FOOD SAFETY SYSTEMS CERTIFICATION

22000 VERSION 5.1 INTERNAL AUDITOR

VILT TRAINING COURSE

LEARNER GUIDE
 ADMINISTRATION

CONTENTS PAGE
COURSE ADMINISTRATION ............................................................................................... 3
SESSION ONE ..................................................................................................................... 8
INTRODUCTION TO FSSC 22000 V5.1 ............................................................................... 8
SESSION TWO................................................................................................................... 28
FOOD SAFETY MANAGEMENT SYSTEM (FSMS) ............................................................ 28
SESSION THREE ............................................................................................................... 62
AUDIT DEFINITION, TYPES AND PRINCIPLES ................................................................ 62
SESSION FOUR ................................................................................................................. 69
ROLES AND RESPONSIBILITIES OF AUDITORS ............................................................. 69
SESSION FIVE ................................................................................................................... 81
THE AUDIT PROCESS....................................................................................................... 81
SESSION SIX ..................................................................................................................... 93
PREPARING FOR THE INTERNAL AUDIT ........................................................................ 93
SESSION SEVEN ............................................................................................................. 104
CONDUCTING THE AUDIT .............................................................................................. 104
SESSION EIGHT .............................................................................................................. 116
AUDIT REVIEW ................................................................................................................ 116
APPENDICES ................................................................................................................... 138

FSSC 22000 V5.1 IA VILT TC Page |2

Learner Guide 08 02 2021
 ADMINISTRATION

COURSE ADMINISTRATION

FSSC 22000 V5.1 IA VILT TC Page |3

Learner Guide 08 02 2021
 ADMINISTRATION

FOREWORD
This course has been developed by SGS for the benefit of clients wishing to understand how to
internally audit against FSSC 22000 and its requirements. In November 2020, the scheme was
updated form Version 5 to Version 5.1.

The course is owned by and certificated as SGS United Kingdom Ltd. and is provided
internationally as SGS Certification and Business Enhancement (CBE).

SGS UK Limited is a FSSC Licensed Training Organisation; this course is approved by FSSC.
The SGS policy and objectives with respect to the course are given below.

FSSC 22000 V5.1 IA VILT TC Page |4

Learner Guide 08 02 2021
 ADMINISTRATION

POLICY STATEMENT AND OBJECTIVES

The objective of this course is to provide leaners with the knowledge and skills required to
perform an internal audit of part of a FSMS against FSSC 22000 V5.1 and ISO 22000:2018, in
accordance with ISO 19011:2018, ISO/TS 22002-1:2009, as applicable and contribute to the
continual improvement of the management systems.

PRIOR KNOWLEDGE

The course is designed ideally for experienced food safety professionals with an understanding
of the management systems approach to food safety.

Prior to attending this training course, learners should have, but it is not essential, sufficient
knowledge of the following food safety management principles and concepts to ensure that this
training is as beneficial as possible:

Before starting this course, learners are expected to have the following prior knowledge of:

 Management principles and concepts:

 Plan-Do-Check-Act (PDCA) cycle.

 Food safety management:

 Concepts of food safety management including:

• HACCP.

• Hazard analysis.

• Hazard and risk assessment and management etc.

• The relationship between food safety management, customer satisfaction

and customer food safety requirements.

 Commonly used food safety management terms and definitions, as given in ISO
22000:2018 and FSSC V5.1.

 FSSC V5.1 and ISO 22000:2018:

 The requirements of FSSC V5.1 and ISO 22000:2018 which may be gained by
completing a foundation training course or equivalent.

FSSC 22000 V5.1 IA VILT TC Page |5

Learner Guide 08 02 2021
 ADMINISTRATION

COURSE BRIEF
LEARNER INTRODUCTIONS

At the start of the course, learners will be asked to introduce themselves. This introduction
should include information on the individual’s job function, organisation, the organisation’s
product or service, the organisation’s certification details, the individual’s knowledge and
understanding of the FSSC standards and their expectations upon completing the course.

PARTICIPATIVE LEARNING

This course is presented using techniques that have been designed to make training an
enjoyable as well as a beneficial experience. The approach is based on scientific evidence as
to how the brain works and how people learn.

SUCCESS CRITERIA

Learners will be graded based on:

 Full attendance of the course.

 Acceptable performance in the learning objectives.

LEARNING OBJECTIVES

Upon completion of this course, learners will be able to:

 Explain the structure of FSSC V5.1 and the role of internal audit in the maintenance
and improvement of food safety standards.

 Explain the PRPs and Additional Requirements of FSSC V5.1.

 With reference to the Plan-Do-Check-Act cycle, explain the process-based FSMS

model for ISO 22000:2018, and the role of internal audit in the maintenance and
improvement of FSMS.

 Explain the role and responsibilities of an Auditor to plan, conduct, report and follow-up
an internal FSMS audit, based on FSSC V5.1, ISO 22000:2018 and in accordance
with ISO 19011.

Learners will need to demonstrate acceptable performance in all areas in order to complete the
course successfully.

FSSC 22000 V5.1 IA VILT TC Page |6

Learner Guide 08 02 2021
 ADMINISTRATION

CONTINUOUS ASSESSMENT

There is no continuous assessment for this course

EXAMINATION

There is no examination for this course.

COURSE CERTIFICATION

Learners will be issued with a “Certificate of Attendance” and will receive this within eight weeks
of course completion.

REMINDER

The use of mobile phones, iPads, iPhones, Tablets, pagers etc. during the course are not
permitted.

CONTINUOUS IMPROVEMENT

Learners are given a Course Evaluation Form at the start of the course for completion and
submission at the end of the course. This provides SGS CBE with important customer feedback
for the continuous improvement of the course.

COMPLAINTS

Learners may appeal or make a complaint about any aspect of the course or the continuous
assessment. Appeals and complaints should be addressed, in writing, to the local SGS Office.

FSSC 22000 V5.1 IA VILT TC Page |7

Learner Guide 08 02 2021
 SESSION ONE

SESSION ONE

INTRODUCTION TO FSSC 22000

V5.1

FSSC 22000 V5.1 IA VILT TC Page |8

Learner Guide 08 02 2021
 SESSION ONE

INTRODUCTION TO FSSC 22000 V5.1

OBJECTIVES

When you have completed this session, you will be able to:

 Identify the purpose, benefits and principles of a FSMS which includes managing and
reducing risk.

 Explain the development and application of FSSC 22000 V5.1 including the technical
specifications sector PRPs and FSSC Additional Requirements V5.1.

 Explain the content and relationship between FSSC 22000 and other management
system standards.

 Explain the principles of HACCP, the process approach and continual improvement
based on the Plan-Do-Check-Act (PDCA) cycle.

KEY POINTS

 History of FSSC 22000 and ISO 22000:2018.

 FSSC 22000 and FSMS family of standards.

 FSSC 22000 requirements, i.e. ISO 22000:2018 & ISO/TS 22002-1 and the additional
requirements V5.1.

 The purpose and benefits of a FSMS.

 Compatibility with other management system standards.

 The principles of HACCP.

 The process approach and continual improvement based on the PDCA cycle.

FFSSC 22000 V5.1 IA VILT TC Page |9

Learner Guide 08 02 2021
 SESSION ONE

INTRODUCTION TO FSSC 22000 V5.1

INTRODUCTION

The FSSC 22000 certification scheme outlines the requirements for the audit and certification of
food safety management systems (FSMS) of organisations in the food supply chain.

BACKGROUND

During the 90s, there had been a series of high-profile international food safety crises including
BSE, dioxin and listeria. Within the food industry there was a growing audit fatigue as retailers
and brand manufacturers audited factories against countless in-house standards, each
developed in isolation and with no consideration of convergence. The results showed no
consistency and consumer and food industry confidence was low.

The CEOs of the world’s food retailers, working through their independent network CIES - The
Food Business Forum, now the Consumer Goods Forum (CGF), agreed to take collaborative
action. In May 2000, the Global Food Safety Initiative (GFSI), a non-profit foundation, was
founded and their main goal was laid out at the beginning and remains a compelling message:
“Once certified, accepted everywhere”.

The British Retail Consortium had already published their first BRC food safety standard in
1998. The German and French retailers were starting to work together on the International
Food Standard (IFS) and the Food Marketing Institute (FMI), the Trade Association for the
North American retailers, were developing their Safe Quality Food (SQF) Standard.

The benchmarking model would credibly determine equivalency between food safety schemes,
whilst leaving flexibility and choice in the marketplace.

Its collaborative approach brings together international food safety experts from the entire
supply chain at Technical Working Group and Stakeholder meetings, conferences and regional
events. They share knowledge and promote a harmonised approach with a shared vision of
“safe food for consumers everywhere.”

The strategic direction for GFSI is provided by an industry-driven GFSI Board of Directors made
up of retailers, manufacturers and foodservice operators. It is supported by the Consumer
Goods Forum Board of Directors.

FFSSC 22000 V5.1 IA VILT TC P a g e | 10

Learner Guide 08 02 2021
 SESSION ONE

THE GLOBAL FOOD SAFETY INITIATIVE (GFSI)

The Global Food Safety Initiative (GFSI) is an industry-driven initiative providing thought,
leadership and guidance on FSMS necessary for safety along the supply chain.

This work is accomplished through collaboration between the world’s leading food safety
experts from retail, manufacturing and food service companies, as well as international
organisations, governments, academia and service providers to the global food industry.

They meet at technical working groups and stakeholder meetings, conferences and regional
events to share knowledge and promote a harmonised approach to managing food safety
across the industry. GFSI is facilitated by the Consumer Goods Forum (CGF), a global, parity-
based industry network, driven by its members.

The GFSI specify for the recognition of food safety management schemes to defined
requirements in its guidance document. It brings together food safety experts within a global
network and it drives global change through multi-stakeholder projects on strategic issues (e.g.
Auditor competence, regulatory affairs, food safety for small suppliers).

HISTORY OF FSSC 22000

ISO 9000 series of standards were first developed in 1987. Since then it has significantly
changed and in the early 2000’s, and as a result of food companies interest in ISO 9001 and
the fact that there were no specific references to food safety, the ISO committee developed ISO
15161:2001 which was the first ISO guideline on the application of ISO 9001 for the food and
drink industry. From this standard ISO 22000 followed.

Developments that followed:

2001 - 2005
• 2001 - ISO 15161 Guideline on the application of ISO 9001:2000 for the food and drink industry
• 2005 - ISO 22000:2005 published
• 2005 - GFSI benchmarked ISO 22000:2005 (rejected based on the PRP)

2008 - 2009
• 2008 - PAS 220:2008 issued to establish sufficient PRPs for ISO 22000:2005
• 2009 - www.fssc22000.com launched and FSSC 22000 issued (combining ISO 22000:2005 and PAS
220:2008)
• 2009 - Content of FSSC 22000 approved by GFSI and ISO / TS 22002-1 replaced PAS 220

2010 - 2013
• 2010 - FSSC 22000 fully recognised by GFSI
• 2013 - Reapproved by GFSI against Guidance Document Version 6

2018 - 2020
• 2018 - Version 4.1 of FSSC 22000 additional requirements becomes mandatory
• 2018 - ISO 22000:2018 version update to the standard replacing 2005
• 2019 - The Foundation release FSSC 22000 Certification Scheme V5
• 2020 - The Foundation release FSSC 22000 Certification Scheme V5.1 following the release of GFSI
benchmarking Requirements Version 2020

FFSSC 22000 V5.1 IA VILT TC P a g e | 11

Learner Guide 08 02 2021
 SESSION ONE

AIMS OF A FSMS

The development of a FSMS represents a “pro-active”, systematic and logical approach to

address the problems of food safety. These may be internal (within the organisation) or external
(the result of factors outside of the organisation).

The organisation may respond through:

 Corporate vision and policies.

 Corporate culture, values.

 Interactive communication.

 Pre-requisite programmes (e.g. ISO / TS 22002-1).

 HACCP principles.

 System management.

ISO 22000 is an attempt to unify these key elements to ensure food safety along the food chain
up to the point of final consumption and FSSC 22000 is relevant at the manufacturing stages of
the food chain. Legal compliance is a key element within FSSC 22000.

LEGAL COMPLIANCE

With greater levels of food safety related regulations being imposed, organisations need an
increasingly more robust system to ensure that they can demonstrate that not only have they
considered the regulatory requirements but that they are actively monitoring compliance. By
implementing a FSMS the organisation can demonstrate that they are aware of the regulations
that apply to them and that they have a robust system in place to ensure that they maintain
compliance.

ISO 22000 does not seek to undermine or replace existing statutory requirements pertaining to
the food sector in the country of application. It recognises the salient inputs from the regulatory
role of the authorities across the whole food chain and requires demonstration of compliance
with applicable legislation.

Implementation of these systems alone will not bestow immunity from company liability or
prosecution but will significantly reduce the risks if the systems are maintained effectively.

Clearly it is the organisation’s responsibility to evaluate its own compliance and FSSC Auditors
are not food safety regulatory inspectors.

FFSSC 22000 V5.1 IA VILT TC P a g e | 12

Learner Guide 08 02 2021
 SESSION ONE

LEGAL COMPLIANCE, CONTINUED

However, Auditors must assess as to how legal requirements are incorporated into the system
and how the organisation implements its commitment to comply with legal and agreed
customer requirements for food safety both in the country of manufacture and where the food
products are being sold.

Auditors conducting audits on a FSMS and integrated management systems will have to be
aware of the appropriate standards and the legal requirements of the respective countries
where they are conducting the audits and where the products are being sold to in as far as
possible. In this respect, there is significant difference between legal compliance and conformity
with standards.

Where an organisation is not in compliance with legal requirements, the organisation may be
liable to prosecution. If an organisation’s FSMS does not conform to FSSC 22000, third-party
certification may be withdrawn but the organisation will not be liable to prosecution.

Auditors conducting FSSC audits, identify, by evidence, areas of conformity and nonconformity
to FSSC 22000 through their formal reporting systems. Where there is evidence of
nonconformity to legal requirements, it is advisable to bring this to the attention of the
organisation’s management who then have the responsibility to take appropriate action through
their relevant management system controls.

Where Auditors are appropriately trained and conducting integrated management system
audits, they are required to report both legal compliance and conformity to standards against
the audit evidence.

THE INTERNATIONAL FRAMEWORKS AND PROTOCOLS FOR THE SAFE PROVISION

OF FOODS

 HACCP: Based on Codex Alimentarius Guidelines CXC 1-1969 (2020), and other
international standards have been developed over time based on these HACCP
principles i.e.:

 U.S. Food Safety Modernization Act (FSMA).

 USFDA 21 CFR part 110,123.

 Canadian Food Inspection Agency’s Food Safety Enhancement Program

(FSEP), etc.

FFSSC 22000 V5.1 IA VILT TC P a g e | 13

Learner Guide 08 02 2021
 SESSION ONE

THE INTERNATIONAL FRAMEWORKS AND PROTOCOLS FOR THE SAFE PROVISION

OF FOODS, CONTINUED

 GFSI Recognised schemes:

 FSSC 22000 Version 5.1.

 BRC Global Food.

 IFS Food.

 SQF Code.

 GlobalGAP / CanadaGAP.

 GMP (Good Management Practice).

 Other retailer-based schemes.

 Others: Organic, Fairtrade, GMO etc.

THE BENEFITS OF A FSMS

The establishment and operation of a FSMS (FSSC or otherwise) will not, itself, necessarily
result in immediate reduction in adverse food safety risks. Essentially, a FSMS is a tool that
enables an organisation to achieve and systematically control the level of food safety
performance that it has set.

The system should also provide economic benefits such as:

 Reduced food safety breach investigation time.

 Reduced process training and new staff training.

 Reduced litigation.

 Reduced legal fees.

 Possible reductions in insurance premiums.

 Increase in commercial / public image.

 Protection of assets.

 Improvement in staff recruitment.

 Increased confidence with customers and other interested parties.

FFSSC 22000 V5.1 IA VILT TC P a g e | 14

Learner Guide 08 02 2021
 SESSION ONE

THE BENEFITS OF A FSMS, CONTINUED

When certificated to FSSC 22000 by an independent certification body such as SGS, BVQI or
Lloyds Register etc., the organisation benefits by:

 Improved profile and credibility.

 Competitive advantage in the marketplace.

 Valuable input from third-party Auditors.

 Employee pride and motivation.

 Meeting present or future anticipated demands of customers.

 Potentially lower levels of regulatory reporting.

 Meeting present or future anticipated demands of customers.

FSSC 22000 CERTIFICATION SCHEME

The FSSC 22000 certification scheme requirements are applicable to organisations in the food
and feed supply chain regardless of their size and complexity, whether profit-making or not and
whether public or private.

FSSC 22000 consists of the following components:

 ISO 22000:2018.

 Sector specific pre-requisite programs (PRPs) e.g. ISO / TS 22002-1.

 FSSC Additional Scheme Requirements V5.1.

FSSC 22000 V5.1

Additional
Scheme PRP: ISO/TS
Requirements - 22002-1
V5.1

ISO 22000:2018

FFSSC 22000 V5.1 IA VILT TC P a g e | 15

Learner Guide 08 02 2021
 SESSION ONE

SCOPE OF FSSC 22000 CERTIFICATION

FSSC 22000 is a complete certification scheme for the entire food chain, which comply with the
publicly available food safety management systems standard ISO 22000:2018 “Requirements
for any organisation in the food chain”, technical specifications for sector PRPs and additional
scheme requirements.

The scheme provides a certification model that can be used in the whole food supply chain. It
can cover sectors where such a technical specification for sector PRPs has been realised.

FSSC 22000 follows the food chain category description as defined in ISO / TS 22002-3:2013.

The scheme documents contain the requirements for organisations in the food and feed supply
chain to gain certification. They shall be used by the applicant organisation to assess, develop,
implement and improve its food and feed safety management system prior to application for
certification.

The requirements of the food and feed safety management system also serve as the normative
documents for certification of the organisation.

The normative documents shall be used by the certification body to assess the continuous
compliance of the food and feed safety management system of the applicant organisation with
the required performance.

The scheme is intended for the audit, certification and registration of food safety management
systems for the following scopes and product categories on the next page.

FFSSC 22000 V5.1 IA VILT TC P a g e | 16

Learner Guide 08 02 2021
 SESSION ONE

Scope and Product Categories

Category Sub Scope
Category
A AI Farming of animals for meat/milk/eggs/honey ISO 22000
AII Farming of fish and seafood ISO/TS 22002-3
FSSC 22000 Additional Requirements
C CI Processing of perishable animal products (e.g. meat, poultry, eggs, dairy and fish / seafood ISO 22000
products) ISO/TS 22002-1
CII Processing of perishable plant products (e.g. fruits, fresh juices, vegetables, grains, nuts and FSSC 22000 Additional Requirements
pulses and frozen water-based products)
CIII Processing of perishable animal and plant products (mixed products; e.g. pizza, lasagne,
sandwich, dumpling, ready-to-eat meal)
CIV Processing of ambient stable products (e.g. canned products, biscuits, snacks, oil, drinking
water, beverages, pasta, flour, sugar, food-grade salt)
D DI Production of feed ISO 22000
ISO/TS 22002-6
FSSC 22000 Additional Requirements

DIIa Production pet food (only for dogs and cats) ISO 22000
ISO/TS 22002-1
FSSC 22000 Additional Requirements

DIIb Production of pet food (for other pets) ISO 22000

ISO/TS 22002-6
FSSC 22000 Additional Requirements
E EI Catering ISO 22000
ISO/TS 22002-2
FSSC 22000 Additional Requirements
F FI Retail / wholesale ISO 22000
BSI/PAS 221
FSSC 22000 Additional Requirements
G GI Provision of transport and storage services for perishable food & feed ISO 22000
ISO/TS 22002-5
GII Provision of transport and storage services for ambient stable food & feed FSSC 22000 Additional Requirements
I I Production of food packaging and packaging materials ISO 22000
ISO/TS 22002-4
FSSC 22000 Additional Requirements
K K Production of Bio-chemicals ISO 22000
ISO/TS 22002-1
FSSC 22000 Additional Requirements

FSSC 22000 V5.1 IA VILT TC P a g e | 17

Learner Guide 08 02 2021
 SESSION ONE

ISO 22000:2018 FOOD SAFETY MANAGEMENT SYSTEMS

REQUIREMENTS FOR ANY ORGANISATION IN THE FOOD CHAIN

The requirements for the development, implementation and maintenance of the FSMS are laid
down in the standard ISO 22000:2018 “Food Safety Management System’s – Requirements for
any organisation in the food chain”.

ISO 22000:2018 is an international standard for food safety and is globally recognised.
However, FSSC 22000 is the GFSI approved food safety standard (see section 5.2 on GFSI).

ISO 22000:2018 provides requirements for a FSMS to enable an organisation to establish,

implement, operate, monitor, review, maintain and improve a documented FSMS within the
context of the organisation’s overall business risks (organisational and operational).

ISO 22000:2018 is designed “to harmonise on a global scale the requirements for food safety
management for businesses within the food chain”. The standard is intended to be used by
organisations seeking to establish a more focussed, coherent and integrated FSMS than is
normally required by law. The standard requires organisations to meet any applicable food
safety related statutory and regulatory criteria into its food safety system.

It is applicable to any organisation within the food chain, regardless of size, from feed
producers, primary producers through food manufacturers, transport and storage operators and
sub-contractors to retail and food outlets. The standard may be applied to inter-related
organisations such as:

 Producers of equipment.

 Packaging material.

 Cleaning agents.

 Additives and ingredients.

It may be applied to service providers.

ISO 22000:2018 is a FSMS which is internationally recognised, and it brings together

recognised food safety concepts (HACCP) to ensure food safety of the products or services of
the organisation in whichever sector of the food chain it is involved.

ISO 22000:2018 points out that the adoption by organisation of a Food Safety Management
System (FSMS) is “a strategic decision for an organization that can help to improve its overall
performance in food safety”.

FSSC 22000 V5.1 IA VILT TC P a g e | 18

Learner Guide 08 02 2021
 SESSION ONE

REQUIREMENTS FOR ANY ORGANISATION IN THE FOOD CHAIN, CONTINUED

The potential benefits to an organisation of implementing a FSMS based on ISO 22000:2018

include:

 The ability to consistently provide safe foods and relevant products and services that
meet customer and applicable statutory and regulatory requirements.

 Addressing risks associated with its objectives.

 The ability to demonstrate conformity to specified FSMS requirements.

HACCP / CODEX PRINCIPLES AND HAZARD IDENTIFICATION

The guidelines for the application of a HACCP System are established in the Codex
Alimentarius General Principles of Food Hygiene CXC 1– 1969 (2020).

The seven principles of HACCP are:

 Principle 1 — Conduct a hazard analysis and identify control measures.

 Principle 2 — Determine the critical control points.

 Principle 3 — Establish validated critical limits.

 Principle 4 — Establish monitoring procedures.

 Principle 5 — Establish corrective actions to be taken when monitoring indicates a

deviation from a critical limit at a CCP (OPRP) that has occurred.

 Principle 6 — Validate the HACCP plan and then establish procedures for verification
to confirm that the HACCP system is working as intended.

 Principle 7 — Establish documentation concerning all procedures and records

appropriate to these principles and their application

FSSC 22000 V5.1 IA VILT TC P a g e | 19

Learner Guide 08 02 2021
 SESSION ONE

HAZARD ANALYSIS

The HACCP team should list all hazards that may be reasonably expected to occur at each
step according to the scope of the FSMS, from primary production, processing manufacture,
and distribution until the point of consumption. All biological, chemical and physical hazards
should be considered. All requirements relating to HACCP are outlined in ISO 22000 Clause
8.5.

BIOLOGICAL HAZARDS

Food-borne biological hazards include microbiological organisms such as bacteria, viruses,

fungi and parasites. These organisms are commonly associated with humans and with raw
products entering the food establishment. Many of-these microorganisms occur naturally in the
environment where foods are grown. Most are killed or inactivated by cooking, and numbers
can be minimised by adequate control of handling and storage practices (hygiene, temperature
and time).

