เอกสารประกอบการอบรม

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 6 FSSC 22000 v6 Internal Auditor Training Course Copyright © 2023 BSI. All rights reserved. 6 Copyright © 2023 BSI. All rights reserved. 6 Course aim To provide guidance and practical experience in planning, executing, reporting and audit follow-up of an internal audit, when monitoring the effectiveness and conformity of an FSMS based on FSSC 22000

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 7 FSSC 22000 v6 Internal Auditor Training Course Learning objectives describe in outline what you will know, and be able to do, by the end of the course. On completion delegates will gain the displayed knowledge and skills. You will have the knowledge to: • Explain the guidelines of management system auditing according to ISO 19011 • Determine the application of ISO 19011 guidelines to auditing FSSC 22000 You will have the skills to: • Initiate the audit • Prepare audit activities • Conduct audit activities • Prepare and distribute the audit report • Complete the audit • Audit follow up Copyright © 2023 BSI. All rights reserved. 7 Copyright © 2023 BSI. All rights reserved. 7 Learning objectives Knowledge Explain the guidelines of management system auditing according to ISO 190011 Determine the application of ISO 19011 guidelines to auditing FSSC 22000 Skills Initiate the audit Prepare audit activities Conduct audit activities Prepare and distribute the audit report Complete the audit Audit follow up

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 8 FSSC 22000 v6 Internal Auditor Training Course Copyright © 2023 BSI. All rights reserved. 8 PRPs Sector specific pre-requisite programs (ISO/TS standards/BSI PAS) ISO 22000 ISO 22000 provided a common framework across the entire supply chain to manage requirements, communication internally and externally, and continually improve the system Quick reminder: FSSC 22000 setup FSSC 22000 requirements FSSC 22000 adds specific requirements to ensure consistency, integrity, and to provide governance and management of the Scheme The FSSC 22000 Scheme has 3 required components supported by the BOS Decision List : The FSSC 22000 Scheme consists of three components: • ISO 22000:2018 • Sector specific PRPs • Additional requirements • Board of Stakeholders (BoS) decision list providing updates to the Scheme that overrule or provide further clarification on the existing Scheme rules and are required to be implemented and applied until they are adopted in a new version of the Scheme. The BoS decision list is updated by the Board of Stakeholders as required There is an option to also include a full ISO 9001:2015 audit under the FSSC 22000-Quality Scheme. The ISO 22000:2018 Standard provides the basic framework throughout the food chain. The sector specific PRP documents define the scope of the scheme as to be implemented by organizations. The FSSC 22000 extra requirements turn it into a certification scheme that meets the requirements of GFSI Benchmarking. These requirements are: 1) Management of services and purchased materials 2) Product labelling 3) Food defense 4) Food fraud mitigation 5) Logo use 6) Management of allergens (food chain categories C, E, FI, G, I and K) 7) Environmental monitoring (food chain categories C, I and K) 8) Formulation of products (food chain category D) 9) Transport and delivery (food chain category FI) 10) Storage and warehousing (all food chain categories) 11) Hazard control and measures to prevent cross-contamination (food chain categories C and I)

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 9 FSSC 22000 v6 Internal Auditor Training Course 12) PRP verification (food chain categories C, D, G, I and K) 13) Product development (food chain categories C, D, E, F, I and K) 14) Health status (food chain category D) 15) Requirements for organizations with multi-site certification (food chain categories A, E, FI and G) NOTE: at the time of publishing and delivery, this course content was current however due to the evolutionary nature of the FSSC 22000 scheme, it is critical to observe all updates published by FSSC here https://www.fssc22000.com/scheme/scheme-documents-version-5-1/

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 10 FSSC 22000 v6 Internal Auditor Training Course Copyright © 2023 BSI. All rights reserved. 10 Copyright © 2023 BSI. All rights reserved. 10 Quick reminder: FSSC 22000 v6 documents Prerequisite programmes on food safety Part 6: Feed and animal production BSI Standards Publication Prerequisite programmes on food safety Part 4: Food packaging manufacturing BSI Standards Publication Prerequisite programmes on food safety Part 2: Catering BSI Standards Publication Prerequisite programmes on food safety Part 1: Food manufacturing BSI Standards Publication Food safety management systems – Guidance on the application of ISO 22000 BSI Standards Publication FSSC 22000 v6 Certification is possible for sectors where a PRP document is published Quick reminder: FSSC 22000 v6 documents

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 11 FSSC 22000 v6 Internal Auditor Training Course This course is aimed at personnel who already have an understanding of FSSC 22000; as the requirements of this standard are not specifically taught on this internal auditor’s course. However, your tutor will now provide a platform for the refresh of some of this knowledge through a quiz and the following slide. Duration: 20 minutes activity Directions: The tutor will ask a ‘True or False’ question. Answer true or false by selecting a green card if you think the answer is true, or selecting the red card if you think it is false. If you are not sure, you have only one ’spare life’ card; after you have used it you must answer the next question(s), as it cannot be used twice. The tutor will then reveal the answer. Copyright © 2023 BSI. All rights reserved. 11 Copyright © 2023 BSI. All rights reserved. 11 Refresh quiz The tutor will ask a ‘True or False’ question. Answer true or false by selecting a green card if you think the answer is true, or selecting a red card if you think it is false 20 If you are not you are not sure, you have only one ’spare life’ card; after you have used it you must answer the next question(s), as it cannot be used twice The tutor will then reveal the answer

