BRC

INTERNAL AUDIT

BEST PRACTICE GUIDELINE INTERNAL AUDIT

ISSUE 2

Issue 2

9011 BRC GL IA NON TSO V0_1.indd 1 17/07/2014 10:28

 BEST PRACTICE GUIDELINE
INTERNAL AUDIT

July 2008
British Retail Consortium

64804_TSO_BRC_BPG_INTERNAL.indd 1 25/07/2014 09:11

 Liability
BRC publish information and express opinions in good faith, but accept no liability for any error or omission in any such
information or opinion including any information or opinion contained in this document.
Whilst the BRC have endeavoured to ensure that the information in this publication is accurate, they shall not be liable for any
damages (including without limitation damages for pure economic loss or loss of business or loss of profits or depletion of
goodwill or otherwise in each case, whether direct, indirect or consequential, or any claims for consequential compensation
whatsoever (howsoever caused) arising in contract, tort (including negligence or breach of statutory duty), misrepresentation,
restitution or otherwise, in connection with this publication or any information contained in it, or from any action or decision
taken as a result of reading this publication or any such information.
All warranties, conditions and other terms implied by statute or common law are, to the fullest extent permitted by law,
excluded.
Nothing excludes or limits the liability of BRC for death or personal injury caused by their negligence, for fraud or fraudulent
misrepresentation or for any matter which it would be illegal for them to exclude or attempt to exclude liability for.

Copyright
© British Retail Consortium 2008
All rights reserved. No part of this publication may be transmitted or reproduced in any form (including photocopying
or storage in any medium by electronic means) without the written permission of the copyright owners. Application for
permission should be addressed to the Director of Global Standards at the British Retail Consortium, contact details below. Full
acknowledgement of author and source must be given.
No part of this publication may be translated without the written permission of the copyright owners.

Warning: Any unauthorised act in relation to a copyright work may result in both a civil claim for damages and criminal
prosecution.

British Retail Consortium

Second Floor
21 Dartmouth Street
London
SW1H 9BP
Tel: +44 (0) 20 7854 8900
Fax: +44 (0) 20 7854 8901
email: brcglobalstandards@brc.org.uk
website: www.brcglobalstandards.com

64804_TSO_BRC_BPG_INTERNAL.indd 2 25/07/2014 09:11

 www.brcglobalstandards.com Best practice Guideline: Internal Audit

Contents

Acknowledgements iv

1 Objective of Guideline 1

2 The Importance of Internal Audit 1

3 What is Internal Audit? 1

4 Audit Format 2

5 Planning an Audit Schedule – Risk Assessment 4

6 Auditor Training 6

7 Who Should Carry out Internal Audits? 6

8 Audit Preparation 7

9 Audit Process 8
9.1 ‘Opening Meeting’ 8
9.2 Personnel Involvement 8
9.3 Audit Timing 8
9.4 Review and Inspection 8
9.5 Confirmation of Findings – the ‘Closing Meeting’ 8

10 Conducting an Audit 9
10.1 Look and Listen 9
10.2 Ask 9
10.3 Check 9

11 Audit Findings 9
11.1 Classifying Non-conformities 10

12 Corrective Action 10

13 Documentation 11

14 Review 11

Appendices 12
Appendix 1 Example of a Scored Weekly GMP and Hygiene Audit 12
Appendix 2 Example of a Systems and Procedures Audit 13
Appendix 3 Example of an Unscheduled Audit as Part of a Complaint
­Investigation 14
Appendix 4 Example of a Risk Assessment for Audit Frequency 16

Glossary 17

Sources of Further Information 18

© BRC iii

64804_TSO_BRC_BPG_INTERNAL.indd 3 25/07/2014 09:11

 Best practice Guideline: Internal Audit www.brcglobalstandards.com

Acknowledgements
BRC would like to acknowledge the invaluable input and assistance of the many individuals who have
contributed in producing and reviewing this guideline.

iv © BRC

64804_TSO_BRC_BPG_INTERNAL.indd 4 25/07/2014 09:11

 www.brcglobalstandards.com Best practice Guideline: Internal Audit

1 Objective of Guideline
A comprehensive internal audit system is fundamental to a company’s safety and quality control as it
provides confirmation that systems and procedures are operating effectively and identifies areas that
require improvement. This guideline promotes best practice for an effective internal audit system. It
provides a simple and effective framework to:

n plan an audit schedule

n define the requirements for staff undertaking internal audits

n consider the aspects necessary to conduct an audit

n record audits comprehensively

n give guidance on corrective action to be undertaken

n identify opportunities for continual improvement.

