เอกสารประกอบการอบรม

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 54 FSSC 22000 v6 Internal Auditor Training Course Copyright © 2023 BSI. All rights reserved. 54 FSSC 22000 v6 Internal Auditor Training Course End of Day 1 Do you have any questions for your tutor at the end of this first day?

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 55 FSSC 22000 v6 Internal Auditor Training Course Copyright © 2023 BSI. All rights reserved. 55 FSSC 22000 v6 Internal Auditor Training Course Day 2 Welcome.

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 56 FSSC 22000 v6 Internal Auditor Training Course Your tutor will now review the contents of day 1, by running a short quiz with you. How to play • The tutor splits the class into two teams • One team starts; the teams take turns to answer questions • The tutor records the scores on a flip chart For each question there are four options: • Teams answer the question immediately • Teams use 50/50 to remove two incorrect answers • Teams use ‘ask an expert’ - the expert will give some guidance on the correct answer • Teams use ‘ask the opposition’ e.g. team one can ask team two for help determining the right answer, but will they tell the truth? Will they return the favour on another question? Copyright © 2023 BSI. All rights reserved. 56 Review of day 1 quiz For each question there are four options: • Teams answer the question immediately • Teams use 50/50 to remove two incorrect answers • Teams use ‘ask an expert’ - the expert will give some guidance on the correct answer • Teams use ‘ask the opposition’ e.g. team one can ask team two for help determining the right answer, but will they tell the truth? Will they return the favour on another question 25 How to play • The tutor splits the class into two teams • One team starts; the teams take turns to answer questions • The tutor records the scores on a flip chart

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 57 FSSC 22000 v6 Internal Auditor Training Course Reviewing documented information while conducting audit The auditees relevant documented information should be reviewed to: • Determine the conformity of the process, as far as documented, with the audit criteria • Gather information to support the audit activities The review may be combined with other audit activities, and may continue throughout the audit. Your tutor will now explain the concept of “random independently selected sampling”. This concept forms the foundation of a sound audit report, and an audit conducted with integrity. Remember, sampling applies to areas/processes as well as documented information and interviews. Samples should be chosen: • By the auditor • Permission sought • Establish and agree the facts • Remain impartial Verifying information Only information relevant to the audit objective, scope and criteria should be collected. Also, only information that is verifiable should be accepted as audit evidence. Audit evidence should be recorded. An audit is not a search for nonconformities, but it is to verify conformity with specified requirements (audit criteria). Copyright © 2023 BSI. All rights reserved. 57 Figure 2 - Overview of a typical process of collecting and verifying information Source of information Collecting by means of appropriate sampling Audit evidence Evaluating against audit criteria Audit findings Reviewing Audit conclusions

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 58 FSSC 22000 v6 Internal Auditor Training Course It is important to take complete notes. They provide objective evidence of what happened. Checklists define samples to be looked at, but notes record samples actually looked at - they may be different. Some notes may not be included in the formal audit report, but are still used as documented information. Notes taken now may be useful later, for instance: Should findings be unclear, or their accuracy challenged. Information must always be clear, retrievable and traceable to origin. The auditor’s work documents should be used to record the audit and provide the basis for later conclusions. Notes should include: • Visual observations • Names of auditees (but not in the audit report) • Information gathered through interviews • Lists of documented information reviewed • Description and results of tests performed, or comparisons made to evaluate conformance/effectiveness with FS requirements Copyright © 2023 BSI. All rights reserved. 58 Recording the facts For investigation now For investigation later Must be legible Must be retrievable

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 59 FSSC 22000 v6 Internal Auditor Training Course All audit evidence needs to be evaluated against the audit criteria provided (typically in the slide above). This may give rise to conformity, or nonconformity with audit criteria. Remember, from Activity 1, a nonconformity is defined as a: ‘Non-fulfillment of a requirement’. It is important to keep reminding yourself during an audit that you are not looking for nonconformance, but conformance against the criteria, and good practices. However you will undoubtedly, at some point in time, discover a nonconformity. If there is any doubt as to whether a nonconformity exists, the auditee should be given the benefit of the doubt, and no nonconformity raised. If in doubt leave it out, but you may consider raising it as a concern. You can call them ‘Opportunities For Improvement (OFI’s)’ or ‘observations’ for this situation. Your tutor will explain these, but you are free to call it whatever you want (see also later in the course on grading of nonconformities). We will revisit formally documenting a nonconformity after your audit (next). However, for the time being please ensure you document the audit evidence and the specific audit criteria you are evaluating it against. The tutor will help you with this by asking you to record these on a flipchart for your group, during your audit next. Copyright © 2023 BSI. All rights reserved. 59 Organizations EMS Generating audit findings Non-fulfilment of a requirement... Compliance obligation Management System Standards