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 12 FSSC 22000 v6 Internal Auditor Training Course PDCA • FSSC 22000, through the ISO 22000 standard employs the process approach which incorporates the Plan‐Do‐Check‐Act (PDCA) cycle and risk‐based thinking • This process approach enables an organization to plan its processes and their interactions • The PDCA cycle enables an organization to ensure that its processes are adequately resourced and managed, and that opportunities for improvement are determined and acted on As illustrated on the slide, the process approach embraces two PDCA cycles: • One cycle covers the overall frame of the FSMS (ISO 22000 Clause 4 to Clause 7 and Clause 9 to Clause 10) • The other cycle covers the operational processes within the food safety system as described in ISO 22000 Clause 8 This means that communication between the two cycles is essential. Copyright © 2023 BSI. All rights reserved. 12 Copyright © 2022 BSI. All rights reserved. Organizational planning and control PLAN (FSMS) 4. Context of the organization 5. Leadership 6. Planning 7. Support (including control of externally provided processes, products or services) DO (FSMS) 8. Operation CHECK (FSMS) 9. Performance and evaluation ACT (FSMS) 10. Improvement Updating of preliminary information and documents specifying the PRPs and hazard control plan ACT (food safety) Verification activities CHECK (food safety) Analysis of results of verification activities DO (food safety) Control of products and process nonconformities Control of monitoring and measuring Implementation of the PLAN (food safety) PRPs Traceability system Emergency preparedness and response Validation of control measures Hazard analysis Hazard control plan (HACCP/ORP Plan) Verification planning Operational planning and control PLAN (food safety) The double PDCA cycle

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 13 FSSC 22000 v6 Internal Auditor Training Course FSSC 22000, within ISO 22000, Clause 9.2.1 states that the organization shall conduct internal audits at planned intervals to provide information on whether the food safety management system: a) Conforms to: 1. The organization’s own requirements for its food safety management system 2. The requirements of this document (ISO 22000) b) Is effectively implemented and maintained The keyword here is shall. It means it is a requirement, and not a guideline or a suggestion. An ‘audit programme’ will be formally defined in the terms and definitions activity coming up. As the PRP requirements and extra requirements added by FSSC 22000 link in to the ISO 22000 standard and/or require them to be incorporated into the FSMS, the whole of the FSSC 22000 requirements need to be part of the internal audit programme. Copyright © 2023 BSI. All rights reserved. 13 Requirement for internal audits ISO 22000: 2018: Clause 9.2.1 Internal audit to provide information on whether FSMS: • Conforms to organization’s FSMS requirements • Conforms to FSSC 22000 requirements • Is effectively implemented and maintained

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 14 FSSC 22000 v6 Internal Auditor Training Course As an auditor, it is very important that you are aware of the intended outcome(s)/result(s) of the particular management system you are auditing against. For FSSC 22000, the potential intended outcome(s)/result(s) are to enable organizations to: a) Have the ability to consistently provide safe foods and relevant products and services that meet customer and applicable statutory and regulatory requirements b) Address risks associated with its objectives c) Have the ability to demonstrate conformity to specified food safety management system requirements Copyright © 2023 BSI. All rights reserved. 14 Consistently provide safe foods and relevant products and services that meet customer and applicable statutory and regulatory requirements Address risks associated with its objectives Demonstrate conformity to specified FSMS requirements Intended outcome(s)/result(s): FSSC 22000?

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 15 FSSC 22000 v6 Internal Auditor Training Course Copyright © 2023 BSI. All rights reserved. 15 ISO 19011 guidelines and application to auditing FSSC 22000

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 16 FSSC 22000 v6 Internal Auditor Training Course This International Standard provides guidance on auditing management systems, including the principles of auditing, managing an audit programme and conducting management system audits; as well as guidance on the evaluation of competence of individuals involved in the audit process (including the person managing the audit programme, auditors and audit teams). It is applicable to all organizations that need to conduct internal or external audits of management systems, or manage an audit programme. The application of this International Standard to other types of audits is possible, provided that special consideration is given to the specific competence needed. Your tutor will provide you with a loan copy later. Copyright © 2023 BSI. All rights reserved. 16 ISO 19011 Guidelines for auditing management systems Guidelines for auditing management systems (ISO 19011:2018)

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 17 FSSC 22000 v6 Internal Auditor Training Course Activity 1: Auditing terms and definitions Purpose: Familiarization with the common auditing terms and definitions within ISO 19011. Duration: 15 minutes work 5 minutes class discussion Directions: Match the cards into pairs, one term and one definition. Alternatively select the definition you feel matches the terms in the table provided. Be prepared to brief the rest of the delegates on your answers. Copyright © 2023 BSI. All rights reserved. 17 Activity 1: Auditing terms and definitions 15 Match the cards into pairs, one term and one definition answers Be prepared to brief the rest of the delegates on your answers

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 18 FSSC 22000 v6 Internal Auditor Training Course Terms Definitions 1 Audit criteria 2 Audit evidence 3 Audit findings 4 Auditee 5 Auditor 6 Nonconformity 7 Audit team 8 Audit programme 9 Audit plan 10 Audit scope 11 Technical expert 12 Audit

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 19 FSSC 22000 v6 Internal Auditor Training Course What is an audit? Systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. (Clause 3.1, ISO 19011) We are now going to explore each area underlined. Copyright © 2023 BSI. All rights reserved. 19 Definition of an audit How would you define a management system audit?

