In late 2007 and into early 2008, several of the world’s largest retailers announced a process change to their supplier networks. Effective almost immediately, the existing audit program used to qualify suppliers would no longer be accepted. Instead, based on product risk, many of the suppliers would have to discontinue any audits currently used and become certified under a Global Food Safety Initiative (GFSI) audit scheme. Auditing represented a small segment of the food safety community until this announcement; in fact, it was often the realm of retired regulatory inspectors and consultants, and it certainly didn’t resemble the industry it is today. Experienced auditors who met the criteria for a certification audit became a highly coveted resource in a business where demand far outpaced supply, and it became imperative that all involved did whatever was needed to find any and all auditors who could execute these new audits (see “21 C.F.R. 117.3 Definition of an Audit”). Hindsight tells us mistakes were made all around as poorly trained auditors were rushed to execute audits in a tense marketplace.
Few understood the ramifications of ignoring details such as product category qualifications, as the primary focus was fulfilling the audit schedules necessary to keep store shelves full. Auditors worked hard to reduce the backlog, working at a pace that was brutal and unsustainable. Audit companies juggled everything possible to accommodate audit requests, bringing in anyone with even the remotest qualifications in auditing. A certification audit could cost as much as two to three times a regular audit, so it wasn’t long before these suppliers recognized some of these audits did not meet expectations, raising concerns over auditor competence and qualifications. Subsequently, initial rumblings about auditor competence began to float through the industry.
And, as the issue was being raised in the supplier community, the overall viability of the auditor’s role in food safety came into question, as a series of very high-profile outbreaks hit the headlines in the U.S. at sites that had scored well on recent audits. The public was outraged and confused at the same time. Regardless of the site’s history of food safety or what other factors may have been involved, an auditor had failed to catch the major problems eventually discovered at these sites, and people were getting sick. Without any concern over audit “scope” limitations of the audits involved in these events, many simply assumed it was because “a bad auditor” had done the audit and either missed the obvious or ignored concerns due to dubious ethics. While both the auditor and audit company certainly share some responsibility, most in the industry now realize many of these events went well beyond the simple failure of any individual auditor. But the message was clear—auditors and auditing companies needed to improve significantly to regain the public trust, and the phrase “qualified auditor” entered the food safety consciousness across the entire spectrum of audited, auditor/auditing and the public.
In the years since, many have invested long hours into improving the auditor’s role and performance in food safety auditing, and overall auditor competence has improved. GFSI initiated efforts to understand the challenges facing the auditing world, and many of the early improvements in auditor competence were the result of the effort and commitment of GFSI’s Auditor Competence Technical Working Group (TWG). The TWG met for the first time in September 2010 with the fundamental objective of establishing what a food safety auditor is, by determining the auditor’s role using a job task analysis (JTA) to develop a list of tasks and expectations, and defining the competencies (skills, knowledge and attributes) required to accomplish each task to better understand how these competencies can be acquired.
Ultimately, GFSI realized this needed to be an ongoing working group, and the TWG was renamed the GFSI Auditor Competence Scheme Committee (ACSC). The ACSC was restructured in 2015 to include parity stakeholder representation and now works in parallel on the key identified phases of the competency implementation project:
• Publication and further development of competencies
• Examination of knowledge competencies
• Assessment of auditor skills
The ACSC published GFSI’s first round of auditor competencies in 2013, so this was the first peek at what a qualified auditor might look like. While work continues in the ACSC’s focus areas, more research is needed beyond what the GFSI program has completed. Auditors cannot be expected to perform at optimal levels without access to a comprehensive training plan that addresses the requirements identified in the JTA.
Fundamental auditor training has been harmonized across multiple GFSI schemes for some time now. And to the extent possible, auditor qualification criteria have been strengthened throughout the full range of audit types used across the industry, not just GFSI’s accredited third-party certification audits.