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 60 FSSC 22000 v6 Internal Auditor Training Course Activity 8a: Generating audit findings Purpose: Practice reviewing organizational documents and creating audit lines of investigation and practice generating audit findings, and conduct necessary skills required for effective internal audit activities. Part 1: Document review 30 minutes work 5 minutes discussion Directions: Please review the Case Study documents (page 23 onwards), and add/amend your open questions already created. Normally such documents would have been provided during your audit, through your own samples chosen, but for the sake of this activity we have provided them in the Case Study. Part 2: Generating audit findings 5 mins iread and consider observations 30 mins audit 10 minutes overall summary feedback/reflection to own workplace Directions: Assume you have now completed your brief site tour, and overleaf are your observations. Please now audit the Case Study organization, one group at a time, using your questions generated above, and the site tour observations. Your tutor will invite other groups to critique your audit approach. Copyright © 2023 BSI. All rights reserved. 60 Activity 8a: Generate audit findings 30 Please review the Case Study documents (page 23 onwards), and add/amend your open questions already created Assume you have now completed your brief site tour, and overleaf are your observations Please now audit the Case Study organization, one group at a time, using your questions generated above, and the site tour observations. Your approach will now be critiqued

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 61 FSSC 22000 v6 Internal Auditor Training Course Auditor observations during site tour: Plant area Generally good housekeeping observed, all areas well lit, including stairs, there is an impression that all areas appear to be clean. As you continue to walk around the facility you notice a number of pest bait boxes not secured to the wall and in some cases in the middle of the walkways. Also during the walk you notice two insectocutors not illuminated, you go over to what appears to be both of the devices switches, and discover that one of the switches is in the: ‘ON’, and the other switch is in the: ‘OFF’ position. On the production supervisors desk you notice a printed copy of an email stating: “Dear Stephanie, thank you for your concern and I fully appreciate what you are saying in your emails, and everyone understands and fully appreciates that testing of the recall procedure is important; however you cannot test this procedure at the moment, and must NOT! interrupt the current production runs. Signed Kevin Applebie.” Just as you are about to leave the production plant, you notice a large piece of polythene that has been lifted up against a side wall, in one of the corners of the plant, which was covering a desk. On the desk are a number of bottles, that are unmarked and contain pink, orange and fluorescent green liquids. Around the desk is hazard tape and a: “Quarantine” sign. Underneath the sign it states: “Highly confidential trial for new product in progress, night shift property, and property of S. Applebie, do not touch!” On the desk is what looks like congealed yogurt, there are petri dishes, a recipe for fruit and milk drinks, a copy of the HACCP Programme for “GalaRade, Red Cascade” and food contact surface SSOP (8.2.1). Quality office Whilst walking through the quality office you notice a copy of the management review meeting minutes on the quality assurance directors desk, on the minutes written in red pen within a big circle running over the first page, are the words: “TO DO SOON!” Plant managers office Whilst waiting for the plant manager to return, you notice above his desk a long list of items written on a Nobo board on the wall behind his desk. Incorporated in this list you are drawn to: “Corrective actions request forms to be checked????? Time and production season permitting.” Human resources department Whilst in the human resources department you notice stuck to the side of a visual display screen a copy of the record log (F7.3.2) dated 1-22-XX. Written in green pen with an arrow pointing down is a statement: “Work in progress.” Canteen In the canteen you notice a bag of peanuts on a table.