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 20 FSSC 22000 v6 Internal Auditor Training Course Systematic: • An audit is based around the acronym PERC: Plan, execute, report, close out • Each of these areas will be covered in this order during the course • It acts like a process; one leads into the next • This also links to PDCA; continual improvement • The audit is not complete or effective unless these four activities have been completed Another acronym that can be used is PETEC: Plan, establish, test, evaluate and conclude (see your References section). Your tutor will explain these terms. Copyright © 2023 BSI. All rights reserved. 20 PERC Plan Execute Report Close-out

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 21 FSSC 22000 v6 Internal Auditor Training Course Independent: • Auditors should be independent of the activity being audited wherever practicable, and should in all cases act in a manner that is free from bias and conflict of interest • For internal audits, auditors should be independent from the operating managers of the function being audited • Auditors should remain objective throughout the audit process to ensure that the audit findings and conclusions are based only on the audit evidence For small organizations, it may not be possible for internal auditors to be fully independent of the activity being audited, but every effort should be made to remove bias and encourage objectivity. Documented (information) – FSSC 22000: • ‘Information required to be controlled and maintained by an organization and the medium on which it is contained’ • Documented information can be in any format and media, and from any defined source. The audit will need documenting Copyright © 2023 BSI. All rights reserved. 21 PERC: Plan, execute, report, close-out Auditors should be independent of the activity being audited wherever practicable, and should in all cases act in a manner that is free from bias and conflict of interest For internal audits, auditors should be independent from the operating managers of the function being audited Auditors should remain objective throughout the audit process to ensure that the audit findings and conclusions are based only on the audit evidence Independent:

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 22 FSSC 22000 v6 Internal Auditor Training Course XYZ Process a b c (Activity) 1 (interacting – inputs/outputs) d e (interrelated - links) 3 2 k g Set of activities f (1 – 7) 4 h 5 i 6 7 n o p DETERMINED OUTPUTS (n – p) OTHER PROCESSES DETERMINED INPUTS (a-c) OTHER PROCESSES Copyright © 2023 BSI. All rights reserved. 22 What is a ‘process’? Process (Set of interrelated or interacting activities that use inputs to deliver an intended result) Input Output Resources (to enable transformation to occur) Monitoring and measurement opportunities (before, during, and after the process) Operating criteria (enacted by a control or procedure) A process is a: ‘Set of interrelated or interacting activities that use inputs to deliver an intended result’. The below process contains a set of activities that are interrelated (showing links from/to), interacting (showing inputs/outputs), and the transformation of process inputs into process outputs.

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 23 FSSC 22000 v6 Internal Auditor Training Course In general terms, applicable to all audits against whatever criteria, the auditor gathers objective audit evidence (next slide) which is verifiable, and evaluates it against an audit criteria (following slide). The auditor then makes a decision based on the evaluation, to derive the output (audit findings). The output then feeds into the audit report which we will come to later. Copyright © 2023 BSI. All rights reserved. 23 So, what is the audit process? Audit evidence (Objective evidence) Audit criteria (Requirements) Evaluation Audit findings INPUTS AUDIT ACTIVITY OUTPUTS

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 24 FSSC 22000 v6 Internal Auditor Training Course Objective evidence (ISO 19011): ‘Data supporting the existence or verity of something’. Objective audit evidence is evidence that can be verified normally through sight, sound or documented information. So, how in practice are we going to obtain objective audit evidence? There are three main methods: 1. We can visually see a process being carried out (perhaps also witnessed by a guide, or indeed a photo if permitted) 2. We can be told a ‘statement of fact’ from an interview with a responsible individual from the area that we are auditing 3. We can inspect relevant documented information Copyright © 2023 BSI. All rights reserved. 24 What is objective audit evidence? We can visually see a process being carried out We can be told a ‘statement of fact’ from an interview with a responsible individual from the area that we are auditing We can inspect relevant documentary information

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 25 FSSC 22000 v6 Internal Auditor Training Course Audit criteria (ISO 19011): ‘Set of requirements used as a reference against which objective evidence is compared’. Hopefully the previous slides have made the definition of an audit clear. **Your tutor may ask you questions now, before moving on, to confirm your understanding of this important definition.** Copyright © 2023 BSI. All rights reserved. 25 What is an ‘audit criteria’? FSSC 22000 • ISO 22000 • ISO/TS 22002-x or other PRP document • FSSC 22000 requirements FS documented information Applicable statutory and regulatory requirements Codes of practice/guidelines Corporate policies/requirements

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 26 FSSC 22000 v6 Internal Auditor Training Course Activity 2: Principles of auditing Purpose: Introduce the principles of auditing, as documented in ISO 19011 – Guidelines for auditing management systems. Duration: 10 minutes work 5 minutes classroom discussion Directions: Review the principles of auditing on the next page and note which expansion belongs with which principle. Copyright © 2023 BSI. All rights reserved. 26 Principle Expansion Integrity Fair presentation Due professional care Confidentiality Independence Evidence-based approach Risk-based approach Activity 2: Principles of auditing 10 Review the principles of auditing on the next page and note which expansion belongs with which principle

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 27 FSSC 22000 v6 Internal Auditor Training Course • Security of information • Rational method for reaching reliable and reproducible audit conclusions in a systematic audit process • Obligation to report truthfully and accurately • An audit approach that considers risks and opportunities • Basis for the impartiality of the audit and objectivity of the audit conclusions • Foundation of professionalism • Application of diligence and judgement in auditing Principle Expansion Integrity Fair presentation Due professional care Confidentiality Independence Evidence-based approach Risk-based approach

