Third-party Audits: What the Food Industry Really Needs
By Richard F. Stier
In the beginning, there was the food plant. And the plant manager saw that it was good.
However, as things became more complex and problems arose, the plant
manager realized he needed help to solve problems. So he hired the
consultant, who fixed things. And the plant manager saw that it was
And, as business grew, the plant manager realized that he needed to
improve, so he hired a consultant with special skills in finding not
only solutions to problems, but ways to improve. And the operation
improved. And the plant manager saw that it was good.
Businesses saw that there was money to be made in offering services, so
they created their own standards and imposed these standards on people
with whom they worked—standards that included hundreds of questions and
were generic to the entire food industry.
And, as the food plant’s commerce continued to grow, the plant manager
was told by his customers and clients to abandon those who had helped
the company grow. “Thou shalt have an audit,” they said, and the
businesses imposed their standards on his plant. And the plant manager
saw that it was not good for his operation…
The parable above was created to set the stage for this article on
third-party audits. Are such audits the “be all” and “end all” that
some think that they are? Are there any real differences between the
various audit schemes currently being offered? What do companies, both
vendors and customers, really
want from these audits? What kind of skills should an auditor have?
Hopefully, this article will make people think about the prevalence of
third-party audits—which have, for good or for ill, turned into a
multibillion dollar global business.
What’s Out There?
There are many different audit formats being used within the
food industry. These include true standards—those that do not favor any
particular group or nation over another—such as the ISO 9001, 22000 and
14001 standards issued by the International Organization for
Standardization (ISO). These standards do not tell processors exactly
what they should do, but instead provide a framework for developing and
implementing systems to meet certain ends, namely quality, food safety
and environmental stewardship.
There are industry standards. These are documents developed by a
segment of the food industry to meet a specific need. For example, the
Global Food Safety Initiative (GFSI) is a consortium of major market
chains from around the world (WalMart, Carrefours, Sainsbury’s, Tesco
and others) that wanted to codify the quality, safety and ethical
practices of their vendors. Through the use of benchmarking, GFSI has a
guidance document that approves several industry standards to meet this
need. The approved standards include the British Retail Consortium
(BRC), International Food Safety (IFS), Safe Quality Foods (SQF) and
the Dutch HACCP program. They have conditionally acknowledged that
companies with FSSC 22000, which is derived from ISO 22000, Food safety management systems—Requirements for any organization in the food chain, have satisfactory programs.
There are company standards that have been developed by firms that
offer audit services that they call standards. What makes these audits
that utilize such standards a concern is that the auditors are all too
often acting as auditor, consultant and marketer simultaneously. An
auditor is there to observe and record, not to tell a processor that
they have failed to meet a standard and what must be done to address
the issue. And they should definitely not encourage the company to use
their services to address deficiencies. There are many other companies
doing audits, each with their own audit program. These same firms also
conduct many of the audits designed by different industries.
The National Food Processors Association, which begat the Food Products
Association and was absorbed into the Grocery Manufacturers
Association, made an effort to develop an audit that would be accepted
across the entire food industry. The audit was assembled with industry
input, but now appears to be in its death throes. It tried to be all
things to all industries, and in the process became too long and too
Some of the best programs are internal audits. These are focused
evaluations, designed to ensure continuous improvement within a company
and its contract packers. These audits are usually done by persons from
corporate headquarters or a sister company, but they may also utilize
third parties. Perhaps the best feature of these audits is direct
accountability. The company being audited must respond directly to the
customer, which includes corrective actions and an improvement plan,
and the in-house expectation—nay, requirement—is that all issues be
addressed. Unfortunately, an internal audit is not acceptable to
buyers, even if it is more rigid, more enforceable and designed not
only to find problems but also to ensure continuous improvement.
Why Third-party Audits?