Principles are illustrated by the use of case studies and examples.

2 The Importance of Internal Audit

Internal auditing is a key factor in ensuring continued compliance with company policies and procedures
and must be regarded by the senior management of a company as being critical to its operation.
Objectives of internal audits are to:

n identify whether systems, processes or procedures meet or do not meet requirements and
objectives

n record objective data – whether this shows conformity or non-conformity

n ensure appropriate corrective action is taken when deficiencies are found

n provide useful information that shall be fed back to management for review, assessment and
identification of action including provision of resources

n identify opportunities for continual improvement and identify the potential for problems before
they occur.

The objectives of internal auditing should be understood by staff throughout the company, so that they
understand that auditing is about improvement and not about catching someone doing something
wrong. Internal audits should provide meaningful information to be discussed and reviewed at senior
management review meetings to allow for resources to be focused on problem areas.

3 What is Internal Audit?

Audit is defined as:

‘A systematic examination to substantiate whether activities and related

results comply with planned arrangements and whether these arrangements
are implemented effectively and are suitable to achieve objectives.’

© BRC 1

64804_TSO_BRC_BPG_INTERNAL.indd 1 25/07/2014 09:11

 Best practice Guideline: Internal Audit www.brcglobalstandards.com

There are three types of audit:

n Third-party audits are undertaken by independent auditors such as the certification body
responsible for certification of a site to a BRC Global Standard.

n Second-party audits occur where the auditor is associated with the company having a
commercial interest, e.g. auditing suppliers.

n First-party or internal audits are audits conducted within a company, whether this involves
internal staff or external consultants.

Whichever type of audit is undertaken, the principles for a successful audit are the same. The steps for
carrying out an internal audit are illustrated in Figure 1.

4 Audit Format
Audits may be one of two formats:

n An audit of systems (for example, a review of the company’s traceability policies and procedures
against the requirements of the BRC Global Standards) establishes whether these systems are
adequately designed to meet the requirements. In other words, has the company identified the
correct things to do?

n An audit of procedures and practice establishes whether personnel are carrying out procedures
correctly against the documented system and whether these procedures are appropriate. For
example, establishing whether staff are correctly adhering to the company requirement of hourly
metal detection checks.

Audits may be undertaken to investigate all the elements of a system and cover aspects of both system
and practice. For example, the BRC Global Standards require that all the elements that constitute the
requirements of the Standard shall be regularly audited to a nominated schedule, and should include
policy and practice.

Audits may also constitute part of an investigation process and may therefore be unplanned. For
example, confirming that the procedure for the cleaning of a specific piece of equipment is carried out
correctly when routine microbiological testing of food products reveals an out-of-specification result.

Audits may be planned or unplanned but they should always be sufficiently prepared for.

2 © BRC

64804_TSO_BRC_BPG_INTERNAL.indd 2 25/07/2014 09:11

 www.brcglobalstandards.com Best practice Guideline: Internal Audit

Figure 1 The internal audit process

Agree audit scope

Develop audit schedule

through risk assessment

Identify auditor who is

appropriately trained and independent

Identify audit requirements and

prepare checklist

Establish audit timing

– when it will be carried out
– how long it will take

Collect and document objective

evidence recording conformity as
well as non-conformity

Agree non-conformities and

responsibility and timescale for
corrective action

Verify and document corrective actions

as effectively completed

Communication to senior management

of audit findings for review

© BRC 3

64804_TSO_BRC_BPG_INTERNAL.indd 3 25/07/2014 09:11

 Best practice Guideline: Internal Audit www.brcglobalstandards.com

5 Planning an Audit Schedule – Risk

Assessment
Planned internal audits should be carried out to a documented schedule. Consideration of the frequency
of audits should be based on the following factors:

n risk

n severity of consequences if the system or compliance with it is inadequate

n potential for changes which would affect these control systems

n historical background to issues within the company

n best practice

n customer requirements

n external requirements such as certification to BRC Global Standards.

It is likely that a more frequent need for internal audit is identified for practices in key areas such as
hygiene, good manufacturing practices (GMP) and foreign-body risks – particularly those of glass and
controls identified as critical control points (CCP) within any hazard and risk assessment analysis. An
example of a simple assessment for audit frequency of glass materials is shown in Appendix 4. Audits
may also be undertaken as a result of issues such as customer complaints or out-of-specification results
and will therefore be unscheduled (refer to Appendix 3).