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 28 FSSC 22000 v6 Internal Auditor Training Course Your tutor will now direct the class to ISO 19011:2018 Clause 6 (Conducting an audit), and provide an overview of the above sub-clauses with you. ‘6.1 General This clause contains guidance on preparing and conducting a specific audit as part of an audit programme… The extent to which the provisions of this clause are applicable depends on the objectives and scope of the specific audit.’ Therefore, please note, all these activities may not be required for an internal audit. These activities will be explored further (as applicable to an internal audit), in the forthcoming slides, but first an introduction into what an audit programme is. Copyright © 2023 BSI. All rights reserved. 28 6.6 Completing audit 6.7 Conducting audit follow-up 6.3.1 Performing document review in preparation for the audit 6.3.2 Preparins ISO 19011:2018 Clause 6: Conducting an audit 6.5 Preparing and distributing audit report 6.5.1 Preparing audit report 6.5.2 Distributing audit report 6.4 Conducting audit activities 6.4.1 General (sequence may be varied) 6.4.2 Assigning roles and responsibilities of guides and observers 6.4.3 Conducting opening meeting 6.4.4 Communicating during audit 6.4.5 Audit information availability and access 6.4.6 Reviewing documented information while conducting audit 6.4.7 Collecting and verifying information 6.4.8 Generating audit findings 6.4.9 Determining audit conclusions 6.4.9.1 Preparation for closing meeting 6.4.9.2 Content of audit conclusions 6.4.10 Conducting closing meeting 6.3 Preparing audit activities 6.3.1 Performing review of documented information 6.3.2 Audit planning 6.3.2.1 Risk-based approach to planning 6.3.2.2 Audit planning details 6.3.3 Assigning work to audit team 6.3.4 Preparing documented information for audit 6.2 Initiating audit 6.2.1 General (audit Team Leader responsibility) 6.2.2 Establishing contact with auditee 6.2.3 Determining feasibility of audit

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 29 FSSC 22000 v6 Internal Auditor Training Course Each audit will need to be scheduled according to an audit programme. The definition of an audit programme (from Activity 1) was: ‘Arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose.’ (As described in ISO 19011) An internal audit tends to be just one item on the audit programme, which itself will cover the complete management system scope. Auditing a management system is auditing an organization’s processes and their interactions in relation to one or more management system standard(s). Within your organization, there should be a person managing your audit programme (this could be you). This person will identify the resources needed (including the auditor assigned) for each audit. They will inform you of the specific objective, scope and criteria for your audit, and provide the resources necessary to accomplish the audit objective. Copyright © 2023 BSI. All rights reserved. 29 Audit programme Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec General office
Accounts

Stores
Production





Inspection
HR

Maintenance
Training



Transport

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 30 FSSC 22000 v6 Internal Auditor Training Course Activity 3: Internal audit programme Purpose: Define the yearly internal audit programme. Duration: 30 minutes work 15 minutes classroom discussion Directions: As directed by the tutor, discuss how you would plan the internal audits at your site to ensure all parts of your FSMS are audited at least yearly and at an appropriate frequency. Which parts would you audit more than once and why? Also consider what would form the basis to review the plan every year. Copyright © 2023 BSI. All rights reserved. 30 Activity 3: Internal audit programme 30 As directed by the tutor, discuss how you would plan the internal audits at your site to ensure all parts of your FSMS are audited at least yearly and at an appropriate frequency Which parts would you audit more than once and why? Also consider what would form the basis to review the plan every year.

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 31 FSSC 22000 v6 Internal Auditor Training Course Three aspects will need deciding by the person managing the audit programme. The first aspect is the objective of every single audit: Is it to assess an organization for its degree of conformance to the FSMS standard; is it to determine where the greatest problems lie; is it to determine the organization’s ability to control its FS risks; or is it to follow-up on nonconformities reported at a previous audit? The audit objectives define what is to be accomplished by the audit and may include the following (from ISO 19011): • Determination of the extent of conformity of the management system to be audited, or parts of it, with audit criteria • Evaluation of the capability of the management system to assist the organization in meeting relevant statutory and regulatory requirements and other requirements to which the organization is committed • Evaluation of the effectiveness of the management system in meeting its intended results • Identification of opportunities for potential improvement of the management system • Evaluation of the suitability and adequacy of the management system with respect to the context and strategic direction of the auditee • Evaluation of the capability of the management system to establish and achieve objectives and effectively address risks and opportunities, in a changing context, including the implementation of the related actions Don’t forget the audit objectives already covered in ISO 22000 Clause 9.2.1. The second aspect is the scope, which relates to the ‘extent and boundaries’ of an audit. The audit scope generally includes a description of the physical locations, organizational units, activities and processes, as well as the time period covered. The third aspect is the audit criteria, as just discussed. Copyright © 2023 BSI. All rights reserved. 31 Audit objective, scope, and criteria 3 aspects will need deciding by the person managing the audit programme

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 32 FSSC 22000 v6 Internal Auditor Training Course Activity 4: Auditor responsibilities Purpose: Introduce the typical responsibilities for internal auditors. Duration: 20 minutes work 10 minutes classroom discussion Directions: Review and record in your notebooks what you believe would be typical responsibilities as an internal auditor in your organization. Be prepared to brief the rest of the class on your answers. Copyright © 2023 BSI. All rights reserved. 32 Activity 4: Auditor responsibilities 20 Review and record in your notebooks what you believe would be typical responsibilities as an internal auditor in your organization Be prepared to brief the rest of the class on your answers

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 33 FSSC 22000 v6 Internal Auditor Training Course Copyright © 2023 BSI. All rights reserved. 33 Initiating and preparing audit activities