Most of reported food-borne disease outbreaks and cases are caused by pathogenic bacteria.
A certain level of these microorganisms can be expected with some raw foods. Improper
storage or handling of these foods can contribute to a significant increase in the level of these
microorganisms. Cooked foods often provide fertile media for rapid growth of microorganisms if
they are not properly handled and stored.

CHEMICAL HAZARDS

Chemical contaminants in food may be naturally occurring or may be added during the
processing of food. Harmful chemicals at high levels have been associated with acute cases of
food-borne illnesses and can be responsible for chronic illness at lower levels.

PHYSICAL HAZARDS

Illness and injury can result from hard foreign objects in food. These physical hazards can result
from contamination and / or poor practices at many points in the food chain from harvest to
consumer, including those within the food establishment.

FSSC 22000 V5.1 IA VILT TC P a g e | 20

Learner Guide 08 02 2021
 SESSION ONE

OTHER HAZARDS

Other hazards that need to be considered are issues such as deliberate sabotage from either
internal or external sources within the organisation. The HACCP team will need to assess the
likely sources and locations where the raw materials / products etc. may be vulnerable. In
accordance with some GFSI standards this needs to be built into the HACCP study or a
standalone risk assessment carried out.

Since some food industry scares and fraudulent activities e.g. melamine in baby milk and
horsemeat being used to substitute beef products, a higher degree of scrutiny and emphasis is
being placed on food business to identify the vulnerability of their incoming raw materials which
could have been substituted or tampered with.

As a result of the Elliott review (see www.gov.uk) one of the recommendations for improvement
in food fraud was that food business need to carry out a vulnerability risk assessment and these
can be carried in conjunction with product risk assessments and HACCP risk assessments as
deemed appropriate.

Food defence is also a key component of FSMS to ensure that food ingredients and materials
and finished products remain safe while being transported, processed and stored until they
reach the consumer. It is the ideologically or behaviourally motivated, intentional adulteration
that might impact consumer health.

For appropriate food defence plans food businesses will need to assess their risks and have
measures in place to reduce the chances of someone intentionally contaminating the food
supply in order to kill or hurt people, disrupt the economy or ruin the food business.

FSSC 22000 V5.1 IA VILT TC P a g e | 21

Learner Guide 08 02 2021
 SESSION ONE

ACTIVITY ONE: FSMS, FSSC 22000 AND HACCP AWARENESS

PURPOSE

 To review your understanding of FSMS, FSSC 22000 and HACCP Awareness.

TASK

 Answer the questions below in the box provided.

 Be prepared to discuss your response with the group.

OUTPUT

 Present your conclusions for discussion by the whole group.

TIME ALLOWED

 Activity: 30 minutes.

 Feedback: 15 minutes.

FSSC 22000 V5.1 IA VILT TC P a g e | 22

Learner Guide 08 02 2021
 SESSION ONE

FSMS, FSSC 22000 AND HACCP AWARENESS QUESTIONNAIRE

1) What are the key benefits for an organisation to implement a FSMS?

2) Explain the difference between the terms ‘hazard analysis’ and ‘risk assessment’.

FSSC 22000 V5.1 IA VILT TC P a g e | 23

Learner Guide 08 02 2021
 SESSION ONE

3) What is the meaning of the term ‘hazard control plan?

4) What are the Codex Principles of HACCP?

FSSC 22000 V5.1 IA VILT TC P a g e | 24

Learner Guide 08 02 2021
 SESSION ONE

5) What is the difference between ISO 22000:2018 and FSSC 22000?

6) Define what a PRP is and give some examples of specific FSSC PRPs.

FSSC 22000 V5.1 IA VILT TC P a g e | 25

Learner Guide 08 02 2021
 SESSION ONE

7) How would you describe the difference between a CCP and an OPRP?

8) What external influences affect any FSMS and describe how they have an effect?

FSSC 22000 V5.1 IA VILT TC P a g e | 26

Learner Guide 08 02 2021
 SESSION ONE

9) Where in FSSC 22000 does it refer to compliance with Food Safety legislation? Give
examples of evidence that would support such requirements.

10) If you discover that the organisation is in breach of Food Safety legislation during a
FSSC Certification audit, what actions must you take and what should you do?
11)

12)

13)

14)

15)

16)

17)

18)

19)

20)

FSSC 22000 V5.1 IA VILT TC P a g e | 27

Learner Guide 08 02 2021
 SESSION TWO

SESSION TWO

FOOD SAFETY MANAGEMENT

SYSTEM (FSMS)

FSSC 22000 V5.1 IA VILT TC P a g e | 28

Learner Guide 08 02 2021
 SESSION TWO

FOOD SAFETY MANAGEMENT SYSTEM (FSMS)

OBJECTIVES

When you have completed this topic, you will be able to:

 Explain the PDCA framework and its significance to ISO 22000:2018 and its
processes.

 Outline the processes involved in establishing, implementing, operating, monitoring,

reviewing and maintaining a management system, including the significance for
Auditors.

 Understand and discuss the formulation of the management system policy and
objectives.

 Explain the sector specific PRPs.

 Identify and explain the FSSC V5.1 Additional Requirements.

KEY POINTS

 Application of PDCA cycle.

 Context of the organisation.

 Leadership.

 Policy and objectives.

 Planning.

 Support.

 Documented information.

 Competence and awareness.

 Operation.

 Performance evaluation.

 Nonconformity and corrective action.

 Continual improvement.

FSSC 22000 V5.1 IA VILT TC P a g e | 29

Learner Guide 08 02 2021
 SESSION TWO

FOOD SAFETY MANAGEMENT SYSTEM (FSMS)

INTRODUCTION

This session addresses the elements and management of a FSMS based upon the process
approach set out in ISO 22000 and considers the implications for Auditors. Further to this the
session reviews the Pre-requisite Programmes and Additional FSSC Requirements.

PROCESS APPROACH

For an organisation to function effectively, management must identify and co-ordinate

numerous linked activities. An activity that takes “inputs” and converts them to “outputs” can be
considered as a “process”. Very often the output from one process becomes the input for
another process.

Thus, organisations may comprise of several linked processes that need to be identified and
managed.

The process approach, therefore, is the systematic identification and management of these
activities and the interactions between activities. Used properly, the process approach provides
control over the processes, the links between processes, and the combination and interaction
of processes.

The process-approach emphasises the importance of the understanding and fulfilment of food
safety requirements, the need to consider processes in terms of added value, establishing
policy and objective for food safety, obtaining results of process performance and effectiveness
of the FSMS and the continual improvement of processes based on objective measures.

CONTINUAL IMPROVEMENT BASED ON THE PDCA CYCLE

The process approach is based upon the methodology known as Plan-Do-Check-Act (PDCA)
which helps organisations drive continual improvement. It can be applied to all processes and
to the management system. Managing the processes and the management system together
can be achieved using the PDCA cycle, with an overall focus on risk‐based thinking taking
advantage of opportunities and preventing undesirable results.

FSSC 22000 V5.1 IA VILT TC P a g e | 30

Learner Guide 08 02 2021
 SESSION TWO

CONTINUAL IMPROVEMENT BASED ON THE PDCA CYCLE, CONTINUED

 Plan - What to do and how to do it. Establish the management system policy by setting
objectives and targets. Put controls in place (processes and procedures) that will help
your organisation to achieve the results needed to support the overall strategic plan.
Determine the:

 Context for the business.

 Interested parties.
 Organisational risks.
 Establish food safety policy, objectives and targets.
 Identify food safety hazards, their risks and plans for their necessary control.
 Planned processes and procedures relevant to improving food safety standards
and controlling hazards.
 Plans to deliver results that align with the “organisations” overall policies and
procedures and to meet customer and legal food safety requirements.

 Do - Focus on developing and implementing the processes. Make sure the

organisation is operating to the policy and strategy in line with what has been planned.
Implement and operate the food safety policy:

 Strategies
 Control measures.
 Policies.
 Procedures.

 Check - That everything has gone according to plan:

 Monitor and review performance against the food safety policy, objectives,
strategies and hazard control plans.
 Analyse the data to see how well the plan is being executed.
 Report results to management for review.
 Verify and validate controls in place and the overall effectiveness of the FSMS in
controlling the food safety hazards.
 Determine and authorise if actions for correction, corrective action and
improvement are required.

FSSC 22000 V5.1 IA VILT TC P a g e | 31

Learner Guide 08 02 2021
 SESSION TWO

CONTINUAL IMPROVEMENT BASED ON THE PDCA CYCLE, CONTINUED

 Act - Maintain and improve the FSMS by taking corrections and corrective actions
based on the results of the verification (checking) activities and issues, if highlighted,
and bringing this information and evaluating it through the management review
process and re-appraising the scope of the FSMS and policy and objectives.

This approach to food safety management that incorporates the PDCA cycle within each
activity is set out in “PDCA cycle applied to FSMS Diagram”.

Food safety management, therefore, becomes no longer a separate ““policing” function but an
integral part of business management because it has the ability to affect the “bottom line”.

This methodology is set within the clauses and requirements of ISO 22000:2018.

A diagram showing the PDCA cycle and continual improvement is shown below.

4. Take actions to continually 1. Establish objectives

Improve process performance necessary to deliver results
effectiveness and efficiency in accordance with customer
requirements and the
organisation's policies

3. Monitor and measure

processes and product
against policies, objectives
and requirements
2. Implement
2. Implement the processes

FSSC 22000 V5.1 IA VILT TC P a g e | 32

Learner Guide 08 02 2021
 SESSION TWO

APPLICATION OF THE PDCA CYCLE

COMPONENTS OF PDCA IN FSSC 22000 /ISO 22000:2018

Continually improve the FSMS by: Determine:

 Taking action to control and correct  Customer needs and expectations
nonconformity  Processes needed and their
 Evaluating corrective action to application
prevent recurrence  Sequence and interaction of
 Implementing actions and reviewing processes
their effectiveness  Criteria and methods needed to
 Addressing management review control processes
outputs

Implement and operate:

Monitor, measure, analyse and  Resources necessary to
support operation and
evaluate performance of FSMS
monitoring
against the:  Requirements for products and
 Policy services
 Objectives  Design and development
 Plans  Control externally provided
 Controls products and services
Conduct internal audits and report  Control production and service
the results to management for provision
review  Manage nonconformities

The diagram “PCDA cycle applied to a FSMS” sets out the structure and elements of a process
as addressed by clauses 4 to 10 of ISO 22000:2018.

FSSC 22000 V5.1 IA VILT TC P a g e | 33

Learner Guide 08 02 2021
 SESSION TWO

CONTEXT OF THE ORGANISATION CLAUSE 4

UNDERSTANDING THE ORGANISATION AND ITS CONTEXT

FSSC 22000 sets out the requirements for establishing, implementing, maintaining and
continually improving a FSMS within the context of the organisation. The organisation needs to
know its own context, where it fits in the food chain and what its role is, so that it can determine
all the external and internal issues that are relevant to its purpose and that affect its ability to
achieve the intended result(s) of its own FSMS.

NEEDS AND EXPECTATIONS OF INTERESTED PARTIES

To ensure that the organisation can consistently provide safe food products and services that
meet applicable statutory, regulatory and customer requirements with regard to food safety, the
organisation shall plan and determine the interested parties and their requirements relevant to
the FSMS. The organisation shall identify, review and update information related to the
interested parties and their requirements.

SCOPE

The scope must be clearly defined as this will determine the level of control required by the
organisation to control their food safety hazards, in order to ensure that the food is safe at the
time of consumption.

The organisation must define the scope of the FSMS (clause 4.3), which should be consistent
with the risk assessment and risk treatment plan undertaken by the organisation and
appropriate to the size, nature and complexity of the organisation. An Auditor will expect that
the scope has taken into consideration: all products manufactured, services, relevant activities
and the “interested parties” needs and expectations relevant to the FSMS.

The Auditor will need to confirm that the FSMS scope statement is fit for the:

 Business situation of the audit client.

 Overall FSMS in terms of:

 Geographical, i.e. sites, locations.

 Products being manufactured.

 Processes involved.

FSSC 22000 V5.1 IA VILT TC P a g e | 34

Learner Guide 08 02 2021
 SESSION TWO

SCOPE, CONTINUED

Examples of some scopes include:

 The processing (curing, cooking, slicing) and packing (vacuum and modified
atmosphere) of whole and sliced ham, pork and beef.

 Manufacture (pasteurisation) and packing of yoghurt into glass and plastic.

 The manufacture of retail and bulk packed ambient stable and frozen breads and
pastries.

LEADERSHIP, CLAUSE 5

LEADERSHIP AND COMMITMENT

Top Management must show leadership with respect to the FSMS. The standard sets out
several ways by which management can demonstrate their commitment. One of these is
through the planning of the FSMS, planning and establishment of the food safety policy. Also:

 Defining responsibilities and authorities.

 Ensuring the integration of the FSMS requirements into the business processes.

 Ensuring the resources needed are available.

 Setting out plans for communicating the importance of effective food safety
management.

 Communicating internally and externally to ensure that information on food safety

issues is available throughout the food chain.

POLICY

The FSMS policy demonstrates the commitment of management. The policy should be
appropriate to the purpose and context of the organisation (clause 5.2) and establish an overall
sense of direction and principles for action, with regard to food safety. The policy must provide
the framework for establishing and reviewing objectives.

The organisation should ensure the policy addresses the following requirements:

FSSC 22000 V5.1 IA VILT TC P a g e | 35

Learner Guide 08 02 2021
 SESSION TWO

POLICY, CONTINUED

 Be appropriate to the organisations activities and process.

 Commit to comply with any applicable legal and other regulatory and contractual
requirements.

 Addresses the need to ensure competencies related to food safety.

 Addresses internal and external communication.

 Includes a commitment to continual improvement of the FSMS.

 Provide a framework for setting and reviewing objectives and targets of the FSMS.

 Be documented (documented information), implemented and maintained.

 Be communicated, understood and applied at all levels within the organisation.

 As an output from the management review (clause 9.3.3), the need for updating and
changing the revision of the food safety policy.

Top Management must demonstrate commitment to the FSMS and be accountable for the
scope of activities defined in the policy it is usual, though not mandatory, for an organisation to
objectively demonstrate “Top Management” commitment to the policy via the approval
signature of the most senior manager responsible for the scope of activities embraced by the
policy.

The policy must be available and maintained as documented information and communicated
and understood and applied at all levels within the organisation, and be available to relevant
interested parties as appropriate.

ORGANISATIONAL ROLES, RESPONSIBILITIES AND AUTHORITIES

Top Management must ensure that responsibilities and authorities for relevant roles are
assigned, communicated and understood (clause 5.3). In particular to ensure that the FSMS is
effectively operated, maintained and conforms to the requirements of ISO 22000:2018, and that
the performance is reported to Top Management. Also, Top Management must make
personnel aware that they have a responsibility to report any problems within the FSMS.

Top management must appoint a Food Safety Team Leader within the organisation who may
or may not have other responsibilities but will have the responsibility and authority to manage
the Food Safety Team and organise their work and ensure that they are all trained.

FSSC 22000 V5.1 IA VILT TC P a g e | 36

Learner Guide 08 02 2021
 SESSION TWO

ORGANISATIONAL ROLES, RESPONSIBILITIES AND AUTHORITIES, CONTINUED

If the FSMS is going to operate successfully then everyone within the organisation must be
aware of their responsibilities regarding the processes within the organisation.

The organisational chart if deemed appropriate should therefore be drawn up to include food
safety as well as the other business responsibilities. All levels of management and the
workforce should be included as all have a direct or indirect effect on the FSMS and safety of
the products being produced.

Refer to Appendix 2 for an example of an organisation structure.

PLANNING, CLAUSE 6

ACTIONS TO ADDRESS RISKS AND OPPORTUNITIES

The first key focus in ISO 22000:2018 through the PDCA cycle is to plan. Planning is relative to
the context of the business, the needs of those internally and externally of the business and the
FSMS, the scope of the FSMS dictates also the level of planning required.

The objective of the FSMS is to provide safe and legal products/services to the market and
effective planning is essential.

As required by ISO 22000, food businesses based on the above knowledge will need to
determine the risks and opportunities that need to be addressed to:

 Give assurance that the FSMS can achieve its intended result(s).

 Enhance desirable effects.

 Prevent, or reduce, undesired effects.

 Achieve continual improvement.

The other layers of risk and opportunities will also need to be assessed including the HACCP
systems and assessments, these include:

 Markets risks.

 Changes in legislation.

 New markets with new requirements.

 Competitors.

FSSC 22000 V5.1 IA VILT TC P a g e | 37

Learner Guide 08 02 2021
 SESSION TWO

ACTIONS TO ADDRESS RISKS AND OPPORTUNITIES, CONTINUED

 External risks like fraud, authenticity, security breaches or illegal practices in the food
chain that could impact their raw materials or finished products.

 Product recalls that may impact their products or business etc.

Not all risks have to be negative and can be used as an opportunity for improvement and can
end up being positive for the business, but they need to be assessed.

The food/food related business needs to consider actions that they can take to address,
minimise or avoid risks dependant on the impact on the business.

FOOD SAFETY OBJECTIVES

The commitment in the food safety policy to continual improvement is achieved in many ways.
One way is through the setting and achieving of food safety objectives.

The objectives should be:

 Measurable, where practicable and consistent with the food safety policy.

 Monitored.

 Verified.

 Communicated.

 Maintained as documented information.

The objectives, when set by Top Management, will need to take into account the:

 Applicable food safety requirements, i.e. statutory, regulatory and customer

requirements.

 Possible outcomes of the HACCP study.

 Specific business objectives that support food safety.

Once decided, the objectives need to be communicated to the appropriate people in a way that
they are able to translate these objectives into their roles so that they understand how their
individual contributions support the management system to achieve its goals. Objectives should
be reviewed periodically and revised as necessary for the continual improvement of the FSMS.

FSSC 22000 V5.1 IA VILT TC P a g e | 38

Learner Guide 08 02 2021
 SESSION TWO

PLANNING OF CHANGES

When changes happen in the food industry often there is little warning, such as a food safety
incident/recall; other times there is sufficient time to make the necessary changes, i.e. new
legislation or a new standard update.

If changes are not dealt with correctly they can have a very negative or damaging effect on the
FSMS and effective planning where possible can alleviate some unnecessary issues.

Any changes to the FSMS must be planned and carried out in a systematic manner considering
the:

 Purpose of the change and their potential consequences.

 Continued integrity of the FSMS.

 Availability of resources to implement the change.

 Allocation or re-allocation of responsibilities and authorities where necessary .

SUPPORT, CLAUSE 7

RESOURCES

Resources that are required for the effective FSMS need to be considered and the capability of
existing resources and the potential need for external resources. The resources needed for the
FSMS must be determined, planned for and provided. These will include resources to:

 Identify, establish, implement and maintain, update and continually improve the FSMS.

 Take into account the need for the FSMS to address legal and regulatory
requirements, and contractual obligations and commitments to interested parties, e.g.
local authorities, stakeholders and customers, consumers etc.

 Maintain adequate control of food safety through the correct application of all control
measures.

Resources must be provided to carry out reviews of the FSMS, react appropriately to the result
of these reviews, and update and continually improve the effectiveness of the FSMS.

FSSC 22000 V5.1 IA VILT TC P a g e | 39

Learner Guide 08 02 2021
 SESSION TWO

PEOPLE

For the FSMS to be effective and operate according to the internal and external requirements
and expectations, the business requires people. This all needs to be planned, i.e. who is
needed? Where and how competent they will need to be? This depends on the current roles
and responsibilities and those needed for the FSMS.

The organisation shall determine (plan for) and provide the persons necessary to operate and
maintain an effective FSMS, and to ensure that they are competent. Where external experts
have been identified as being required, there shall be evidence of contracts or agreements
defining competency, responsibility and authority that shall be retained as documented
evidence.

Many food/food related business do require, or rely on, some support from external sources i.e.
consultants, associations or other entities. If there are any resources needed for the
development, implementation, operation or assessment of the FSMS, then these external
parties need to have an agreement/contract with the food business to ensure their roles and
responsibilities are transparent and understood.

INFRASTRUCTURE

As well as the people, the organisation must determine, provide and maintain the infrastructure
necessary to ensure that its processes achieve conformity with the requirements of the FSMS.
The standard notes that the infrastructure can include:

 Land, vessels, buildings and associated utilities.

 Equipment including hardware and software.

 Transportation.

 Information and communication technology.

FSSC 22000 V5.1 IA VILT TC P a g e | 40

Learner Guide 08 02 2021
 SESSION TWO

WORK ENVIRONMENT

The organisation must also determine, provide and maintain the resources for the
establishment, management and maintenance of the work environment necessary to achieve
conformity with requirements of the FSMS.

This clause includes a combination of human and physical factors, such as:

 Social (e.g. non‐discriminatory, calm, non‐confrontational).

 Psychological (e.g. stress‐reducing, burnout prevention, emotionally protective).

 Physical (e.g. temperature, heat, humidity, light, airflow, hygiene, noise).

These factors can differ greatly depending on which sector the food chain the organisation
operates at, or the risk of the products or services provided.

EXTERNALLY DEVELOPED ELEMENTS OF THE FSMS

This clause refers to elements of the FSMS being developed possibly by external experts or
companies that are multinational and may be required to adopt elements of their system, e.g.
policies from corporate or other situations where parts of the system are influenced or
developed externally to fit the requirements of the organisation.

When an organisation establishes, maintains, updates and continually improves its FSMS by
using externally developed elements of a FSMS, including PRPs, the hazard analysis and the
hazard control plan (see 8.5.4), the organisation shall ensure that the provided elements are:

 Developed in conformance with requirements of this document.

 Applicable to the sites, processes and products of the organisation.

 Specifically adapted to the processes and products of the organisation by the Food
Safety Team.

 Implemented, maintained and updated as required.

FSSC 22000 V5.1 IA VILT TC P a g e | 41

Learner Guide 08 02 2021
 SESSION TWO

CONTROL OF EXTERNALLY PROVIDED PROCESSES, PRODUCTS OR SERVICES

Suppliers and sub-contractors are a key resource for all food businesses; who depend on their
services and raw materials. Therefore, this resource/support needs to be effectively planned for
and organisations should evaluate and assess their suppliers.

Information sharing, and regular open communication allows for all hazards along the food
chain to be identified swiftly, assessed and controlled. Issues such as food safety alerts,
allergen contamination, fraud and adulteration must be prevented and minimised.

If a hazard occurs swift involvement of all concerned and full awareness of the extent of the
problems is essential to control the escalation of the problem. This is achieved by appropriate
lines of control, assessment, communication and the ability of the companies and authorities
involved to be able to react effectively.

COMPETENCE

The organisation will need to have competent personnel to deliver its policy, plans and
objectives. Competence is essential, especially in relation to external experts.

The Food Safety Team is a significant resource and support of any food company and without
their competency the system would not operate or improve.

AWARENESS

Food businesses need to make sure and plan to ensure that persons doing work under the
organisation’s control shall be aware of:

 The food safety policy.

 The objectives of the FSMS relevant to their tasks.

 Their contribution to the effectiveness of the FSMS, including the benefits of improved
food safety performance.

 The implications of not conforming with the FSMS requirements.

FSSC 22000 V5.1 IA VILT TC P a g e | 42

Learner Guide 08 02 2021
 SESSION TWO

COMMUNICATION

The organisation shall determine and plan for the necessary internal and external
communication and appropriate channels relevant to the FSMS including:

 What will it communicate?

 When to communicate?

 With whom to communicate?

 How to communicate?

 Who communicates?

External communication

Food businesses need to plan for and consistently communicate externally with interested
parties within the food chain.

Relevant and effective communication within the food chain allows for swift flow of information
for each stage of the chain to assess their own individual hazards and risks. Where problems
occur, effective communication is essential for example, in the event of a food scare, recall or
withdrawal.

Internal communication

Planning for effective communication is vitally important internally to ensure that there is open
communication on issues having an impact on food safety.

Plans must be in place to ensure that the Food Safety Team is informed in a timely manner of
changes in:

 Products or new products.

 Raw materials, ingredients and services.

 Production systems and equipment.

 Production premises, location of equipment and surrounding environment.

 Cleaning and sanitation programmes.

 Packaging, storage and distribution systems.