Table 1 is an example of a planned systems audit schedule for a consumer product manufacturer. The
company also undertakes weekly hygiene audits and glass checks as well as annual policy reviews.

The schedule identifies the resources available to conduct audits – for example, it avoids the busy
production period of December and ensures that the internal audit schedule itself is reviewed together
with the main points of concern (management review and hazard and risk management) at the
beginning of the year. The review of pest control falls before the contract is due for renewal in December
and before the end of the company’s capital budget year, to allow for any additional expenditure that is
required. Traceability has been an issue within the company and therefore is scheduled to be checked at
least twice during the year as well as constituting part of the product recall exercise.

Table 1 is an example of a schedule for a systems review which will include an audit of the policies to
confirm whether they still meet the requirements of the company, of legislation, of any certification such
as BRC, and of the customers. The review will also include the operation of these policies in practice, i.e.
whether staff are correctly interpreting and following the policies and procedures.

4 © BRC

64804_TSO_BRC_BPG_INTERNAL.indd 4 25/07/2014 09:11

 Table 1 Systems audit for a consumer products manufacturer

Area Action summary Auditor Jan Feb March April May June July Aug Sept Oct Nov Dec
Hazard Team to carry out review – ensure that all products, raw

64804_TSO_BRC_BPG_INTERNAL.indd 5
and risk materials and new products are covered. Schedule to be
management established for monthly review to cover all critical points 1 x x
and check that new products are correctly assessed.
Customer Review complaints and key performance indicators (KPIs).
Meeting with customer. 1 x
focus
Management Review action points from previous meeting.
2 x
review
Internal audit Review audit schedule to ensure it covers all required
areas and check allocation of auditor resource. Ensure all 2 x
audits completed to schedule. Sample documentation.
Analyse data to present to management team.
Approved Review and update supplier register. Review performance
suppliers data and present to management team. Plan high-risk 1 x
supplier site audits schedule. Review documentation.
Raw material Review listing. Ensure updated specifications exist for all
specs raw materials. Review documentation. Check certificates 3 x
of conformity and any test reports.
Finished Ensure that an updated specification exists for all
product specs products. Review format. Review documentation. 3 x

Traceability Carry out trace-back and forward exercise.

1 x x
Review paperwork and make any necessary changes.
Recall Review any product recalls. In the event that no recall
situation occurred, undertake a 'dummy' recall exercise to 1 x
ensure full traceability.
Non-confor- Review all non-conforming product paperwork.
ming poduct Summarise and report to management team. 1 x

Complaints Overview of system, reviewing monthly trend analysis. x

1
Present annual report to management team.
Maintenance Review maintenance lists.
Sample procedures and documentation. Analyse for trends. 2 x

Pest control Review documentation, outstanding action log. Review

2 x
meeting with service providers.
Staff training Review records and training matrix. 1
Transport Audit documentation and procedures. 2 x
Calibration Review schedule and all equipment up-to-date.
Procedures carried out correctly. 2 x x x

Refer to Appendix 2 for an example of an audit report of the system for non-conforming product control.

25/07/2014 09:11
 Best practice Guideline: Internal Audit www.brcglobalstandards.com

6 Auditor Training
Auditing is an acquired skill and auditors need to be trained to ensure they are carrying out this function
effectively. Training should include auditing skills as well as relevant technical knowledge such as Hazard
Analysis Critical Control Point (HACCP) or risk assessment principles together with appropriate product
technical knowledge.

Different levels of ‘qualification’ may be required for the two different types of internal audits noted in
section 4: ‘systems’ audits and ‘procedure and practice’ audits. Systems auditors must have sufficient
knowledge of the broader objectives of the ‘system’ being audited to determine whether the procedures
designed to achieve the objectives are suitable, when they are appropriately implemented by trained staff.

Auditors involved in the audit of ‘procedure and practice’ may need less experience in the broader
aspects of the objectives of the procedure as their role is primarily to:

n determine whether the procedure is practical to implement (correctly written)

n understand the procedure

n gather objective evidence regarding its practical application in the work environment

n assess the adequacy of training and level of understanding of those staff responsible for its
implementation.

Auditors can be trained via external training courses as evidenced by training records. This will often be
in the form of a certificate and should include:

n name of the trainee

n confirmation of attendance or successful completion of examination

n date and duration of the training

n course title (where it is an industry-recognised course) or an indication of the contents such as

subject headings

n name of the training provider.

Training may also be achieved through an in-house training course, where all the details outlined above
should be available. Auditor competence may also be established through on-the-job coaching and
experience, and this may be demonstrated through the quality of auditing work. Whether this is acceptable
to a third-party auditor would be individually assessed on the evidence available at the time of the audit.