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 34 FSSC 22000 v6 Internal Auditor Training Course With the audit objective, scope, criteria, dates and contacts provided, the auditor can start to initiate the audit, as detailed in Figure 1, 19011. This will involve establishing initial contact with the auditee and determining if the audit is feasible e.g. is the auditee(s) happy with the arrangements, including who the auditor is (objectivity for example), times, dates, places, scope, criteria, duration, etc. Please see 6.2.2 and 6.2.3 (ISO 19011) for further details. Assuming the audit is feasible the auditor can start to prepare. If the audit is deemed not to be feasible by the auditor e.g. auditees are not available, processes cannot be evidenced, lack of time/cooperation etc., this then needs to be reported back to the audit programme manager immediately to resolve. Copyright © 2023 BSI. All rights reserved. 34 Initiating the audit Determine the feasibility Establish initial contact

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 35 FSSC 22000 v6 Internal Auditor Training Course Assuming the audit is feasible the auditor can start performing a document review, in preparation for the audit. This will involve gathering information to prepare applicable work documents (checklists etc.) and establishing an overview of documentation to detect possible gaps. Clearly, the extent of the review will depend upon the familiarity, size, nature, and complexity of the FSMS including the audit objective and scope. This activity can also give an indication of the effectiveness of the document control processes within the FSMS. Copyright © 2023 BSI. All rights reserved. 35 Document review in preparation for the audit Assuming the audit is feasible the auditor can start performing a document review, in preparation for the audit

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 36 FSSC 22000 v6 Internal Auditor Training Course Typical areas to consider during the document review will include: • Whether the information is complete, correct, consistent and current • Reviewing all relevant sources of information • Familiarization with the relevant parts of the FSMS, processes/instructions and areas to be audited • Priorities: What is important to management? • Incidents: Process controls, nonconformities; details may be found in corrective actions, logs etc. documented information • Previous audits: To review previous corrective action and follow-up required • If any changes have arisen to work activities and controls • Optional preliminary visit: Sometimes useful for auditors to familiarize themselves with an area, and to deal with any practical concerns e.g. need for protective clothing, arrangements for access, etc. Copyright © 2023 BSI. All rights reserved. 36 Areas to consider during the document review Whether the information is complete, correct, consistent and current Reviewing all relevant sources of information Familiarization with the relevant parts of the FSMS, processes/instructions and areas to be audited Priorities: What is important to management? Incidents: Process controls, nonconformities; details may be found in corrective actions, logs etc. Previous audits: To review previous corrective action and follow-up required If any changes have arisen to work activities and controls Optional preliminary visit: Sometimes useful for auditors to familiarize themselves with an area, and to deal with any practical concerns

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 37 FSSC 22000 v6 Internal Auditor Training Course When preparing for audit activities, the auditor should be aware of appropriate sampling techniques, (see Annex A.6 of 19011). Audit sampling takes place when it is not practical or cost effective to examine all available information during an audit, e.g. documented information is too numerous, or too dispersed geographically, to justify the examination of every item in the population. Audit sampling of a large population is the process of selecting less than 100% of the items within the total available data set (population); to obtain and evaluate evidence about some characteristic of that population, in order to form a conclusion concerning the population. The objective of audit sampling is to provide information for the auditor to have confidence that the audit objectives can, or will be achieved. The risk associated with sampling is that the samples may be not representative of the population from which they are selected, and thus the auditor’s conclusion may be biased and be different to that which would be reached if the whole population was examined. There may be other risks depending on the variability within the population to be sampled, and the method chosen. Sampling will be revisited later (conducting the audit activities). Copyright © 2023 BSI. All rights reserved. 37 Audit sampling Techniques? Sampling from activities? Audit locations? Sample size?

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 38 FSSC 22000 v6 Internal Auditor Training Course Multi-site certfication is only applicable to organizations in the following FSSC 22000 categories: • E - Catering • F - Retail and wholesale • G - Transport and storage Multi-site certification has specified requirements for the central office and internal audits, in addition to ISO 22000:2018, clause 9.2. These requirements are in place to ensure a robust internal audit programme to cover the central function (e.g. head office) and the individual sites. All sites in the organization need to be audited at least annually or more frequently, based on risk assessment, complexity and the size of the multi-site organization. The central function, or head office, is required to ensure that sufficient resources are available to support the internal audit program including clearly defined roles, responsibilities and requirements for management, internal auditors, technical personnel reviewing internal audits and other key personnel involved in the FSMS. Internal auditors need to be assigned by the central function or head office to ensure that auditors are impartial at the site level and do not audit their own work. A new requirement of FSSCv6 is that the effectiveness of the corrective actions taken to address non conformities raised through internal audits needs to be demonstrated. Copyright © 2023 BSI. All rights reserved. 38 Internal audit program for organizations with FSSC 22000 multi-site certification Internal auditors: • Impartial and independent of the function or site they audit • Specified work experience, education and training requirements • Subject to annual performance monitoring and calibration Internal audit programme: • Established by central function or head office • Covers management systems, central function and all sites • Annual audits of management system, centralized function and all sites or more frequently based on risk assessment • Internal audit reports have technical review by the central function • Effectiveness of corrective action to be demonstrated

