In today’s complex global supply chain and environment of ever-expanding market requirements, it has become common to rely on third-party audits to help assure the safety of one’s supplies. Not only are food safety regulations driving this uptick, but retailers and other buyers are demanding it to reduce risk to consumer and brand value. Third-party audit schemes, such as those benchmarked by the Global Food Safety Initiative (GFSI), build confidence in the supply chain. Companies in compliance with such schemes have appropriate and comprehensive food safety controls in place to address hazards expected within their operation and for their specific product type.
Third-party audits provide companies with an objective assessment of their programs and practices, enable them to identify opportunities for continuous improvement, and delineate gaps in their practices from industry best practices or regulatory requirements. Use of such audit schemes aid companies in minimizing food safety risks by ensuring implementation of the practices and programs necessary to reduce foodborne illness. A key factor in ensuring the integrity of scheme implementation and compliance is auditor competence. An auditor’s interpretation of food safety audit standards is critical to ensuring the rigor of the audit scheme. Experienced auditors with the appropriate training and education provide objective and thorough assessments of the evidence gathered during the audit.
The Audit Era
The Food Safety Modernization Act (FSMA) emphasizes prevention and accountability across the supply chain to ensure the safety of foods consumed within the U.S., irrespective of where the food is produced. Seven regulations have been finalized and issued by the U.S. FDA as part of FSMA, four of which address auditing in some manner.
Specifically, the Preventive Controls for Human Food (PCHF) and Foreign Supplier Verification Program (FSVP) rules highlight the use of audits as an appropriate, and in some cases, a required supplier verification activity. These rules explicitly state that auditing must be conducted by a “qualified auditor” for those instances in which it is used as a supplier verification activity. Qualified auditors must have the technical expertise—obtained through education, training, experience, in any combination—to perform the auditing function as required. Audits may be conducted by the processor or FSVP importer, provided they employ individuals who meet FDA’s definition of a qualified auditor.
Serious hazards that the processor or FSVP importer cannot mitigate through its own control measures may be identified as reasonably foreseeable for raw materials and ingredients. In such cases, annual onsite audits must be conducted to verify the adequacy of supplier controls to address the identified hazards. A hazard is considered “serious” where exposure to that hazard through food will result in serious adverse health consequences or death—i.e., hazards that would result in “Class I” recalls. In general, under these two rules, the processor or FSVP importer will determine appropriate verification activities based on the hazard of concern and the supplier’s practices and food safety performance. For instance, appropriate verification activities may include audits conducted by a “qualified auditor,” sampling and testing, or review of records and other related food safety documentation. Audits by third-party certification bodies can be used to achieve verification; such audits assess an operation’s hazard analysis and implementation of preventive controls to ensure they meet the requirements of the regulations and are conducted by a “qualified auditor.”
The food industry has relied on private audits for years to ensure compliance with purchasing requirements. Given FSMA’s supply chain provisions, reliance on third-party audits and the use of third-party auditors who meet the “qualified auditor” definition is likely to grow even more. The FDA refers to the use of private third-party audit schemes, such as the GFSI benchmarked schemes, to foster compliance with the Produce Safety Rule issued as part of FSMA. This is consistent with FDA’s stated intention to work with the produce industry and other government and private partners to improve the rigor and reliability of private audits.
Under the FSMA Accredited Third-Party Certification Rule, the FDA now has the option of contracting with third-party certification bodies that meet its accreditation criteria to conduct audits on its behalf. These audits could either be regulatory audits of foreign facilities or consultative audits that assist companies in understanding gaps in practice that need to be addressed to come into compliance with the pertinent FSMA regulations. This is an important development, giving FDA the capacity now to cover more of the regulated industry, particularly foreign suppliers, and enabling industry to utilize more tools to identify gaps in their practices before they undergo a regulatory audit or inspection.
Additionally, foreign suppliers may seek certification from accredited third-party certification bodies to establish their eligibility for participation in the Voluntary Qualified Importer Program, which offers expedited review and entry of food into the U.S. Third-party certification bodies and auditors may also be contracted to conduct assessments against certification criteria for cases in which high-risk food categories are offered for import. If the FDA has reason to be concerned about the safety of products from certain countries, territories, or regions with increased food safety risks, it now has the discretion under FSMA to require import certification as a condition of entry. Though this new authority has not been activated by FDA yet, it could be at any time, and could require the use of third-party audits or third-party certification bodies to conduct assessments per FDA’s specific requirements.
The passage and implementation of FSMA will have a significant influence on the use of audits and auditors. Private food safety audit schemes will likely modify their requirements to incorporate FSMA provisions. This has already begun with some GFSI benchmarked schemes, which have created tools to help stakeholders understand the gaps between their provisions and FSMA requirements, and understand how to use their provisions to achieve compliance with the FSMA regulations.
Given FDA’s requirement to conduct audits in some cases for supply chain verification and its identification of audits as an appropriate supply chain verification activity, it would not be surprising to see the use of third-party audit schemes increase in the coming years. Moreover, FDA’s ability to use third-party certification bodies and auditors to assess compliance of foreign suppliers and approval of accredited third-party certification bodies to conduct consultative audits for industry will probably result in growth of this practice and the auditing industry. While this is a positive development, it likely will not be without growing pains and complications, as third-party certification bodies and auditors, tasked with maintaining their objectivity and independence, interface with both FDA and its regulated industry. In addition, FDA’s focus on ensuring that certain activities are performed by “qualified individuals,” and that auditing is conducted by “qualified auditors,” will undoubtedly increase focus on ensuring auditor competence.
FSMA underscores the role and importance of audits and “qualified auditors” in a functional preventive controls system. It remains to be seen how this will transform the private food safety audit industry; however, it is safe to say it will likely raise the bar for private auditing performance, given industry and FDA’s reliance on this work for assessing and ensuring regulatory compliance.
Dr. Crawford, senior technical trainer for food safety at SCS Global Services, has over 14 years of experience in developing, implementing, and evaluating food safety systems across the supply chain. She also served as a food microbiology and produce safety expert for the development of FDA’s FSMA regulations, policies, and programs. Reach her at email@example.com.