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 62 FSSC 22000 v6 Internal Auditor Training Course Activity 8b: Audit trail Purpose: Practice methods to obtain specific evidence from an FSMS. Duration: 15 minutes work 5 minutes discussion Directions: Discuss how you can use an audit trail to collect specific audit evidence. Copyright © 2023 BSI. All rights reserved. 62 Activity 8b: Audit trail 15 Discuss how you can use an audit trail to collect specific audit evidence

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 63 FSSC 22000 v6 Internal Auditor Training Course Copyright © 2023 BSI. All rights reserved. 63 Activity 8c: Internal audit activities 30 Select one of the three options below, or as assigned by your tutor, then discuss how you would approach the audit to assess: • Option 1: The food defence plan • Option 2: The food fraud mitigation plan • Option 3: The environmental monitoring programme Activity 8c: Internal audit activities Purpose: Practice reviewing organizational documents and creating audit lines of investigation, practice generating audit findings, and conduct necessary skills required for effective internal audit activities on one of the following: • Option 1: Food safety and quality culture • Option 2: Food loss and waste • Option 3: Environmental monitoring programme Duration: 30 minutes in groups 10 minutes class discussion Directions: Select one of the three options below, or as assigned by your tutor, then discuss how you would approach the audit to assess: • Option 1: The food defence plan • Option 2: The food fraud mitigation plan • Option 3: The environmental monitoring programme

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 64 FSSC 22000 v6 Internal Auditor Training Course A. Some flow charts appeared incomplete B. FSMS work instruction 8501/1 had not been signed and dated by the correct person C. Internal audit documents did not adequately reference details of nonconformities D. Observed work was not being performed in accordance with FSMS instruction: O45E E. Monitoring and measurement equipment is not used in accordance with requirements. Stephanie Applebie was seen gathering up a range of equipment and not cleaning and sterilizing them sufficiently long enough, allowing for vehicles of contamination to potentially be created, she ignored my request to segregate and leave the equipment for longer in the ultrasonic cleaners. Further, her attitude to the auditor was not very nice; so this nonconformity is raised to treat the matter, and me, seriously in the future F. Plant Manager (Hugh Trent) is required to sign the daily workplace inspection report (O55J), as required in WI 54H. However, 15th July 201X was not signed Copyright © 2023 BSI. All rights reserved. 64 Documenting nonconformities Some flow charts appeared incomplete FSMS work instruction Internal audit documents did not adequately reference details of nonconformities Observed work was not being performed in accordance with FSMS instruction: O45E Monitoring and measurement equipment is not used in accordance with requirements

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 65 FSSC 22000 v6 Internal Auditor Training Course When writing nonconformities remember ABC: Accuracy Brevity Clarity Always make sure the statements contain accurate information and are clearly written. Nobody likes to read through reams of information; so make sure the statements are as brief as possible, without sacrificing relevant information. Copyright © 2023 BSI. All rights reserved. 65 Which examples have ‘ABC’? When writing nonconformities remember ABC Writing nonconformities Accuracy Brevity Clarity

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 66 FSSC 22000 v6 Internal Auditor Training Course This is an example of a nonconformity statement, it has the three main elements. R requirement – In this case we are using the organization's own process as the criteria, and the requirement is what process 123 v.3 states. E evidence – The objective evidence is clearly identified here. D discrepancy – What the gap is between the requirement and the evidence. It is important to accurately reference the most relevant requirement that relates to the nonconformance. For an internal audit, this is most likely to be a reference to your own food safety management system procedures. If a nonconformance is identified against an FSSC Scheme document, then the specific audit criteria (clauses) for ISO 22000:2018, or the relevant PRP standard or FSSC Additional Requirements should be referenced. Copyright © 2023 BSI. All rights reserved. 66 Example nonconformity Requirement: Organization process (123 v.3) stipulates that contractors working on site are trained on FSMS requirements (including sterilization of equipment) and are required to acknowledge understanding by signing a receipt, prior to work commencement (ABC v.1). Discrepancy: The company has not ensured that relevant training for contractors is implemented prior to their commencement of work (FSMS requirements and FSA1990 Sch 5 (2)(a)(b), FSH Regulations, ISO 22000:7.2) Evidence: A contractor (DEF company), who had signed such a receipt, was observed using unsteralized monitoring equipment in the absence of a risk assessment and training in FSMS and equipment steralization. The contractor stated that he was only aware of the FS policy