Where the training provider is an ‘independent’ external resource, it is good practice to also retain on
record a copy of the trainer’s qualifications with respect to the training provided.

It should be recognised that training of auditors, however this is achieved, is a continual process and
planning should allow for contingency and staff turnover.

7 Who Should Carry out Internal Audits?

Auditors shall be independent from the department which they are auditing. This principle is to ensure
that the audit is rigorous and thorough and is not influenced by the work which may need to be carried
out to effect corrections and improvements. Auditors should not be biased or influenced.

6 © BRC

64804_TSO_BRC_BPG_INTERNAL.indd 6 25/07/2014 09:11

 www.brcglobalstandards.com Best practice Guideline: Internal Audit

If the company does not have sufficient trained personnel to audit all areas, further resource or expertise
may be provided by external consultants. Alternatively, if the company is part of a group, auditors from
different sites may audit each other – this is a very good way of sharing knowledge and resolution of
problems, as well as providing a ‘fresh pair of eyes’ to look at systems and procedures.

An auditor’s job is to investigate procedures to obtain objective evidence for conformity or non-
conformity. The personal characteristics of a good auditor are therefore important and should include:

n good communication skills – ability to look, listen and talk

n assertiveness and objectivity in judgement – ability to analyse the evidence seen and judge its
significance whilst ensuring fairness

n being organised, methodical and focused on pertinent details

n self-motivation – ability to ensure all aspects are thoroughly investigated

n being diplomatic in working with people and obtaining the correct information.
Characteristics of poor auditors would be those of poor communicators, for example:

n condescending in attitude

n hostile and aggressive; critical and argumentative

n considering themselves to be expert at everything

n concentrating on details which are not significant

n disorganised and inconsistent in judgements.

8 Audit Preparation
Auditors must ensure that they have a clear understanding of the objective of the audit and the required
scope, i.e. what is and is not to be included. Using a checklist ensures that these objectives are met,
acting as a prompt to ensure that no elements are missed. It also acts as objective evidence that the
audit has been conducted, allowing recording of notes, or it can be used as the documented report
itself. Recording this evidence in a standardised format ensures that information is easily referred to for
subsequent audits. A structured checklist also aids time management –the list should follow a logical
order such as the sequence in which the auditor will walk around the site.

Designing the audit checklist to include corrective action details and sign-off ensures that all aspects of
the audit are completed. However, the audit checklist and final audit report may be achieved just as well
with the use of two separate documents.

An audit checklist or report template should include the following:

n personnel involved – name of auditor, auditee, accompanied by whom

n date and time

n scope or area assessed

n list of points or procedures to be checked, allowing space for notes to describe the audit findings.

Additionally an audit report would include:

n detail of corrective actions including responsibility and target timescales for completion

n sign-off by auditee or the department manager, denoting agreement with the findings and
timescales for the completion of any corrective actions that may be necessary

© BRC 7

64804_TSO_BRC_BPG_INTERNAL.indd 7 25/07/2014 09:11

 Best practice Guideline: Internal Audit www.brcglobalstandards.com

n verification of completed action sign-off

n a final review of the corrective actions at an appropriate timescale following implementation, to

assess whether they have been effective in minimising the likelihood of the fault or non-conformity
recurring. This final review should ideally be signed off by the original auditor.

9 Audit Process
Formality is an important feature of a good audit, and it is important to consider including the following
steps as part of the internal audit process.

9.1 ‘Opening Meeting’

Confirm the scope and process of an audit with those personnel involved – this may simply consist of
informing the relevant supervisor and staff that the auditor is present within a department and that they
are there to conduct the weekly hygiene audit.

9.2 Personnel Involvement

It is good practice for the person responsible for a department (the auditee) to accompany the auditor
during the facility inspection or document review. This is so they may:

n agree the comments made on the audit report

n fully understand any non-conformities identified

n agree appropriate corrective action and timescales.

9.3 Audit Timing

Persons responsible for departments should be made aware of the timing of the audit shortly beforehand. Bear
in mind, however, particularly with routine hygiene audits, that times should be varied to ensure that a complete
picture of the site standards is ascertained. Although the purpose of the audit is not to ‘catch out’ staff, it would
be more beneficial if practices were not changed as a result of a known audit taking place in the near future.

Establish how long each section of the audit should take – this is good management to ensure that
staff involved can arrange their time effectively and also to indicate how ‘in-depth’ the audit should be.
Sufficient time should be given to ensure a thorough check.