GFSI’s efforts to improve auditor competence raised awareness of the issue, which attracted other key stakeholders such as the National Environmental Health Association (NEHA). With its expertise in credential development and management, NEHA joined the efforts to provide broader support in auditor development (see “Supply Chain Control Program” ). Like GFSI, NEHA conducted a food safety auditor JTA, which supports the NEHA Food Safety Auditor credential, creating a career path for the professional food safety auditor.
Overall, this attention to auditor competence and qualification has improved auditor training throughout the system, but there is still room for improvement. At present, the imbalance between auditor supply and demand has improved substantially since the early days of GFSI’s launch, although we may see some of those elements again as the auditor is called to participate in various roles found in the Food Safety Modernization Act (FSMA).
We began by looking at the emergence of the auditor qualifications; now we must turn our attention to the qualified auditor in food safety (QFSA). The QFSA role is far more than a list of competencies, skills and knowledge such as those defined by GFSI and NEHA. In fact, it starts with one of the most important roles defined by the regulations, the “qualified individual,” which emerged later as the preventive controls-qualified individual. And as that role has evolved over the course of FSMA rulemaking, so has the role of the qualified auditor.
What Is the Auditor’s Role in FSMA?
The publication of FSMA and its implementing regulations identified the third-party food safety auditor as a key role in the successful implementation and execution of a newly launched global food safety oversight system. In this case, it’s a significant part of a regulatory program, not just a sector of private industry as with GFSI. Where audits and auditors are concerned, FSMA’s rules incorporate many of the lessons learned in the GFSI launch, and as FSMA gets underway, it can build on the foundations set at GFSI. So as we now understand what auditor qualifications were before, we must understand what a qualified auditor is under FSMA, and only then can we understand how to develop one.
Since FSMA was signed in 2011, industry and the auditing community have struggled to identify ways to utilize the massive amount of information and experience residing in GFSI audits and avoid implementing yet another audit program that duplicated, or paralleled, the GFSI program. After all, GFSI and the benchmarked scheme owners combined their efforts to support the certification bodies (CBs) and auditors performing supplier audits around the world that now truly met everyone’s expectations. These efforts resulted in a wealth of audit data to further support the “once certified, accepted everywhere” premise underlying GFSI’s concept of a comprehensive audit performed under a robust system of checks and balances. Suppliers were reluctant to switch audit programs before, and they are loath to discard the time, effort and costs invested in getting where they are just to start all over again, now more than ever.
For every industry discussion about the U.S. Food and Drug Administration (FDA)’s potential use of third-party audits that occurred during the pre-final rule period, there was a dissenting argument from others that still worried about auditor competence and integrity, including the consumer group community, which felt it was a conflict to allow a third-party auditor (of any type) to perform this function at all. From their perspective, FDA’s role should include all inspecting and/or auditing functions to prevent the “fox watching the henhouse” exposure they perceived would happen if third-party audits of facilities were included in FSMA, and they were particularly concerned about their use in domestic facilities. Every time a rule revision was released, the discussions would start again. Starting with the proposed rules and continuing until the final rules were released late last year, both sides submitted comments strongly urging FDA to recognize their concerns. FDA has worked to strike a balance acceptable to all stakeholders, while also meeting congressional requirements to increase inspections across the board, especially of foreign facilities. During this same period, the General Accounting Office released a report relevant to this topic that ultimately determined FDA simply did not/would not have the resources necessary to accomplish the program’s inspection objectives, domestic and/or foreign. Eventually, it became clear that third-party audits would play a role in the certification of high-risk imported foods and those interested in participating in the Voluntary Qualified Importer Program (VQIP). It was also clear that FDA would require these audits be executed by trained, highly qualified auditors following a strict set of guidelines.
FDA published the Accredited Third-Party Certification final rule, as well as the Model Accreditation Standard draft guidance, to set out the guidelines and requirements accreditation bodies and CBs must meet to participate. These accredited certification audits are based on a framework similar to the GFSI model for third-party, accredited, certification audits, using FDA’s Model Accreditation Standards rather than a private-sector platform like GFSI.