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 67 FSSC 22000 v6 Internal Auditor Training Course FSMS xxx Nonconformity statement NC No: x ________________________________________________________________ Area under audit: xxxxxxxxxxxxx Process under audit: xxxxxxxxx _________________________________________________________________ ISO 22000/ ISO/TS 22002-X / FSSC22000 Clause: xxxxxx _________________________________________________________________ Requirement: xxxxxxxxxxxxxxxxxxxxxxxxx _________________________________________________________________ Objective evidence: xxxxxxxxxxxxxxxxxxxxxxxxx _________________________________________________________________ Discrepancy/nonconformity: xxxxxxxxxxxxxxxxxxxxxx _________________________________________________________________ Auditor: xxxxxxxx Date: xxxxxx Possible template that could be used:

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 68 FSSC 22000 v6 Internal Auditor Training Course Activity 9: Nonconformity write up Purpose: Practice the skills necessary to document concisely a nonconformity. Duration: 30 minutes work 15 minutes discussion Directions: Please review the findings from your audit . Pick one nonconformity and write a nonconformity statement. The tutor will give you further opportunity to practice this important skill (time dependent). Copyright © 2023 BSI. All rights reserved. 68 Activity 9: Nonconformity write up 30 Please review the findings from your audit. Pick one nonconformity, and write a nonconformity statement (using the template example just covered) The tutor will give you further opportunity to practice this important skill (time dependent)

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 69 FSSC 22000 v6 Internal Auditor Training Course Copyright © 2023 BSI. All rights reserved. 69 FSSC 22000 nonconformity grades: INTERNAL audits A major nonconformity shall be issued when the finding negatively affects the capability of the management system to achieve the intended results, or a legislative noncompliance linked to quality Major Critical A critical nonconformity is issued in a circumstance when there is a significant failure in the management system, a situation with direct adverse food safety impact and no approrpiate action is being observed or when food safety legality and/or certification integrity is at stake Minor A minor nonconformity shall be issued when the finding does not affect the capability of the management system to achieve the intended results Observation / Opportunity for Improvement Areas where the system can be improved; very small deviations Not a possible grade in certification audits In internal audits it is an option to use ‘opportunity for improvement’ for areas or aspects where the internal auditor finds overall compliance with some aspects that could further improve the system or have beneficial effects.

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 70 FSSC 22000 v6 Internal Auditor Training Course Copyright © 2023 BSI. All rights reserved. 70 FSSC 22000 nonconformity grades: EXTERNAL audits A major nonconformity shall be issued when the finding affects the capability of the management system to achieve the intended results Major Critical A critical nonconformity is issued when a direct food safety impact without appropriate action by the organization is observed during the audit or when legality and/or certification integrity are at stake Minor A minor nonconformity shall be issued when the finding does not affect the capability of the management system to achieve the intended results Observation – Improvement NOT possible Areas where the system can be improved; very small deviations Not a possible grade in certification audits FSSC 22000 Scheme certification audits does not allow for observations or ‘opportunities for improvement’ to be stated. All deviations are required to be reported as minor, major or critical nonconformities.

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 71 FSSC 22000 v6 Internal Auditor Training Course Activity 10: Grading nonconformities Purpose: Practice the skills necessary to correctly grade a nonconformity. Duration: 30 minutes individually 15 minutes class discussion Directions: Please review the findings on the following pages from your audit and decide if you will grade it as: • Observation • Minor • Major • Critical On what specific requirement will you give the nonconformity? Note: In the rules for certification of FSSC 22000 v6, ‘observations’ (or opportunities for improvement) cannot be given by the auditor in certification audits. Copyright © 2023 BSI. All rights reserved. 71 Activity 10: Grading nonconformities Please review the findings on the following pages from your audit and decide if you will grade it as: • Observation • Minor • Major • Critical On what specific requirement will you give the nonconformity? 30 Note: In the rules for certification of FSSC 22000 v6, ‘observations’ (or opportunities for improvement) cannot be given by the auditor in certification audits.

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 72 FSSC 22000 v6 Internal Auditor Training Course 1. 2.