FSSC 22000 V5.1 IA VILT TC P a g e | 43

Learner Guide 08 02 2021
 SESSION TWO

Internal communication, continued

 Competencies and or allocation of responsibilities and authorisations.

 Applicable statutory and regulatory requirements.

 Knowledge regarding food safety hazards and control measures.

 Customer, sector and other requirements that the organisation observes.

 Relevant enquiries and communications from external interested parties.

 Complaints and alerts indicating food safety hazards associated with the end product.

 Other conditions that have an impact on food safety.

The Food Safety Team shall ensure that this information is included when updating the FSMS
(see 4.4 and 10.3). Top Management shall ensure that relevant information is included and
planned and included in the management review.

DOCUMENTED INFORMATION

The extent of the documentation must be focused around the size of the food business, its
activities, processes, products and/or services, its complexity and the process interactions and
the competence of its personnel.

This must be effectively planned and may change over time depending on internal and external
requirements.

In the previous version of ISO 22000 there were seven mandatory procedures that are no
longer required, but a list of clauses (refer to Appendix 13) state that documented information
needs to be maintained or retained.

Documented information retained as evidence of conformity shall be protected from unintended

alterations.

Documented information may either be hard or soft copy and their control will differ depending
on the requirements of the standard. See Appendix 13 for the list of clauses requiring
documented information.

The control of documented information is important and management of the FSMS must put
plans in place as to the methods required to control them, for example:

FSSC 22000 V5.1 IA VILT TC P a g e | 44

Learner Guide 08 02 2021
 SESSION TWO

DOCUMENTED INFORMATION, CONTINUED

 Storage.

 Retention.

 Preservation.

 Control of changes.

 Disposition.

OPERATION, CLAUSE 8

OPERATIONAL PLANNING AND CONTROL

The organisation has to establish, document, implement and maintain an effective FSMS. Food
safety hazards that may be reasonably expected to occur must be identified, evaluated and
controlled in such a manner that the products of the organisation do not directly or indirectly
harm the consumer.

A significant number of the requirements within FSSC require the organisation to “Do” or
implement things can be found in clause 8.0 of ISO 22000:2018, i.e:

 To establish a PRP (ISO/TS 22002 series – select the one depending on which sector
is applicable).

 Appoint a Food Safety Team.

 Have appropriate traceability systems.

 Develop emergency preparedness and response procedures.

 Describe raw materials, end products, their characteristics and intended use etc.

 Prepare flow diagrams.

 Conduct the hazard analysis and hazard/risk assessment.

 Select appropriate control measures, i.e. PRPs, OPRPs or CCPs.

Monitoring activities are required to be carried out and updating of all information and the
documents when changes occur. Verification activities (checking) need to be carried out, also
managing and controlling the established traceability systems are required on a day-to-day
basis – one could say that it is “doing”, i.e. carrying out an activity and they are also “Checking”.

FSSC 22000 V5.1 IA VILT TC P a g e | 45

Learner Guide 08 02 2021
 SESSION TWO

OPERATIONAL PLANNING AND CONTROL, CONTINUED

When issues occur, they need to be managed and controlled to ensure that unsafe or
potentially unsafe products are handled appropriately and in accordance with the documented
procedures. Where required product withdrawal/recall procedures may need to be initiated.

PRE-REQUISITE PROGRAMMES (PRPS)

The organisation shall establish, implement, maintain and update PRPs to facilitate the
prevention and/or reduction of contaminants in the products, product processing and work
environment.

The PRPs should be appropriate to the context of the organisation and the nature of the
products being manufactured and/or handled. It should be implemented across the entire
production system as applicable and approved by the food team. The PRP requirements are
specified in the ISO/TS 22002-x series and/or the BSI/PAS 221 standards.

When establishing the PRPs the organisation must ensure that applicable statutory, regulatory
and customer requirements are identified. The organisation should consider the applicable part
of the ISO/TS 22002 series, applicable standards, codes of practice and guidelines. The
organisation shall also consider:

a) Construction, lay-out of buildings and associated utilities.

b) Lay-out of premises, including zoning, workspace and employee facilities.
c) Supplies of air, water, energy and other utilities.
d) Pest control, waste and sewage disposal and supporting services.
e) The suitability of equipment and its accessibility for cleaning and maintenance.
f) Supplier approval and assurance processes (e.g. raw materials, ingredients, chemicals
and packaging).
g) Reception of incoming materials, storage, dispatch, transportation and handling of
products.
h) Measures for the prevention of cross-contamination.
i) Cleaning and disinfecting.
j) Personal hygiene.
k) Product information/consumer awareness.
l) Others, as appropriate.
Documented information shall specify the selection, establishment, applicable monitoring and
verification of the PRP(s).

FSSC 22000 V5.1 IA VILT TC P a g e | 46

Learner Guide 08 02 2021
 SESSION TWO

CONTROL OF NONCONFORMITY, CORRECTION AND CORRECTIVE ACTIONS

FSMS, when being managed appropriately, will identify gaps and issues from the “checking”
activities (verification and validation) that will require some action to be taken.

During the processing of end products when integrity to food safety has been compromised, or
there is some doubt that the system parameters have been breached, the Food Safety Team,
Operators or Management will need to implement suitable restrictions.

Corrections, corrective actions and any other means may need to be implemented to control
products which are nonconforming or potentially unsafe.

Product withdrawals are also an option, if the products that have been deemed unsafe have
been delivered to the customer/consumer.

The Auditor should ensure that the process for identifying such a condition is robust and that
the correct route of addressing unsafe products is followed, any doubts having been resolved
one way or the other during the process.

Note: That corrective action needs the input of a competent person, and its scope includes
trend analysis and prevention of recurrence.

CONTINUAL IMPROVEMENT AND UPDATING

The successful achievement of continual improvement is achieved by organisations that utilise

the ‘Plan- Do-Check-Act’ cycle effectively, also when sufficient resources and competency are
in place to identify the issues and carry out appropriate root cause and implement the
necessary corrections and corrective actions.

Once the cycle is generated improvements will take place, FSSC 22000 requires Top
Management to use the FSMS to continually improve its own effectiveness. The organisation
need to consider the system performance as a whole when determining the actual trend based
on audit evidence. Top Management must ensure that the organisation continually improves
the effectiveness of the FSMS through the use of:

 Communication.

 Management review.

 Internal audit.

 Evaluation of individual verification results.

FSSC 22000 V5.1 IA VILT TC P a g e | 47

Learner Guide 08 02 2021
 SESSION TWO

CONTINUAL IMPROVEMENT AND UPDATING, CONTINUED

 Analysis of results of verification activities.

 Validation of control measure combinations.

 Corrective actions.

 FSMS updating.

Also, the achievement of the food safety objectives is another method of determining
improvement year on year within the organisation.

Updating the FSMS is a requirement that Top Management must ensure takes place. It is an
action output from the ongoing review and analysis of the FSMS (through internal
communication, meetings, external communication, e.g. legal bodies, withdrawals, customer
complaints, changes in legislation, changes in the raw materials, finished products etc.).

The Food Safety Team need to carry out periodic evaluation of the current information used in
the FSMS. This should be aligned with the lower level updating requirements and the results of
the evaluation, this then feeds into the management review.

The organisation should check whether the scope of this evaluation covers the whole FSMS
starting with the issues which trigger an update through to the successful implementation of the
change. Consideration must then be given whether it is necessary to review the hazard
analysis, the established operational PRP(s) and the HACCP plan.

PERFORMANCE EVALUATION, CLAUSE 9

MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION

It is the responsibility of management to monitor, evaluate, verify and review the effectiveness
and efficiency of its own FSMS.

Where issues are identified during checking, management need to authorise actions for
correction, corrective action and improvement.

As a result of the hazard analysis and risk assessment specific control measures for controlling
food safety hazards will have been identified (planned) and the FSMS requires that these
controls (CCP/OPRP) are checked for their ability to control the hazards to acceptable levels,
i.e. validation.

FSSC 22000 V5.1 IA VILT TC P a g e | 48

Learner Guide 08 02 2021
 SESSION TWO

MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION, CONTINUED

It’s important to check that the validation process itself is effective, reliable and that control
measures are not introduced or changed until this assurance is supported by evidence –
sometimes very scientifically sought and tested, or from external resources; otherwise from
research and data established internally.

Either way the Food Safety Team must determine how valid and accurate the control measures
are for each CCP and OPRP.

Monitoring steps of each of the CCPs and OPRPs needs to have been planned. These
activities of “checking” on a routinely basis show and demonstrate that the validated controls
remain in control, i.e.:

 Within their critical limits for CCPs.

OR

 Within their action criteria for OPRPs.

AND

 Are effective for each batch/production run etc.

Monitoring frequencies are set by the HACCP team and all of the information for each CCP and
OPRP will be available as documented information in the hazard control plan (clause 8.5.4).

As required in any FSMS, all control measures require ongoing verification (clause 8.8).
Therefore, all critical parameters (CCPs) and action criteria for OPRPs that are necessary for
the products, are checked at the stated frequencies by competent staff.

The organisation shall ensure that verification activities are not carried out by the person
responsible for monitoring the activities. This is clearly stated in the standard (clause 8.8.1) and
ensures independence and objectivity when the verifier is checking that the monitoring has
happened in accordance with the hazard control plans and that the controls in place are
maintained and effective.

The retained documentation information will enable an organisation to demonstrate that the
system is complying with its determined controls and processes.

The organisation must use suitable methods for monitoring and verification of the FSMS
processes. These methods must demonstrate the ability of processes to achieve planned
results. All methods used for verification, validation and monitoring need to be adequate and all
equipment needs to be accurate. This is achieved through clause 8.7, control of monitoring and
measuring, i.e. calibration.
FSSC 22000 V5.1 IA VILT TC P a g e | 49
Learner Guide 08 02 2021
 SESSION TWO

MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION, CONTINUED

Performance evaluation of the FSMS is vital to determine how effective it is. The food business
will need to analyse and evaluate:

 All the appropriate data and information from all the monitoring and measurement
activities.

 The results of all the verification activities relating to the PRPs and the hazard control
plan.

 The results of the internal and external audits that have been “planned” and
“completed”.

INTERNAL AUDIT

The organisation must conduct internal audits at planned intervals to provide information on
whether the FSMS conforms to requirements of FSSC 22000 and is effectively implemented
and maintained.

This means the establishment of an audit programme taking into consideration the importance
of the processes concerned and the results of previous audits.

Audits must be objective and impartial and the means by which Auditors are selected must
ensure that this objectivity is maintained, and they must be competent to carry out audits.

The management responsible for the area being audited must ensure that any necessary
corrections and corrective actions are taken within the agreed timeframe.

Also, the audits need to check that the FSMS meets the intent and objectives of the food safety
policy. Follow-up activities will include the verification of the actions taken and the reporting of
verification results.

FSSC 22000 (V5.1) lays specific requirements for internal auditing for organizations with multi-
site certification. Where the central function must ensure there are sufficient resources available
and that the roles, responsibilities and requirements are clearly defined for management.
Internal auditors, technical personnel reviewing internal audits and other key personnel involved
in the FSMS. The management system must be audited at least annually and based on risk. It
requires the internal audit programme to be established by the central function (CF) covering all
sites. Internal auditors must be independent of the areas they audit and be assigned by the CF
to ensure impartiality.

FSSC (V5.1) Lays down specific training and competency requirements for internal auditors.
FSSC 22000 V5.1 IA VILT TC P a g e | 50
Learner Guide 08 02 2021
 SESSION TWO

EVALUATION AND MANAGEMENT REVIEW

As part of a FSSC 22000 FSMS all of the verification activity results are required to be
evaluated by the Food Safety Team. The purpose of the evaluation is to determine if the
verification activities have been witnessed and conformity or nonconformity with requirements
or otherwise demonstrated.

If gaps are identified, then the organisation will need to restore control to achieve the required
conformity. This can be done by reviewing procedures, hazard analysis, PRPs, OPRPs, CCPs,
how effective the resources and training is and the competency levels.

When there are set systems in place to be carried out, they must then be verified, and the
results of those verification activities need to be evaluated. The results of the analysis and
resulting activities must be recorded and shall in relevant form be reported to Top Management
as input to the management review. It must also be used as an input to FSMS updating, as the
evaluation will identify if there are any requirements for change. It is the role of the management
review to consolidate all the results and review of the overall performance of the FSMS.

The organisation’s Top Management should review the FSMS, at planned intervals to ensure
the continuing suitability, adequacy and effectiveness of the FSMS. This requirement is at the
core of the FSMS and is an input to the review, as it identifies any necessary changes and
improvements.

Typically, management review activities comprise of a meeting to review data and issues,
though a “meeting” is not specifically stated by the standard. The management review is a
substantial section of “Check” and it initiates the “Act” within the PDCA cycle of FSMS.

Top Management shall review the organisation’s FSMS at planned intervals, to ensure its
continuing suitability, adequacy, and effectiveness (clause 9.3.1). The management review
must be planned and carried out taking into consideration (clause 9.3.2):

 The status of actions from previous management reviews.

 Changes in external and internal issues that are relevant to the FSMS, including
changes in the organisations context.

 Information on the performance and effectiveness of the FSMS, including trends in:

 Results of systems updating activities.

 Monitoring and measurement results.

 Analysis of the results of verification activities related to PRPs and the hazard
control plan.

FSSC 22000 V5.1 IA VILT TC P a g e | 51

Learner Guide 08 02 2021
 SESSION TWO

EVALUATION AND MANAGEMENT REVIEW, CONTINUED

 Nonconformities and corrective actions.

 Audit results (internal and external).

 Inspections (regulatory, customer).

 Performance of external providers.

 Review of risks and opportunities and of the effectiveness of actions taken to

address them.

 Extent to which objectives of the FSMS have been met.

 Adequacy of resources.

 Any emergency situations, incident or withdrawal/recall that occurred.

 Relevant information obtained through external and internal communication, including

requests and complaints from interested parties.

 Opportunities for continual improvement.

The outputs of the management review shall include decisions and actions related to (clause
9.3.3):

 Continual improvement opportunities.

 Any need for changes to the FSMS, including resource needs and revision of the
safety policy and objectives of the FSMS.

 Records of the management review shall be maintained.

FSSC 22000 V5.1 IA VILT TC P a g e | 52

Learner Guide 08 02 2021
 SESSION TWO

IMPROVEMENT, CLAUSE 10

NONCONFORMITY AND CORRECTIVE ACTION

Any FSMS, when being managed appropriately, will identify gaps and issues from the
“Checking” activities (verification and validation) that will require some action to be taken.

In the processing of end products, when integrity to food safety has been compromised, or
there is some doubt that the system parameters have been breached, the Food Safety Team,
Operators or Management will need to implement suitable restrictions and controls.

Corrections, corrective actions and any other means may need to be implemented to control
products which are nonconforming or potentially unsafe.

Product withdrawals/recalls are also an option if the products that have been deemed unsafe
have been delivered to the customer/consumer.

Note: That corrective action needs the input of a competent person and its scope includes trend
analysis and prevention of recurrence of the issue.

UPDATE OF THE FSMS

Updating of the FSMS is a requirement that Top Management must ensure takes place. It is an
action output from the ongoing review and analysis of the FSMS through:

 Internal communication.

 Meetings.

 External communication, e.g. legal bodies, withdrawals/recalls, customer complaints.

 Changes in legislation.

 Changes in raw materials, finished products etc.

The scope of this evaluation should cover the whole FSMS, starting with the issues which
trigger an update through to the successful implementation of the change. Consideration must
then be given whether it is necessary to review the:

 Hazard analysis.

 Established PRPs.

 Hazard control plan, i.e. CCPs & OPRPs.

FSSC 22000 V5.1 IA VILT TC P a g e | 53

Learner Guide 08 02 2021
 SESSION TWO

PRE-REQUISITE PROGRAMS (PRP)

The PRPs within any FSMS are the foundation of the food hygiene and food safety controls.
They include controls such as GMP, hygiene and any minimum legal requirements for the
hygiene environment of the food production facility.

As discussed previously ISO 22000:2018 requires, in clause 8.2, that organisations shall select
and implement specific PRPs for basic hygiene conditions, ISO 22000:2018 on PRPs did not
fulfil the GFSI’s benchmarking requirements and therefore these technical specifications were
developed and are used in addition to ISO 22000:2018 to provide an agreed set of
requirements recognised globally.

Specific technical specifications for each food sector have been developed by leading food
industry experts to cover sector specific PRP requirements, e.g.:

 ISO/TS22002-1 Food Manufacturing.

 ISO/TS22002-2 Catering.

 ISO/TS22002-3 Farming.

 ISO/TS22002-4 Food Packaging Manufacturing.

 ISO/TS22002-5 Transport and Storage.

 ISO/TS22002-6 Feed and Animal Food Production.

 BSI/PAS 221:2013 Retail and Wholesale.

See the FSSC website for the most up to date list of recognised PRPs.

In the technical specifications the requirement of each food sector PRPs are outlined. Some of
these include PRPs such as:

 Construction and layout of buildings.  Pest control.

 Equipment suitability, cleaning and  Personnel hygiene and employee

maintenance. facilities.

 Utilities – air, water, energy.  Rework.

 Waste disposal.  Product recall procedures.

 Layout of premises and workspace.  Warehousing.

FSSC 22000 V5.1 IA VILT TC P a g e | 54

Learner Guide 08 02 2021
 SESSION TWO

 Management of purchased materials.  Product information/consumer

awareness.
 Measures for prevention of cross
 Food defence, biovigilance and
contamination;
bioterrorism.
 Cleaning and sanitizing.

When establishing, implementing and maintaining these PRPs, organisations shall consider
other appropriate information such as:

 Regulatory requirements in the country where the food is produced and where the food
is going to be sold and consumed.

 Recognised sector or product group codes of practices and guidelines.

 Customer requirements.

The operational conditions of the FSMS and the conditions of the PRPs shall be specified
and documented, fully operational and verified to facilitate the successful implementation of
the FSMS.

FSSC 22000 V5.1 IA VILT TC P a g e | 55

Learner Guide 08 02 2021
 SESSION TWO

FSSC V5.1 ADDITIONAL REQUIREMENTS

Additional requirements have been introduced to meet the needs of key stakeholders and the
GFSI benchmark document, to ensure adequate control of food safety specific requirements for
the FSMS are included in the scheme.

This section outlines the requirements for certification against which Certification Bodies audit
the Food Safety Management System of the organisation in order to achieve certification
against FSSC 22000.

MANAGEMENT OF SERVICES AND PURCHASED MATERIALS

In addition to clause 7.1.6 of ISO 22000:2018 organisations shall ensure, that when laboratory
analysis services are used for verification/validation of food safety, these shall be conducted by
a competent laboratory that has the capability to produce precise and repeatable test results
using validated test methods and best practices. This can include the laboratory being
approved against ISO 17025.

For food chain categories C, D, I, G and K, the following additional requirements applies to ISO
22000:2018 clause 7.1.6. The organisation shall have a documented procedure for
procurement in emergency situations to ensure that products still conform to specified
requirements and the supplier has been evaluated.

In addition to ISO/TS 22002-1:2009 clause 9.2, the organisation shall have a policy for the
procurement of animals, fish and seafood that are subject to control prohibited substances (e.g.
pharmaceuticals, veterinary medicines, heavy metals and pesticides).

For food chain categories C,D I,G and K, the following additional requirement applies to ISO/TS
22002-1 clause 9.2; ISO/TS 22002-4 clause 4.6 and ISO/TS 22002-5 clause 4: The
organisation shall establish, implement and maintain a review process for product specifications
to ensure continued compliance with food safety, legal and customer requirements.

PRODUCT LABELLING

In addition to clause 8.5.1.3 of ISO 22000:2018 organisations shall ensure that statutory and
regulatory requirements from the country of intended sale is checked against, to ensure
products are labelled according to all applicable statutory and regulatory requirements in the
country of intended sale, including allergen and customer specific requirements. Where a
product is unlabelled, all relevant product information shall be made available to ensure safe
use of the food by the customer or consumer.
FSSC 22000 V5.1 IA VILT TC P a g e | 56
Learner Guide 08 02 2021
 SESSION TWO

FOOD DEFENCE

Organisations must have documented procedures for threat assessments to successfully

identify and assess potential threats and to develop and implement mitigation measures for
significant threats.

Organisations must have a clear and concise documented food defence plan which is required
to specify the mitigation measures, covering the processes and products within the FSMS
scope. The plan with be required to comply with applicable legislation and be kept up-to-date.

FOOD FRAUD MITIGATION

Organisations must have a documented procedure to conduct food fraud assessments to

identify and assess potential vulnerabilities, and to develop and implement mitigation
measures.

A fraud mitigation plan must be in place and documented specifying the measures covering the
processes and products within the FSMS scope. The plan must also comply with any relevant
legislation and be kept up to date.

LOGO USE

Organisations shall use the FSSC 22000 logo, once certified, to the standard and for marketing
activities only.

MANAGEMENT OF ALLERGENS (CATEGORIES C, E, FI, G, I AND K)

Organisations must have a documented allergen plan that includes risk assessments covering
all potential sources of allergen cross-contamination and control measures to reduce risks.

ENVIRONMENTAL MONITORING (CATEGORIES C, I AND K)

Organisations must have a documented procedure for a risk-based environmental monitoring

program to evaluate the effectiveness of controls on preventing contamination from the
manufacturing environment. As a minimum this must include the evaluation of microbiological
and allergen controls that might be present. Monitoring activities of the data, including regular
trends, must also be in place.

FSSC 22000 V5.1 IA VILT TC P a g e | 57

Learner Guide 08 02 2021
 SESSION TWO

FORMUALATION OF PRODUCTS (CATEGORY D ONLY)

Organisations must have a procedure in place to manage the use of ingredients that contain
nutrients which can have adverse animal health impact.

TRANSPORT AND DELIVERY (CATEGORY FI ONLY)

Organisations must ensure that products are delivered and transported under conditions which
minimise potential contamination.

STORAGE AND WAREHOUSING

The organisation shall establish, implement, and maintain a procedure and specified stock
rotation system that includes FEFO principles in conjunction with the FIFO requirements.

In addition to ISO/TS 22002-1:2009 clause 16.2, the organisation shall have specified
requirements in place that define post-slaughter time and temperature in relation with chilling
and freezing of the products.

HAZARD CONTROL MEASURES FOR PREVENTING CROSS-CONTAMINATION (FOOD

CHAIN CATEGORIES CI & I)

For food chain category I, the following additional requirement applies to ISO 22000:2018
clause 8.5.1.3. The organisation shall have specified requirements in place in case packaging
is used to impart or provide a functional effect on food (e.g. shelf-life extension).

For food chain category CI, the following requirements apply in addition to ISO/TS 22002-
1:2009 clause 10.1. The organisation shall have specified requirements for an inspection
process at lairage and/or at evisceration to ensure animals are fit for human consumption.

PRP VERIFICATION (FOOD CHAIN CATEGORIES C, D, G, I & K)

For food chain categories C, D, G, I and K the following additional requirements applies to ISO
22000:2018 clause 8.8.1. The organisation shall establish, implement, and maintain routine
(e.g. monthly) site inspections/PRP checks to verify that the site (internal and external),
production environment and processing equipment are maintained in a suitable condition to
ensure food safety. The frequency and content of the site inspections/PRP checks shall be
based on risk with defined sampling criteria and linked to the relevant technical specification.

FSSC 22000 V5.1 IA VILT TC P a g e | 58

Learner Guide 08 02 2021
 SESSION TWO

PRODUCT DEVELOPMENT (FOR FOOD CHAIN CATEGORIES C, D, E, F, I & K)

A product design and development procedure shall be established, implemented and

maintained for new products and changes to product manufacturing processes to ensure safe
and legal products are produced. This shall include the following:

 Evaluation of the change on the FSMS taking into account any new food safety
hazards (including allergens) introduced and updating the hazard analysis accordingly.

 Consideration of the impact on the process flow for the new product and existing
products and processes.

 Resource and training needs.

 Equipment and maintenance requirements.

The need to conduct production and shelf-life trials to validate product formulation and
processes are capable of producing a safe product and meet customer requirements.

