Can we have 100% remote audits?
Shawna Wagner (on SQF): SQF does not permit a full remote audit yet, unless it is a document review audit only. Audits using ICT can be up to 50% offsite for the total audit time. Audits using ICT are not mandatory.
Isabella D’Adda (on FSSC 22000): Yes, 100% remote audits are now allowed also for FSSC 22000. On the 5th of October, 2020 FSSC published a new document called “Full Remote Audit Addendum” that explains the conditions and the rules for conducting FSSC 22000 audits fully remotely. This document is valid and applicable only, when a certified organization cannot be accessed due to a serious event – as in the case of a pandemic.
The FSSC 22000 full remote audits are completed using Information and Communication Technology (ICT); these will be accredited audits, which will not be recognized by GFSI – the transparency of the certification process is always granted, that’s why the certificate that will be issued after these kind of audits will have a specific reference that a Full Remote Audit was conducted.
Before conducting a 100% remote audit, a certification body must evaluate an impact of the serious event on the current certificate and certification status, and conduct a feasibility assessment with the certified organization in order to verify that a full remote audit is an effective and practical option.
The FSSC 22000 full remote audits can be done when annual announced surveillance/periodical or recertification audits cannot take place on-site. But not for Stage 2 Initial audits. Note: even during the 100% Remote audits, auditors need to spend about 50% of the time on documents and records evaluation, and the rest of the audit time on performing video plant tours and interviews.
The addendum to the standard called “FSSC 22000 Annex 9” is still valid in cases where a certification body and an organization agree that it is more appropriate and effective to conduct an audit in two steps: document review and interviews with key personnel remotely, using information and communication technology (ICT), then audit implementation and perform verification of the food management system on-site, with a time-lapse between the two steps.
In the case of the first certification, the FSSC 22000 Annex 9 can be applied and the whole stage 1 audit can be conducted remotely, while the subsequent stage 2 audit will be conducted on-site at least within 6 months after stage 1. For all other audits, according to Annex 9, part of an audit can be conducted remotely, and the rest of the activity completed onsite, considering that the onsite audit cannot have a duration less than 1 day and shall be at least 50% of the total audit duration.
Veronica Ramos (on BRCGS): The rules have been changing recently for the BRCGS standards. These rules are published in the Position Statement BRCGS 078, 080 and 086 (www.brcgs.com) – and these are applicable only for already certified sites. Currently, all certified sites, whose certificates can be affected due to COVID-19 in respect to travel restrictions and internal rules of receiving external visitors to the sites, can opt to any of the following three options:
- Request a certificate extension for six months with a COVID-19 risk assessment (see Position Statement BRCGS 072);
- Request their re-certification audit with the “blended audit” modality (see Position Statement BRCGS 080) – where a remote audit (using ICT electronic systems) is combined with an on-site audit for re-certifications;
- Request the new temporary modality to conduct 100% of an audit remotely (according to the Position Statement BRCGS 086).
This is only applicable for announced audits. It is considered that the best option is to conduct a regular on-site audit or to go with the blended audit option, because an auditor can have a better opportunity to confirm the level of compliance on-site. The on-site audit part should be of at least 1.0 day duration, while the remote part shall not exceed 50% of the total audit duration. Note: full (100%) remote re-certification audits must replicate the exact methodology of a regular audit, including plant tours and interviews, however, it must be first verified that electronic devices and communication means can be used successfully. Also, one should be aware that 100% remote audits are not GFSI benchmarked, but are accredited. Please contact your lead auditor or certification body for more information.
What can be audited during the remote portion?
Wagner (on SQF): For SQF we would focus mainly on Module 2 items, such as Food safety policy, Management Reviews, Approved Supplier Program, Specifications, Validations, Verifications, and Training.
D’Adda (on FSSC 22000): When an audit is 100% remote, the whole activity will be done using an appropriate ICT. The audit will follow the same format and organization as an on-site one and, in any case, an auditor must be able to complete the full audit against all FSSC 22000 requirements: also during these audits a possibility to do interviews with personnel must be granted, an appropriate site inspection of all production areas, facilities, storage and external areas must be completed, implementation of PRPs must be verified, documentation must be evaluated with involvement of all management and staff, who manages the food safety system.
A fully remote audit can be conducted only, when a site is operational, and production is taking place.
For FSSC 22000 fully remote audits, it is advisable to provide supporting information to an auditor before an audit takes place. Documentation, such as site maps, updated flow diagrams, a list and overview of OPRPs/CCPs, any changes, caused by a serious event, and any other supporting information regarding the production process will be useful during an audit.
For audits done 50% remotely and 50% on-site there is the following process: during the remote part, focus will be on the ISO 22000 components of the FSSC 22000 scheme and interviews with management and key personnel. An auditor will review documents and procedures, check management review with specific focus on FSMS objectives and key process performance indicators, HACCP plan, internal audits, complaints and recalls, and how these were managed, focusing on key changes since the previous audit (applicable in the case of periodic audits and re-certification).
