFI (Safe Quality Foods Institute, https://www.sqfi.com/), BRCGS (https://www.brcgs.com/), FSSC22000 (https://www.fssc22000.com/), and Primus GFS (http://primusgfs.com/). There are currently twelve CPOs recognized by GFSI (https://mygfsi.com/how-to-implement/recognition/). These CPOs have their own audit code or checklist that meets all the requirements of the GFSI benchmark document.

Although GFSI’s work has been influential, not all third-party audits are based on it specifically. Many audit companies focus on other aspects, for example, HACCP (Hazard Analysis Critical Control Point), GMP (Good Manufacturing Practice), or GAP (Good Agricultural Practices). Hence, when you talk with a customer about an audit, clarify what kind of audit they need. Many may not require a GFSI audit. Ask if they have a preferred vendor list of third-party audit companies and codes they will accept. You don’t want to spend money and time getting a third-party audit only to find out later that your customer doesn’t recognize or approve of that audit scheme.

Then there’s regulatory audits. Unlike basic third-party audits, these determine how well a manufacturer is following government regulations. Both the USDA (United States Department of Agriculture) and FDA (Food and Drug Administration) audit to ensure that food manufacturers are complying with all relevant food regulations. In addition to the federal entities, many local health districts and states have their own food codes and thus audit to ensure compliance with those regulations as well.

One of the main differences between a third-party audit and a regulatory audit involves its power regarding nonconformance (when a facility fails to meet a regulation). If the USDA or FDA finds you in violation of regulations that could cause a public health hazard, rule-making legislation gives them the legal right to require a recall and close a facility (stop production) until corrections are made (USDA 2015; USFDA 2018). A third-party auditor, however, has less punitive power. Even though a third-party auditor can fail the manufacturer or refuse to give a certification in the case of an egregious finding, e.g., a food-safety issue occurring during the audit, they cannot require a recall, and in most cases, because of confidentiality agreements, cannot inform the regulatory bodies of their findings.

Nevertheless, if you fail a third-party audit, and thus have not been recalled nor closed down, keep in mind that one of your customers may have required the audit. If you don’t have a successful report to give to them as part of their supply-chain program, they may no longer purchase your product.

Types and Review Elements

There are many different types of third-party audits that a customer could require. Some common examples include

  • Quality Systems Audits
  • Financial Audits
  • Environmental Audits
  • Employee Welfare Audits
  • Animal Welfare Audits
  • Employee Health and Hygiene Audits
  • Identity Preserved Audits (e.g., Kosher, Organic, Halal)

Most of the time though, an audit will evaluate a facility’s quality and food-safety systems. In a quality and food-safety system audit, an auditor looks at the overall structure of a facility and makes sure it meets the hygiene requirements of GMP and sound sanitary design practices. The auditor also reviews the policies and programs involved in a food-safety management system. Although the following list is not exhaustive, the following are common review elements:

  • Document Control
  • Pest Control
  • Good Laboratory Practices
  • Allergen Control Management
  • Sanitation Program Management
  • Training Program
  • Your Approved Supplier or Supply Chain Management
  • Your Food-Safety Plan
  • Environmental Monitoring Program
  • Chemical Control Program
  • Calibration Program
  • Internal Auditing Program
  • Food Defense/Intentional Adulteration Program

Codes/Checklists. Each third-party audit has their own code or checklist that helps to certify that the programs and procedures implemented in a facility meet industry requirements. The code or checklist is based on industry best standards, relevant legislation, and possibly GFSI-benchmarked items. In order to be prepared for the audit, review the code or checklist and complete a gap analysis of your facility and documentation in order to be in compliance with the required elements.

Who Conducts a Third-Party Audit

Auditors work for a third-party audit company, like SGS (https://www.sgsgroup.us.com/), NSF (https://www.nsf.org/), Food Safety Net Services (https://fsns.com/), or ASI (https://asifood.com/). When you contact the preferred vendor, make sure to discuss your business plans, identify the products you make, and identify the purpose of the audit, because each audit company has its own requirements and contract elements. Develop a good working relationship with them, because the audit company has decision-making capabilities that impact your certification status or whether or not you will receive the completed audit report.

Length and Complexity

The length of an audit can differ widely, depending on the type of audit and audit company. A facility’s size (square footage), the number of products and food-safety plans being audited or certified, the number of employees, the number of manufacturing lines, and the overall complexity of a manufacturing process are all influential factors. Small facilities with only a few product lines could expect half to a full day before an audit is completed. An audit of large facilities with many product lines and several hundred employees, however, could take five to seven days. Consequently, you will want to discuss audit length when determining a preferred audit vendor. Additionally, COVID-19 and the travel and health restrictions it has created have altered some practices (many audits have gone at least partially virtual). In fact, even after the coronavirus pandemic safely abates, including the lifting of travel restrictions, virtual audits will likely continue. Hybrid auditing practices may develop—for example, you might exchange programs, policies, and procedures with an auditor ahead of time, via an online platform, and then later the auditor arrives onsite for a reduced period of time to complete the audit.

Costs

Costs are highly variable depending on the type of audits and depending on the audit vendor. Short cGMP audits, in which the letter c means current, can be as economical as $300 or less. However, standard GFSI audits are often several thousand dollars. Of course, other services, like consults, which some auditing companies offer, add further costs. Undoubtedly, third-party audits are an investment in both time and money.