HEALTH STATUS (FOOD CHAIN CATEGORY D ONLY)

In addition to ISO/TS 22002-6 clause 4.10.1, the organisation shall have a procedure to ensure
that the health of personnel does not have an adverse effect on the feed production operations.
Subject to legal restrictions in the country of operation, employees shall undergo a medical
screening prior to employment in feed contact operations, unless documented hazards or
medical assessment indicates otherwise. Additional medical examinations where permitted,
shall be carried out as required and at intervals defined by the organisation.

REQUIREMENTS FOR ORGANISATIONS WITH MULTI-SITE CERTIFICATION (FOOD

CHAIN CATEGORY A, E, FI & G)

Central Function

 The management of the central function shall ensure that sufficient resources are
available, and that roles, responsibilities and requirements are clearly defined for
management, internal Auditors, technical personnel reviewing internal audits and other
key personnel involved in the FSMS.

FSSC 22000 V5.1 IA VILT TC P a g e | 59

Learner Guide 08 02 2021
 SESSION TWO

Internal Audit Requirements

 An internal audit procedure and program shall be established by the central function
covering the management system, central function, and all sites. Internal Auditors shall
be independent from the areas they audit and be assigned by the central function to
ensure impartiality at site level.

 The management system, centralised function and all sites shall be audited at least
annually or more frequently based on risk assessment.

 Internal Auditors shall meet at least the following requirements, and this shall be
assessed by the CB annually as part of the audit:

 Work experience: Two years full-time work experience in the food industry
including at least one year in the organisation.

 Education: Completion of a higher education course or, in the absence of a

formal course, have at least five years work experience in the food production or
manufacturing, transport and storage, retailing, inspection or enforcement areas.

 Internal audit reports shall be subject to a technical review by the central function,
including addressing the nonconformities resulting from the internal audit. Technical
reviewers shall be impartial, have the ability to interpret and apply FSSC normative
documents (at least ISO 22000, the relevant ISO/TS 22002-x, PAS-xyz and the FSSC
additional requirements) and have the knowledge of the organisations processes and
systems.

 Internal Auditors and technical reviewers shall be subject to annual performance

monitoring and calibration. Any follow-up actions identified shall be suitably actioned in
a timely and appropriate manner by the central function.

FSSC 22000 V5.1 IA VILT TC P a g e | 60

Learner Guide 08 02 2021
 SESSION TWO

FSSC 22000 V5.1 IA VILT TC P a g e | 61

Learner Guide 08 02 2021
 SESSION THREE

SESSION THREE

AUDIT DEFINITION, TYPES AND

PRINCIPLES

FSSC 22000 V5.1 IA VILT TC P a g e | 62

Learner Guide 08 02 2021
 SESSION THREE

AUDIT DEFINITION, TYPES AND PRINCIPLES

OBJECTIVES

When you have completed this session, you will be able to:

 Define the terms and definitions and principles involved in auditing.

 Explain the definition, scope and objectives of first, second and third-party audits of
management systems.

KEY POINTS

 Audit definitions.

 Types of audit.

FSSC 22000 V5.1 IA VILT TC P a g e | 63

Learner Guide 08 02 2021
 SESSION THREE

AUDIT DEFINITION, TYPES AND PRINCIPLES

INTRODUCTION

An audit can be conducted against a range of criteria relating to requirement defined in one or
more management system standards, policies and requirements specified by relevant
interested parties, statutory and regulatory requirements, one or more management system
processes defined by the organisation or other parties and management system plan(s) relating
to the provision of specific outputs of a management system (e.g. quality plan, project plan).

DEFINITION

ISO 19011 defines an audit as a:

“Systematic, independent and documented process for obtaining objective

evidence and evaluating it objectively to determine the extent to which audit
criteria are fulfilled.”

In other words, an audit is a check that the management system is operating effectively and in
accordance with the system criteria. ISO 19011, guidelines for auditing management systems,
sets out the process by which audits are conducted.

ISO 19011 contains guidance on:

 Principles of auditing.

 Managing an audit programme.

 Conducting an audit/

 Competence and evaluation of Auditors.

TYPES OF AUDIT

There are three types of management system audit: First-party, Second-party and Third-party.

FSSC 22000 V5.1 IA VILT TC P a g e | 64

Learner Guide 08 02 2021
 SESSION THREE

FIRST-PARTY (INTERNAL AUDIT)

Definition: An audit by the organisation of its own management system and procedures, also
known as an internal audit.

Objective: To assure maintenance, development and continual improvement of the

management system.

Scope: The audit will look into problem areas where processes do not align with each other,
there are opportunities for improvement and the effectiveness of the management system.

SECOND-PARTY

Definition: An audit by the organisation on its suppliers and sub-contractors, or an audit on the
organisation by its customer/s.

Objective: To determine suitability of suppliers; and to appraise supplier/sub-contractor’s

performance in respect of the management system. Also, for potential customers to check that
the organisation has a solid management system and could therefore be a suitable supplier
and/or for actual customers to check the performance of the organisation on a given contract or
job.

Scope: These requirements may include special control over certain processes or
requirements. These audits can be done on-site by reviewing the processes or even off-site by
reviewing documents submitted by the supplier. The customer can audit all or part of the
contract – whatever they see a need to audit.

THIRD-PARTY

Definition: Audit carried out by an auditing organisation independent of the client and the user,
for the purpose of certifying the client’s management system (ISO/IEC 17021).

Objective: To determine whether an organisation’s management system has been established,

documented, implemented and maintained in accordance with a specified standard.

Scope: This audit is specific to the requirements of the standard and certifying compliance.

FSSC 22000 V5.1 IA VILT TC P a g e | 65

Learner Guide 08 02 2021
 SESSION THREE

PRINCIPLES OF AUDITING

Auditing is characterised by reliance on a number of principles. These principles should help to

make the audit an effective and reliable tool in support of management policies and controls, by
providing information on which an organisation can act in order to improve its performance.

INTEGRITY

Integrity is the foundation of professionalism. Auditors must carry out their work with honesty,
diligence and responsibility. They must apply and meet any legal requirements and
demonstrate their competence.

Auditors must conduct their work in an impartial manner, remaining fair and unbiased in all
findings. They must also be sensitive to any influences that may be exerted on their judgement
when carrying out the audit.

FAIR PRESENTATION

Auditors have an obligation to report audit findings, audit conclusions and audit reports truthfully
and accurately on all the audit activities. Any unresolved or diverging opinions between the
audit team and the auditee and any obstacles encountered should be reported. Communication
should be truthful, accurate objective, timely, clear and complete.

DUE PROFESSIONAL CARE

The application of due diligence and judgement in auditing requires Auditors to exercise a
degree of care appropriate to the importance of the task and to the confidence placed in them
by audit clients and other interested parties. Having the necessary competence is an important
part of this.

CONFIDENTIALITY

Auditors must be discreet in the use and protection of information that they acquire during an
audit. This includes the handling of sensitive or confidential information. Information should not
be used for personal gain, or used in any way that harms the auditee.

FSSC 22000 V5.1 IA VILT TC P a g e | 66

Learner Guide 08 02 2021
 SESSION THREE

INDEPENDENCE

Independence is the basis for the impartiality of the audit and objectivity of the audit
conclusions. Auditors must be independent of the function being audited. They must remain
free from bias and conflicts of interest. Auditors should maintain objective throughout the audit
process to ensure audit findings and conclusions are based only on the audit evidence.

EVIDENCE-BASED APPROACH

The rational method for reaching reliable and reproducible audit conclusions in a systematic
audit process uses an evidence-based approach.

Audit evidence must be verifiable. It should be based on samples of the information available,
since the audit is conducted during a finite period of time and with finite resources. The use of
sampling must be appropriate to the confidence placed in the audit conclusions.

ISO/IEC 17021-1 provides a number of principles that should be applied as guidance for the
decisions that may need to be made during an audit.

These principles are intended to inspire confidence to all parties that a management system
audit meets requirements.

The principles are:

 Impartiality.

 Openness.

 Competence.

 Confidentiality.

 Responsibility.

 Responsiveness to complaints.

RISK-BASED APPROACH

An audit approach that considers risks and opportunities uses a risk-based approach which
should influence the planning, conducting and reporting of audits in order to ensure that audits
are focused on matters that are significant for the audit client, and for achieving the audit
programme objective.

FSSC 22000 V5.1 IA VILT TC P a g e | 67

Learner Guide 08 02 2021
 SESSION THREE

FSSC 22000 V5.1 IA VILT TC P a g e | 68

Learner Guide 08 02 2021
 SESSION FOUR

SESSION FOUR

ROLES AND RESPONSIBILITIES

OF AUDITORS

FSSC 22000 V5.1 IA VILT TC P a g e | 69

Learner Guide 08 02 2021
 SESSION FOUR

ROLES AND RESPONSIBILITIES OF AUDITORS

OBJECTIVES

When you have completed this session, you will be able to:

 Describe the roles and responsibilities of the Audit Client, Auditors, Guides and
Observers.

 Explain the need for effective communication with the auditee throughout the audit
process.

KEY POINTS

 Roles and responsibilities.

 Behaviours.

 Supporting people.

 Managing the audit.

 Questioning techniques.

FSSC 22000 V5.1 IA VILT TC P a g e | 70

Learner Guide 08 02 2021
 SESSION FOUR

ROLES AND RESPONSIBILTIES OF AUDITORS

INTRODUCTION

Auditors play a key role in guaranteeing the effectiveness of the audit. The use of the process
approach is a requirement of ISO management system standards, and Auditors should
understand that auditing a management system is auditing an organisations processes and
their interactions in relation to one or more management system standards.

Auditors should:

 Review all relevant information related to their assigned audit tasks.

 Prepare any work documents (including checklists) necessary to carry out those tasks.

 Comply with the audit requirements.

 Carry out assigned duties effectively and efficiently.

 Report nonconformities and audit findings.

During any audit, the Auditor should:

 Stay within the audit scope.

 Communicate the audit requirements to the auditee.

 Collate the evidence from the audit both for and against conformity.

 Document any Corrective Action Requests (CARs).

 Report the audit findings to the auditee.

 Verify corrective actions taken in response to CARs.

 Retain and safeguard all documents pertaining to the audit.

FSSC 22000 V5.1 IA VILT TC P a g e | 71

Learner Guide 08 02 2021
 SESSION FOUR

PERSONAL BEHVAIOURS

Auditors should possess the necessary attributes to enable them to act in accordance with the
principles of auditing. Auditors should demonstrate professional behaviour whilst performing the
audit. These professional behaviours include being:

 Ethical, i.e. fair, truthful, sincere, honest and discreet.

 Open-minded, i.e. willing to consider alternative ideas or points of view; diplomatic, i.e.
tactful in dealing with individuals.

 Observant, i.e. actively observing physical surroundings and activities.

 Perceptive, i.e. aware of and able to understand situations.

 Versatile, i.e. able to readily adapt to different situations.

 Tenacious, i.e. persistent and focused on achieving objectives.

 Decisive, i.e. able to reach timely conclusions based on logical reasoning and analysis.

 Self-reliant, i.e. able to act and function independently while interacting effectively with
others.

 Able to act with fortitude, i.e. able to act responsibly and ethically, even though these
actions may not always be popular and may sometimes result in disagreement or
confrontation.

 Open to improvement, i.e. willing to learn from situations.

 Culturally sensitive, i.e. observant and respectful to the culture of the auditee.

 Collaborative, i.e. effectively interact with others, including audit team members and
the auditee’s personnel.

FSSC 22000 V5.1 IA VILT TC P a g e | 72

Learner Guide 08 02 2021
 SESSION FOUR

CONDUCTING THE AUDIT

SUPPORTING PEOPLE

During the audit the Auditor may come across several factors which will affect the effectiveness
of the audit. These factors can include the risks associated to the interaction with the
participants.

What are the risks from the interpersonal element of an audit?

 The auditee does not co-operate for whatever reason.

 The auditee genuinely feels that the process was not fair.

 There is just cause for complaint about the Auditor’s behaviour.

 The Auditor does not effectively find out the status of the process under audit.

Audits always involve interviews and are a one-to-one personal experience for both parties. In
some instances, this can cause the auditee to feel picked-upon, apprehensive, nervous,
threatened, angry and keen to vent their frustration. It’s important for the Auditor to take control
of the situation if this is the case so to not lose control of the audit.

The Auditor can do this by being:

 Alert and relaxed.

 Able to realise when the auditee is puzzled by the question being asked.

 Friendly and polite.

 Capable of being gently persistent.

 Non-threatening.

 Able to listen.

 Attentive to the auditees needs.

 Aware of the auditee’s attitude.

The whole process depends on the Auditor. They must manage the whole process to ensure
that situations are controlled in a professional manner allowing the auditee to be comfortable,
relaxed and communicative throughout.

FSSC 22000 V5.1 IA VILT TC P a g e | 73

Learner Guide 08 02 2021
 SESSION FOUR

SUPPORTING PEOPLE, CONTINUED

The Auditor must ensure that all planned criteria has been covered with timescales being met
and, if required, any changes are managed in the correct way, ensuring transparency
throughout the audit. If the Auditor manages the process in this way, it will mean that no-one
has just cause to consider a complaint.

The first impression is important, and so is body language. The Auditor should trust his or her
intuition and they should ask themselves:

 Do they appear nervous?

 Do they appear upset?

 Do they appear evasive?

The Auditor should try to understand why the auditee may feel that way. To support this, they
may wish to ask themselves the following questions:

 Did they not understand the question?

 Is there something to hide?

 Are they uncomfortable with this style of questioning?

 Do they disagree with the findings, but will not say so?

 Is there some other reason – non-work related?

 Is the Auditor being sensitive to their needs?

In these circumstances, the Auditor should quickly appraise the situation to check if the auditee
has misunderstood and, if necessary, defuse it. Take breaks when required and enquire further
about the ‘problem’ (whilst avoiding becoming involved in personal issues).

The right outcome during the audit is that the auditee feels that the process was fair, effective
and the conclusions drawn were fair, accurate and they accept them.

FSSC 22000 V5.1 IA VILT TC P a g e | 74

Learner Guide 08 02 2021
 SESSION FOUR

POSITIVE AND PROFESSIONAL

The Auditor should adopt a positive, professional and constructive approach and try to obtain a
co-operative, open and honest approach from the auditee.

To achieve these objectives, the Auditor should:

 Meet the area representative first.

 Always talk to those performing the task.

 Explain the purpose of the visit.

 Be calm, polite and reassuring.

 Never act in a condescending manner.

 Speak clearly and carefully.

Interviews are an important means of collecting information and should be carried out in a
manner adapted to the situation and person interviewed. However, the Auditor should consider
the following:

 Interviews with persons from different levels and functions, and especially with persons
performing activities or tasks under consideration.

 Whenever possible, the interview should be conducted during normal working hours
and at the normal workplace of the interviewed person.

 Every attempt should be made to put the interviewed person at ease prior to the
interview.

 The reason for the interview, and any note taking, should be explained.

 Interviews may be initiated by asking the persons to describe their work.

 The results from the interview should be summarised and any finding should be
verified with the interviewed person where possible.

 Leading questions should be avoided.

 The interviewed persons should be thanked for their participation and co-operation.

FSSC 22000 V5.1 IA VILT TC P a g e | 75

Learner Guide 08 02 2021
 SESSION FOUR

QUESTIONING TECHNIQUES

CLOSED QUESTIONS

Closed questions are used to elicit small specific pieces of information and invite a brief
response from the interviewee. For Auditors, the best use of the closed question is to confirm
factual details.

 “Are you the only person doing this job?”

 “Is that where you keep the records?”

 “Have you had any training for this?"

An interview that proceeds along these lines is more like an interrogation than a conversation,
and the information is strictly factual, with no explanation or clarification.

Auditors interview in order to gather information as to whether a process is working effectively,

closed questions do not always achieve this. A good audit will comprise 70% open questions,
30% closed; 60:40 is not bad, but anything that tips the balance towards more closed questions
will mean that the audit is very stilted and can be a difficult situation for both the Auditor and
auditee.

OPEN QUESTIONS

Open questions allow the interviewee to include more information, including feelings, attitudes
and more detail on the subject. This allows the Auditor to better assess their true thoughts and
feelings on an issue. There are six words that are important to any Auditor. These are:

 How?

 What?

 Where?

 When?

 Who?

 Why?

FSSC 22000 V5.1 IA VILT TC P a g e | 76

Learner Guide 08 02 2021
 SESSION FOUR

OPEN QUESTIONS, CONTINUED

You should ask efficient, open-ended questions to elicit information and avoid terse, brief
replies. Open-ended questions invite the interviewee to “open-up” on a topic. They encourage
the interviewee to speak, rather than nodding their response. For example:

 “How are you getting on?"

 “What records do you complete?"

 “Where do you keep the documents?"

 “How were you trained for this?"

This style of questioning makes it easier for the interviewee. They are being given the space to
speak and to relax and the interview becomes more of a conversation and flows well.

However, you will need to continue to focus on the task under question to maintain the control
and direction of the audit.

Rather than ask a question an Auditor may request an auditee to “SHOW ME”. This is also a
very important way for an Auditor to elicit information.

FOLLOW-UP QUESTIONS

These questions are used to develop and focus an answer to an open-ended question.

 “What about the documents you use?"

 “Where did you say you keep the records?"

 “Is that right, you received only on-the-job training for this?"

SUMMARY AND RE-RUN

This is the process of summarising various points from the interviewee and obtaining their
confirmation that these are accurate. As the interview progresses, the interviewee will produce
lots of information. You will need to select that which is important to retain and understand.
Periodically, you may interject a summary sentence with an interrogative inflection:

 “So, the way this is described in the procedures is not accurate?"

 “So, this part of the document is not completed because they do not give you the exact
information?"

FSSC 22000 V5.1 IA VILT TC P a g e | 77

Learner Guide 08 02 2021
 SESSION FOUR

SUMMARY AND RE-RUN, CONTINUED

You need to ensure that you keep control of the interview and focus on the issues where you
need information. And of course, at the end of the interview, make sure that you thank the
interviewee for their co-operation and openness.

The Auditor must control the audit. It’s important that they do not get side-tracked or be
led/misled. The Auditor must dictate the pace and should not make any assumptions.

The Auditor must:

 Be prepared.

 Talk as little as possible.

 Be punctual.

 Avoid misunderstandings.

 Be polite and calm.

 Keep questions clear and concise.

 Give positive feedback.

 Insist on the person being questioned to answer for themselves

The Auditor must be prepared for, and be aware of, a range of possible occurrences. For
example:

 Aggressive auditees.

 Emotional blackmail.

 Timid auditees.

 Special requirements.

 People that do not turn up.

 Local issues and cultural custom.

 Missing documents.

 Pre-prepared samples (always choose your own).

When faced with these situations, the Auditor must act decisively, professionally and fairly,
keeping in mind the objectives and purpose of the onsite audit.

FSSC 22000 V5.1 IA VILT TC P a g e | 78

Learner Guide 08 02 2021
 SESSION FOUR

FSSC 22000 V5.1 IA VILT TC P a g e | 79

Learner Guide 08 02 2021
 SESSION FOUR

FSSC 22000 V5.1 IA VILT TC P a g e | 80

Learner Guide 08 02 2021
 SESSION FIVE

SESSION FIVE

THE AUDIT PROCESS

FSSC 22000 V5.1 IA VILT TC P a g e | 81

Learner Guide 08 02 2021
 SESSION FIVE

THE AUDIT PROCESS

OBJECTIVES

When you have completed this session, you will be able to:

 Determine the audit objectives, the purpose and significance of the audit scope and
criteria.

 Identify the importance of selecting a competent audit team and explain how to do this
effectively.

 Outline the different audit methods, including on-site and remote audit activities and
audit activities requiring human interaction and non-human interaction.

 Explain the need for effective communication with the auditee throughout the audit
process.

KEY POINTS

 Audit objectives, scope and criteria.

 Audit methods and evidence.

FSSC 22000 V5.1 IA VILT TC P a g e | 82

Learner Guide 08 02 2021
 SESSION FIVE

THE AUDIT PROCESS

INTRODUCTION

An internal audit programme will be planned to take into consideration the status and
importance of the processes and areas to be audited, as well as the results of previous audits.

Each individual audit should be based on defined audit objectives, scope and criteria. These
should be consistent with the overall audit programme objectives defined by the organisation.

AUDIT OBJECTIVES

Each individual audit should be based on defined audit objectives, scope and criteria. The audit
objectives define what is to be accomplished by the individual audit and may include the
following:

 Confirming that the management system complies with all the elements of the
standard.

 Determining as to whether the management system is designed to achieve and is

achieving, regulatory compliance and continual improvement in the performance of the
system processes.

 Confirming that the organisation complies with its own policies and procedures.

 Evaluating the capability of the management system to ensure compliance with

legislative and contractual requirements.

 Evaluating the effectiveness of the implemented management system in meeting

specified objectives.

 Identifying areas of potential improvement of the management system.

FSSC 22000 V5.1 IA VILT TC P a g e | 83

Learner Guide 08 02 2021
 SESSION FIVE

AUDIT SCOPE

The audit scope should be consistent with the audit programme and audit objectives. The audit
scope (what you look at during the audit) describes the extent and boundaries of the audit in
terms of factors such as:

 Physical locations.

 Products, activities and processes.

 Organisational units.

 Duration of the audit.

THE AUDIT CRITERIA

The audit criteria (the requirements you audit against) are used as a reference against which
conformity is determined.

The audit criteria may include:

 Requirements of the management system standard.

 Applicable policies.

 Procedures and Standard Operating Procedures (SOPs).

 Risk and opportunities identified by auditee.

 Regulations and legislation.

 Contract requirements.

 Industry sector codes of conduct.

FSSC 22000 V5.1 IA VILT TC P a g e | 84

Learner Guide 08 02 2021
 SESSION FIVE

THE AUDIT PROCESS FOR COLLECTING AND VERIFYING AUDIT EVIDENCE

Only information that can be subject to some degree of verification should be accepted as audit
evidence. The diagram below shows an overview of the audit process of collecting and verifying
audit evidence to reach audit conclusions from ISO 19011:2018.

• Source of Information

• Collecting by means of appropriate sampling

• Audit evidence

• Evaluating against audit criteria

• Audit findings

• Reviewing findings

• Audit conclusions

FSSC 22000 V5.1 IA VILT TC P a g e | 85

Learner Guide 08 02 2021
 SESSION FIVE

SELECTING AND DETERMINING AUDIT METHODS

Those managing the audit programme should select and determine the methods for effectively
conducting an audit. This will depend on the audit objectives, scope and criteria as well as the
duration and location.

Audits can be performed on-site, remotely or as a combination of the two. The method should
consider the associated risks and opportunities and be selected as appropriate to ensure
effectiveness of the audit.

ON-SITE AUDITING

On-site auditing is the preferred way to audit. Audit methods for an on-site audit can include:

 Interviews, checklists and questionnaires with auditee participation.

 Sampling.

 Document review.

 Observing work being performed.

REMOTE AUDITING

Remote audits can be performed at any place other than at the location of the auditee and
irrespective of the distances involved. The feasibility of this method will depend on the level of
confidence that exists between the Auditor and the audit client or auditee. Remote auditing also
refers to activities that are conducted off-site such as the:

 Document review.

 Completion of checklists.

 Analysis of data.

What is a remote audit?

A remote audit is one that is conducted off-site using mobile or desktop applications (ICT). The
audit plan must address the scope of the remote audit. Personnel with responsibilities
pertaining to the audit plan will need to be available for their relevant parts of the audit, this
includes Top Management for the opening and closing meetings.
FSSC 22000 V5.1 IA VILT TC P a g e | 86
Learner Guide 08 02 2021
 SESSION FIVE

Benefits of a remote audit

The value of this audit method resides in its potential to provide flexibility to achieving audit
objectives. Technology has made remote auditing more feasible and opens the opportunity to
audit sites remotely which reduces travel time and costs and the environmental impact posed
from audit travel.

Risks of a remote audit

We must also consider the limitations and risks posed from using technology in remote
auditing. Risks include; information security, data protection, reliability and quality of the
objective evidence collected. The following are questions that may arise:

 When watching images, are we looking at real time images or are we looking at video
records?

 Can we capture everything about the remote site or are we being guided by selected
images?

