Food Safety Auditing: An Industry in Transition

FSMA’s Preventive Controls rules also require that food companies verify their supply chain for raw materials and ingredients, and require an audit of any supplier that controls a serious hazard not otherwise controlled downstream in the supply chain. FSMA dictates that the audit must cover the applicable regulations, be performed by a “qualified auditor,” and verify that the suppliers’ controls for the hazard identified are effective and used consistently. This also applies to imported foods under FSMA’s Foreign Supplier Verification Program (FSVP) rule. As supplier verification audits must cover all regulations applicable to the suppliers’ products, this process can involve using more than one type of audit document.

“A great deal of confusion seems to persist regarding the difference between HACCP and Preventive Controls despite FDA’s education and outreach efforts,” says Crawford. While FSMA’s preventive controls approach to controlling hazards incorporates the use of risk-based HACCP principles in its development, it goes further in many regards such as requiring a recall plan for each product for which a hazard requiring a preventive control has been identified.

Crawford also stresses that by this September, most of the FSMA compliance deadlines, which were staggered over a series of years based on risk and operation size, will have passed. And while she says FDA has used its discretion on what to enforce while the industry becomes more familiar with the new requirements, inspections and enforcement of FSMA rules such as preventive controls, FSVP, and produce safety have already begun.

“At this point, industry should already be complying and analyzing their food safety program and documentation for gaps in compliance, as well as identifying and mitigating weak points in their supply chain,” says Crawford.

Auditing Gets a New Role

While auditing has always served to assist food companies with identifying and correcting gaps in their safety practices, third-party auditing now has a new role. Designed to help FDA expand its regulatory reach on imported foods, FSMA’s Accredited Third-Party Certification rule outlines that third-party certification bodies that meet FDA’s accreditation criteria can conduct audits and issue certifications on foreign suppliers of FDA-designated high-risk foods.

These third-party certification audits fall into two categories: consultative and regulatory. Consultative audits can serve as readiness audits that assist foreign companies in understanding gaps in practice that need to be addressed to become compliant with the appropriate FSMA regulations. A regulatory audit of foreign facilities is required for FDA certification, and can also be used for verifying compliance of a company’s supply chain under FSVP. These certification audits are the basis for participating in FSMA’s Voluntary Qualified Importer Program (VQIP), which offers importers expedited review and entry of food into the U.S.

In addition to the new auditing opportunities that FSMA presents, third-party auditors continue to audit food facilities against safety program schemes such as GFSI, which are still recognized internationally and are required by some retailers. “It isn’t that GFSI audits weren’t comprehensive, in fact they have made tremendous strides in improving food safety, but they lack a required reporting feature that documents the detail that FDA wants to see,” says Patricia “Trish” A. Wester, CEO, The Association for Food Safety Auditing Professionals (AFSAP).

In fact many in the industry recommend companies striving to be FSMA compliant make sure they are GFSI certified, which will get their operation 80 percent of the way there. “Regulators all over the world, not just in the U.S., are struggling with implementation of regulation,” says Véronique Discours-Buhot, the director of GFSI. “We are all short on resources and an organization like GFSI can be part of the solution.”

In the meantime, FSMA compliance is creeping its way into the existing GFSI food safety standards. “What we’re seeing as a certification body is that when, for instance, FSSC 2200 was last updated, it now encompasses many of the FSMA requirements,” says Jennifer Lott, senior food safety auditor at SGS. “So in the new version of FSSC, you now have to look at vulnerability assessments, food defense, and how you’re meeting all those extra requirements of the FSMA law and all of its regulations.”