There are a number of reasons why third-party audits are done. These include but are not limited to the following:
• A genuine desire to improve food safety, quality and sanitation
• Customer requirement to verify a vendor’s programs
• Potential marketing advantage
• Looking for a third set of eyes
• Troubleshooting/problem solving
• Not having the resources in-house
The best reason to have an audit is the genuine desire to improve. This
harks back to the first part of the parable. This was also how the
author learned to audit. During my time with the National Food
Processors Association, the late Allen Katsuyama trained a number of us
to conduct sanitation and food safety audits. These audits (or more
properly, inspections, as they were really consulting trips) focused on
identifying areas that failed to comply with current Good Manufacturing
Practices, could result in product adulteration or were a precursor to
a food safety problem. The audit form had three columns: Observation,
Recommended Action(s) and Corrective Actions. The Recommended Actions
column could be filled out by the auditor or the company. Ideally, the
completed form would be returned to the different groups within the
company that had issues, along with instructions to “fix” or solve the
Katsuyama did not truly “score” companies. He used what he called the
“p Factor,” which was the probability that an FDA investigator would
identify adverse findings. A “p Factor” of 0.5 meant that there was a
50% chance that the company would be reported for adverse findings on
an FDA Form 483. Katsuyama also established an Overall Sanitation
Rating for the company using the numbers 1 through 4, with 4 being the
highest. Only companies that had problems or wanted to improve
contacted the Association. At that time, precious few companies
required that their vendors be audited by a third party.
This leads to the next reason for third-party audits, which is a
customer mandate. The objective is to push the responsibility for food
safety and quality back down to the suppliers. Unfortunately, this is
the reason why most companies are audited. With the mandate to be
audited, many processors not only seek out the least expensive audit,
but spend an inordinate amount of time preparing for said audit. A
March 6, 2009 article in The New York Times entitled,
“Food Problems Elude Private Inspectors,”1 highlighted the
price-shopping issue. Companies know when the audit is due and target
that date to ensure that the plant and grounds are clean, problem
products are not being run and procedures are up-to-date. Years ago, I
was asked to go into a facility unannounced by the corporate office.
One finding was that the facility shut down for a full week to prepare
for its third-party audit, which it always passed with flying colors
and a high score, but at the cost of a week’s production. Many firms
will also do pre-audits to help clients identify gaps, thus ensuring
they will pass a full-blown audit.
A high score on an audit can be a marketing advantage to a company.
Many companies proudly display their certificates trumpeting their
Superior, Excellent or Outstanding rating. They also use these
documents in their marketing literature. However, these certificates do
not always reflect what is going on in the plant. The aforementioned New York Times
article noted that the Peanut Corporation of America (PCA) scored a
Superior rating from one auditing firm and 91% from another. The latter
company acknowledged that the score was low, but it was still passing.
Troubleshooting and problem solving are other reasons to bring in a
third party, as they differ slightly from the desire for improvement
noted previously. A third-party or government audit might prompt a
company to bring in another group to help address problems. Many
companies simply do not have the in-house expertise to find and fix
problems. Another possibility is that the individuals who have the
expertise do not have time to fix the problems, as they are committed
to solving more pressing issues. Since many of the third-party audits
have been designed with large firms in mind, wise managers of small
companies will often seek outside assistance to help them comply with
Elements of Third-party Audits
If one were to examine all of the audits that are available to
the industry, the likely conclusion would be that they are largely the
same. At a recent milling and baking meeting,2 Jennifer Robinson of
Cargill reported that her company had evaluated different audit systems
and found that over 90% of the components were the same for each.
Third-party audit frameworks generally include but need not be limited
to the following areas to be evaluated:
• Quality Systems
• Document Control
• Pest Management
• Water & Hygiene
• Corrective & Preventive Actions
• Chemical Handling & Control
• Purchasing & Vendor Approval
• Good Laboratory Practices
• Good Manufacturing Practices
• Food Safety/HACCP
• Allergen Controls
• Shipping & Receiving
• Weight Control
• Education & Training
• Food Defense
There may be more or fewer elements, depending upon the audit in
question. So what’s the problem? This is a huge amount of material that
must be observed and commented upon. Since the basis of audits is
essentially, “Are you doing what you have written down and have you
written down what you are doing?” the audit must entail not only
watching what is going on in the facility, but reviewing procedures and
records to ensure that these programs are being properly documented,
that records are being maintained properly and that management is
reviewing records to verify compliance. This is a lot to do in an audit
that is often scheduled for only one to two days. With so much material
to cover, it is easy to see how some areas could be overlooked and a
company could receive a high score on an audit, yet have serious
Issues with Third-party Audits
Can third-party audits be improved? Definitely. The
repercussions from the PCA debacle reportedly have affected the way
third-party audit firms do business. They are demanding more time (and
money) to do audits, have implemented mandatory failures and eliminated
the provision that allowed a failing company to switch from a final
audit to a pre-audit. There are many issues that must still be
resolved, however. Let’s look at some of these.