9.4 Review and Inspection

The audit should consist of a review of documentation, where appropriate, as well as reviewing the
practical implementation of the systems and interview of personnel. For example, the facility should be
thoroughly inspected for evidence of standards of hygiene.

9.5 Confirmation of Findings – the ‘Closing Meeting’

The audit findings should be reviewed to identify and agree the non-conformities; if possible, the
corrective action required in the short term should be agreed between the auditor and the auditee – in
effect, the ‘closing meeting’ of the audit. If this discussion is not possible at the time of the audit, then
agree a time when the auditor can run through the findings with the relevant personnel. Back this up
with a copy of the audit, identifying comprehensive notes detailing non-conformities so that issues can
be clearly understood and appropriate action taken.

8 © BRC

64804_TSO_BRC_BPG_INTERNAL.indd 8 25/07/2014 09:11

 www.brcglobalstandards.com Best practice Guideline: Internal Audit

10 Conducting an Audit
The aim of an audit is to collect evidence of whether company requirements are being fulfilled.
Therefore, the basic principles of conducting an audit are to look, listen, ask, check and record the
findings. The auditor’s role is to collect objective evidence and should therefore not be subject to hearsay,
assumptions or personal bias.

10.1 Look and Listen

The auditor should watch what is being done; for example, observing that an operator carries out the
metal detection check procedure in practice as is stated within the documented procedure, to which the
auditor will refer.

10.2 Ask
Auditors should ask questions of relevant staff, explaining why these questions are being asked. This
may require asking to see some evidence, and it may seem as if auditors don’t believe what they are
being told. Asking a hypothetical question such as, ‘What would you do if the metal detector did not
reject the test piece?’ establishes people’s understanding of procedures.

Auditors are not there to criticise and should not undermine the authority of supervision, but can offer
guidance if required. They should try to find out the reasons why things are as they are.

10.3 Check
The auditor may make notes during the facility inspection or document review, so that they may cross-
check a selection of records at a later stage of the audit, e.g. noting the operator’s name to check that
training records for this person are available.

An audit is a ‘sample’ and can only check the processes that are seen to be carried out on the day, or
check a limited number of documents. How many documents should be reviewed is at the discretion of
the auditor and may initially be a small number if this gives sufficient evidence that things are completed
correctly and under control. However, the sample may be significantly increased if there is evidence
of procedures not being followed or indications of possible issues. For example, if a non-conformity is
highlighted, then further evidence should be sought to confirm the scale of the problem.

It is good practice to ask for specific records rather than being guided by the auditee as this will give an
indication as to the control of the system – for example, if it takes a long time to find the temperature
records for a specific date requested.

11 Audit Findings
Evidence of the audit must be documented and specify conformity as well as non-conformity. Findings
are the result of investigation, therefore they should include details of the specific records that have
been checked or the staff that have been seen to comply with specified procedures. Note that to
protect individuals’ personal data, best practice is to use other identification methods such as employee
numbers on audit records rather than staff names.

Where non-conformities are identified, the details should be agreed with the person responsible for the
corrective action, so that they fully understand the issues and can therefore make a plan for effective
corrective action. Often non-conformities are observations of activities such as someone not washing

© BRC 9

64804_TSO_BRC_BPG_INTERNAL.indd 9 25/07/2014 09:11

 Best practice Guideline: Internal Audit www.brcglobalstandards.com

their hands correctly. If the person responsible for corrective actions is guiding the auditor around the
department, they can also observe the evidence of any non-conformities.

11.1 Classifying Non-conformities

It may be useful to classify non-conformities as to their severity, which will help in prioritising the
corrective action that needs to be taken and establishing appropriate timescales. As an example, the
following classification may be used:

n critical – where there is a critical failure to comply with a product safety or legal issue

n major – where there is a substantial failure to meet a requirement

n minor – where absolute compliance to a requirement has not been met, such as when a procedure
that is usually undertaken has not been completed (e.g. a document is not completed fully and this
is a single lapse or human error).

Alternatively, focus may be given to specific areas by the use of scoring. For example, it may be
possible to award high-risk controls such as critical control points (CCP) more or fewer points than
some other issues. An example of a weekly hygiene audit which includes scoring for each aspect is
shown in Appendix 1. This allows a week-by-week comparison of score as well as comparisons across
departments, which can help motivate staff to strive for continual improvement. Graphical display of
results demonstrates an easily communicated performance indicator to staff and senior management
about this aspect of the site’s control system.