Ramos (on BRCGS): During the remote part of a blended audit focus should be on the information included in the documents and records: an auditor would need information on implementation and maintenance of the requirements since the last audit (meaning that samples of records, which could be requested, could be for the last twelve months). Most of the BRCGS standards are color coded, clearly indicating, which are the expected requirements to be audited against on-site, and which can be audited against remotely (e.g. management review, internal audits, complaints, recalls, etc.). But as mentioned before, everything will need to be audited, if the option selected is 100% remotely.
Who should attend the remote portion?
Wagner (on SQF): We would look at this audit no differently than as if we were onsite. It would be recommended that whichever employee is responsible for the item being audited that they attend. Employees could also be interviewed during the remote time.
D’Adda (on FSSC 22000): During remote audit both management and involved key personnel shall be available to support the auditor in his/her activity. Companies should cooperate and provide adequate resources to ensure the audit is conducted successfully.
Ramos (on BRCGS): During a remote audit both management and involved key staff shall be available to support the auditor in his activity.
What documents should we have ready for the remote portion?
Wagner (on SQF): Documents that would support Module 2 and question #2 above.
D’Adda (on FSSC 22000): The documents that should be available for the remote audit are the same, as the ones requested for ISO 22000 implementation, like context analysis, food safety management system with its defined scopes, products and processes that are included and the objectives of the FSMS, food safety policy, HACCP Plan, management review, updated internal audits and all procedures that a company has documented, which are necessary for the effectiveness of their food safety management system.
Ramos (on BRCGS): All types of documents in their latest updated version shall be readily accessible. It is up to an auditor to request documentation, which is required to fulfil the objectives of an audit within its scope. Documents could be manuals, procedures, work instructions, templates of records, and actual records.
Can we send documents ahead of time?
Wagner (on SQF): Yes, they can be sent ahead of time.
D’Adda (on FSSC 22000): It is not required to send documents ahead of time, however all documents must be prepared and available for the planned audit dates, remote or onsite. There are some organizations, which want to share information in advance and show potentially useful examples, such as master list of documents, flow diagrams, maps, or a summary of preliminary answers to key requirements/topics. This information will not be audited until the actual audit (remote or on-site) starts. Thus, this information will be handled as confidential. As a representative of a certified organization, one should know that during an audit, it is up to auditors to request certain information, which may help to get proper evidence, needed to fulfill objectives of the audit.
Ramos (on BRCGS): It is not required to send documents in advance, however there are some organizations, who want to share information beforehand to demonstrate examples, which might be useful during an audit, such as master list of documents, flow diagrams, maps, or a summary of preliminary answers to the key requirements/topics. This information will not be audited until the actual audit (remote or on-site) starts. Such information will be handled as confidential. As a certified organization, one should know that it is up to auditors to request certain information, which may help to get proper evidence, needed to fulfil the audit objectives, during an audit.
Is my information confidential?
Wagner (on SQF): All information that is sent shall be confidential.
D’Adda (on FSSC 22000): All DNV GL auditors received specific training on how to manage remote audits and treat confidential information in accordance with the DNV GL’s Information Security Policy.
Ramos (on BRCGS): All DNV GL auditors received specific training on how to manage remote audits and treat confidential information, in accordance with the DNV GL’s Information Security Policy and confidentiality agreements signed with customers.
When does the onsite portion need to happen?
Wagner (on SQF): The onsite needs to happen within 30 days of the remote portion. Both audits must occur within the 60-day audit window for SQF.
D’Adda (on FSSC 22000): In the case of fully remote audits, there won’t be an onsite auditing activity, and it will be completed using ICT equipment. In the case of an audit done partially remotely and partially on-site: FSSC has defined that the maximum timeline between a remote audit and the on-site portion shall be 30 calendar days. In the case of a serious event, this timeline can be extended to 90 calendar days, but only after a documented concession process and risk assessment have been completed by a certification body. Serious events that could lead to a postponement of the onsite portion of an audit are pandemic emergencies like Covid-19, legal proceedings, prosecutions, affecting food safety or legality, public food safety events (e.g. public recalls, calamities etc.), natural disasters (e.g. floods, fire, earthquake), war or political instability and other serious situations, like malicious hacking.
Ramos (on BRCGS): It is expected that in a blended audit the remote part is conducted first and then the on-site part, however, if logistics require that the audit is conducted in the reverse order, this is acceptable as well. The second part of a blended audit needs to happen within the following 28 calendar days, allowing enough time for a site to do a non-conformity closure (when applicable), and a re-certification decision can be issued before the expiration date of the current certificate. In exceptional justifiable circumstances, a certification body may request a concession from BRCGS for a maximum of 90 days. In the case of a 100% remote audit, the full audit shall be conducted as scheduled on consecutive full days.