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 39 FSSC 22000 v6 Internal Auditor Training Course An audit plan (‘description of the activities and arrangements for an audit’ - Taken from ISO 19011 Clause 3.6) based on the information from the document review, and initiating the audit, should now be prepared by the auditor. This should facilitate the effective scheduling and coordination of the audit activities, so as to achieve the audit objectives. However, the scale/complexity and amount of detail in the audit plan should reflect the complexity and scope of the audit (and between initial and subsequent audits). An audit plan should include (or reference) as appropriate: a) Audit objectives b) Audit scope c) Audit criteria and any reference documents d) Locations and activities to be audited, audit duration and date e) Audit methods to be used f) Roles and responsibilities g) Allocation of appropriate resources h) Follow-up actions from previous audits Copyright © 2023 BSI. All rights reserved. 39 Preparing the audit plan a) Audit objectives c) Audit criteria and any reference documents d) Locations and activities to be audited, audit duration and date e) Audit methods to be used f) Roles and responsibilities b) Audit scope g) Allocation of appropriate resources h) Follow-up actions from previous audits

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 40 FSSC 22000 v6 Internal Auditor Training Course No matter how simple or complex an audit is, there should be some form of plan. Plans help the auditor manage the audit, but they should also be communicated to the auditee so that they can prepare and plan themselves for the audit. Flexibility should be built into the audit plan to permit changes which may become necessary as the audit progresses. The essence of a plan includes: Time for opening and closing meetings, a site/area tour, coverage of the audit criteria, interviews, observations and reviewing documented information with the manager, and those performing tasks within the activities, timescales for each discussion, and possibly time for report writing. It is always recommended that the audit plan is offered for review to the auditee’s management. Any objections should be resolved prior to audit commencement. Auditing a management system is auditing an organization’s processes and their interactions in relation to one or more management system standard(s). Audit planning should address or reference the organization’s processes to be audited. Please note: The auditor should take a risk-based approach to planning, based on the audit programme and the documented information provided. The auditor should also consider opportunities to improve the effectiveness and efficiency of the audit activities, and the risks to achieving the audit objectives created by ineffective audit planning. Please turn over for an enlarged version of the slide audit plan. Copyright © 2023 BSI. All rights reserved. 40 Example: Audit plan Audit plan Audit objective: To assess the effectiveness of the handling of emergencies and incidents process Audit criteria: FSMS Process SOP(8.4.2)/22k Signed by auditor: Accepted by auditee: Form No. 1 – Issue 1/ XX-XX-20XX Scope: Site ‘X’ involving all activities requiring handling of emergencies and incidents, duration 1 day Audit start date / time: XX-XX-XX / 09.30 Auditor: J Bloggs Report write up / time: XX-XX-XX / 14:45 Audit finish date / time: XX-XX-XX / 14.15 – 15.15 Closing meeting / time: XX-XX-XX / 15.15 Audit methods: On-site, human interaction Department representatives: Miss Operations Manager Mr Facilities Manager Mr Plant Maintenance Roles, responsibilities and resources required: See general audit process ‘AP1’ Date Time Auditor Area/Process XX-XX-XX 09.00 J Bloggs Opening meeting (ALL), Follow up actions from previous audit 09.30 Sales process tour (Operations Manager) and FS objectives overview 10.00 Facilities Manager: Determining FS risks and opportunities (6.1.1). Planning actions to address FS risks and opportunities (6.1.2). Actions taken to address FS risks and opportunities (6.1.3). Competence and awareness (7.2 and 7.3) 11.15 Coffee break 11.30 Plan maintenance: Process ‘6d’. Operational planning and controls (8.1). Control of externally provided processes, products of services (7.1.6). Nonconformity and corrective action (10.1). 12.30 Lunch 13.00 Facilities manager: Analysis and Evaluation (9.1.2). Continual improvement (10.2). 14.00 [Flexibility if needed] 14.45 Report write up 15.30 Closing meeting (ALL) and finish

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. AFSSC 22000 v6 Internal Audit plan Page: 1 of 1 Audit objective: To assess the effectiveness of the handling of emergencies and incidents process Audit criteria: FSMS Process SOP(8.4.2)/22k Scope: Site ‘X’ involving all activities requiring handling of emergencies and incidents, duration 1 day J Bloggs XX-XX-XX / 14.15 – 15.15 On-site, human interaction See general audit process ‘AP1’ Auditor: Audit finish date / time: Audit methods: Roles, responsibilities and resources required: XX-XX-XX / 09.30 XX-XX-XX / 14:45 XX-XX-XX / 15.15 Miss Operations Manager Mr Facilities Manager Mr Plant Maintenance Audit start date / time: Report write up / time: Closing meeting / time: Department representatives: Area/Process Opening meeting (ALL), follow up actions from previous audit Auditor J Bloggs Time 09.00 Date XX-XX- XX

All rights reserved. 41 Auditor Training Course Sales process tour (Operations Manager) and FS objectives overview Facilities Manager: Determining FS risks and opportunities (6.1.1). Planning actions to address FS risks and opportunities (6.1.2). Actions taken to address FS risks and opportunities (6.1.3). Competence and awareness (7.2 and 7.3) Coffee break Plan maintenance: Process ‘6d’. Operational planning and controls (8.1). Control of externally provided processes, products of services (7.1.6). Nonconformity and corrective action (10.1). Lunch Facilities Manager: Analysis and evaluation (9.1.2). Continual improvement (10.2). [Flexibility if needed] Report write up Closing meeting (ALL) and finish 09.30 10.00 11.15 11.30 12.30 13.00 14.00 14.45 15.30 XXSigned by auditor: Accepted by auditee: Form No. 1 – Issue 1/ XX-XX-20XX