 When planning for a remote interview, will there be a stable internet connection and
the person to be interviewed knows how to use it?

 Can the processes and sites to be audited be realistically audited off-site?

 Can you have a good overview of the facilities, equipment, operations and controls?
Can you access all the relevant information?

Many of these questions can only be answered after a visit to the site.

Remote audit technology

The use of technology for remote auditing will only be successful if the right conditions are in
place. The availability of information and communication technologies may be used to conduct
all or some of the audit remotely. There are different technologies which can be used for remote
audits these include:

 Remote audit software.

 Web conferencing.

 Client hosted systems.

FSSC 22000 V5.1 IA VILT TC P a g e | 87

Learner Guide 08 02 2021
 SESSION FIVE

Remote audit software

A remote auditing software which directly connects the auditee with the audit team, wherever
they are working in the world. The auditee can interact with the audit team and share
information in real-time.

Web conferencing

Remote audits can be conducted via various web conferencing programs like Skype, Zoom and
Microsoft Teams. Web conferencing allows the Auditor the opportunity to view objective
evidence in real time watching online live images of remote sites.

Client hosted systems

In some cases, client systems can be used for the remote audit. The auditee can offer access
to their systems for the Auditor to view objective evidence.

AUDIT ACTIVITIES

Interactive audit activities involve interaction between the audit client’s personnel and the audit
team. Examples include:

 Conducting interviews.

 Observing work performed with remote guide.

 Completing checklists and questionnaires.

 Conducting document review with auditee participation.

Non-interactive audit activities are those where there is no human interaction between the
auditee and the audit team, for example:

 Conducting document review (e.g. records, data analysis).

 Observing work performed via surveillance means, considering social and statutory
and regulatory requirements.

 Analysing data.

 Most audits will be made up of a mix of interactive and non-interactive activities.

FSSC 22000 V5.1 IA VILT TC P a g e | 88

Learner Guide 08 02 2021
 SESSION FIVE

AUDIT ACTIVITIES, CONTINUED

Examples of requirements, activities and process that are likely to be remote audited:

AUDIT ACTIVITIES REMOTE INTERACTION

Opening and closing meetings with people from
different sites.

Audit plan reviewing at different stages of the Phone call, video conference.
audit.
Web meeting.
Intermediate conclusions report.

Audit team intermediate meetings.

Organisation’s processes/activities/people:

a) People working from home or off-site.

b) Processes or activities, where the audit

objective is mainly the review of documents
and explanatory information obtained Video conference with screen share.
through interview, such as purchasing, Real-time video images obtained with drones,
human resources/training, commercial mobile or fixed video cameras.
processes, design and development. Many
Access to video monitoring of sites.
of these activities are performed by Shared
Services.
c) Infrastructure that has a wide territorial
range such as water or energy
transportation.

Particular situations: Video conference, real time images, shared

screen, asynchronous document and data
a) Participation of experts.
review

Additional guidance for remote auditing can be found in the ISO APG Guidance on Remote
Audits.

FSSC 22000 V5.1 IA VILT TC P a g e | 89

Learner Guide 08 02 2021
 SESSION FIVE

AUDITOR SELECTION

As soon as the audit has been agreed, the Auditor needs to be appointed. The Auditor should
be able to be objective; this normally means that they will not be auditing their own work or line
of management. It is important that an Auditor has some knowledge of:

 Legislation and other requirements.

 The technology used.

 Specific activities assessed.

 Ideally be ‘trained’.

OBSERVERS

The presence and justification of Observers during an audit activity may help train more
Auditors, but a large group of people (Managers/Auditors/Observers) may inhibit staff.

GUIDES

On internal audits, Guides are not usually needed unless the company is large or has many
sites.

Guides are assigned to the audit team to facilitate the audit. It is the responsibility of the audit
team to ensure that Guides do not influence or interfere in the audit process or outcome of the
audit.

FSSC 22000 V5.1 IA VILT TC P a g e | 90

Learner Guide 08 02 2021
 SESSION FIVE

FSSC 22000 V5.1 IA VILT TC P a g e | 91

Learner Guide 08 02 2021
 SESSION FIVE

FSSC 22000 V5.1 IA VILT TC P a g e | 92

Learner Guide 08 02 2021
 SESSION SIX

SESSION SIX

PREPARING FOR THE INTERNAL

AUDIT

FSSC 22000 V5.1 IA VILT TC P a g e | 93

Learner Guide 08 02 2021
 SESSION SIX

PREPARING FOR THE INTERNAL AUDIT

OBJECTIVES

When you have completed this session, you will be able to:

 Explain the structure, determine the duration and select appropriate audit activities.

 Prepare an audit plan.

 Explain the advantages and possible disadvantages of using a checklist.

 Prepare an audit checklist.

KEY POINTS

 The audit plan.

 Work documents.

 Process-based auditing.

 Audit checklist.

FSSC 22000 V5.1 IA VILT TC P a g e | 94

Learner Guide 08 02 2021
 SESSION SIX

PREPARING FOR THE INTERNAL AUDIT

INTRODUCTION

When preparing for the audit it’s important for the Auditor to consider the audit process. This
involves planning what information, document and records are needed for the audit, as well as
making arrangements for proposed dates and timings.

DETERMINING AUDIT TIME

The audit duration will need to be determined and will be affected by the requirements of the
relevant management system standard, the size and complexity, geography (number of sites
and location), the technological and regulatory context and whether there is any outsourcing of
any activities included in the scope of the management system.

Results of any previous audits and the risks associated with the products, processes or
activities of the organisation will also be a key factor in the timings of the audit.

THE AUDIT PLAN

The Audit Team Leader should prepare a plan for the on-site audit activities. The plan should
provide the necessary information for the audit team and auditee. It should enable the
scheduling and co-ordination of the audit activities. An example of an audit plan pro-forma is set
out in Appendix 3.

The level of detail should be adapted to suit the scope and complexity of the audit. The details
may differ between audits.

When developing the plan, the Audit Team Leader should consider the:

 Appropriate sampling techniques.

 Composition of the audit team and its collective competence.

 Risks to the organisation created by the audit, for example, the presence of the audit
team influencing health and safety, environment and food safety or security and the
threat to the auditee’s products, services.

 Personnel or infrastructure (if applicable) and if there are any specific requirements by
the client then these need to be considered.

FSSC 22000 V5.1 IA VILT TC P a g e | 95

Learner Guide 08 02 2021
 SESSION SIX

THE AUDIT PLAN, CONTINUED

The audit plan should include:

 Audit objectives and scope.

 Audit criteria and reference documents.

 Dates and places where the on-site audit activities are to be conducted.

 Identification of the organisational and functional units and processes to be audited.

 Time and duration for on-site audit activities.

 Time and duration of meetings with the auditee’s management and audit team
meetings.

The plan may also include, as appropriate:

 The identification of the auditee’s key representatives participating in the audit.

 The language(s) where this is different from the language of the Auditor(s) and/or the
auditee.

 Roles and responsibilities of the audit team members and any accompanying persons.

 The audit report topics including any methods of nonconformity classifications.

 Format and structure.

 Logistic arrangements (travel, on-site facilities).

 Safety and possible need for PPE/special garments.

 Matters related to confidentiality.

 Any arrangements for audit follow-up actions.

 Expected date of issue and distribution.

For a typical, relatively brief and focussed internal audit, many of the above issues may not be
relevant.

The audit plan should be sufficiently flexible to permit changes, such as any changes in
emphasis that may become necessary as the audit activities progress. An example of an audit
plan or itinerary is shown overleaf. Any revised audit itinerary should be agreed before
continuing.

FSSC 22000 V5.1 IA VILT TC P a g e | 96

Learner Guide 08 02 2021
 SESSION SIX

Example of an audit plan pro-forma

Organisation:

Address: Date(s) On-site:

Lead Auditor:

Team Member(s):

Standard(s):

Audit Language:

Audit Scope and

Observations:

Criteria and
Reference Docs:

Date Time Auditor Area / Department / Process / Key Contact

Function

Notes:

 Times are approximate and will be confirmed at the opening meeting prior to
commencement of the audit.

 Auditors reserve the right to change or add to the elements listed before or during the
audit depending on the results of on-site investigation.

 A private place for preparation, review and conferencing is requested for the Auditor’s
use.

 Please provide a light working lunch on-site each audit day.

FSSC 22000 V5.1 IA VILT TC P a g e | 97

Learner Guide 08 02 2021
 SESSION SIX

WORK DOCUMENTS

Work documents are those used by the audit team for the purpose of reference and/or
recording the audit. They can include:

 Audit procedures, checklists and sampling plans.

 The audit plan.

 Checklists, for recording information and supporting evidence.

 Records of meetings.

 Forms for reporting nonconformities and audit findings.

The use of these documents, such as audit plans, checklists and forms, should not restrict the
extent of audit activities.

Work documents should be retained, at least until audit completion. Audit team members
should suitably safeguard those involving confidential or proprietary information.

THE TURTLE DIAGRAM

In some situations, there may not be explicit documents such as procedures or work
instructions that enable the Auditor to develop a checklist easily. Instead, the Auditor may be
faced with little more than a process map covering several complicated task and activities.

Nonetheless, the Auditor will need to ensure that the tasks and activities needed to deliver the
food safety process objectives and the audit criteria have been addressed.

The Auditor may gain an understanding of the factors involved in a process by mapping the
processes based on the requirements of the relevant standard or developing a Turtle Diagram.

A Turtle Diagram (see Appendix 5) may be used in any audit process. The Turtle Diagram acts
as a checklist for organising thoughts and questions around the key principles of any process. It
is a “memory jogger”, acting as a prompt to identify and investigate the various elements of the
processes: objectives, outputs, results and inputs (What? Who? How?).

The diagram may be adapted or amended as required. Those elements which are not
appropriate may be deleted and any other elements which should, or could, be addressed can
be added.

The completed “Turtle Diagram” may be used to compile a checklist or in place of, or in addition
to, a separate, detailed checklist.

FSSC 22000 V5.1 IA VILT TC P a g e | 98

Learner Guide 08 02 2021
 SESSION SIX

AUDIT CHECKLIST

The purpose of a checklist is to ensure that the objectives and scope of the audit are met, and
that every part of the audit is completed.

The development of the checklist takes place after the Auditor has gained an understanding of
the scope, process performance and the sequence of process activities or interaction.

The compilation of a checklist is a way of analysing the processes involved. The checklist acts
as a guide for the Auditor, it helps to structure and conduct the audit successfully.

ADVANTAGES OF USING A CHECKLIST

The checklist is used as a working document, and a record. The advantages of using a
checklist include:

 Aiding the preparation for the audit.

 Using the number of questions and size of samples to estimate the time required to
conduct an audit or parts of an audit.

 Supporting the Auditor to control the complexity and pace of the audit.

 Supporting the Auditor in planning for the audit.

 Utilising it as a means of recording responses by auditees.

POSSIBLE DISADVANTAGES OF USING A CHECKLIST

Although there are positives to using a checklist there are also disadvantages, as the use of
standardised checklists may stifle initiative and analysis of the processes or procedures. They
may also prevent the Auditor from investigating significant incidents simply because they were
not on the checklist.

FSSC 22000 V5.1 IA VILT TC P a g e | 99

Learner Guide 08 02 2021
 SESSION SIX

PREPARING THE CHECKLIST

The complexity or detail on a checklist will depend on the experience of the Auditor. An
example of a blank checklist is set out in Appendix 6. An example of a completed checklist is
shown in Appendix 7.

In preparing the checklist, the Auditor should consider:

 The processes which are taking place.

 Any relevant procedures.

 Documents and records being used.

 The requirements of the standard.

 The requirements of the management system.

FSSC 22000 V5.1 IA VILT TC P a g e | 100

Learner Guide 08 02 2021
 SESSION SIX

ACTIVITY TWO: PREPARING A CHECKLIST

PURPOSE

 This activity requires teams to prepare for an audit against the requirements of FSSC
22000 V5.1.

TASK

 You have been asked to conduct an internal audit of Big Brewery.

 The audit will focus on a meeting with Top Management to audit the organisation’s
continual improvement processes.

 You are looking for evidence that there is a planned and systematic approach to
continual improvement in accordance with the requirements of FSSC 22000 V5.1.

 To conduct the audit effectively:

 Develop a checklist using the forms provided to address at least ten

requirements which together cover the following areas:

• Policy.

• Objectives and plans to meet those objectives.

• The internal audit programme.

• Management review.

 Your preparation may cover the following areas:

 Confirmation that the policy is appropriate to the purpose and context of the
organisation.

 The methods by which the policy is communicated to employees.

 Consideration was given to the needs and expectations of interested parties and
how they are given access to the policy.

 The reasoning behind the adoption of objectives and plans to achieve the
objectives.

 The methods by which the policy and plans have been communicated
throughout the organisation.

 The determination of resources to ensure that the SYSTEM is effective.

FSSC 22000 V5.1 IA VILT TC P a g e | 101
Learner Guide 08 02 2021
 SESSION SIX

TASK, CONTINUED

 Reports on the performance of the SYSTEM are produced and the actions taken
as a result of these reports.

 The internal audit arrangements.

 The output from the management review is consistent with the organisation’s
commitment to continual improvement of the system.

OUTPUT

 Feedback your findings for discussion by the whole group.

TIME ALLOWED

 Activity: 30 minutes.

 Feedback: 15 minutes.

FSSC 22000 V5.1 IA VILT TC P a g e | 102

Learner Guide 08 02 2021
 SESSION SIX

FSSC 22000 V5.1 IA VILT TC P a g e | 103

Learner Guide 08 02 2021
 SESSION SEVEN

SESSION SEVEN

CONDUCTING THE AUDIT

FSSC 22000 V5.1 IA VILT TC P a g e | 104

Learner Guide 08 02 2021
 SESSION SEVEN

CONDUCTING THE AUDIT

OBJECTIVES

When you have completed this session, you will be able to:

 Outline the process for conducting audit activities, from the opening meeting through to
preparing audit conclusions and closing the audit.

 Demonstrate the ability to:

 Conduct opening meetings effectively.

 Build rapport with the auditee during the audit, including sensitivity to the needs
and expectations of the auditee.

 Implement the audit plan, to use documented information for the audit and follow
audit trails.

 Collect and verify objective evidence by means of appropriate sampling.

KEY POINTS

 Collecting and verifying information.

 Opening meeting.

 Conducting the audit.

 Questioning techniques.

 Controlling the audit.

FSSC 22000 V5.1 IA VILT TC P a g e | 105

Learner Guide 08 02 2021
 SESSION SEVEN

CONDUCTING THE AUDIT

INTRODUCTION

The purpose of the audit is to evaluate the implementation, and effectiveness, of the
management system. The audit will normally take place within the department under review
and the areas covered will include:

 Information and evidence about conformity to the requirements of the applicable

management system standard or other normative document.

 Performance monitoring, measuring, reporting and reviewing against key performance

objectives and targets.

 The management system and performance in respect of legal compliance.

 Operational control of the auditee’s processes.

 Previous internal audits.

 Management review.

 Management responsibility for the policies.

The audit will also analyse the links between the normative requirements, policy, performance
objectives and targets, any applicable legal requirements, responsibilities, competence of
personnel, operations, procedures, performance data and internal audit findings and
conclusions.

OPENING MEETING

An opening meeting should be held with the management of the department being audited or,
where appropriate, those responsible for the functions or processes. Records of attendance at
the opening meeting should be kept. The purpose of the meeting is to:

 Present or to confirm the audit plan.

 Clarify how the audit activities will be undertaken.

 Establish communication.

FSSC 22000 V5.1 IA VILT TC P a g e | 106

Learner Guide 08 02 2021
 SESSION SEVEN

OPENING MEETING, CONTINUED

In an internal audit situation, this meeting is often quite informal and may not involve a formal
sit-down process. The meeting should be led by the Auditor including an introduction to all
participants and their roles, methods and procedures to be used to conduct the audit, advising
the auditee that the audit will only be a sample of the information available and to provide
reassurance of the element of uncertainty inherent in all audits.

The following items need to be considered and agreed as appropriate:

 The audit objectives, scope and criteria.

 The audit plan and other relevant arrangements.

 The date and time of the closing meeting.

 Interim meetings between the audit team and the auditee's management, and any late
changes.

 Formal communication links between the audit team and the auditee.

 Confirmation that during the audit, the auditee will be kept informed of audit progress.

 Confirmation that resources and facilities needed by the audit team are available.

 Matters relating to confidentiality.

 Relevant work safety, emergency and security procedures for the audit team.

 Availability, roles and identity of any Guides.

 Methods of reporting including nonconformities.

A checklist for a formal opening meeting is set out in Appendix 8.

In many audit situations the opening meeting may just confirm that an audit is taking place, so
the above list is neither prescriptive nor exhaustive. The golden rules for the opening meeting
are keeping it brief and concise and under control.

FSSC 22000 V5.1 IA VILT TC P a g e | 107

Learner Guide 08 02 2021
 SESSION SEVEN

COLLECTING AND VERIFYING INFORMATION

AUDIT EVIDENCE

Information collected during the audit should be verified and confirmed by the Auditors to be
correct, so it can then be considered to be “audit evidence”. Audit evidence can be defined as
“records, statements of facts or other information which are relevant to the audit criteria and
verifiable” (ISO 19011:2018).

Audit evidence may be obtained from people, processes, equipment, tools, materials,
documentation and by observation. This is done in several ways, such as:

 Interviews.

 Observations of activities and the surrounding work environment and conditions.

 Documents, for example: policy, objectives, plans, procedures, instructions, licences

and permits, specifications, drawings, contracts and orders.

 Records such as: inspection records, minutes of meetings, purchasing records,

calibration records, training records, audit reports, monitoring programmes and results
of measurements.

 Data summaries, analyses, metrics and performance indicators.

 Reports from other sources, for example: energy suppliers, maintenance sub-
contractors’ reports and equipment supplier documents.

 Computerised data bases and web-sites, e.g. energy suppliers.

 Building management systems, production management systems and other

information systems related to energy uses, variables and static factors.

 Simulation and modelling.

 Information relating to interfaces between functions, activities and processes.

The step-by-step process of tracking activities, following leads and ascertaining evidence to
obtain information is called an “audit trail”. The audit evidence collected during an audit will
inevitably be only a sample of the information available, since an audit is conducted during a
finite period of time and with limited resources.

There is always an element of uncertainty inherent in all audits, and users of the audit
conclusions should be made aware of this uncertainty.

FSSC 22000 V5.1 IA VILT TC P a g e | 108

Learner Guide 08 02 2021
 SESSION SEVEN

SAMPLING

An Auditor cannot interview every person, observe every activity or task, examine every
document and record everything, there simply isn't time to do this. An audit must be based on
sampling enough evidence to be able to establish, with confidence, the degree of conformity
demonstrated in the process under review.

The objective of audit sampling is to provide information for the Auditor to have confidence that
the audit objectives can or will be achieved.

The risk associated with sampling is that the samples may not be representative of the
population from which they are selected, and thus the Auditor’s conclusion may be biased and
be different to that which would be reached if the whole population was examined.

There may be other risks depending on the variability within the population to be sampled and
the method chosen. Audit sampling typically involves the following steps:

 Establishing the objectives of the  Determining the sample size to be

sampling plan. taken.

 Selecting the extent and  Conducting the sampling activity.

composition of the population to
be sampled.  Compiling, evaluating, reporting
and documenting results.
 Selecting a sampling method.

When sampling, consideration should be given to the quality of the available data, as sampling
insufficient and inaccurate data will not provide a useful result.

The selection of an appropriate sample should be based on both the sampling method and the
type of data required, e.g. to infer a particular behaviour pattern or draw inferences across a
similar population.

Reporting on the sample selected could consider the sample size, selection method and
estimates made based on the sample and the confidence level.

Audits can use either judgement-based sampling or statistical sampling.

FSSC 22000 V5.1 IA VILT TC P a g e | 109

Learner Guide 08 02 2021
 SESSION SEVEN

Judgement-based sampling

Judgement-based sampling relies on the knowledge, skills and experience of the audit team.
For judgement-based sampling, the following can be considered:

 Previous audit experience within the audit scope.

 Complexity of requirements (including legal requirements) to achieve the objectives of

the audit.

 Complexity and interaction of the organisation’s processes and management system

elements.

 Degree of change in technology, human factor or management system.

 Previously identified key risk areas and areas of improvement.

 Output from monitoring of the management system.

 Severe risks may require very large samples to be reviewed.

A drawback to judgement-based sampling is that there can be no statistical estimate of the

effect of uncertainty in the findings of the audit and the conclusions reached.

Statistical sampling

Statistical sampling is normally when there is a substantial amount of data to review. If the
decision is made to use statistical sampling, the sampling plan should be based on the audit
objectives and what is known about the characteristics of the overall population from which the
samples are to be taken.

Statistical sampling design uses a sample selection process based on probability theory.
Attribute-based sampling is used when there are only two possible sample outcomes for each
sample, for example, correct/incorrect or pass/fail. Variable-based sampling is used when the
sample outcomes occur in a continuous range.

The sampling plan should consider whether the outcomes being examined are likely to be
attribute-based or variable-based. For example, when evaluating conformance of completed
forms to the requirements set out in a procedure, an attribute-based approach could be used.

When examining the occurrence of food safety incidents or the number of breaches, a variable-
based approach would likely be more appropriate.

FSSC 22000 V5.1 IA VILT TC P a g e | 110

Learner Guide 08 02 2021
 SESSION SEVEN

Statistical sampling, continued

The key elements that will affect the audit sampling plan are:

 The size of the organisation.

 The number of competent Auditors.

 The frequency of audits during the year.

 The time of individual audit.

 Any externally required confidence level.

When a statistical sampling plan is developed, the level of sampling risk that the Auditor is
willing to accept is an important consideration. This is often referred to as the acceptable
confidence level.

For example, a sampling risk of 5% corresponds to an acceptable confidence level of 95%. A

sampling risk of 5% means the Auditor is willing to accept the risk that 5 out of 100 (or 1 in 20)
of the samples examined will not reflect the actual values that would be seen if the entire
population was examined.

When statistical sampling is used, Auditors should appropriately document the work performed.

This should include a description of the population that was intended to be sampled, the
sampling criteria used for the evaluation (e.g. what is an acceptable sample), the statistical
parameters and methods that were utilised, the number of samples evaluated, and the results
obtained.

DOCUMENT REVIEW

The document review allows the Auditor to study the documents relevant to the audit criteria,
objectives and scope of the audit. The purpose of the review is to provide information to the
Auditor for the actual audit activities.

The Auditor will need to satisfy themselves that the management system, as described in the
documented processes, meets the requirements of the audit criteria.

The audit criteria will be requirements of the relevant standard, including legislation compliance
and conformance with the organisation’s own policies and procedures. In undertaking the
review, the Auditor will consider whether the system and the processes referenced within the
system are appropriate to the needs of the business.
FSSC 22000 V5.1 IA VILT TC P a g e | 111
Learner Guide 08 02 2021
 SESSION SEVEN

DOCUMENT REVIEW, CONTINUED

Once satisfied that the system and processes are adequate and meet the requirements of the
relevant standard, the Auditor should use this information to:

 Devise an audit plan to notify the auditee of the format for the audit.

 Develop the necessary working documents for the audit.

Depending on the type of audit, and the objectives and scope of the audit, the Auditor may wish
to review:

 The documented statements of policy and objectives.

 The documented risk assessments, method statements and procedures.

 Any other documents needed by the organisation to gain a thorough understanding of

its activities and processes. These may include operational procedures, work
instructions and records.

In an internal audit, the Auditor will probably concentrate on the documentation (procedures,
risk assessments and method statements or work instructions) covering the precise scope of
the audit. The documentation should be reviewed to determine conformity with the audit criteria.

FSSC 22000 V5.1 IA VILT TC P a g e | 112

Learner Guide 08 02 2021
 SESSION SEVEN

ACTIVITY THREE: ROLE-PLAY- CONDUCTING THE AUDIT

PURPOSE

 This activity consists of role-playing against the requirements of FSSC 22000 V5.1.

TASK

 You have been asked to conduct an audit of Big Brewery.

