The International Organisation for Standardisation (ISO) describes audits as follows: a systematic and independent examination to determine whether quality activities and related results comply with planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve objectives. The documented food safety management system on a farm can be of the highest quality, but if it is not implemented correctly and consistently and if its prescriptions and procedures are not followed, it is of no real value at all. Internal audits are used to monitor and probe the integrity of the food safety management system continuously and to thereby ensure that it is implemented as prescribed.
The internal auditor conducts regulatory system audits to verify that an establishment's food safety management system, such as the HACCP system and its prerequisite programs, HACCP plans and reassessment procedures, is implemented as described and is continuously effective.
An organisation’s approach to internal audits consists of the policies and procedures that govern its internal audit functions, including auditing schedules. There are no hard and fast rules that prescribe exactly how internal audit systems for food safety should be designed and executed, and the approach to conducting an internal audit is often closely related to the quality management system.
Certain common elements occur in all internal audit systems:
Audit Charter: A mission statement or audit charter outlines the purpose, objectives, organisation, authorities, and responsibilities of the internal auditor, audit staff, audit management, and the audit committee.
Risk Assessment Process: A risk assessment process describes and analyses the risks inherent in a given line of business. The level of risk should be one of the most significant factors considered when determining the frequency of audits. Auditors should update the risk assessment at least annually, or more frequently if necessary, to reflect changes to internal control or work processes, and to incorporate new lines of business.
Audit Cycle: An audit cycle identifies the frequency of audits. Auditors usually determine the frequency by performing a risk assessment, as noted above, of areas to be audited. While staff and time availability may influence the audit cycle, they should not be overriding factors in reducing the frequency of audits for high-risk areas.
Audit Plan: The audit plan details the internal audit budgeting and planning processes. The plan describes audit goals, schedules, staffing needs, and reporting. The audit plan should cover at least 12 months and should be developed by combining the results of the risk assessment and the resources required to result in the timing and frequency of the planned audit cycle. The audit committee should formally approve the audit plan annually, or review it annually in the case of multi-year audit plans. The internal auditors should report the status of planned versus actual audits, and any changes to the annual audit plan, to the audit committee for its approval on a periodic basis.
Audit Work Programs: Audit work programs set out, for each audit area, the required scope and resources, including the selection of audit procedures, the extent of testing, and the basis for conclusions. Well-planned, properly structured audit programs are essential to strong risk management and to the development of comprehensive internal control systems.
Audit Reports: Written audit reports inform the board and management of an individual department's or division's compliance with policies and procedures. These reports should state whether operating processes and internal controls are effective, and describe deficiencies as well as suggested corrective actions. The audit manager should consider implementing an audit rating system approved by the audit committee. The rating system facilitates conveying to the board a consistent and concise assessment of the net risk posed by the area or function audited.
Requirements for Audit Documentation: The requirements for audit work paper documentation should be clearly described in the audit policies and procedures, including work paper retention policies. This ensures clear support for all audit findings and work performed.
Follow-Up Processes: Follow-up processes require internal auditors to determine the disposition of any agreed-upon actions to correct significant deficiencies.
Professional Development Programs: Professional development programs must be in place for the institution’s audit staff to maintain the necessary technical expertise.