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 42 FSSC 22000 v6 Internal Auditor Training Course Activity 5: Audit plan Purpose: Prepare for your audit of the Case Study organization and review a proposed audit plan. Duration: 20 minutes review Case Study 10 minutes review audit plan 10 minutes feedback and discussion Directions: Read the Case Study (Pages 1-13 only). Then review the sample audit plan on the following page, and comment on its suitability as a means to achieve: Audit objective: To evaluate the implementation and effectiveness of the internal and external communication, recall process, competence and training. Audit scope: Sales office (Newport, Virginia): Head office, Duration 09.00 – 12.00. Audit criteria: Operational Process Recall Procedure (SOP 8.9.5): Training and awareness Procedure (SOP 7.3) and the relevant clauses from the FSSC 22000 documents (ISO 22000, ISO/TS 22002-1 (or other PRP document), FSSC 22000 v6). Your tutor will then provide feedback on your responses. Copyright © 2023 BSI. All rights reserved. 42 Activity 5: Audit plan 30 Read the Case Study (Pages 1-13 only). Then review the sample audit plan on the following page, and comment on its suitability as a means to achieve audit objective, audit scope and audit criteria Your tutor will then provide feedback on your responses

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. AFSSC 22000 v6 Internal Audit plan (QSR 18 Issue 4) Audit objective – To evaluate the implementation and effectiveness of the internal and external communication, recall process, competence and training Audit criteria – Operational Process Recall Procedure (SOP 8.9.5): Training and Awareness Procedure (SOP7.3) and the relevant clauses from FSSC 22000 Scope: Sales office (Newport Virginia): Head office, Duration 09.00 – 12:00 Stephanie Applebie 03/06/xx 12.00 Auditor: Audit finish date/time: 03/06/xx 09.00 03/06/xx 11:15 – 11:45 03/06/xx 11.45 Sales Director Audit start date/time: Report write up Closing meeting Department representatives: Area/Process Auditor Time Date

All rights reserved. 43 Auditor Training Course Opening meeting (all) Sales office site tour Sales Director – Operational Process Withdrawal / Recall (SOP 8.9.5), (8.9.5) Recall, overview of responsibilities etc. (5.3), recent incidents/improvements relating to audit scope (10) Coffee break Sales Director – Context (4.1), interested parties (4.2) Training and Awareness Procedure (SOP7.3), (7.3) and related objectives (6.2.1/2) Report write up Closing meeting Finish S. Applebie 09.00 09.10 09.25 10.15 10.30 11.15 13.45 12.00 03/xx/xx Signed by Auditor: Stephanie Applebie Accepted by Auditee: William Ross

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 44 FSSC 22000 v6 Internal Auditor Training Course The auditor should prepare work documents for reference and for recording audit evidence. Such work documents may include for example: Checklists, and forms for recording information. Checklist A document that is created during the preparation of audit activities. It is similar to an aidememoire but is more detailed (see examples of an aide-memoire in your References section). It is created using the audit plan, it can essentially be a list of open questions the auditor wishes to ask the auditee, e.g. who, what, where, when, why, how. Its main functions/benefits are to: • Keep the audit objectives clear • Provide evidence of audit planning • Maintain the audit pace and continuity • Reducing workload during the audit • Reduce risk of auditor bias They lose effectiveness when used as purely tick-sheets or questionnaires, and should not restrict the extent of audit activities, which can change as a result of information collected during the audit. Copyright © 2023 BSI. All rights reserved. 44 Preparing work documents Keep the audit objectives clear Provide evidence of audit planning Maintain the audit pace and continuity Reducing workload during the audit Reduce risk of auditor bias

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 45 FSSC 22000 v6 Internal Auditor Training Course Please remember, the auditor should be looking for objective evidence of conformity (not nonconformity); therefore the checklist preparation stage should not lose sight of this…you are not there to catch the auditee out. You will undoubtedly find yourself auditing processes, so please consider the above in your checklists. Copyright © 2023 BSI. All rights reserved. 45 Checklist preparation PROCESS (Specific value-added activities) WITH WHO? Personnel HOW DONE? Methods/ documentation INPUTS? From whom/where WITH WHAT? Resources OUTPUTS? To whom/where WHAT RESULTS? Performance indicators

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 46 FSSC 22000 v6 Internal Auditor Training Course Activity 6: Checklists Purpose: Practice creating checklists for assessing an FSMS process. Duration: 30 minutes work Feedback and discussion will be provided during your audit tomorrow. Directions: Now using the Case Study pages 14 to 21 and the information you learnt from the last activity with the audit plan, start to record some ‘open’ questions you would ask during an interview with the personnel identified, covering the areas in the audit plan. The audit objective, scope and criteria are the same as provided in Activity 4. The audit scope (duration) however will be much shorter (1-2 hours tomorrow). Copyright © 2023 BSI. All rights reserved. 46 Activity 6: Checklists 30 Using the Case Study pages 14 to 21 and the information you learnt from the last activity with the audit plan, start to record some ‘open’ questions (on your flipchart) you would ask during an interview with the personnel identified, covering the areas in the audit plan

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 47 FSSC 22000 v6 Internal Auditor Training Course Copyright © 2023 BSI. All rights reserved. 47 Conducting the audit activities