12 Corrective Action
Appropriate corrective actions need to be identified and carried out within an agreed timescale. There
may be a requirement for short-term action; for example, if an area is found to be dirty, then this must be
cleaned immediately. However, long-term action may consist of reviewing and amending the cleaning
frequency or undertaking staff training.

Timescales should be agreed, practical, achievable and prioritise issues according to risk. The
responsibility for carrying out the corrective action should be clearly established – this may be the
relevant departmental manager or supervisor, or if it involves other departments such as maintenance or
technical, it would be good practice to ensure that the department supervisor is accountable for work
being completed, e.g. reminding service departments of outstanding work within their department.

The auditor should verify, by physically checking at a later date, that the corrective action has been
completed to a satisfactory standard within the agreed timescale. Particular attention should be paid to
emerging trends and repeated non-conformities as evidence that the root cause of the non-conformity
has not been adequately dealt with. Systems should be put in place to highlight these issues to relevant
senior management so that the problems may be dealt with.

Records of completed corrective actions and verifications should be kept.

10 © BRC

64804_TSO_BRC_BPG_INTERNAL.indd 10 25/07/2014 09:11

 www.brcglobalstandards.com Best practice Guideline: Internal Audit

13 Documentation
Relevant and meaningful documentation is important as it provides the evidence should there be an
issue – for example, if the company is investigated as a result of a consumer complaint. Examples of the
documentation required would be:

n auditor training records

n internal audit schedule with trained auditor allocation

n audit checklist

n corrective-action report with designated responsibilities

n verification of corrective action

n management review records.

14 Review
The internal audit system should be reviewed to ensure that it fulfils its intended objectives and
continues to encompass the necessary company activities. Provision should be made to ensure that
audit schedules have been adhered to and that auditors have been adequately trained.

Review of key performance indicators (KPIs) such as customer complaints, out-of-specification results,
and incidents of non-conforming products, as well as corrective actions, will help to focus internal audit
activities and highlight areas requiring improvement.

© BRC 11

64804_TSO_BRC_BPG_INTERNAL.indd 11 25/07/2014 09:11

 Best practice Guideline: Internal Audit www.brcglobalstandards.com

Appendix 1 Example of a Scored Weekly GMP and

Hygiene Audit
Date Friday 8 May 2008 Time 10.20-11.00 am
Auditor David Detail Accompanied by Matthew Manager
Hall 1
Audit Max Score Auditor Corrective Completed Date Verified Date
parameter score awarded comments action by by
taken
Floor and drains 1 1
clean
Walls and 1 1
ceilings clean
Waste bins not 1 1 Emptied during
overfull break
Strip curtains 1 0 Curtains at Immediately James Mop 8/5/08 David 8/5/08
clean entrance dirty cleaned cleaning Detail
supervisor
Staff washing 2 2 Six staff observed
hands entering hall
correctly following
tea-break
Staff correctly 2 0 Line 1 staff Staff Matthew 8/5/08 David 8/5/08
dressed member (clock no requested Manager Detail
263) not wearing to wear
gloves on line gloves –
immediate
No jewellery 2 2 Staff (clock nos
evident 174 and 263)
randomly checked
Beard snoods 1 1 Two staff (clock
worn nos 174 and 243)
correctly wearing
snoods
Correct factory 1 0 Staff member Pen Matthew 8/5/08 David 8/5/08
pens in use (clock no 174) confiscated. Manager Detail
observed using Staff
incorrect pen to reminded of
document CCP correct style
checks of pen
No equipment 2 2
on floor
Room 3 3 Checked with
temperature thermometer no
within spec 15 and found to
8–12°C be 11°C
Maintenance 1 1
issues

Total 18 14

Percentage 77.8% Target > 80%

Additional comments
Line 1 staff member (clock no 263) has been observed by the auditor as not wearing gloves on line on a
previous occasion at the audit of 24 April – to be monitored by Matthew Manager.
Hygiene standard has improved in the last two weeks.

12 © BRC

64804_TSO_BRC_BPG_INTERNAL.indd 12 25/07/2014 09:11

 www.brcglobalstandards.com Best practice Guideline: Internal Audit

Appendix 2 Example of a Systems and Procedures Audit

Control of Non-conforming Product Annual Review Audit

Date 12–14 May 2008 Auditor Ann Checker

Copied to Managing director, operations manager, production manager, hygiene manager

BRC requirement Company policy Evidence

The company shall ensure that any
non-conforming materials,
components and product are clearly
identified, labelled, quarantined,
investigated and documented.
Corrective action documented on
standard form as detailed in QM 011.
Corrective actions reviewed –
ongoing – discussed at daily and
weekly management meetings.
Analysed for trends on an annual
basis by the Operations department.
All non-conformities collated and
analysed for trends – refer to separate
report. To be discussed at
management review on 20/5/08.
Wastage log cross-checked
(1/4/08–20/4/08) against records of
non-conformities – disposal of two
rolls fabric on 3/4/08 unaccounted for.

