Professional Documents
Culture Documents
INTERNAL AUDIT
Issue 2
July 2008
British Retail Consortium
Copyright
© British Retail Consortium 2008
All rights reserved. No part of this publication may be transmitted or reproduced in any form (including photocopying
or storage in any medium by electronic means) without the written permission of the copyright owners. Application for
permission should be addressed to the Director of Global Standards at the British Retail Consortium, contact details below. Full
acknowledgement of author and source must be given.
No part of this publication may be translated without the written permission of the copyright owners.
Warning: Any unauthorised act in relation to a copyright work may result in both a civil claim for damages and criminal
prosecution.
Contents
Acknowledgements iv
1 Objective of Guideline 1
4 Audit Format 2
6 Auditor Training 6
8 Audit Preparation 7
9 Audit Process 8
9.1 ‘Opening Meeting’ 8
9.2 Personnel Involvement 8
9.3 Audit Timing 8
9.4 Review and Inspection 8
9.5 Confirmation of Findings – the ‘Closing Meeting’ 8
10 Conducting an Audit 9
10.1 Look and Listen 9
10.2 Ask 9
10.3 Check 9
11 Audit Findings 9
11.1 Classifying Non-conformities 10
12 Corrective Action 10
13 Documentation 11
14 Review 11
Appendices 12
Appendix 1 Example of a Scored Weekly GMP and Hygiene Audit 12
Appendix 2 Example of a Systems and Procedures Audit 13
Appendix 3 Example of an Unscheduled Audit as Part of a Complaint
Investigation 14
Appendix 4 Example of a Risk Assessment for Audit Frequency 16
Glossary 17
© BRC iii
Acknowledgements
BRC would like to acknowledge the invaluable input and assistance of the many individuals who have
contributed in producing and reviewing this guideline.
iv © BRC
1 Objective of Guideline
A comprehensive internal audit system is fundamental to a company’s safety and quality control as it
provides confirmation that systems and procedures are operating effectively and identifies areas that
require improvement. This guideline promotes best practice for an effective internal audit system. It
provides a simple and effective framework to:
n identify whether systems, processes or procedures meet or do not meet requirements and
objectives
n provide useful information that shall be fed back to management for review, assessment and
identification of action including provision of resources
n identify opportunities for continual improvement and identify the potential for problems before
they occur.
The objectives of internal auditing should be understood by staff throughout the company, so that they
understand that auditing is about improvement and not about catching someone doing something
wrong. Internal audits should provide meaningful information to be discussed and reviewed at senior
management review meetings to allow for resources to be focused on problem areas.
© BRC 1
n Third-party audits are undertaken by independent auditors such as the certification body
responsible for certification of a site to a BRC Global Standard.
n Second-party audits occur where the auditor is associated with the company having a
commercial interest, e.g. auditing suppliers.
n First-party or internal audits are audits conducted within a company, whether this involves
internal staff or external consultants.
Whichever type of audit is undertaken, the principles for a successful audit are the same. The steps for
carrying out an internal audit are illustrated in Figure 1.
4 Audit Format
Audits may be one of two formats:
n An audit of systems (for example, a review of the company’s traceability policies and procedures
against the requirements of the BRC Global Standards) establishes whether these systems are
adequately designed to meet the requirements. In other words, has the company identified the
correct things to do?
n An audit of procedures and practice establishes whether personnel are carrying out procedures
correctly against the documented system and whether these procedures are appropriate. For
example, establishing whether staff are correctly adhering to the company requirement of hourly
metal detection checks.
Audits may be undertaken to investigate all the elements of a system and cover aspects of both system
and practice. For example, the BRC Global Standards require that all the elements that constitute the
requirements of the Standard shall be regularly audited to a nominated schedule, and should include
policy and practice.
Audits may also constitute part of an investigation process and may therefore be unplanned. For
example, confirming that the procedure for the cleaning of a specific piece of equipment is carried out
correctly when routine microbiological testing of food products reveals an out-of-specification result.