 The role-play focuses on a meeting with the Top Management to audit the
organisation’s continual improvement processes. You are looking for evidence that
there is a planned and systematic approach to continual improvement in accordance
with the requirements of FSSC 22000 V5.1.

 You will be expected to:

 Use any documents that you have for this audit – your checklist from Activity
Two and FSSC V5.1.

 Speak to Top Management (tutors) in the organisation that you are auditing.

 Request to see any document in the organisation that you are auditing.

 Listen to responses from auditees (tutors) and provide feedback.

 Record audit evidence.

 Ensure that confidentiality in respect of proprietary information are applied.

 Demonstrate the ability to manage meetings effectively.

 Demonstrate the ability to implement the audit plan, use work documents and to
follow audit trails.

 Demonstrate the ability to build rapport with the auditee during the audit,
including sensitivity to the needs and expectations of the auditee.

 Demonstrate the ability to manage audit interviews effectively, including the

ability to formulate effective audit questions.

 Demonstrate the ability to collect and verify appropriate audit evidence, including
appropriate sampling.

FSSC 22000 V5.1 IA VILT TC P a g e | 113

Learner Guide 08 02 2021
 SESSION SEVEN

OUTPUT

 Provide feedback on your findings to the course tutor.

 Each response is then discussed within the entire group, to gain consensus.

TIME ALLOWED

 Preparation for role-play: 60 minutes.

 Feedback: 45 minutes (typically for each team: 15 minutes).

FSSC 22000 V5.1 IA VILT TC P a g e | 114

Learner Guide 08 02 2021
 SESSION SEVEN

FSSC 22000 V5.1 IA VILT TC P a g e | 115

Learner Guide 08 02 2021
 SESSION EIGHT

SESSION EIGHT

AUDIT REVIEW

FSSC 22000 V5.1 IA VILT TC P a g e | 116

Learner Guide 08 02 2021
 SESSION EIGHT

AUDIT REVIEW
OBJECTIVES

When you have completed this session, you will be able to:

 Outline the process for preparing audit conclusions and closing the audit.

 Explain how audit findings are determined by evaluating objective evidence against
audit criteria.

 Explain the purpose and typical content of an internal audit report including recording
nonconformity.

 Explain the corrective action process and audit follow-up activities.

KEY POINTS

 Audit review meeting.

 Audit findings.

 Finding statements.

 Corrective Action Requests (CARs).

 Classification of CARs.

 Opportunities for improvement.

FSSC 22000 V5.1 IA VILT TC P a g e | 117

Learner Guide 08 02 2021
 SESSION EIGHT

AUDIT REVIEW
INTRODUCTION

When the audit is complete, the Auditor should conduct a review of the findings with the
auditees. This is a very formal meeting in the case of external audits. It may be much less
formal in internal audits. However, below is a comprehensive list of issues and activities which
may form the structure and content of such a meeting.

When the review and analysis of the information and evidence has been completed and a
conclusion reached, the Auditor/team will present the findings to management at a “closing
meeting”.

CONDUCTING A CLOSING MEETING

A closing meeting, led by the Auditor, should be held with the auditee's management and those
responsible for the functions audited. Records of attendance at the closing meeting should be
kept. The purpose of this meeting is to present audit findings and conclusions in such a manner
as to ensure that they are understood and acknowledged by the auditee and to agree the time-
period for the auditee to present a corrective action plan.

For internal audits, this may be an informal process. The meeting should be constructive and
aimed at system improvement, especially as the Auditor and auditee work for the same
organisation and have the same objectives.

A closing meeting agenda will vary according to the type of audit conducted, but the following
list, which is neither exhaustive nor prescriptive, contains typical management system items on
a closing meeting agenda:

 Distribute an attendance list for completion by attendees.

 Restate the purpose and scope of the audit.

 State the decision and conclusion.

 Summary of good points within the management system.

 Explain Major and Minor CARs.

 Explain CAR form completion and obtain client representative's signature on CAR.

 Explain the significance of sampling technique.

FSSC 22000 V5.1 IA VILT TC P a g e | 118

Learner Guide 08 02 2021
 SESSION EIGHT

CONDUCTING A CLOSING MEETING, CONTINUED

 Report on opportunities for improvement.

 Stress confidentiality.

 Explain reporting and follow-up.

 Have the Auditor log signed.

 Obtain attendance list.

 Thank the client.

 Congratulate where appropriate.

During the closing meeting, the Auditor/Team Leader must explain all findings and evidence
carefully and precisely, and be prepared to support and justify the findings.

The Auditor must avoid being drawn into an argument, apologise if an error transpires and alter
or withdraw the CAR if necessary and refuse the 'quick fix' as a solution to the finding.
Management must investigate and attempt to correct the root cause of the problem to prevent
any recurrence.

AUDIT FINDINGS

An organisation’s management should be open to both positive and negative issues reported
as a result of any audit.

A ‘finding’ may be positive or negative. However, the term ‘finding’ is often used by Auditors to
describe a negative situation only.

Until it is classified, a negative audit finding may be a:

 Nonconformity / nonconformance / noncompliance.

A nonconformity (nonconformance or noncompliance) arises when the process or procedure

being audited is not being conducted or completed as it should.

FSSC 22000 V5.1 IA VILT TC P a g e | 119

Learner Guide 08 02 2021
 SESSION EIGHT

AUDIT FINDINGS, CONTINUED

A nonconformity is defined as “The non-fulfilment of a requirement”. Therefore, a nonconformity

may be a failure to:

 Comply with the standard applicable to the organisation.

 Implement the policy, process or documented requirements specified by the

organisation.

 Implement a legislative or contractual requirement.

If there is no specified requirement, there can be no nonconformity. What the Auditor thinks
should be done is not a specified requirement.

Nonconformities should be recorded and supported by audit evidence. Nonconformities should

be reviewed with an appropriate auditee representative to obtain acknowledgement of the audit
evidence.

The auditee representative’s acknowledgement indicates that the audit evidence is accurate,
and that the nonconformity is understood. Every attempt should be made to resolve any
difference of opinion concerning the audit evidence, and unresolved points should be recorded.

Sometimes during an audit, an Auditor may identify a deficiency that is then effectively resolved
by management before the closing meeting. In a situation such as this, provided the Auditor is
convinced that the matter has indeed been resolved, it should not be raised formally at the
closing meeting.

A record should be made by the Auditor to verify that the action implemented is complete and
acceptable. However, it would be unusual for management to have had the time to confirm full
close-out of the problem in so far as to check whether their solution will have prevented any
future recurrence of the nonconformance.

True corrective action involves confirmation that action taken is effective and will prevent
recurrence of the negative situation.

FSSC 22000 V5.1 IA VILT TC P a g e | 120

Learner Guide 08 02 2021
 SESSION EIGHT

FINDING STATEMENT

A “finding statement” is a description of the conformity or nonconformity discovered during the

audit. The finding statement should contain:

 An overview of the finding.

 A description of the nonconformity.

 The objective evidence on which the nonconformity is based.

 Summary of the requirement being contravened.

Below is an example of a finding statement:

Example 1:

“Pest control programme is not fully in compliance with requirements of FSSC 22000. From the
review of the pest control records it was noted that the results for inspections carried out in
2018 have not been assessed and analysed for trends.

It is required specifically by clause 12.5 of ISO / TS 22002-1 that trend analysis is to be carried
out”.”

Example 2:

“During the inspection of line five a piece of card was observed attached to the conveyor in
order to prevent the products from flipping over. The operator explained that the card was
changed every shift but that without it the products would fall. No request for permanent repair
was recorded.

Clause 8.6 of ISO/TS22002-1 requires that a request for repair of temporary fixes is included in
the maintenance schedule.”

A number of similar nonconformities may be grouped by process, function, procedure or

standard clause into a single finding statement.

FSSC 22000 V5.1 IA VILT TC P a g e | 121

Learner Guide 08 02 2021
 SESSION EIGHT

WHEN ARE FINDING STATEMENTS WRITTEN?

Some auditing organisations insist on finding statements being written out immediately after a
deficiency is identified, and the representative's signature obtained. However, an Auditor should
ensure that all relevant evidence is gathered before deciding what to do. The best practice is to:

 Go over the facts verbally and agree the nature of the nonconformity with the auditee,
detailing the audit evidence.

 Make notes and consult these later to make a statement.

 Draft finding statements during a working lunch or at the end of the day, then finalise at
the end of the day or end of audit private review.

It is ideal if a second party can review the finding statement before finalising the wording and its
classification.

CORRECTIVE ACTION REQUEST (CAR)

This is a form used by many organisations (see Appendix 10). It is used to describe a
nonconformity or noncompliance and request action. It may also be known as a Nonconformity
Report or Noncompliance Notice.

The term corrective action is used here because the form deals with both nonconformance
control (immediate correction of the finding) and prevention of problem recurrence (corrective
action).

The CAR is raised after careful consideration at the audit review prior to the closing meeting
with the organisation. The CAR form is used to:

 Report nonconformities.

 Show the level or classification of those nonconformities.

 Record acceptance of the nonconformity by the auditee (usually the audited

organisation’s representative).

 Record the actions taken to correct the nonconformity and prevent its recurrence.

 Record acceptance by the Auditor of the corrective action taken to resolve the
nonconformity and prevent recurrence of the problem.

FSSC 22000 V5.1 IA VILT TC P a g e | 122

Learner Guide 08 02 2021
 SESSION EIGHT

CORRECTIVE ACTION REQUEST (CAR), CONTINUED

The CAR should contain references to:

 The applicable process, function or procedure.

 Standard and clause number.

 Auditor’s name.

 Finding statement.

CLASSIFICATION OF CARS

Many organisations do not classify the severity of nonconformances as they all have to be
addressed, and during internal auditing a relatively modest number may be found.

Certification Bodies are required to classify nonconformities and the definitions given below are
standard.

Critical Nonconformity

This is defined in FSSC 22000 V5.1 as:

 “Circumstance in which direct food safety impact without appropriate action by the
organization is observed during the audit or when legality and/or certification integrity
are at stake.”

Major CAR

This is defined in ISO/IEC 17021-1 as:

 “(A) nonconformity that affects the capability of the management system to achieve the
intended results.”

Nonconformities could be classified as Major when there is significant doubt that effective
process control is in place. In general terms this would be where the nonconformity is likely to
result in an immediate risk to the food safety, for example:

FSSC 22000 V5.1 IA VILT TC P a g e | 123

Learner Guide 08 02 2021
 SESSION EIGHT

Major CAR, continued

 The absence of, or substantial failure to meet the requirements of the standard.

 When the nonconformance indicates a total breakdown of a process or procedure

significant to food safety.

 An organisation misusing a certification mark or an accreditation mark which

misrepresents their certification.

Minor CAR

These are raised where a deficiency (or deficiencies) has been identified in a process in the
operation of the organisation’s management system, but which is less severe than warrants a
Major CAR.

The classification of CARs is based upon good judgement, expertise and experience of the
Auditor, and may have far-reaching consequences.

ADDRESSING CORRECTIVE ACTION

Corrective action can be defined as action to eliminate the cause of a “nonconformity” and to
prevent recurrence.

In processing CARs, the Auditor and auditee have specific responsibilities. The auditee's
management must, in conjunction with the management representative, investigate and clearly
identify the problem, propose a programme of long-term corrective action and agree a target
date for completion. They must also introduce changes, verify effectiveness by internal audit or
other means and notify the Auditor of conformance whilst aligning with continuous improvement
measures.

At this stage, one of the responsibilities of the Auditor is to evaluate the proposals for corrective
action to ensure the immediate remedial action is taken and that long-term corrective action
proposed will prevent a recurrence of the nonconformity.

FSSC 22000 V5.1 IA VILT TC P a g e | 124

Learner Guide 08 02 2021
 SESSION EIGHT

RESOLVING THE NONCONFORMITY

To resolve the nonconformity, the management of the area that has been audited will:

 Take immediate action to correct the nonconformity.

 Analyse the effects of the nonconformity on actual and potential well-being of

personnel.

 Identify the root cause or causes of the problem or incident.

 Initiate a similar investigation into other areas where the problem may exist.

 Develop effective actions to prevent a recurrence of the nonconformity or situation.

 Implement and monitor the corrective action.

Management should:

 Approve the proposed corrective actions.

 Monitor progress in completing the corrective actions.

 Arrange a follow-up internal audit to verify effectiveness.

FOLLOW-UP AND CLOSE-OUT

AUDIT FOLLOW-UP

The audit client or auditee is responsible for determining any corrective action needed to deal
with a nonconformity or incident. Corrective action and subsequent follow-up actions, which
may include additional audits, should be completed within an agreed time period. The auditee
should keep the Auditor informed of the status of corrective action activities.

Corrective action should be verified in accordance with the appropriate documented procedure.
A follow-up report may be prepared and distributed in a manner similar to the original audit
report.

The process of determining whether the corrective action requested has been implemented is
called "follow-up". This can be done by reviewing documentation submitted by the client or by
visiting the client's premises.

FSSC 22000 V5.1 IA VILT TC P a g e | 125

Learner Guide 08 02 2021
 SESSION EIGHT

AUDIT CLOSE-OUT

The action relating to the verification and acceptance of corrective action by the Auditor is
called "close-out".

Methods of "close-out" will include re-audit of areas in which nonconformities have been
identified, where physical evidence has to be seen, or a review of new and/or revised
documentation and records of action taken (e.g. training).

The Auditor will verify the effectiveness of corrective actions by visiting the organisation and by:

 Carrying out an audit of objective evidence.

 Verifying that the corrective actions have been implemented.

 Ensuring short and long-term effectiveness.

 Recording details of the follow-up.

 Signing-off the forms.

The Auditor may be presented with sufficient documentary evidence of corrective action
success that it is possible to close out a nonconformity without a visit.

CONTINUAL IMPROVEMENT

THE ROLE OF THE MANAGEMENT REVIEW

The progress of corrective action toward resolving CARs from internal and external audits
should be considered at the management review. In addition, the effectiveness of actions taken
to address risks and opportunities should be identified and implemented if necessary.

In this forum, therefore, audit results, the analysis of the data collected during audits, corrective
actions and opportunities for improvement should be considered with a view to continually
improving the suitability, adequacy and effectiveness of the organisation’s management
system. The inputs to the review are:

 The status of actions from previous management reviews.

 Changes in external and internal issues that are relevant to the MS including changes
in the organisations context.

FSSC 22000 V5.1 IA VILT TC P a g e | 126

Learner Guide 08 02 2021
 SESSION EIGHT

THE ROLE OF THE MANAGEMENT REVIEW, CONTINUED

 Information on the performance and effectiveness of the MS, including trends in:

 Results of systems updating activities.

 Monitoring and measurement results.

 Analysis of the results of verification activities related to PRPs and the hazard
control plan.

 Nonconformities and corrective actions.

 Audit results (internal and external).

 Inspections (regulatory, customer).

 Performance of external providers.

 Review of risks and opportunities and of the effectiveness of actions taken to

address them.

 Extent to which objectives of the MS have been met.

 Adequacy of resources.

 Any emergency situations, incident or withdrawal/recall that occurred.

 Relevant information obtained through external and internal communication, including

requests and complaints from interested parties.

 Opportunities for continual improvement.

In this forum, the organisation is able to identify and plan the actions needed to address those
opportunities to continually improve the suitability, adequacy and effectiveness of the MS.

Internal audits are essential part of this process to ensure that improvements are implemented
and ongoing.

AUDIT REPORT PREPARATION AND CONTENT

The Auditor is responsible for the preparation, accuracy and completeness of the audit report.
The audit report should provide an accurate record of the audit and should contain audit
conclusions on issues such as the following, if within the audit objectives and scope:

FSSC 22000 V5.1 IA VILT TC P a g e | 127

Learner Guide 08 02 2021
 SESSION EIGHT

AUDIT REPORT PREPARATION AND CONTENT, CONTINUED

 Extent of conformance of the management system to the audit criteria.

 The effective implementation of the management system.

 The ability of management review process to ensure the continuing suitability and
effectiveness of the management system.

The audit report should include, or make reference to the:

 Identification of the organisation or processes audited.

 Agreed audit objectives, scope, exclusions and plan.

 Audit criteria, including a list of reference documents, against which the audit was
conducted.

 Identification of audit team members.

 Date(s) and place(s) the audit was conducted.

 Audit findings.

The audit report may include:

 The duration of the audit.

 The identification of the auditee's key representatives and any Guides participating in
the audit.

 A summary of the audit process including any obstacles encountered.

 A statement of the confidential nature of the contents.

 A distribution list for the audit report.

 Confirmation that the audit objectives have been accomplished within the audit scope
in accordance with the audit plan.

 Any agreed follow-up action plans.

 Any unresolved diverging opinions between the audit team and the auditee.

 Recommendations for improvement.

FSSC 22000 V5.1 IA VILT TC P a g e | 128

Learner Guide 08 02 2021
 SESSION EIGHT

REPORT APPROVAL AND DISTRIBUTION

The audit report should be issued within an agreed time period, dated and approved as defined
in appropriate documented procedures and should then be distributed to the designated
recipients.

An example of an Internal Audit Report Pro-forma is given in Appendix 11.

RETENTION OF DOCUMENTS

Work documents and reports pertaining to the audit should be retained or destroyed by
agreement between the participating parties and in accordance with audit procedures and any
applicable requirements.

The audit team and audit programme management should not disclose the contents of
documents, the nature of any other information obtained during the audit, or the audit report, to
any other party without the explicit approval of the audit client and, where appropriate, the
approval of the auditee.

FSSC 22000 V5.1 IA VILT TC P a g e | 129

Learner Guide 08 02 2021
 SESSION EIGHT

ACTIVITY FOUR: WRITING NCRS

PURPOSE

 To identify and classify nonconformities in respect of FSSC 22000 and record finding
statements.

TASK

 The incidents below occur during an internal FSSC 22000 audit.

 In each of the situations, there may be nonconformity in respect of FSSC 22000

requiring a CAR to be raised.

 In your team:

 Examine each incident and take the following actions:

• Determine the number of the clause from FSSC 22000 that identifies the
nonconformity.

• If you decide a situation provides evidence of nonconformity, classify the

nonconformity as Critical, Major or Minor.

• Once complete, select any two of the nonconformities and record finding
statements that would be presented to management, on the CAR forms
provided.

 You will be given a number of CARs that have been raised during some audits:

 Evaluate proposals for corrective action and differentiate between correction and
corrective action.

 Record your acceptance and/or comments of the proposed corrective action in

the space provided on the form.

OUTPUT

 Be prepared to feedback your findings to the whole group.

FSSC 22000 V5.1 IA VILT TC P a g e | 130

Learner Guide 08 02 2021
 SESSION EIGHT

TIME ALLOWED

 Activity: 60 minutes.

 Feedback: 15 minutes.

FSSC 22000 V5.1 IA VILT TC P a g e | 131

Learner Guide 08 02 2021
 SESSION EIGHT

FSSC 22000 INTERNAL AUDIT INCIDENTS

1) Incident:
During a FSSC 22000 audit of a dairy, the Auditor sees 40 cartons of processed cheese
(about 400kg) with a batch number, XZ2238 (dated three months before this audit is taking
place), in a designated nonconforming product area in a temperature-controlled environment.
The Auditor asks the Production Manager to explain the reason why the cartons are there.
The Production Manager says that they found metal particles in the batch and these
exceeded the critical limits set in CCP3. “We put them here”, says the Production Manager,
“so that they would not enter the food chain”. Records confirm that this was the only action
that took place with this incident.

Clause:

Classification (if evidence of nonconformity):

2) Incident:
During an audit of an organisation processing chicken products, the Auditor requests to
review the internal audit process with the Food Safety Team Leader and asks to see the
schedule for internal audits and the required procedure.

The Auditor reviews the Internal Audit Plan and supporting documentary evidence confirms
that the audits are conducted in accordance with the plan outlined in the FSMS Manual. The
FSMS Manual, Version One - March 12th, states that each identified process area will be
audited, as a minimum, at six-monthly intervals, and the internal audit procedure (reference
SOP 14) confirms this. The procedure also states that that the organisation’s Health & Safety
Training Officer will act as the Internal Auditor. In the review of the internal audits conducted,
the Auditor notes that 70% of the issues raised have related to the production area and have
all concerned Food Handler training and staff competence.

Clause:

Classification (if evidence of nonconformity):

FSSC 22000 V5.1 IA VILT TC P a g e | 132

Learner Guide 08 02 2021
 SESSION EIGHT

3) Incident:
During an internal audit of a distillery to ISO 22000 the Auditor is viewing the reduction
process in which distilled water is added to the final distillate to bring it down to 63% alcohol
by volume prior to loading into casks for the legal minimum maturation period of three years.
The alcohol level is determined by automatically measuring the density of the reduced spirit
using an Anton Paar Alcohol Monitor. The Auditor notices that one of the production lines is
shut down while a maintenance technician is servicing its measuring device on a nearby
table, strewn with assorted tools, machinery components and an open tub of grease. When
the Auditor asks about the cleaning treatment for the device before reinsertion, the technician
says, “it is not necessary since the alcohol will kill any bacteria anyway”. The Auditor notes,
from the hazard analysis, that there had not been any specific hazards listed relating to
maintenance activities in the spirit reduction process.

Clause:

Classification (if evidence of nonconformity):

4) Incident:
During a FSSC 22000 audit of the management review process at an organisation producing
fruit drinks, the Auditor notices from the records of the management review meetings that the
meetings are not attended by any of the Top Management team. When the Auditor queries
this, the management representative explains that the management review has evolved into
a two-tier process, as it was proving so difficult for all the Departmental and Top Managers to
be available at the same time. The process now is that Departmental Managers meet and
conduct the first tier of the management review. The management representative prepares a
summary report including actions and recommendations. This is passed round each of the
Top Management team for comment, and the Managing Director (MD) finally agrees the
action plan.

Clause:

Classification (if evidence of nonconformity):

FSSC 22000 V5.1 IA VILT TC P a g e | 133

Learner Guide 08 02 2021
 SESSION EIGHT

5) Incident:
During an FSSC 22000 audit the Auditor is reviewing the process of supplier selection and
approval at an organisation processing meat products site. The Auditor has made a list of
four selected high risk raw materials (as stated in the risk assessment) from the traceability
challenge carried out earlier in the day and is cross-checking their approval. The Auditor
noticed that one of the four suppliers had not been audited by the meat processing company
or did not have third-party certification either, as stated in the approval procedure PRO34.

Clause:

Classification (if evidence of nonconformity):

6) Incident:
During the audit of a confectionery factory, the Auditor is walked through the process of mint
toffee production lines. There are three production lines. The Auditor observes that a
member of staff is working on the mixing process and sees that she is manually applying oil
to reduce the stickiness of the toffee. She is the only person controlling the mixing process on
this production line. The Auditor asks the Production Manager about the type of oil that staff
are using. The Production Manager replies, “Line one is the last trial production, we are using
soya bean oil instead of palm oil”. The Auditor asks what will happen to the production that is
currently being mixed. The Production Manager replies that this batch will be blended with
the commercial batch, “after we have received confirmation of the order from the client,
hopefully next week”.

Clause:

Classification (if evidence of nonconformity):

FSSC 22000 V5.1 IA VILT TC P a g e | 134

Learner Guide 08 02 2021
 SESSION EIGHT

7) Incident:
During the site tour of a wheat flour factory, with the Food Safety Manager, the Auditor sees
three containers of the factory’s wheat flour product in 3kgs bags, left outside and labelled
‘Animal Feed’. The Auditor asks the Food Safety Manager what type of nonconformity is
applied to these products. The Food Safety Manager explains; “These products contained a
level of pesticide above our finished product specification. We have this problem quite often
but luckily, we have several animal feed companies around here to buy these products from
us”. The Auditor asks the Food Safety Manager to show him the communications regarding
the pesticide, between the factory and the animal feed companies.
The various communications do not show any record of levels of pesticide. “The animal feed
companies are not interested in that and do not require it” says the Food Safety Manager.

Clause:

Classification (if evidence of nonconformity):

8) Incident:
During an audit of a dairy, the Auditor asks to see the records of incoming inspections of the
closures/lids of the primary packaging, to batches of fresh milk that took place on 4th
December, these are not available. The Auditor then asks for records to show which
preservatives were used during the processing of this batch and the cleaning and sanitation
records before the filling of cartons for the same batch, and they were not available.