Audit Length and Complexity – In an effort to be
widely applicable, audit questionnaires have expanded year by year.
Firms add more questions to keep up with their competitors, yet the
time to complete the audit usually remains the same. In addition, most
audits do not evaluate the linkages between audit elements. To properly
evaluate any one of the items mentioned above requires a review of
procedures, viewing of actual practices and verification that the
procedures are properly documented. Given that each of the points
highlighted above may have several sections, it is hard to envision
that even a good quality auditor can complete any evaluation in a day
In addition, most audits are designed with large companies in mind.
This is not to say that food safety standards should be different for
small and large companies, but all too often the audit fails to account
for how a small firm actually does business. In small companies, people
wear many hats and may even wear them more efficiently than a large
group of people in a large operation.
Auditing Is a Business/Conflict of Interest – Third-party audits are a lucrative business for many. The New York Times
article noted that audits made up over 50% of one company’s revenue.
Thus, there is an incentive to keep a business going and profitable.
According to the Times piece, “Auditors are also usually paid
by the food plants they inspect, which some experts said could deter
them from cracking down.” I can’t verify that some auditors or audits
are more lenient because the firm or auditor wants to keep the
business. However, I can say that I have been in plants that have
proudly showed me their past audits and bragged about how well they
did, yet after I finished my work, I vowed never to eat their products.
I guess the bottom line is how ethical a person is, assuming that they
have the knowledge to do a good job. Along this line, one company
reported that a representative from an audit firm guaranteed that the
company would pass if it selected that audit firm. An auditor is not
providing the client with good service if he or she fails to do a
Snapshots – An audit is a snapshot of an operation.
The key for the auditor is to be observant enough to ensure that the
snapshot reflects actual operations. Companies that prepare for audits
pose a problem, because the plant should always be looking its best.
There are things that will point to plant operations being a bit
different. Two of these are fresh paint and new procedures that were
initiated within the previous two weeks. When an auditor sees records
indicating recent procedural changes, he or she should always ask for
training records to verify that people have been trained on the new
procedure(s) and then ask plant employees questions to ensure that the
training increased their competencies. Plant management tends to forget
to do this, assuming that the new procedure itself will satisfy the
Scoring – Scoring is definitely an issue with
third-party audits. As an example, the GMA-SAFE audit, which was
designed to describe, in words, an operation’s quality systems,
ultimately had to develop a scoring system to be acceptable to certain
customers. Managers love numbers, so audits have scores. I learned this
firsthand during my time in industry. I brought Mr. Katsuyama’s audit
format with me and was asked to create a scored audit. The new format
was approved by management and put to use. However, when potential
packers began scoring poorly, the response from management was that we
should lower the passing score.
Unfortunately, one of the most common questions auditors are asked is,
“What do I need to score to pass?” Passing is not the issue—ensuring
safety is. It does not take a major sanitation issue to create a
problem. As noted earlier, the PCA achieved good audit scores, but had
serious problems that were not addressed.
Follow-up/Response – “Even when audits do turn up
problems, it is up to the discretion of food companies to fix them.”
This is a real problem. Unfortunately, when most auditors complete an
audit, their job is done. Follow-up is left in the hands of the
processor. However, one element that should be part of all audits is
“Corrective and Preventive Actions.” What has that company done to
address such problems, be they issues that were found by an outside
auditor or picked up by the company itself?
Next, it is important to ensure that the corrective and preventive
actions actually solved the root cause of the problem. If there is a
history of not following up, it should be obvious to the auditor. In
the case of the PCA, third-party audits uncovered a number of problems
at the processing plant. It was apparent that the plant did not take
the actions necessary to eliminate the root cause of these problems.
This is one area where the internal audits developed by large companies
have a distinct advantage over all others.
Expertise in the Field, Processes or Product Being Audited – The
Times piece noted that one of the persons who audited the PCA plant was
“an expert in fresh produce, who was not aware that peanuts were
susceptible to Salmonella.” It is absolutely imperative that auditors
understand the products and processes that they are auditing, in
addition to understanding the audit process itself. How can someone
give proper service if they don’t know industry concerns and how they
This is the most important issue of all. It is an embarrassment to the industry when a publication such as The New York Times
prints a quote such as this from an auditor, “I never thought that this
bacteria would survive in a peanut butter-type environment. What the
heck is going on?” ConAgra had a recall on peanut butter one year
earlier that cost in excess of $100 million. Kraft had a similar
problem in Australia in the late 1990s.