Audits may be planned or unplanned but they should always be sufficiently prepared for.
2 © BRC
© BRC 3
n risk
n best practice
n customer requirements
Table 1 is an example of a planned systems audit schedule for a consumer product manufacturer. The
company also undertakes weekly hygiene audits and glass checks as well as annual policy reviews.
The schedule identifies the resources available to conduct audits – for example, it avoids the busy
production period of December and ensures that the internal audit schedule itself is reviewed together
with the main points of concern (management review and hazard and risk management) at the
beginning of the year. The review of pest control falls before the contract is due for renewal in December
and before the end of the company’s capital budget year, to allow for any additional expenditure that is
required. Traceability has been an issue within the company and therefore is scheduled to be checked at
least twice during the year as well as constituting part of the product recall exercise.
Table 1 is an example of a schedule for a systems review which will include an audit of the policies to
confirm whether they still meet the requirements of the company, of legislation, of any certification such
as BRC, and of the customers. The review will also include the operation of these policies in practice, i.e.
whether staff are correctly interpreting and following the policies and procedures.
4 © BRC
Area Action summary Auditor Jan Feb March April May June July Aug Sept Oct Nov Dec
Hazard Team to carry out review – ensure that all products, raw
64804_TSO_BRC_BPG_INTERNAL.indd 5
and risk materials and new products are covered. Schedule to be
management established for monthly review to cover all critical points 1 x x
and check that new products are correctly assessed.
Customer Review complaints and key performance indicators (KPIs).
Meeting with customer. 1 x
focus
Management Review action points from previous meeting.
2 x
review
Internal audit Review audit schedule to ensure it covers all required
areas and check allocation of auditor resource. Ensure all 2 x
audits completed to schedule. Sample documentation.
Analyse data to present to management team.
Approved Review and update supplier register. Review performance
suppliers data and present to management team. Plan high-risk 1 x
supplier site audits schedule. Review documentation.
Raw material Review listing. Ensure updated specifications exist for all
specs raw materials. Review documentation. Check certificates 3 x
of conformity and any test reports.
Finished Ensure that an updated specification exists for all
product specs products. Review format. Review documentation. 3 x
Refer to Appendix 2 for an example of an audit report of the system for non-conforming product control.
25/07/2014 09:11
Best practice Guideline: Internal Audit www.brcglobalstandards.com
6 Auditor Training
Auditing is an acquired skill and auditors need to be trained to ensure they are carrying out this function
effectively. Training should include auditing skills as well as relevant technical knowledge such as Hazard
Analysis Critical Control Point (HACCP) or risk assessment principles together with appropriate product
technical knowledge.
Different levels of ‘qualification’ may be required for the two different types of internal audits noted in
section 4: ‘systems’ audits and ‘procedure and practice’ audits. Systems auditors must have sufficient
knowledge of the broader objectives of the ‘system’ being audited to determine whether the procedures
designed to achieve the objectives are suitable, when they are appropriately implemented by trained staff.
Auditors involved in the audit of ‘procedure and practice’ may need less experience in the broader
aspects of the objectives of the procedure as their role is primarily to:
n gather objective evidence regarding its practical application in the work environment
n assess the adequacy of training and level of understanding of those staff responsible for its
implementation.
Auditors can be trained via external training courses as evidenced by training records. This will often be
in the form of a certificate and should include:
Where the training provider is an ‘independent’ external resource, it is good practice to also retain on
record a copy of the trainer’s qualifications with respect to the training provided.
It should be recognised that training of auditors, however this is achieved, is a continual process and
planning should allow for contingency and staff turnover.
6 © BRC
If the company does not have sufficient trained personnel to audit all areas, further resource or expertise
may be provided by external consultants. Alternatively, if the company is part of a group, auditors from
different sites may audit each other – this is a very good way of sharing knowledge and resolution of
problems, as well as providing a ‘fresh pair of eyes’ to look at systems and procedures.