Clause:

Classification (if evidence of nonconformity):

FSSC 22000 V5.1 IA VILT TC P a g e | 135

Learner Guide 08 02 2021
 SESSION EIGHT

9) Incident:
During the audit of a soup making facility the Auditor, while reviewing the records of the
cleaning programme, noted that on a particular day the previous month that there were some
gaps in the cleaning log, which is completed by the cleaning staff. The auditor also noted that
during the weekly swabbing tests that there were two swabs that had higher results than the
remainder of the tests and queried this with the Food Safety Manager, who responded that
they had to let two cleaners go that month due to resource issues.

Clause:

Classification (if evidence of nonconformity):

10) Incident:
During an audit of the New Product Development (NPD) department of a pizza factory, the
internal auditor notices that there are pizzas in a display fridge with a ‘NEW’ label adhered to
the packaging. The auditor asks the NPD manager when the new product (X,Y,Z,K) was
launched, and is told that they were launched last week. The auditor asked to see the
product file that was used for launch. In the file they notice that there was a HACCP review
conducted for the new product. On examination of the record for the HACCP review there
was one sentence that stated that no new hazards had been identified with the launch of this
new product, and new equipment was purchased to produce the pizza. The NPD manager
confirms the new equipment was similar to existing equipment and this was the extent of the
HACCP review, and there were no other records for the evaluation of this new product with
respect to updates of the site the food safety management system. The review had been
approved by the Food Safety Team Leader.

Clause:

Classification (if evidence of nonconformity):

FSSC 22000 V5.1 IA VILT TC P a g e | 136

Learner Guide 08 02 2021
 SESSION EIGHT

FSSC 22000 V5.1 IA VILT TC P a g e | 137

Learner Guide 08 02 2021
 APPENDICES

APPENDICES

FSSC 22000 V5.1 IA VILT TC P a g e | 138

Learner Guide 08 02 2021
 APPENDICES

CONTENTS
Appendix 1: Definitions ..................................................................................................... 140

Appendix 2: Example of an Organisation Structure ........................................................... 159

Appendix 3: Example of an Internal Audit Plan Pro-forma ................................................. 160

Appendix 4: Example of an Internal Audit Pro-forma ......................................................... 161

Appendix 5: The Turtle Diagram ....................................................................................... 162

Appendix 6: Example of an Audit Checklist ....................................................................... 163

Appendix 7: Example of a Completed Audit Checklist ....................................................... 164

Appendix 8: Opening Meeting Checklist ............................................................................ 165

Appendix 9: Closing Meeting Checklist ............................................................................. 166

Appendix 10: Example of a ‘CAR’ Form ............................................................................ 167

Appendix 11: Example of an Internal Audit Report Pro-forma ........................................... 168

Appendix 12: Chain Categories (as per ISO/TS 22003:2013) ........................................... 169

Appendix 13: FSSC 22000 Maintained and Retained Documented Information ................ 170

Appendix 14: Flowchart of the On-Site Audit Process ....................................................... 176

FSSC 22000 V5.1 IA VILT TC P a g e | 139

Learner Guide 08 02 2021
 APPENDICES

APPENDIX 1: DEFINITIONS

ACCEPTABLE LEVEL

Level of a food safety hazard not to be exceeded in the end product

ISO 22000:2018
provided by the organisation.

ACTION CRITERION

Measurable or observable specification for the monitoring of an

OPRP.
Note 1 to entry: An action criterion is established to determine ISO 22000:2018
whether an OPRP remains in control, and distinguishes between
what is acceptable (criterion met or achieved means the OPRP is
operating as intended).

ACCREDITATION

An attestation by an accreditation body that a certification body FSSC 22000

meets the requirements set out by the Foundation to carry out
FSSC 22000 certification.

ACCREDITATION BODY

An accreditation body (AB) is an appointed body that provides

accreditation to certification bodies providing conformity FSSC 22000
assessment services.

ACCREDITATION CERTIFICATE

Formal document or a set of documents, stating that accreditation

ISO/IEC 17011:2004
has been granted for the defined scope

ACCREDITATION MARK

Mark issued by an accreditation body to be used by accredited

CB’s to indicate direct conformity of an entity against a set of FSSC 22000
requirements.

FSSC 22000 V5.1 IA VILT TC P a g e | 140

Learner Guide 08 02 2021
 APPENDICES

ADDITIVE

Any substance not normally consumed as a food by itself and not

normally used as a typical ingredient of the food, whether or not it
has nutritive value, the intentional addition of which to food for a
technological (including organoleptic) purpose in the manufacture,
processing, preparation, treatment, packing, packaging, transport
or holding of such food results, or may be reasonably expected to FSSC 22000
result, (directly or indirectly) in it or its by-products becoming a
component of or otherwise affecting the characteristics of such
foods. The term does not include contaminants, or substances
added to food for maintaining or improving nutritional qualities
(Codex Alimentarius).

ADVISORY COMMITTEE

A group of key stakeholders within the scope of the Scheme who FSSC 22000
advise the Board of Stakeholders.

AUDIT

Systematic, independent and documented process for obtaining

objective evidence and evaluating it objectively to determine the ISO 19011:2018
extent to which audit criteria are fulfilled.

AUDIT CONCLUSION

Outcome of an audit after consideration of the audit objectives and

ISO 19011:2018
all audit findings.

AUDIT CRITERIA

Set of requirements used as a reference against which objective

ISO 19011:2018
evidence is compared.

AUDIT EVIDENCE

Records, statements of fact or other information which are relevant

ISO 19011:2018
to the audit criteria and verifiable.

AUDIT FINDINGS

Results of the evaluation of the collected audit evidence against

ISO 19011:2018
audit criteria.

FSSC 22000 V5.1 IA VILT TC P a g e | 141

Learner Guide 08 02 2021
 APPENDICES

AUDIT PLAN

Description of the activities and arrangements for an audit. ISO 19011:2018

AUDIT PROGRAMME

Arrangements for a set of one or more audits planned for a specific

ISO 19011:2018
time frame and directed towards a specific purpose.

AUDIT SCOPE

Extent and boundaries of an audit. ISO 19011:2018

AUDIT TEAM

One or more auditors conducting an audit, supported if needed by

ISO 19011:2018
technical experts.

AUDITEE

Organisation as a whole or parts thereof being audited. ISO 19011:2018

AUDITOR

Person who conducts and audit. ISO 19011:2018

APPEAL

Request for reconsideration of a decision made on a lodged

FSSC 22000
complaint.

BLACK-OUT DAYS

Time periods shared by the applicant / certified organisation with

the certification body that prevents the unannounced audit
FSSC 22000
occurring when the organisation is not operating for legitimate
business reasons.

BOARD OF STAKEHOLDERS

Group of representatives appointed by the Scheme’s stakeholders

who are responsible for overseeing including all certification and FSSC 22000
accreditation requirements.

FSSC 22000 V5.1 IA VILT TC P a g e | 142

Learner Guide 08 02 2021
 APPENDICES

CERTIFICATION

Process by which licensed certification bodies provide assurance

that food safety and/or quality management system and its
FSSC 22000
implementation by the audited organization comply with Scheme
requirements.

CERTIFICATION BODY

Organisation providing audit and certification services. ISO/IEC 17021-1:2015

CERTIFICATION DECISION

Granting, continuing, expanding or reducing the scope,

suspending, re-instating, withdrawing or refusing certification by a GFSI V7.2:2018
Certification Body (CB).

CERTIFICATION DECISION DATE

Date on which the certification decision is taken. FSSC 22000

CERTIFICATE OF ANALYSIS (COA)

Document provided by the supplier which indicates results of

specific tests / analysis, including test methodology, performed on a ISO 22002-1:2009
defined population of the supplier’s product.

CERTIFICATION BODY / REGISTRAR / AUDITING

ORGANISATION

An organisation that conducts food safety management system

FSSC 22000
audits to a recognised standard.

CLEANING

Removal of soil, food residue, dirt, grease or other objectionable

ISO 22002-1:2009
matter.

CLEANING IN PLACE (CIP)

System that cleans solely by circulating and / or flowing chemical

detergent solutions and water rinses by mechanical means onto ISO 22002-1:2009
and over surfaces to be cleaned.

FSSC 22000 V5.1 IA VILT TC P a g e | 143

Learner Guide 08 02 2021
 APPENDICES

CLEANING OUT OF PLACE (COP)

System where equipment is disassembled and cleaned in a tank or

in an automatic washer by circulating a cleaning solution and ISO 22002-1:2009
maintaining a minimum temperature throughout the cleaning cycle.

CERTIFIED CLIENT

Organization whose management system has been certified. ISO/IEC 17021-1-2015

COMPETENCE

Demonstrated ability to apply knowledge and skills to achieve

FSSC 22000
intended results.

CONFORMITY

Fulfilment of a requirement. ISO 9000:2015

CONTAMINANT

Any biological or chemical agent, foreign matter or other substance

not intentionally added to food which may compromise food safety ISO 22002-1:2009
or suitability.

CONTAMINATION

Introduction or occurrence of a contaminant including a food safety

ISO 22000:2018
hazard in a product or processing environment.

CONTINUAL IMPROVEMENT

Recurring activity to increase the ability to fulfil requirements. ISO 9000:2015

CONTROL MEASURE

(Food safety) action or activity that can be used to prevent or

ISO 22000:2018
eliminate a food safety hazard or reduce it to an acceptable level.

CORRECTION

Action to eliminate a detected nonconformity. ISO 9000:2015

CORRECTIVE ACTION

Action to eliminate the cause of a nonconformity and to prevent

ISO 22000:2018
recurrence.

FSSC 22000 V5.1 IA VILT TC P a g e | 144

Learner Guide 08 02 2021
 APPENDICES

CRITICAL CONTROL POINT

Step in the process at which control measure(s) is (are) applied to

prevent or reduce a significant food safety hazard to an acceptable ISO 22000:2018
level and defined critical limit(s) and measurement.

CRITICAL LIMIT

Measurable value which separates acceptability from

ISO 22000:2018
unacceptability.

CRITICAL NONCONFORMITY

A nonconformity whereby food safety is directly impacted during

FSSC 22000
the audit or when legality and / or certification integrity is at stake.

CUSTOMER

Organisation or person that receives a product. ISO 9000:2015

CUSTOMER SATISFACTION

Customer’s perception of the degree to which the customer’s

requirements have been fulfilled.
Note 1: Customer complaints are a common indicator of low
customer satisfaction, but their absence does not necessarily imply
ISO 9000:2015
high customer satisfaction.
Note 2: Even when customer requirements have been agreed with
the customer and fulfilled, this does not necessarily ensure high
customer satisfaction.

DISINFECTION

Reduction, by means or chemical agents and / or physical

methods, of the number of microorganisms in the environment, to a ISO 22002-1:2009
level that does not compromise food safety.

FSSC 22000 V5.1 IA VILT TC P a g e | 145

Learner Guide 08 02 2021
 APPENDICES

DOCUMENTED INFORMATION

Information required to be controlled and maintained by an

organization and the medium on which it is contained.
Note 1 to entry: Documented information can be in any format and
media, and from any source.
ISO 22000:2018
Note 2 to entry: Documented information can refer to: the
management system, including related processes; information
created in order for the organization to operate and evidence of
results achieved.

EFFECTIVENESS

Extent to which planned activities are realised and planned results

ISO 22000:2018
achieved.

EFFICIENCY

Relationship between the result achieved and the resources used. ISO 9000:2015

END PRODUCT

Product that will undergo no further processing or transformation

ISO 22000:2018
by the organisation.

ENVIRONMENTAL MONITORING

A program for the evaluation of the effectiveness of controls on

FSSC 22000
preventing contamination from the manufacturing environment.

ESTABLISHMENT

Any building or area in which food is handled, and the

ISO 22002-1:2009
surroundings, under the control of the same management.

FEED

Any single or multiple product(s), whether processed, semi-

processed or raw, which is (are) intended to be fed to food ISO 22000:2018
producing animals

FIRST EXPIRED FIRST OUT (FEFO)

Stock rotation based on the principle of despatching earliest

ISO 22002-1:2009
expiration dates first.

FSSC 22000 V5.1 IA VILT TC P a g e | 146

Learner Guide 08 02 2021
 APPENDICES

FIRST IN FIRST OUT (FIFO)

Stock rotation based on the principle of despatching earliest

ISO 22002-1:2009
received products first.

FIRST-PARTY AUDIT (also called Internal Audit)

An audit conducted by, or on, behalf of, the organisation itself for
management review and other internal purposes and may form the
basis for an organisation’s self-declaration of conformity. In many
ISO 19011:2011
cases, particularly in smaller organisations, independence can be
demonstrated by the freedom from responsibility for the activity
being audited.

FLOW DIAGRAM

Schematic and systematic presentation of the sequence and

ISO 22000:2018
interactions of steps in the process.

FOOD

Product substance (ingredient), whether processed, semi-

processed or raw, which is intended for consumption, and includes
drink, chewing gum and any substance which has been used in the
manufacture, preparation or treatment of “food” but does not
include cosmetics or tobacco or substances (ingredients) used as ISO 22000:2018
drugs (ISO 22000:2018). Food is intended for consumption by
humans and animals, and includes feed and animal food: FSSC 22000

— feed is intended to be fed to food-producing animals;

— animal food is intended to be fed to non-food-producing
animals, such as pets.

ANIMAL FOOD

Single or multiple product(s), whether processed, semi-processed

or raw, which is (are) intended to be fed to non-food-producing
animals.
Note 1 to entry: Distinctions are made in this document between
the terms food feed and animal food: — food is intended for ISO 22000:2018
consumption by humans and animals and includes feed and
animal food; — feed is intended to be fed to food-producing
animals; — animal food is intended to be fed to non-food-
producing animals, such as pets.

FSSC 22000 V5.1 IA VILT TC P a g e | 147

Learner Guide 08 02 2021
 APPENDICES

FOOD DEFENSE

The process to ensure the security of food and drink from all forms
of intentional malicious attack including ideologically motivated GFSI V7.2:2018
attack leading to contamination or unsafe products.

FOOD FRAUD

A collective term encompassing the deliberate and intentional

substitution, addition, tampering or misrepresentation of food, food
ingredients or food packaging, labelling, product information or GFSI V7.2:2018
false or misleading statements made about a product for economic
gain that could impact consumer health.

FOOD FRAUD PREVENTION

The process to prevent food and feed supply chains from all forms
of economically motivated, intentional adulteration that might FSSC 22000
impact consumer health.

FOOD / FEED SAFETY

Assurance that food / feed will not cause an adverse health effect
for the consumer when it is prepared and / or consumed in FSSC 22000
accordance with its intended use.

FOOD / FEED SAFETY HAZARD

Biological, chemical or physical agent in food / feed / packaging,

FSSC 22000
with the potential to cause an adverse health effect.

FOOD CHAIN

Sequence of the stages in the production, processing, distribution,

storage and handling of a food and its ingredients, from primary ISO 22000:2018
production to consumption.

FOOD GRADE

Lubricants and heat transfer fluids formulated to be suitable for use

in food processes where that may be incidental contact between ISO 22002-1:2009
the lubricant and the food.

FSSC 22000 V5.1 IA VILT TC P a g e | 148

Learner Guide 08 02 2021
 APPENDICES

FOOD SAFETY

Assurance that food will not cause harm or adverse effect for the
consumer when it is prepared and / or eaten according to its ISO 22000:2018
intended use.

FOOD SAFETY HAZARD

Biological, chemical or physical agent in food with the potential to

ISO 22000:2018
cause an adverse health effect.

FOOD SAFETY MANAGEMENT SYSTEM

Set of interrelated or interacting elements to establish policy and

objectives and to achieve those objectives, used to direct and ISO/TS 22003:2013
control an organization with regard to food safety.

FOOD SAFETY POLICY

Intentions and direction of an organisation as formally expressed

ISO 22000:2018
by Top Management.

FOUNDATION FSSC 22000

The legal owner of the FSSC 22000 certification scheme. FSSC 22000

FOLLOW-UP AUDIT

An additional audit to a regular audit for which an extra visit is

required when the audit could not be completed in the planned
time and/or the audit plan could not be realized completely. As a FSSC 22000
follow-up is part of a regular audit, it shall be completed within a
short time-frame from the main audit.

FSSC LOGO

Logo issued by the Foundation which can be used by licensed

CBs, certified organizations and licensed training organizations in FSSC 22000
accordance with FSSC 22000 Scheme requirements.

GFSI

The Global Food Safety Initiative is an industry-driven initiative

owned by the Consumer Goods Forum providing thought
FSSC 22000
leadership and guidance on food safety management systems
necessary for safety along the supply chain.

FSSC 22000 V5.1 IA VILT TC P a g e | 149

Learner Guide 08 02 2021
 APPENDICES

GUIDE

Person appointed by the auditee to assist the audit team. ISO 19011:2011

HACCP STUDY

Hazard analysis for a family of products / services with similar

hazards and similar production technology and, where relevant, FSSC 22000
similar storage technology (ISO/TS 22003:2013).

INTERESTED PARTY (PREFERRED TERM) STAKEHOLDER

(ADMITTED TERM)

Person or organization that can affect, be affected by, or perceive

ISO 22000:2018
itself to be affected by a decision.

IMPARTIALITY

Presence of objectivity. ISO / IEC 17021-1:2015

INFRASTRUCTURE

System of facilities, equipment and services needed for the

ISO 9000:2015
operation of an organisation.

INFORMATION

Meaningful data. ISO 9000:2015

INGREDIENT

A processed or unprocessed component of food, feed or

FSSC 22000
packaging.

INSPECTION

Conformity evaluation by observation and judgement accompanied

ISO 9000:2015
as appropriate by measurement, testing or gauging.

INTERNAL AUDIT (also called First-Party Audit)

An audit conducted by, or on, behalf of, the organisation itself for
management review and other internal purposes and may form the
basis for an organisation’s self-declaration of conformity. In many
ISO 19011:2011
cases, particularly in smaller organisations, independence can be
demonstrated by the freedom from responsibility for the activity
being audited.

FSSC 22000 V5.1 IA VILT TC P a g e | 150

Learner Guide 08 02 2021
 APPENDICES

LABEL

Printed matter that is part of the finished product package

conveying specific information about the contents of the package,
ISO 22002-1:2009
the food ingredients and any storage and preparation
requirements.

LOT

Defined quantity of a product produced and / or processed and / or

ISO 22000:2018
packaged essentially under the same conditions.

MANAGEMENT

Coordinated activities to direct and control an organisation. ISO 9000:2015

MANAGEMENT SYSTEM

Set of interrelated or interacting elements to establish policy and

objectives and to achieve those objectives, used to direct and ISO 9000:2015
control an organization with regard to food safety / quality
management (ISO / TS 22003:2013).

MANUFACTURING / PROCESSING

Transformation of raw materials, by physical, microbiological or

FSSC 22000
chemical means, into a final product.

MAJOR NONCONFORMITY

Nonconformity that negatively affects the capability of the

ISO/IEC 17021-1:2015
management system to achieve the intended results.

MATERIAL / PRODUCT SPECIFICATION

Detailed document description or enumeration of parameters,

including permissible variations and tolerances, which are required ISO 22002-1:2009
to achieve a defined level of acceptability or quality.

MATERIALS

General term used to indicate raw materials, packaging materials,

ISO22002-1:2009
ingredients, process aids, cleaning materials and lubricant.

MEASUREMENT

Process to determine a value. ISO 22000:2018

FSSC 22000 V5.1 IA VILT TC P a g e | 151

Learner Guide 08 02 2021
 APPENDICES

MINOR NONCONFORMITY

A nonconformity that does not affect the capability of the

ISO/IEC 17021-1:2015
management system to achieve the intended results.

MONITORING

Determining the status of a system a process or an activity. ISO 22000:2018

NONCONFORMITY

Non-fulfilment of a requirement. ISO 22000:2018

OBJECTIVE

Result to be achieved. ISO 22000:2018

OBJECTIVE EVIDENCE

Data supporting the existence or verity of something. ISO 9000:2015

OBSERVER

Individual who accompanies the audit team but does not act as an
ISO 19011:2018
auditor.

PRODUCT CONTACT

All surfaces that are in contact with the product or the primary
ISO 22002-1:2009
package during normal operation.

OPERATIONAL PRE-REQUISITE PROGRAMME

OPRP

Control measure or combination of control measures applied to

prevent or reduce a significant food safety hazard to an acceptable
ISO 22000:2018
level and where action criterion and measurement or observation
enable effective control of the process and / or product.

ORGANISATION

Legal entity that has its own functions, with responsibilities,

authorities and relationships to comply with the Scheme FSSC 22000
requirements and that could cover multiple sites.

FSSC 22000 V5.1 IA VILT TC P a g e | 152

Learner Guide 08 02 2021
 APPENDICES

OUTSOURCE

Arrangement where an external organization performs part of an

organization’s function or process.
Note 1 to entry: An external organization is outside the scope of ISO 22000:2018
the management system although the outsourced function or
process is within the scope.

PERFORMANCE

Measurable result. ISO 22000:2018

PRP PRE-REQUISITE PROGRAMME

Basic conditions and activities that are necessary within the

organisation and throughout the food chain to maintain food safety.
Note 1 to entry: The PRPs needed depend on the segment of the
food chain in which the organization operates and the type of
organization. Examples of equivalent terms are: good agricultural ISO 22000:2018
practice (GAP), good veterinary practice (GVP), good
manufacturing practice (GMP), good hygiene practice (GHP), good
production practice (GPP), good distribution practice (GDP) and
good trading practice (GTP).

PROCESS

Set of interrelated or interacting activities which transforms inputs

ISO 22000:2018
to outputs.

PROCESS FLOW DIAGRAM

A map of a sequence of events or a combination of activities,

FSSC 22000
inputs, controls and outputs.

PERISHABLE PRODUCT

Products that lose their quality and value over a specified time
even when handled correctly throughout the supply chain therefore
FSSC 22000
requiring temperature control during storage and / or transportation
to prevent damage, spoilage and contamination.

PET FOOD FOR DOGS AND CATS

Animal food intended to be fed to non-food-producing animals,

FSSC 22000
limited to dogs and cats (ISO 22000:2018).

FSSC 22000 V5.1 IA VILT TC P a g e | 153

Learner Guide 08 02 2021
 APPENDICES

PET FOOD FOR OTHER PETS

Animal food intended to be fed to non-food-producing animals

FSSC 22000
other than dogs and cats.

PRODUCT

Output that is a result of a process. ISO 22000:2018

PRODUCT RECALL

Removal of a nonconforming product from the market, trade and

warehouses, distribution centres and / or customer warehouses ISO / TS 22002-1:2009
because it does not meet specified standards.

PRODUCT WITHDRAWAL

The removal of a product by a supplier from the supply chain that

has been deemed to be unsafe and which has not been placed in GFSI V7.2:2018
the market for purchase by the end consumer.

RAW MATERIAL

Commodities, parts or substances that are assembled or

FSSC 22000
processed to form a final product.

REWORK

The process of re-manufacturing of semi-final and final products, to

obtain a final product that complies with the customer
requirements. It can also refer to material in a processed or semi- FSSC 22000
processed state that is intended to be re-used in subsequent
manufacturing steps.

REQUIREMENT

Need or expectation that is stated, generally implied or obligatory. ISO 9000:2015

FSSC 22000 V5.1 IA VILT TC P a g e | 154

Learner Guide 08 02 2021
 APPENDICES

PRODUCT RECALL

The removal by a supplier of a product from the supply chain that

has been deemed to be unsafe and has been sold to the end GFSI V7.2:2018.
consumer and is available for sale.

RETAIL

Preparation, packaging, storage, serving, vending, selling or

FSSC 22000
otherwise providing food for consumption direct to the public.

REWORK

The process of re-manufacturing of semi-final and final products, to

obtain a final product that complies with the customer
requirements. It can also refer to material in a processed or semi- FSSC 22000
processed state that is intended to be re-used in subsequent
manufacturing steps.

RISK

Effect of uncertainty. ISO 22000:2018

SIGNIFICANT FOOD SAFETY HAZARD

Food safety hazard identified through the hazard assessment,

ISO 22000:2018
which needs to be controlled by control measures.