Clear procedures for the control of
non-conforming materials and
products, including rejection,
segregation, acceptance by
concession or re-grading for an
alternative use, shall be in place and
understood by all authorised
personnel.
In the event of the presence of non-
conforming materials and products, all detailed above.
non-conforming products shall be
handled or disposed of according to
the nature of the problem and/or the
specific requirements of the customer.
Procedure QM 011 specifies all
requirements: that all non-
conforming products are to be
stored in one of three identified
areas according to product type,
labelled with ‘on hold’, ‘reject’ or
‘QC pass’ tape. Form to be
completed and attached to each
product, with copy to specified
management. Sign-off by listed
approved staff only.
Specified in procedure QM 011 as
Procedure QM 011 dated 11/5/07 v3
in use.
Records for 14/4/08–22/4/08 showed
sign-off by approved staff.
Random staff – clock nos 357, 260
and 100 – queried what they should
do with incorrectly cut piece of fabric.
Records comply with disposal
conditions.
Actual instances of non-conformities
audited in practice:
13/4/08 (1.5 kg excess fastenings)
seen to be clearly labelled with reject
stickers, stored in segregated area
and authorised for disposal by
purchasing manager.

Non-conformities Identified
Non-conformity Action Responsibility Due by Verified as complete

Staff numbers 260 and 100 Retraining to be Production manager 18/5/08 Ann Checker 21/5/08
were unclear of procedure. carried out against
procedure QM 011

Wastage log cross-checked Investigate Production manager 21/5/08 Ann Checker 21/5/08
(1/4/08–20/4/08) against
records of non-
conformities – disposal of
two rolls fabric on 3/4/08
unaccounted for.

© BRC 13

64804_TSO_BRC_BPG_INTERNAL.indd 13 25/07/2014 09:11

 Best practice Guideline: Internal Audit www.brcglobalstandards.com

Appendix 3 Example of an Unscheduled Audit as Part of a

Complaint Investigation
The following gives an example of an ‘unscheduled’ audit as part of an investigation into a consumer complaint.
Although this is not audited against a checklist, it should still contain all of the details of a scheduled audit,
detailing what was checked and what actions need to be taken.

Date Tuesday 13 May 2008 Time 10.30–11.45 am

Auditor Ian Spector Accompanied by Mabel Miggins, John Wells
Audited area Packing Hall 1

Reason for Audit

Customer complaint received of a blue plastic foreign body in jar of pickled onions with a best-before date
June 2008. Objective of audit is to confirm practices in bottling area are carried out correctly and check fabric
of area to identify any potential sources of foreign bodies.

Audit Findings Summary

The source of the foreign body cannot be established since it does not match any plastic observed as being
used within the packing hall (further details contained within complaint documents). Staff were observed to
be correctly dressed within the packing hall and observing hygiene procedures such as hand-washing. Raw
materials were correctly checked before use on the line. The condition of the building fabric was satisfactory
and the equipment well maintained other than the minor non-conformities noted below. Although not
related to foreign-body risk, it was noted that pasteurisation records were not being consistently completed.

Non-conformities

Rating Non-conformity detail Corrective action Target Responsibility

timescale

Major Pasteuriser verification not Retrain staff and sample. 7 days Line supervisor
being consistently carried out Instigate regular checks, Mabel Miggins
daily as per procedure QA23. checking daily for first
week and then sampling
after this to ensure that
pasteurisation records are
being completed.

Minor Line covers (clear plastic) are
in poor state of repair. The
cracked covers are potentially
a source of foreign bodies.
This has been noted on
regular audits.
Photograph covers to keep 28 days to Line supervisor
with audit records to confirm Mabel Miggins and
establish whether damage action maintenance
is getting worse. Evaluate plan and supervisor John Wells
whether there is a short- timescales
term solution to improving
condition. Long-term to
agree capital expenditure
and replacement.

Minor Filter change on the jar rinser, Retrain staff and sample 28 days Maintenance
not documented by some documents to check supervisor John Wells
maintenance team. records are continually
being completed.