An auditor’s job is to investigate procedures to obtain objective evidence for conformity or non-
conformity. The personal characteristics of a good auditor are therefore important and should include:
n assertiveness and objectivity in judgement – ability to analyse the evidence seen and judge its
significance whilst ensuring fairness
n being diplomatic in working with people and obtaining the correct information.
Characteristics of poor auditors would be those of poor communicators, for example:
n condescending in attitude
8 Audit Preparation
Auditors must ensure that they have a clear understanding of the objective of the audit and the required
scope, i.e. what is and is not to be included. Using a checklist ensures that these objectives are met,
acting as a prompt to ensure that no elements are missed. It also acts as objective evidence that the
audit has been conducted, allowing recording of notes, or it can be used as the documented report
itself. Recording this evidence in a standardised format ensures that information is easily referred to for
subsequent audits. A structured checklist also aids time management –the list should follow a logical
order such as the sequence in which the auditor will walk around the site.
Designing the audit checklist to include corrective action details and sign-off ensures that all aspects of
the audit are completed. However, the audit checklist and final audit report may be achieved just as well
with the use of two separate documents.
n list of points or procedures to be checked, allowing space for notes to describe the audit findings.
n detail of corrective actions including responsibility and target timescales for completion
n sign-off by auditee or the department manager, denoting agreement with the findings and
timescales for the completion of any corrective actions that may be necessary
© BRC 7
9 Audit Process
Formality is an important feature of a good audit, and it is important to consider including the following
steps as part of the internal audit process.
Establish how long each section of the audit should take – this is good management to ensure that
staff involved can arrange their time effectively and also to indicate how ‘in-depth’ the audit should be.
Sufficient time should be given to ensure a thorough check.
8 © BRC
10 Conducting an Audit
The aim of an audit is to collect evidence of whether company requirements are being fulfilled.
Therefore, the basic principles of conducting an audit are to look, listen, ask, check and record the
findings. The auditor’s role is to collect objective evidence and should therefore not be subject to hearsay,
assumptions or personal bias.
10.2 Ask
Auditors should ask questions of relevant staff, explaining why these questions are being asked. This
may require asking to see some evidence, and it may seem as if auditors don’t believe what they are
being told. Asking a hypothetical question such as, ‘What would you do if the metal detector did not
reject the test piece?’ establishes people’s understanding of procedures.
Auditors are not there to criticise and should not undermine the authority of supervision, but can offer
guidance if required. They should try to find out the reasons why things are as they are.
10.3 Check
The auditor may make notes during the facility inspection or document review, so that they may cross-
check a selection of records at a later stage of the audit, e.g. noting the operator’s name to check that
training records for this person are available.
An audit is a ‘sample’ and can only check the processes that are seen to be carried out on the day, or
check a limited number of documents. How many documents should be reviewed is at the discretion of
the auditor and may initially be a small number if this gives sufficient evidence that things are completed
correctly and under control. However, the sample may be significantly increased if there is evidence
of procedures not being followed or indications of possible issues. For example, if a non-conformity is
highlighted, then further evidence should be sought to confirm the scale of the problem.
It is good practice to ask for specific records rather than being guided by the auditee as this will give an
indication as to the control of the system – for example, if it takes a long time to find the temperature
records for a specific date requested.
11 Audit Findings
Evidence of the audit must be documented and specify conformity as well as non-conformity. Findings
are the result of investigation, therefore they should include details of the specific records that have
been checked or the staff that have been seen to comply with specified procedures. Note that to
protect individuals’ personal data, best practice is to use other identification methods such as employee
numbers on audit records rather than staff names.
Where non-conformities are identified, the details should be agreed with the person responsible for the
corrective action, so that they fully understand the issues and can therefore make a plan for effective
corrective action. Often non-conformities are observations of activities such as someone not washing
© BRC 9
their hands correctly. If the person responsible for corrective actions is guiding the auditor around the
department, they can also observe the evidence of any non-conformities.
n critical – where there is a critical failure to comply with a product safety or legal issue
n minor – where absolute compliance to a requirement has not been met, such as when a procedure
that is usually undertaken has not been completed (e.g. a document is not completed fully and this
is a single lapse or human error).
