In this webinar, AIB International’s Dimitra Sandrou offered expertise on how to prepare for the recently introduced FSSC 22000 split audit process using Information & Communication Technologies (ICT).
As a result of the pandemic, The FSSC Foundation recently published a new annex that allows the use of ICT (Information and Communication Technology) tools to complete the FSSC 22000 audits. The ICT audit approach consists of a two-step process, including a remote audit focused on document review, followed by an onsite audit to verify implementation of the FSSC 22000 scheme requirements.
This approach can also be used in the future as a regular audit method; however, the process will need to be mutually agreed upon by the Certification Body and the audited organization. Prior to the audit, the audited organization will also need to submit a documented risk assessment, conducted to understand the feasibility and comfort level with using the approach, including use of the ICT platforms to conduct the remote portion of the audit.
This risk assessment will consider the food safety management system of the audited organization and its performance history. For instance, if the company had major non-conformities in a past audit, that could be a reason to avoid the remote audit. It will also be important to assess the capability of the organization to participate, including the availability of electronic files, ICT tools, data protection and security measures. It is also a requirement that the auditor and company representative speak the same language to ensure clear communication between them. The split process will also impact the duration of the process, as participants will need breaks during the remote session, which will need to be factored into the planning.
In advance of the remote portion of the audit, the audited organization and Certification Body will need to test the chosen platform to ensure a number of key factors:
- Appropriate internet connection;
- Documented training of the audit team;
- Data security and confidentiality agreements; and,
- Sufficiently detailed audit plan
When planning for the audit duration of the two stages, the remote portion should be scheduled for approximately half of one day, while the onsite portion cannot be less than one day.
The time between the remote audit and the on-site portion should be no more than 30 days, unless there is a serious event like the pandemic that causes disruption, in which case this can be extended to 90 days.
Should the audit objectives not be met or if the audit integrity is compromised, the process should then be aborted. The audit will then need to be performed completely onsite.
For initial Certification audits, the first stage can be conducted remotely with livestreaming of the facilities, while the second stage should be conducted onsite only. For surveillance audits, both stages will need to be completed within the same calendar year, irrespective of the time allowance between stages. For recertification audits, both stages will need to be completed prior to expiration of the certificate. For unannounced audits, the onsite audit will be first, followed by the remote audit within 48 hours.
Audit Process – Remote
During the remote stage, a desktop review will take place, assessing documents and procedures of the organization. Key changes from the last audit will also be reviewed, along with HACCP plans, food safety management systems objectives, KPIs, management reviews, and internal audits. The auditor will also perform interviews with management and key personnel, largely focusing on an assessment of the organization’s understanding of the ISO 22000 requirements.
Audit Process – Onsite
The onsite audit will focus on the physical inspection of the facility, including prerequisites and HACCP implementation. The auditor will also need to close any open issues from the remote audit, such as documentation that was unavailable during the desktop review or non-conformities from the remote portion of the audit.
FSSC has requested that the same auditor is used for remote and onsite portions of the audit to ensure continuity. They do, however, accept different auditors during the pandemic, as the same auditor may not always be available due to travel restrictions.
Management of Non-Conformities
Both the remote and onsite portions of the audit may result in non-conformities, with those from each stage needing to be closed separately, as per the scheme rules. Organizations will have 28 days to submit their root cause analysis, corrections and corrective action plan. If there are pending issues from the remote audit, they can be addressed during the onsite audit, or upgraded if there are systemic failures found. Critical issues require a follow-up audit, which is typically one day.
The Audit Report
Following each stage of the audit, a non-conformity report will be generated. Following the closure of any non-conformities, an independent technical review will ensure the accuracy of a full audit report, which will be generated and uploaded to the FSSC 22000 portal within two months of the onsite audit.
As you have questions or need additional insights, please contact us at firstname.lastname@example.org.