Frequency

GFSI audits are conducted at least annually, unless there are several nonconformances, in which case you may receive a follow-up visit around the six-month time period. Each CPO has their own requirements. Other third-party audits can be conducted depending on your needs and/or your buyer’s requirements. However, many retailers and distributors require an annual third-party audit. If your product is considered low risk, they may allow a longer time frame between audits. This will depend on your customer’s approved supplier program requirements.

Typical Audit Activities

In many cases, the first action you take because of an impending audit is to send documentation to the audit company prior to the actual event, such as food-safety plans, quality-program policies, and maybe some production-related documents (Figure 2). The auditor(s) then meet with you to go over the schedule for the audit. In this opening meeting the auditor(s) discuss what documentation is needed, if any interviews with employees will be required, the time frames for the audit, if any specific activities need to be observed (for example, a pre-operation inspection on pieces of equipment), or other pertinent requirements. The opening meeting is the basic preparation for the rest of the audit.

Audit activities
Figure 2. Audit activities.

After this initial meeting, the auditor begins the audit, reviewing the documentation, procedures, policies, and all the paperwork that helps you to manage the food-safety and food-quality systems in your facility. The auditor also physically observes your facility and processing area. If you have any critical food-safety steps (for example, pasteurizing, heating/cooking, metal detection, or use of X-ray equipment), they may ask to observe those activities. The auditor(s) may also interview some of your employees. Normal queries include questions about their work positions and activities and what kinds of training they receive, e.g., basic employee hygiene from GMPs.

Once the audit is complete, an exit meeting is held, where the auditor discusses the findings with management. The results might involve delving into levels or severities of nonconformances, but because most audits have a scoring mechanism, you will be provided an overall score.

All nonconformances found during an audit must be corrected. Some audits mandate specific time frames in which underperforming items must be fixed in order to be rated as in compliance. Consequently, prior to receiving a certificate or completed audit report, you need to respond to the third-party auditor about how the facility is going to correct the issue. Documentation on what policies or procedures are going to be put in place to prevent the issue from occurring again (corrective actions) are also required. Once the preventative corrective actions have been reviewed and approved by the audit company, the audit is complete. As long as your score is high enough, you will receive a certificate or at least a completed audit document that you can share with your buyer/customer.


Summary

Third-party audits can be very beneficial for any food manufacturer, even those that are relatively small and that explore expansion into new markets. They can provide an independent, unbiased viewpoint about whether or not your manufacturing facility and programs meet industry best standards. Additionally, many customers—whether they are other manufacturers, retailers, or distributors—may require one before agreeing to stock your food product(s). However, not all audits are the same. Costs and time frames for audits vary, depending on the type of audit and the size and scale of your manufacturing process. So be prepared. Make sure you understand customer requirements so that you don’t spend unnecessary time and money participating in an audit that they won’t accept.

Audits are very useful, because they ensure you are making a safe product and following industry best practices. Although preparing for and enduring a third-party audit is a lengthy process, having the correct practices in place saves time and money. If you need help preparing for one, there are many free resources online and your Extension professionals can help as well. Good luck!


References

Centers for Disease Control and Prevention [CDC]. 2020. “Foodborne Germs and Illnesses.” Food Safety. https://www.cdc.gov/foodsafety/foodborne-germs.html.

Global Food Safety Initiative. 2021. “Collaborating Across Borders and Barriers.” Overview. https://mygfsi.com/who-we-are/overview/.

Ostroff, S. 2018. “The Costs of Foodborne Illness, Product Recalls Make the Case for Food Safety Investments.” Food Safety Magazine. June 20. https://www.foodsafetymagazine.com/magazine-archive1/junejuly-2018/the-costs-of-foodborne-illness-product-recalls-make-the-case-for-food-safety-investments/.

United States Department of Agriculture. 2015. “Understanding FSIS Food Recalls.” https://www.fsis.usda.gov/food-safety/safe-food-handling-and-preparation/food-safety-basics/understanding-fsis-food-recalls.

United States Food and Drug Administration. 2018. “FDA Finalizes Guidance on Mandatory Recall Authority: Constituent Update.” https://www.fda.gov/food/cfsan-constituent-updates/fda-finalizes-guidance-mandatory-recall-authority.


About the Author

Janna Verburg-Hamlett—University of Idaho Extension Food Processing Specialist, Animal and Veterinary and Food Sciences

Cover Photo

Photo courtesy of Adobe Stock.


Issued in furtherance of cooperative extension work in agriculture and home economics, Acts of May 8 and June 30, 1914, in cooperation with the U.S. Department of Agriculture, Barbara Petty, Director of University of Idaho Extension, University of Idaho, Moscow, Idaho 83844. The University of Idaho has a policy of nondiscrimination on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity/expression, age, disability or status as a Vietnam-era veteran.

University of Idaho Extension

 

Physical Address:
E. J. Iddings Agricultural Science Laboratory, Room 10
606 S Rayburn St

Mailing Address:
875 Perimeter Drive MS 2332
Moscow, ID 83844-2332

Phone: 208-885-7982

Fax: 208-885-9046

Email: calspubs@uidaho.edu

Location

Barbara Petty

Email: extdir@uidaho.edu