Alternatively, focus may be given to specific areas by the use of scoring. For example, it may be
possible to award high-risk controls such as critical control points (CCP) more or fewer points than
some other issues. An example of a weekly hygiene audit which includes scoring for each aspect is
shown in Appendix 1. This allows a week-by-week comparison of score as well as comparisons across
departments, which can help motivate staff to strive for continual improvement. Graphical display of
results demonstrates an easily communicated performance indicator to staff and senior management
about this aspect of the site’s control system.
12 Corrective Action
Appropriate corrective actions need to be identified and carried out within an agreed timescale. There
may be a requirement for short-term action; for example, if an area is found to be dirty, then this must be
cleaned immediately. However, long-term action may consist of reviewing and amending the cleaning
frequency or undertaking staff training.
Timescales should be agreed, practical, achievable and prioritise issues according to risk. The
responsibility for carrying out the corrective action should be clearly established – this may be the
relevant departmental manager or supervisor, or if it involves other departments such as maintenance or
technical, it would be good practice to ensure that the department supervisor is accountable for work
being completed, e.g. reminding service departments of outstanding work within their department.
The auditor should verify, by physically checking at a later date, that the corrective action has been
completed to a satisfactory standard within the agreed timescale. Particular attention should be paid to
emerging trends and repeated non-conformities as evidence that the root cause of the non-conformity
has not been adequately dealt with. Systems should be put in place to highlight these issues to relevant
senior management so that the problems may be dealt with.
10 © BRC
13 Documentation
Relevant and meaningful documentation is important as it provides the evidence should there be an
issue – for example, if the company is investigated as a result of a consumer complaint. Examples of the
documentation required would be:
n audit checklist
14 Review
The internal audit system should be reviewed to ensure that it fulfils its intended objectives and
continues to encompass the necessary company activities. Provision should be made to ensure that
audit schedules have been adhered to and that auditors have been adequately trained.
Review of key performance indicators (KPIs) such as customer complaints, out-of-specification results,
and incidents of non-conforming products, as well as corrective actions, will help to focus internal audit
activities and highlight areas requiring improvement.
© BRC 11
Total 18 14
Additional comments
Line 1 staff member (clock no 263) has been observed by the auditor as not wearing gloves on line on a
previous occasion at the audit of 24 April – to be monitored by Matthew Manager.
Hygiene standard has improved in the last two weeks.
12 © BRC
The company shall ensure that any Corrective action documented on All non-conformities collated and
non-conforming materials, standard form as detailed in QM 011. analysed for trends – refer to separate
components and product are clearly Corrective actions reviewed – report. To be discussed at
identified, labelled, quarantined, ongoing – discussed at daily and management review on 20/5/08.
investigated and documented. weekly management meetings. Wastage log cross-checked
Analysed for trends on an annual (1/4/08–20/4/08) against records of
basis by the Operations department. non-conformities – disposal of two
rolls fabric on 3/4/08 unaccounted for.
Clear procedures for the control of Procedure QM 011 specifies all Procedure QM 011 dated 11/5/07 v3
non-conforming materials and requirements: that all non- in use.
products, including rejection, conforming products are to be Records for 14/4/08–22/4/08 showed
segregation, acceptance by stored in one of three identified sign-off by approved staff.
concession or re-grading for an areas according to product type,
Random staff – clock nos 357, 260
alternative use, shall be in place and labelled with ‘on hold’, ‘reject’ or
and 100 – queried what they should
understood by all authorised ‘QC pass’ tape. Form to be
do with incorrectly cut piece of fabric.
personnel. completed and attached to each
product, with copy to specified
management. Sign-off by listed
approved staff only.