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 48 FSSC 22000 v6 Internal Auditor Training Course The main purpose of an internal audit opening meeting is to: Confirm the agreement of all parties to the audit plan, and ensure that all planned audit activities can then be performed. Other areas to be covered, as appropriate, might include: • An overview of the audit process, if necessary • Confirmation of the status of the FSMS documentation • Confirmation of the time and date (if necessary) for the closing/interim meetings • Any clarifications needed • Will you need any guides? An opening meeting should be held with the auditee’s management and, where appropriate, those responsible for the functions or processes to be audited. During the meeting, an opportunity to ask questions should be provided. The degree of detail should be consistent with the familiarity of the auditee with the audit process. In many instances the opening meeting may simply consist of communicating that an audit is being conducted, and explaining the nature of the audit. (ISO 19011 6.4.3) Copyright © 2023 BSI. All rights reserved. 48 Conducting the opening meeting The main purpose of an internal audit opening meeting Confirm the agreement of all parties to the audit plan, and ensure that all planned audit activities can then be performed

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 49 FSSC 22000 v6 Internal Auditor Training Course During the audit, the auditor should periodically communicate the progress and any concerns to the auditee. Evidence suggesting an immediate and significant risk should be reported without delay to the auditee. Perhaps the biggest challenge for the auditor is the fact that finding out information depends, amongst other things, on communication skills. Within a very short time of meeting someone, the auditor needs to have developed a degree of rapport with that person to obtain the facts essential to the audit whilst remaining objective. If these facts are indicative of a lack of management control in the area, then the auditor needs to be tactful in the way these findings are presented. General considerations will help ensure a successful interview. Don’t: • Argue • Say you understand when you don't • Ask loaded, leading, trick, vague or close-ended questions • Ask too many questions at once • Criticize individuals • Take obtrusive notes Do: • Give prior notification • Ask the right person • Ensure questions are clear and understood • Give auditee time to answer • Stay impartial • Keep the auditee informed of your concerns and findings, so there are no surprises Copyright © 2023 BSI. All rights reserved. 49 Communication skills Do’s and don’ts

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 50 FSSC 22000 v6 Internal Auditor Training Course Copyright © 2023 BSI. All rights reserved. 50 Interpersonal communication Do: Assume a straight, neutral spine as this shows confidence and makes you appear taller, a trait interpreted positively around the world Don’t: Lean too far forward as this can crowd a person, suggesting aggressiveness or overeagerness Don’t: Lean back in your chair as this can suggest boredom Listening techniques Stop talking, concentrate and look interested. Consider non-verbal communication: • Gestures, posture, mannerisms, body language What are you signaling? • Your appearance? • Your attitude? Things to consider: • Eye contact, facial expression • Relative positions, voice tone Do: • Put the speaker at ease • Show you want to listen • Remove distractions • Keep calm • Stop talking • Give praise when deserved • Be empathetic Don’t: • Be judgmental • Cause interference • Be close minded (attitude) • Have wishful hearing • Talk excessively

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 51 FSSC 22000 v6 Internal Auditor Training Course Activity 7: Personal behaviour Purpose: Increase knowledge of the professional behaviour that makes a good auditor. Duration: 15 minutes work 15 minutes discussion Directions: As directed by the tutor, come up with examples of professional behaviour an individual should exhibit during the performance of an audit (e.g. ethical). Document your findings and prepare to brief the other delegates. Next consider what competences (knowledge and skills) you might possess to be a successful internal auditor. Copyright © 2023 BSI. All rights reserved. 51 Activity 7: Personal behaviour 15 As directed by the tutor, come up with examples of professional behaviour an individual should exhibit during the performance of an audit (e.g. ethical). Document your findings and prepare to brief the other delegates Next consider what competences (knowledge and skills) you might possess to be a successful internal auditor

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 52 FSSC 22000 v6 Internal Auditor Training Course Your tutor will now show you an extract from an internal audit. Please observe and comment on the auditor’s approach. The audit video is intended to be a simple generic audit to cover the audit techniques involved, and is not specific to any management system standard. You will be asked to comment on the approach and techniques employed. Please note: Auditors should apply professional judgement during the audit process and avoid concentrating on the specific requirements of each clause of the standard at the expense of achieving the intended outcome of the management system. Some ISO management system standard clauses do not readily lend themselves to audit in terms of comparison between a set of criteria and the content of a procedure or work instruction. In these situations, auditors should use their professional judgement to determine whether the intent of the clause has been met. Copyright © 2023 BSI. All rights reserved. 52 Internal audit video Your tutor will now show you an extract from an internal audit. Please observe and comment on the auditor’s approach

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 53 FSSC 22000 v6 Internal Auditor Training Course Copyright © 2023 BSI. All rights reserved. 53 FSSC requirements for internal auditors of organizations with multi-site certification Work experience • Minimum 2 years in the food industry plus at least 1 year in the organization Education • Higher education course or 5 years experience in food manufacturing, transport and storage, retailing, inspection or enforcement areas Training • Lead auditor: FSMS, QMS or FSSC 22000 Lead Auditor course (40 hours duration) • Audit team members: Internal Auditor course (16 hours duration) provided by qualified internal lead auditor or external training provider • FSSC scheme training covering ISO22000, relevant ISO/TS PRPs and FSSC Additional Requirements (8 hours) It is a GFSI requirement that internal auditors are able to meet the requirements for education, work experience and training. To be effective, it makes sense that an internal auditor needs knowledge of their organization and its products and process. There is flexibility in the education and training requirements for internal auditors however minimum expectations require an understanding of the audit process and how to perform an audit and report findings. A mentoring programme for internal auditors could be considered by organizations to allow internal auditors to build their audit knowledge and skills under the supervision and support of more experienced auditors. This approach also allows for succession planning of auditors to ensure that the internal audit program is suitably resourced. Remember, these specific requirements are only applicable to organizations with multi-site certification which is applicable to FSSC 22000 categories: • E - Catering • F - Retail and wholesale • G - Transport and storage