SANITATION

All actions dealing with cleaning or maintaining hygienic conditions

in an establishment, ranging from cleaning and / or sanitizing of
specific equipment to periodic cleaning activities throughout the ISO 22002-1:2009
establishment (including buildings, structural and grounds cleaning
activities).

SANITIZING

The process of cleaning followed by disinfection. ISO 22002-1:2009

SCOPE

Extent and boundaries of e.g. audit, certification, accreditation or

ISO 9001:2015
scheme activity.

FSSC 22000 V5.1 IA VILT TC P a g e | 155

Learner Guide 08 02 2021
 APPENDICES

SECOND-PARTY AUDIT

Also referred to as a Supplier Audit. An audit conducted by parties

having an interest in the organisation, such as customers, or by ISO 19011:2011
other persons on their behalf.

SPECIFICATION

Document stating requirements. ISO 9000:2015

SUPPLIER

Organisation or person that provides a product. ISO 9000:2015

SYSTEM

Set of interrelated or interacting elements. ISO 9000:2015

TECHNICAL AREA

Area characterized by commonalities of processes relevant to a

ISO / IEC 17021-1:2015
specific type of management system and its intended results.

TECHNICAL EXPERT

Person who provides specific knowledge or expertise to the audit

ISO 19011:2011
team.

TEST

Determination of one or more characteristics according to a

ISO 9000:2015
procedure.

THREAT

Susceptibility or exposure to a food defence act (such as sabotage,

malicious tampering, disgruntled employee, terrorist act, etc.)
FSSC 22000
which is regarded as a gap or deficiency that could impact
consumer health if not addressed.

THIRD-PARTY AUDIT

An audit of an organisation conducted by external, independent

auditing organisation, such as those providing registration or ISO 19011:2011
certification of conformity to the requirements of ISO 22000.

FSSC 22000 V5.1 IA VILT TC P a g e | 156

Learner Guide 08 02 2021
 APPENDICES

TOP MANAGEMENT

Person or group of people who directs and controls an organisation

ISO 22000:2018
at the highest level.

TRACEABILITY

Ability to follow the history, application, movement and location of

an object through specified stage(s) of production, processing and ISO 22000:2018
distribution.

UNANNOUNCED AUDIT

Audit that is conducted at the facility of the certified organization FSSC 22000
without prior notification of the audit date.

UPDATE

Immediate and / or planned activity to ensure application of the ISO 22000:2018

most recent information.

VALIDATION

Obtaining evidence that a control measure (or combination of control

measures) will be capable of effectively controlling the significant
food safety hazard.
Note 1 to entry: Validation is performed at the time a control measure
combination is designed, or whenever changes are made to the
implemented control measures.
Note 2 to entry: Distinctions are made in this document between the
terms validation, monitoring and verification: ISO 22000:2018

— validation is applied prior to an activity and provides information

about the capability to deliver intended results;
— monitoring is applied during an activity and provides information
for action within a specified time frame;
— verification is applied after an activity and provides information for
confirmation of conformity.

FSSC 22000 V5.1 IA VILT TC P a g e | 157

Learner Guide 08 02 2021
 APPENDICES

VERIFICATION

Confirmation, through the provision of objective evidence, that

specified requirements have been fulfilled.
Note 1 to entry: Distinctions are made in this document between
the terms validation, monitoring and verification:
— validation is applied prior to an activity and provides information
ISO 22000:2018
about the capability to deliver intended results;
— monitoring is applied during an activity and provides information
for action within a specified time frame;
— verification is applied after an activity and provides information
for confirmation of conformity.

VULNERABILITY

Susceptibility or exposure to all types of food fraud, which is

regarded as a gap or deficiency that could impact consumer health FSSC 22000
if not addressed.

PRODUCT WITHDRAWAL

The removal of a product by a supplier from the supply chain that

has been deemed to be unsafe and which has not been placed in GFSI v7.2:2018
the market for purchase by the end consumer.

WITNESSED AUDIT

Periodic on-site observation of an auditor performance by a

FSSC 22000
competent supervisor called a witness.

WORK ENVIRONMENT

Set of conditions under which work is performed. ISO 9000:2015

ZONING

Demarcation of an area within an establishment where specific

operating, hygiene or other practices may be applied to minimise ISO 22002-1:2009
the potential for microbiological cross contamination.

FSSC 22000 V5.1 IA VILT TC P a g e | 158

Learner Guide 08 02 2021
 APPENDICES

APPENDIX 2: EXAMPLE OF AN ORGANISATION STRUCTURE

Managing Director

Operations Sales & Marketing

Director Director

National Accounts
Accountant
Manager

International Business
Quality / Technical Quality Assurance Customer Services Brand Manager
Development Manager
Manager Officer Manager

Operations Admin Staff

Sales Reps Product
Assistant
Development Officer

Packaging Forman

Charge Charge
Hands Hands

Operators Operators

FSSC 22000 V5.1 IA VILT TC P a g e | 159

Learner Guide 08 02 2021
 APPENDICES

APPENDIX 3: EXAMPLE OF AN INTERNAL AUDIT PLAN PRO-

FORMA

Organisation:

Address: Date(s) On-site:

Lead Auditor:

Team Member(s):

Standard(s):

Audit Language:

Audit Scope and

Observations:

Criteria and
Reference Docs:

Date Time Auditor Area / Department / Process / Key Contact

Function

 Times are approximate and will be confirmed at the opening meeting prior to
commencement of the audit.

 Auditors reserve the right to change or add to the elements listed before or during the
audit depending on the results of on-site investigation.

 A private place for preparation, review and conferencing is requested for the Auditor’s
use.

 Please provide a light working lunch on-site each audit day.

FSSC 22000 V5.1 IA VILT TC P a g e | 160

Learner Guide 08 02 2021
 APPENDICES

APPENDIX 4: EXAMPLE OF AN INTERNAL AUDIT PRO-FORMA

AUDIT AUDIT PLAN

KEY

X Audit Scheduled

Audit Completed and Satisfactory

0 Audit Completed and Unsatisfactory

X Corrective Action Follow-up Audit Date

Corrective Action Follow-up Audit Completed and Satisfactory

Process JAN FEB MAR APR MAY JUN JUL AUG SEPT OCT NOV DEC

FSSC 22000 V5.1 IA VILT TC P a g e | 161

Learner Guide 08 02 2021
 APPENDICES

APPENDIX 5: THE TURTLE DIAGRAM

RESOURCES: WITH WHAT? RESOURCES: WITH WHO?

 Raw materials PROCESS Competence/Skills/Training
 Equipment • Process manager
 Tooling • Team leaders, operators
 Maintenance • Roles & responsibilities
 Measuring instruments • Job descriptions
 Calibration • Competence & skills matrix
OBJECTIVES
 IT
OF THE • On-the-job training & records
 Utilities – energy, water, air, temp.
PROCESS • Training courses & records
• Performance appraisals
• Communications
INPUTS?
 Business/product requirements
 Possible legal/regulatory ACTIVITY OUTPUTS?
requirements STEPS  FSMS improvement
 Materials/services from suppliers’  Deliverables to customer
specifications  Specified product, service
 Outputs (from other processes) knowledge
 Inputs into other processes
PROCESS
CONTROLS: HOW? FLOW
Support processes & procedures
DIAGRAM
 Procedures ANALYSIS: WHAT RESULTS?
 Work instructions Performance indicators
 Control plan  Targets achieved?
 Test methods  Possible legal/other compliance
 Calibration methods  Customer requirements compliance
 Emergency plans

FSSC 22000 V5.1 IA VILT TC P a g e | 162

Learner Guide 08 02 2021
 APPENDICES

APPENDIX 6: EXAMPLE OF AN AUDIT CHECKLIST

Audit Reference: Sheet No. of

Activity
Item Compliance
Requirement Comments/Remarks
No. (Yes/No/Not
Applicable)

FSSC 22000 V5.1 IA VILT TC P a g e | 163

Learner Guide 08 02 2021
 APPENDICES

APPENDIX 7: EXAMPLE OF A COMPLETED AUDIT CHECKLIST

Audit Reference: Sheet No. of

Activity
Compliance
Item No. Requirement Comments/Remarks
(Yes/No/Not
Applicable)
8.5.1.5 Flow Diagrams, process
steps and control measures.

8.5.1.5.1 Flow Diagram

For each product process Yes Company has documented the
category covered by the HACCP Manual/Add document/
FSMS. process/product references. This
should be completed in all instances
under this column.
Sufficient detail/schematic No It is auditing best practice, Flow
overview. Diagram, process steps and
measures.
Not all steps are included, e.g. filtering
step using 70 mesh. (CAR 1 of 7)
Including
a) Sequence/interaction of Yes Verified on-site the steps of processing
steps. completed for product.

Verified sub-contracted services:

b) Outsourced processes and Yes - Pest control sanitation.
sub-contracted work. - Cleaning calibration.
c) Inputs (raw materials, Yes Verified raw materials seen at store
ingredients, intermediate area.
products).
d) Reworking and recycling. Yes Verified recycling loop in place.
e) Outputs (ends, intermediate, No Waste disposal was not contained
by-products, waste). properly on-site (CAR 2 of 7).
Verified by FST (records). Yes Seen inspection records.
8.5.1.5.3 Description of process steps
and control measures.

Control measures implemented.

Control measures/ process Yes
parameters/ procedures
related to food safety Not all external requirements from
described. customers are documented, e.g.
Legal and customer No request for different packaging (CAR 3
requirements described. of 7).
Seen updated document xxx Rev 03.
Yes
Description updated.

FSSC 22000 V5.1 IA VILT TC P a g e | 164

Learner Guide 08 02 2021
 APPENDICES

APPENDIX 8: OPENING MEETING CHECKLIST

Item No. Item

Introduce self, position, organisation, experience.

1)
Introduce team.

2) Ask those at meeting to introduce themselves.

3) Confirm audit objectives, scope and criteria.

Confirm audit plan:

 Date and time of the closing meeting.
4)  Any interim meetings between the audit team and the auditee's
management.
 Any late changes.
Outline methods and procedures to be used to conduct the audit:
 Classification of nonconformities.
5)
 Sampling technique.
 Element of uncertainty inherent in all audits.

6) Establish formal communication links between the audit team and the
auditee.

7) Confirm that during the audit, the auditee will be kept informed of audit
progress.

8) Confirm that any resources and facilities needed by the audit team are
available.

9) Confidentiality issues.

10) Procedures relating to relevant work safety, emergency and security.

11) Availability, roles and identity of any Guides.

12) Method of reporting including the classification of nonconformities.

13) Audit appeal system.

14) Any questions?

FSSC 22000 V5.1 IA VILT TC P a g e | 165

Learner Guide 08 02 2021
 APPENDICES

APPENDIX 9: CLOSING MEETING CHECKLIST

A closing meeting agenda will vary according to the type of audit conducted, but the following
list, which is neither exhaustive nor prescriptive, contains typical FSMS system on a closing
meeting agenda.

Item No. Item

1) Distribute attendance list.

2) Restate purpose and scope.

3) State decision and conclusion.

4) Summary of good points within the OH&S MS.

5) Explain Major and Minor CARs.

6) Report on opportunities for improvement.

7) Explain significance of sampling technique.

8) Stress confidentiality.

9) Explain reporting and follow-up.

10) Explain CAR form completion.

11) Obtain client representative's signature on CAR.

12) Have Auditor log signed.

13) Obtain attendance list.

14) Thank the client and congratulate if appropriate.

FSSC 22000 V5.1 IA VILT TC P a g e | 166

Learner Guide 08 02 2021
 APPENDICES

APPENDIX 10: EXAMPLE OF A ‘CAR’ FORM

CORRECTIVE ACTION REQUEST
MAJOR / MINOR

COMPANY:

JOB NO: VISIT NO: CAR NO:

AUDITOR: AUDIT DATE:

COMPANY REPRESENTATIVE:

PROCEDURE NO: REF:

ISSUE: AREA/DEPT/FUNCTION:
DETAILS OF NON-CONFORMANCE:

SIGNED: MAJOR CAR: SIGNED:

COMPANY: PROPOSED: AUDITOR:
REPRESENTATIVE: CLOSE OUT DATE:
CORRECTIVE ACTION TAKEN TO PREVENT RECURRENCE:

SIGNED:
COMPANY REPRESENTATIVE: DATE:
ACCEPTANCE OF CORRECTIVE ACTION/COMMENTS:

SIGNED:
AUDITOR: DATE:
MAJOR MINOR
NOTIFY CLOSE OUT NOTIFY CLOSE OUT
ASSESSMENT: 1 month 2 months 3 months Next Surveillance
SURVEILLANCE/REASSESS: 2 weeks 1 month 3 months Visit

FSSC 22000 V5.1 IA VILT TC P a g e | 167

Learner Guide 08 02 2021
 APPENDICES

APPENDIX 11: EXAMPLE OF AN INTERNAL AUDIT REPORT

PRO-FORMA
INTERNAL AUDIT REPORT

AUDITOR'S NAME AUDIT REPORT

NUMBER

PREVIOUS
FUNCTION/
AUDIT DATE
PROCESS AUDITED
AND RESULTS

DEPARTMENTAL
DATE OF AUDIT
REPRESENTATIVE

AUDIT SUMMARY:

SIGNED
DATE
(AUDITOR)

SIGNED
DATE
(DEPT. REPRESENTATIVE)

FSSC 22000 V5.1 IA VILT TC P a g e | 168

Learner Guide 08 02 2021
 APPENDICES

APPENDIX 12: CHAIN CATEGORIES (AS PER ISO/TS 22003:2013)

Clustera Category Sub-category Examples of Included Activities
Raising animals (other than fish and seafood) used for meat
Farming of
production, egg production, milk production or honey production.
Animals for Meat /
AI Growing, keeping, trapping and hunting (slaughtering at point of
Milk / Eggs /
hunting)
A Farming of Animals Honey
Associated farm packing and storage
Raising fish and seafood used for meat production
Farming of Fish
AII Growing, trapping and fishing (slaughtering at point of capture)
Farming and Seafood
Associated farm packing and storage
Growing or harvesting of plants (other than grains and pulses);
Farming of Plants
horticultural products (fruits, vegetables, spices, mushrooms etc.)
BI (other than Grains
and hydrophytes for food
B Farming of Plants and Pulses)
Associated farm packing and storage
Farming of Grains Growing or harvesting of grains and pulses for food
BII
and Pulses Associated farm packing and storage
Processing of Production of animal products including fish and seafood, meat,
CI perishable animal eggs, dairy and fish products
products
Processing of Production of plant products including fruits and fresh juices,
CII perishable plant vegetables, grains, nuts and pulses
products
C Food Manufacturing Processing of Production of mixed animal and plant products including pizza,
perishable animal lasagne, sandwich, dumpling, ready-to-eat meals
CIII
and plant products
Food and feed
(mixed products)
processing
Processing of Production of food products from any source that are stored and sold
CIV ambient stable at ambient temperature, including canned foods, biscuits, snacks, oil,
products drinking water, beverages, pasta, flour, sugar, food-grade salt
Production of Production of feed from a single or mixed food source, intended for
DI
Feed food-producing animals
Animal Feed Production of Pet Production of feed from a single or mixed food source, intended for
D DIIa
Production Food non-food producing animals (only for dogs and cats).
Production of Pet Production of feed from a single or mixed food source, intended for
DIIb
Food non-food producing animals (for other pets)
E E Catering
Activities in restaurants, hotels, workplace cafeterias, handling foods
Catering E Catering
EI EI at remote sites, transport and delivery directly to consumers.
Activities for coffee shops, food trucks and event catering.
Provision of finished food products to a customer (retail outlets,
FI Retail / Wholesale
shops, wholesalers)
F Distribution Buying and selling food products on its own account or as an agent
Food Broking /
FII for others
Trading
Associated packaging
Provision of Storage facilities and distribution vehicles for the storage and
Transport and transport of perishable food and feed
Retail, transport
GI Storage Services Associated packaging
and storage
for Perishable
Provision of
Food and Feed
G Transport and
Provision of Storage facilities and distribution vehicles for the storage and
Storage Services
Transport and transport of ambient stable food and feed
GII Storage Services Associated packaging
for Ambient Stable
Food and Feed
Provision of services related to the safe production of food, including
H Services
water supply, pest control, cleaning services, waste disposal
All manufacturing activities for plastic, carton, paper, metal, glass,
Production of Food Packaging and Packaging
Auxiliary services I wood and other materials to be used as packaging materials in the
Material
food/feed industry.
Production and development of food processing equipment and
J Equipment Manufacturing
vending machines
Mixing, cooking, packing, distilling, drying, canning, sterilization for
all products at ambient, chilled and frozen temperatures. Production
Biochemical K Production of (Bio) Chemicals of food and feed additives, vitamins, minerals, bio-cultures,
flavourings, enzymes and processing aids
Pesticides, drugs, fertilizers, cleaning agents
a Clusters are intended to be used for accreditation scope of
accredited certification bodies, and for accreditation bodies
witnessing certification bodies.
b “Farm packing” means packaging without product modification and
processing.
c “Associated packaging” means packaging without product
modification and processing and without altering the primary
packaging.

FSSC 22000 V5.1 IA VILT TC P a g e | 169

Learner Guide 08 02 2021
 APPENDICES

APPENDIX 13: FSSC 22000 MAINTAINED AND RETAINED

DOCUMENTED INFORMATION
ISO 22000:2018 MAINTAINED

 4.3 scope of the FSMS system.

 5.2 FSMS policy.

 6.2 Food Safety objectives.

 8.2 PRP.

 8.4 Emergency preparedness and response.

 8.5 Preliminary information for Hazard analysis - 8.5 Raw materials & End product
characteristics, intended us, flow diagrams.

 8.5 Hazard analysis & hazard assessment & control measures & validation of control
measures & Hazard Control Plan & determination of CCPS’s, critical limits and OPRPs
& action criteria.

 8.7 Assessment & resulting actions if monitoring & measuring equipment is found not
to be accurate.

 8.9.2 Corrections, 8.9.3 Corrective actions.

 8.9 Product Withdrawal/Recall.

 9.2 Internal audit programme.

ISO 22000:2018 RETAINED

 6.2 Objectives.

 7.1.2 Contracts / agreements with external experts.

 7.1.5. Externally developed elements of the FSMS.

 7.1.6 Externally provided products or service activities & actions.

 7.2 Evidence of competency.

 7.4 External communication.

 8.3 Traceability.
FSSC 22000 V5.1 IA VILT TC P a g e | 170
Learner Guide 08 02 2021
 APPENDICES

ISO 22000:2018 RETAINED, CONTINUED

 8.5.1.5.2 Verified flow diagrams.

 8.5.4.5 Implementation of Hazard control plan.

 8.7 Monitoring and measurement – calibrating of devices.

 8.8 Verification of – PRP’s, CCPs & OPRPs.

 8.9 Corrections, corrective actions.

 8.9.4 Potentially unsafe products, evaluation, disposition, recall/withdrawal.

 9.1 Monitoring & analysis is evaluation.

 9.2 Internal audits.

 9.3 Management review.

 10.1 Nonconformity & corrective action.

 10.3 Updating.

DOCUMENTED INFORMATION FOR ISO/TS 22002-1

PROCEDURES / DOCUMENTS OR DOCUMENTED INFORMATION

 TS 8.6 - Preventive maintenance procedure for release of equipment back to

production.

 TS 9 – Control of nonconforming materials.

 TS 8.5 – Documented cleaning programmes.

 TS 9.3 – Method of verification to be documented.

 TS 12 - Pest management programme shall be documented.

 TS 13 – Personal hygiene rules.

 TS 13.5 – Health status – medical screening unless documented hazard or medical

assessment indicates otherwise.
 TS 13.8 – Personal behaviour – Documented policy.
 TS 14.2 0 - Rework - Segregation requirements for rework (e.g. allergen) shall be
documented and met.

FSSC 22000 V5.1 IA VILT TC P a g e | 171

Learner Guide 08 02 2021
 APPENDICES

RECORDED / RECORDS / LISTS:

 TS 14.2 - The rework classification or the reason for rework designation shall be
recorded (e.g. product name, production date, shift, line of origin, shelf-life).

 TS 16.3 - Control of temperature and humidity shall be applied and recorded where
required by the organization.

 TS 7.3 – Waste - Removal and destruction shall be carried out by approved disposal
contractors. The organization shall retain records of destruction.

 TS 9.3 – Incoming goods - Delivery vehicles shall be checked prior to, and during,
unloading to verify that the quality and safety of the material has been maintained
during transit (e.g. seals are intact, free from infestation, temperature records exist).

 TS 10.4 - Glass breakage records shall be maintained.

 TS 12.6 - Pest control - Records of pesticide use shall be maintained to show the type,
quantity and concentrations used; where, when and how applied, and the target pest.

 TS 14 – Rework - Rework shall be clearly identified and/or labelled to allow

traceability. Traceability records for rework shall be maintained.

 TS 12 – Pest control - Programmes shall include a list of chemicals which are

approved for use in specified areas of the establishment.

 TS 15.2 Recall - A list of key contacts in the event of a recall shall be maintained.

FSSC 22000 V5.1 IA VILT TC P a g e | 172

Learner Guide 08 02 2021
 APPENDICES

DOCUMENTED INFORMATION FOR FSSC 22000 V5.1

 2.5.3.1 Threat Assessment – documented procedure in place to conduct a threat

assessment to identify and assess potential threats and to develop and implement
mitigation measures for significant threats.

 2.5.3.2 Food defence plan – documented plan specifying the mitigation measures
covering processes and products within the scope of the FSMS.

 2.5.4.1 Vulnerability Assessment – documented procedure in place to conduct a food

fraud vulnerability assessment to identify and assess potential vulnerabilities and to
develop and implement mitigation measures for significant vulnerabilities.

 2.5.4.2 Food fraud mitigation plan – documented plan specifying the mitigation
measures covering processes and products within the scope of the FSMS.

 2.5.6 Allergen management plan – documented plan which includes risk assessments
covering all potential sources of allergen cross-contamination and control measures to
reduce or eliminate the risk of cross contamination.

 2.5.7 Environmental monitoring procedure – documented procedure for the evaluation

of the effectiveness of all controls on preventing contamination from the manufacturing
environment including a minimum, the evaluation of microbiological and allergen
controls present. Also including data of the monitoring activities including regular trend
analysis.

 2.5.8 Formulation of products procedure – documented procedure to manage the use

of ingredients that contain nutrients that can have adverse animal health impact

 2.5.10 Storage and warehousing procedure – documented procedure to manage the

specified stock rotation system that includes FEFO principles in conjunction with FIFO
requirements.

 2.5.13 Product development procedure – documented procedure to manage changes

to product or manufacturing processes to ensure safe and legal products are
produced.

 2.5.1.4 Health Status procedure – documented procedure to ensure health of

personnel does not have an adverse effect on the feed production operations.

FSSC 22000 V5.1 IA VILT TC P a g e | 173

Learner Guide 08 02 2021
 APPENDICES

DOCUMENTED INFORMATION FOR FSSC 22000 V5.1, CONTINUED

 2.5.1.5.2 – Requirements of organisations with multi-site certification. Internal Audit

procedure – documented internal audit procedure and program established by the
central function covering the management systems and all sites.

 2.5.1.5.2 – Internal audit reports – to be kept as evidence for technical review by the
central function

FSSC 22000 V5.1 IA VILT TC P a g e | 174

Learner Guide 08 02 2021
 APPENDICES

APPENDIX 14: FLOWCHART OF THE ON-SITE AUDIT PROCESS

Sources of information
Gathering and selecting
(document review, interviews,
observations) by appropriate

Information

Verifying

Audit evidence

Evaluating against audit criteria

Audit findings

Reviewing

Audit conclusions

FSSC 22000 V5.1 IA VILT TC P a g e | 175

Learner Guide 08 02 2021
 CONTACT SGS ACADEMY
Contact us today to find out how the SGS Academy can help
fulfil your training requirements.

www.sgs.com www.facebook.com/SGS/ www.sgs.com/twitter www.sgs.com/linkedin training@sgs.com

WWW.SGS.COM