In the event of the presence of non- Specified in procedure QM 011 as Records comply with disposal
conforming materials and products, all detailed above. conditions.
non-conforming products shall be Actual instances of non-conformities
handled or disposed of according to audited in practice:
the nature of the problem and/or the
13/4/08 (1.5 kg excess fastenings)
specific requirements of the customer.
seen to be clearly labelled with reject
stickers, stored in segregated area
and authorised for disposal by
purchasing manager.
Non-conformities Identified
Non-conformity Action Responsibility Due by Verified as complete
Staff numbers 260 and 100 Retraining to be Production manager 18/5/08 Ann Checker 21/5/08
were unclear of procedure. carried out against
procedure QM 011
Wastage log cross-checked Investigate Production manager 21/5/08 Ann Checker 21/5/08
(1/4/08–20/4/08) against
records of non-
conformities – disposal of
two rolls fabric on 3/4/08
unaccounted for.
© BRC 13
Non-conformities
Major Pasteuriser verification not Retrain staff and sample. 7 days Line supervisor
being consistently carried out Instigate regular checks, Mabel Miggins
daily as per procedure QA23. checking daily for first
week and then sampling
after this to ensure that
pasteurisation records are
being completed.
Minor Line covers (clear plastic) are Photograph covers to keep 28 days to Line supervisor
in poor state of repair. The with audit records to confirm Mabel Miggins and
cracked covers are potentially establish whether damage action maintenance
a source of foreign bodies. is getting worse. Evaluate plan and supervisor John Wells
This has been noted on whether there is a short- timescales
regular audits. term solution to improving
condition. Long-term to
agree capital expenditure
and replacement.
Minor Filter change on the jar rinser, Retrain staff and sample 28 days Maintenance
not documented by some documents to check supervisor John Wells
maintenance team. records are continually
being completed.
14 © BRC
Agreed line cover to be replaced by end of July and monitored in the meantime.
© BRC 15
The company’s documented glass control policy states that all glass, plastic and brittle materials are listed and
their condition checked at a frequency based on risk assessment. The following is a simple example of such a risk
assessment where the identified hazard is the potential for glass contamination of product.
Production – Packing machine Close contact with open product Very high Line start-up checks
Line 1 every shift
Packing area Windows Area with open product High Daily area checks
(protected)
Raw Lights (protected) Area with raw materials – both High Daily area checks
materials open and sealed
storage
Dispatch Lights (protected) Area with finished product – Medium Weekly area checks
sealed
Offices Lights (protected) Remote to production area, no Low Monthly area checks
contact with products. Personnel
changing procedures to minimise
potential foreign body risks from
external areas
16 © BRC
Glossary
Certification Procedure by which an accredited certification body, based on an audit and assessment of a
company’s competence, provides written assurance that a company conforms to a standard’s
requirement.
Company The person, firm, organisation or other entity with whom a confirmed purchase order is placed,
or who owns premises where products are being manufactured.
Customer A business or person to whom a product has been provided, either as a finished product or as a
component part of the finished product.
Non-conformity The non-fulfilment of a specified product safety, legal or quality requirement or a specified
system requirement.
Procedure/practice Agreed method of carrying out an activity or process which is implemented and documented in
the form of detailed instructions or process description (e.g. a flowchart).
Validation Confirmation through the provision of objective evidence that the requirements for the specific
intended use or application have been fulfilled.
Verification Confirmation through the provision of objective evidence that specified requirements have
been fulfilled.
© BRC 17
BRC Guidelines
A series of best practice guidelines; these include complaint handling, foreign body detection, product recall, pest
control and traceability.
www.brcbookshop.com
Note: Links and references are made to websites which are intended to help the user with further
information. The BRC cannot, however, be responsible for the content or continued existence of any external
website. It should also be noted that legislation and standards change frequently and a user should confirm
for themselves that any references are current and still applicable.
18 © BRC
INTERNAL AUDIT
Issue 2