14 © BRC

64804_TSO_BRC_BPG_INTERNAL.indd 14 25/07/2014 09:11

 www.brcglobalstandards.com Best practice Guideline: Internal Audit

Actions Verified as Complete

Daily review of pasteuriser checks carried out by technical department and completed satisfactorily. Staff
training records checked on 20 May and deemed satisfactory.

Agreed line cover to be replaced by end of July and monitored in the meantime.

Engineering staff retrained.

Signature Ian Spector Date 11 June 2008

© BRC 15

64804_TSO_BRC_BPG_INTERNAL.indd 15 25/07/2014 09:11

 Best practice Guideline: Internal Audit www.brcglobalstandards.com

Appendix 4 Example of a Risk Assessment for Audit

Frequency

The company’s documented glass control policy states that all glass, plastic and brittle materials are listed and
their condition checked at a frequency based on risk assessment. The following is a simple example of such a risk
assessment where the identified hazard is the potential for glass contamination of product.

Area Equipment Hazard Risk rating Audit frequency

Production – Packing machine Close contact with open product Very high Line start-up checks
Line 1 every shift
Packing area Windows Area with open product High Daily area checks
(protected)
Raw Lights (protected) Area with raw materials – both High Daily area checks
materials open and sealed
storage

Dispatch Lights (protected) Area with finished product – Medium Weekly area checks
sealed

Offices Lights (protected) Remote to production area, no Low Monthly area checks
contact with products. Personnel
changing procedures to minimise
potential foreign body risks from
external areas

16 © BRC

64804_TSO_BRC_BPG_INTERNAL.indd 16 25/07/2014 09:11

 www.brcglobalstandards.com Best practice Guideline: Internal Audit

Glossary

BRC Global BRC Global Standard for Consumer Products

Standards BRC Global Standard for Food Safety
BRC Global Standard for Packaging and Packaging Materials
BRC Global Standard for Storage and Distribution

Certification Procedure by which an accredited certification body, based on an audit and assessment of a
company’s competence, provides written assurance that a company conforms to a standard’s
requirement.

Certification body Provider of certification services, accredited to do so by an authoritative body.

Company The person, firm, organisation or other entity with whom a confirmed purchase order is placed,
or who owns premises where products are being manufactured.

Corrective action Action to eliminate the cause of a detected non-conformity deviation.

Customer A business or person to whom a product has been provided, either as a finished product or as a
component part of the finished product.

Non-conformity The non-fulfilment of a specified product safety, legal or quality requirement or a specified
system requirement.

Procedure/practice Agreed method of carrying out an activity or process which is implemented and documented in
the form of detailed instructions or process description (e.g. a flowchart).

Schedule Plan of an activity or event.

System A set of policies and documented procedures to achieve an objective.

Validation Confirmation through the provision of objective evidence that the requirements for the specific
intended use or application have been fulfilled.

Verification Confirmation through the provision of objective evidence that specified requirements have
been fulfilled.

© BRC 17

64804_TSO_BRC_BPG_INTERNAL.indd 17 25/07/2014 09:11

 Best practice Guideline: Internal Audit www.brcglobalstandards.com

Sources of Further Information

BRC Global Standards

A series of globally recognised certification standards for manufacturers and storage and distribution companies.
www.brcglobalstandards.com

BRC Guidelines
A series of best practice guidelines; these include complaint handling, foreign body detection, product recall, pest
control and traceability.
www.brcbookshop.com

International Register of Certificated Auditors (IRCA)

An organisation with a mission to promote best practice in auditing.
www.irca.org

The ISO9001 Auditing Practices Group

An informal group of quality management system (QMS) experts, auditors and practitioners, drawn from the ISO
Technical Committee 176 Quality Management and Quality Assurance (ISO/TC 176) and the International Accreditation
Forum (IAF). The Index of Guidelines for Auditing by the ISO9001 Auditing Practices Group can be found at:
www.isotc.iso.org

Note: Links and references are made to websites which are intended to help the user with further
information. The BRC cannot, however, be responsible for the content or continued existence of any external
website. It should also be noted that legislation and standards change frequently and a user should confirm
for themselves that any references are current and still applicable.

18 © BRC

64804_TSO_BRC_BPG_INTERNAL.indd 18 25/07/2014 09:11

 BRC

INTERNAL AUDIT

BEST PRACTICE GUIDELINE INTERNAL AUDIT

ISSUE 2

Issue 2

9011 BRC GL IA NON TSO V0_1.indd 1 17/07/2014 10:28