Audits conducted under this program must be unannounced facility audits, and the auditor must agree in advance to notify FDA upon discovering a condition that could cause or contribute to a serious risk to public health, which provides some relief to the consumer side. In addition to other requirements, the final rule requires the accredited third-party CBs to ensure their auditors are competent, objective and have no conflicts of interest.
Consultative and regulatory audits are the two kinds of audits that FDA-accredited, third-party CBs and their audit agents can perform using FDA’s accredited certification program. In both, the auditor must examine compliance with applicable federal food safety requirements (including any and all currently available FSMA rules) and comply with strict reporting requirements in the VQIP program and mandatory import certification programs.
Of course, unaccredited auditing companies can also perform consultative third-party audits along with other types of audit activities, as long as there is no attempt to use them to address any regulatory need. There are plenty of audit situations that wouldn’t require an accredited CB to achieve the desired results, but that is not the focus of this article.
Just as it looked as though we had a complete picture of the key roles audits and auditors would play in the FSMA rules, the final rule poses one last curve that really gets to the heart of the qualified auditor challenge.
Supply Chain Controls
Program Expands the Roles of Audits and Auditors
FDA added a supply chain management requirement (Subparts G and E, respectively) in the Preventive Controls rules for human and animal foods. This program was included after requests for public comments in earlier proposed rules supported its need and value. The resulting responses not only supported it as a necessary component of food safety, but also the scope and scale of these suggestions resulted in subparts dedicated to the topic in FSMA. In the respective subparts, on-site annual audits are one of the accepted supplier verification activities to be considered—based on the product risks involved. If a hazard requiring a control is identified at a supplier, the receiving facility must perform some form of supplier verification activity. There are other options available for supplier verification activities, but for our purposes, we will focus on the audit activity. Now we will finally find out who the qualified auditor is and what he or she does.
If the identified supplier-controlled hazard has the potential to cause serious adverse health consequences or death to humans and/or animals, an audit performed by a qualified auditor is the required verification activity. The type of audit that can be used for verification can be a second- or third-party audit, as long as it includes the applicable regulatory compliance requirements. In other words, it can be a supplier audit executed by a third party or the receiving facility.
Audit content must include the appropriate FDA regulations for that food, which will include the Preventive Controls rules once those implementation deadlines are reached. The audit used for supplier verification doesn’t have to be a certification audit; as long the audit is performed by a qualified auditor, contains the correct content and is completed before the raw material is used, it will meet the requirements for this part.
To be perfectly clear in describing this audit, a quick review of select sections of the Section 117.435 on-site audit states:
(b) If the raw material or other ingredient at the supplier is subject to one or more FDA food safety regulations, an on-site audit must consider such regulations and include a review of the supplier’s written plan [e.g., Hazard Analysis and Critical Control Points (HACCP) plan or other food safety plan], if any, and its implementation, for the hazard being controlled (or, when applicable, an on-site audit may consider relevant laws and regulations of a country whose food safety system FDA has officially recognized as comparable or has determined to be equivalent to that of the United States).
(c) (1) The following may be substituted for an on-site audit, provided that the inspection was conducted within 1 year of the date that the on-site audit would have been required to be conducted:
(i) The written results of an appropriate inspection of the supplier for compliance with applicable FDA food safety regulations by FDA, by representatives of other federal agencies (such as the United States Department of Agriculture), or by representatives of state, local, tribal, or territorial agencies; or
(ii) For a foreign supplier, the written results of an inspection by FDA or the food safety authority of a country whose food safety system FDA has officially recognized as comparable or has determined to be equivalent to that of the United States.
(d) If the on-site audit is solely conducted to meet the requirements of this subpart by an audit agent of a certification body that is accredited in accordance with regulations in part 1, subpart M of this chapter, the audit is not subject to the requirements in those regulations.