This is not a domestic issue only. There are firms around the world
that have been recognized as certifying bodies and are reputed to have
the expertise to conduct audits to certify that a company meets the
requirements of the International Organization for Standardization. In
the food industry, ISO certification is an important part of doing
business. Yet, I have been in many food companies that were
ISO-certified for quality (ISO 9001), food safety (ISO 22000) and
environmental responsibility (ISO 14001), but the auditors who
certified them were experts in car batteries and electric light bulbs.
This has been a bone of conten-tion with ISO 22000 in particular. How
can one audit a food safety program without specific knowledge in that
One does not become a good auditor by attending a class and having a
few years of experience in the industry. Good auditors have years of
experience with a range of products, have seen many different
operations and have the ability to find the “skeletons in the closet.”
They also make a conscious effort to eliminate biases. Too many
auditors tend to focus on an area in which they feel comfortable, and
assign too much weight to that area during an audit.
Is There a Solution?
So, is there a solution to the many audits and requirements
currently in the market? The solution will have to not only incorporate
food quality, safety and sanitation issues, but also consider that
auditing is now a big business. Companies that do audits for profit
will not want to give up their piece of the pie. As noted, work by food
safety professionals at Cargill showed that most audit components are
similar. The industry should work together to bring all audits into
harmonization. However, the real key is the auditor. How does a company
ensure that its auditor is truly competent? ?
Read the sidebar Audit Merely Step One in Risk Management Process
Richard F. Stier is a
consulting food scientist with international experience in food safety
(HACCP), plant sanitation, quality systems, process optimization, GMP
compliance and microbiology. Among his many affiliations, he is a
member of the Institute of Food Technologists and an editorial advisor
to Food Safety Magazine. He can be reached at firstname.lastname@example.org.
2. Robinson, J. and M. Overland. 2009. Audits: Concerns, New Challenges
and Solutions for the Milling and Baking Industry. AACCI Milling and
Baking Meeting, Albuquerque, NM, May 14, 2009.
Audit Merely Step One in Risk Management Process
Managing risks associated with product recalls demands a
multi-pronged approach that encompasses the right insurance, as well as
effective risk prevention and management strategies.
Food product recalls may stem from deliberate acts of contamination,
unintentional introduction of pathogens or false or misleading
labels/packaging. While a company’s general liability policy will cover
damages the company is legally obligated to pay as a result of
another’s bodily injury or damage, product recall insurance is designed
to provide coverage for expenses that occur before the food item has
resulted in injury or damage to a third party. These expenses include
various logistical costs associated with a recall, such as withdrawal
of the product from the marketplace and the associated shipping,
storage, product destruction and disposal costs; replacement and
redistribution costs; management’s and staff’s time to oversee and
implement these processes; and potential fines. In worst-case
scenarios, food processors have had to shut down a facility or halt an
entire production line, at tremendously high cost. When combined with
other “soft” costs associated with product recalls (e.g., consultants’
fees for crisis management, repairing the company’s reputation and
restoring the product’s brand value), these expenses can be higher than
the cost of manufacturing the product.
Effective product-recall insurance anticipates these exposures and any
specific company needs. For example, larger, global companies are
higher targets for acts of terrorism, which their insurance policies
should reflect. Seek advice from your insurance broker, as well as
legal counsel and industry experts, to make certain that all
conceivable liabilities associated with a potential recall will be
covered under the general liability policy, product recall insurance
and additional policies and endorsements.
Besides the right coverage, a sound product-recall risk-management program should encompass:
• Prevention and regulatory compliance, including comprehensive Hazard
Analysis and Critical Control Point (HACCP) systems, Radio Frequency
Identification (RFID) and employee training;
• Understanding the roles of suppliers, manufacturers, processors,
distributors and government agencies in ensuring product integrity and
communicating about a contaminated or compromised product;
• Damage control, achieved through a strategic crisis management plan,
which notifies consumers about the recall and the company’s actions to
remove the product and prevent a similar occurrence;
• Support for potential litigation, including establishing expert court testimony.
For assistance in these areas, companies should reach out to risk
managers and legal counsel experienced in product recalls, as well as
insurance brokers who can access the best coverage and risk-management
—Peggy Kass, Account Executive, Cook, Hall & Hyde, Inc.
© 2009 The Target Group, Inc. All rights reserved.