The Qualified Auditor
FSMA’s rules build the definition of the qualified auditor using the foundation of the preventive controls-qualified individual. The term “preventive controls” was removed from the name but not from the requirements that it covers. It may be misleading at first, but since the qualified auditor may also audit food subject to other FDA food safety regulations, the preventive controls portion was removed from the name. Whether or not the supplier is required to implement preventive controls, it would still be subject to some other form of FDA regulation such as HACCP, so its meaning is implied by simply using “qualified auditor.” This should not be confused with the role of the qualified individual, as that pertains to other personnel’s job-specific training and education. The actual definition for a qualified auditor states:
Qualified auditor means a person who is a qualified individual as defined in this part and has technical expertise obtained through education, training or experience (or a combination thereof) necessary to perform the auditing function as required by (supply chain control) found in §117.180(c)(2).
To summarize, a qualified auditor must have the appropriate food safety training (preventive controls, HACCP, etc.) and auditing skills to audit a raw materials supplier as required in subpart G.
Tables 1 and 2 compare the duties of the preventive controls-qualified individual and the qualified auditor. Unfortunately, other than what is discussed here, little else about the qualified auditor is found in the human food regulation. A quick look at the animal food rule did provide some interesting insights.
The comments and responses shown below are found in the animal food rule. Each adds information and insight into the new qualified auditor’s role. Note: The comparable animal food rule citations are Section 507.53 Subpart C for Section 117.180 Subpart C and Section 507.135 Subpart E for Section 117.435 Subpart G.
Comment 399: Some comments object to the proposed requirement that a qualified auditor must be a preventive controls-qualified individual with certain technical auditing expertise. One comment asserts that a qualified auditor should not be required to have the broader skills of a preventive controls-qualified individual.
Response 399: We have revised the definition of “qualified auditor,” and the requirements applicable to a “qualified auditor,” such that a “qualified auditor” means a person who is a “qualified individual” as that term is defined in this final rule, rather than a “preventive controls-qualified individual,” because some auditors may be auditing businesses (such as produce farms) that are not subject to the requirements for Hazard Analysis and Risk-Based Preventive Controls, and it would not be necessary for such an auditor to be a “preventive controls-qualified individual.”
Comment 400: Some comments ask us to consider specifying training for qualified auditors. These comments also ask us to consider certain industry documents in any guidance we may issue regarding qualified auditors.
Response 400: At this time, we are not planning to specify a training curriculum for qualified auditors. If we develop guidance related to qualified auditors, we will consider industry documents that are already available.
Comment 395: Some comments ask who will assess the qualifications of a particular preventive controls-qualified individual (and, therefore, the qualified auditor) or determine whether particular individuals are in fact “qualified.” Some comments ask us to use an outcome-based demonstration of competency. Some comments ask us to specify that all work experience must be comparable or that a preventive controls-qualified individual must pass a proficiency test. Some comments ask us to establish minimum standards for competency. Some comments ask us to clarify what job experiences would be sufficient. Some comments ask how we will verify that reported training and experience are true.
Response 395: We are not establishing minimum standards for competency and do not intend routinely to directly assess the qualifications of persons who function as a preventive controls-qualified individual, whether by their training or by their job experience. Instead, we intend to focus our inspections on the adequacy of the food safety plan. As necessary and appropriate, we will consider whether deficiencies we identify in the food safety plan suggest that the preventive controls-qualified individual may not have adequate training or experience to carry out the assigned functions, including whether reported training and experience are accurately represented.
The comments and responses clearly indicate that the agency expects industry to take a strong role in determining how auditors meet the qualifications needed for these programs. Although the auditor’s role and performance in food safety auditing, as well as overall auditor competence, have improved significantly, the FSMA rules must now be incorporated as the process moves forward. As the FSMA rules near implementation, we will have a better idea of how industry and the auditing community will respond to these challenges.
Patricia A. Wester is president of PA Wester Consulting. She is an experienced veteran in food safety, having held advanced positions in both domestic and international food safety firms.