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 73 FSSC 22000 v6 Internal Auditor Training Course 3. 4. The warehouse manager advises that there is a stock rotation programme in place to ensure that raw materials are used in within their expiry dates, however, the stock rotation program has not been documented 5. A member of staff in the closed environment of milk pasteurization has not covered the wounds on his hands 6. CCP 1 monitoring was performed by an employee that was not present at the last CCP training 7. Site inspections to confirm compliance to PRPs are completed when the team has the time to do them and immediately prior to external food safety audits 8. An allergen is not declared on the label of a consumer ready product

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 74 FSSC 22000 v6 Internal Auditor Training Course 9. A ready-to-eat products producer has no Listeria monocytogenes monitoring in the production environment. The products do not require heating before consumption 10. Compressed air is used to clean the production line, there is no information on the quality of this air and the filters used

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 75 FSSC 22000 v6 Internal Auditor Training Course The auditor should then review all findings (conformance and nonconformities) and determine the audit conclusions against the audit objectives. Audit conclusion can address, for example: • The extent of conformity with the audit criteria • Effective implementation, maintenance and improvement of the FSMS • Achievement of audit objectives and coverage of scope • Opportunities for improvement • The identification of risks and the effectiveness of actions taken by the auditee to address risks and consider the level of the integration of different management systems and their intended results Auditors should be focused on the intended result of the management system throughout the audit process. While processes and what they achieve are important, the result of the management system and its performance are what counts. Content of audit conclusions should address issues such as the identification of risks and effectiveness of actions taken by the auditee to address risks. Copyright © 2023 BSI. All rights reserved. 75 Preparing audit conclusions The extent of conformity with the audit criteria Effective implementation, maintenance and improvement of the FSMS Achievement of audit objectives and coverage of scope Opportunities for improvement

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 76 FSSC 22000 v6 Internal Auditor Training Course Conducting the closing meeting A closing meeting should be held to present the audit findings and conclusions. Participants in the closing meeting should include the management of the auditee and, where appropriate, those responsible for the functions or processes which have been audited. If applicable, the auditor should advise the auditee of situations encountered during the audit that may decrease the confidence that can be placed in the audit conclusions (e.g. an appointed auditee was not available and a substitute was found, observations of certain work activities were not possible because they were not taking place at the time etc.). Copyright © 2023 BSI. All rights reserved. 76 Conducting the closing meeting A closing meeting should be held to present the audit findings and conclusions. Participants in the closing meeting should include the management of the auditee and, where appropriate, those responsible for the functions or processes which have been audited If applicable, the auditor should advise the auditee of situations encountered during the audit that may decrease the confidence that can be placed in the audit conclusions

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 77 FSSC 22000 v6 Internal Auditor Training Course If defined in the management system, or by agreement with the auditee’s management, the participants should agree on the time frame for an action plan to address any audit findings, when the documented audit report will be prepared, and who it will be distributed to. The degree of detail should be consistent with the familiarity of the auditee with the audit process. Typical agenda for an internal audit: 1. Attendees 2. Thanks and confidentiality (as applicable) 3. Objective/scope/criteria 4. Limitations, sample (as applicable) 5. Summarize findings, nonconformities, positives encountered 6. Agreement/diverging opinions/appeals (as applicable) 7. Action plan time frames (as applicable) 8. Audit report time frames and distribution (if not already written). An explanation of the fact that an audit is not necessarily fully representative of the overall effectiveness of the auditee’s processes 9. Clarification (as applicable) 10. Depart Copyright © 2023 BSI. All rights reserved. 77 Internal audit agenda 1. Attendees 2. Thanks and confidentiality 3. Objective/scope/criteria 4. Limitations, sample 5. Summarize findings, nonconformities, positives encountered 6. Agreement/diverging opinions/appeals 7. Action plan time frames 8. Audit report time frames and distribution 9. Clarification 10. Depart

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 78 FSSC 22000 v6 Internal Auditor Training Course Activity 11: Closing meeting Purpose: Practice the skills necessary to conduct an effective closing meeting. Duration: 15 minutes preparation, whole class 20 minutes, closing meeting, whole class 10 minutes class discussion Directions: The tutor will select one (or two) delegates to act as the audit team leader. The team leader(s) are to run the meeting following a typical agenda covered earlier. Assume the auditees’ management are not familiar with the audit process. The closing meeting will relate to the audit you just carried out, and related findings. Management will be in attendance. Other delegates are to select one nonconformity from their groups findings (please each select a different one) and write the nonconformity out, as per the last Activity (in your notebook). These will be individually presented (read out), as directed by the team leader(s) in the closing meeting. Copyright © 2023 BSI. All rights reserved. 78 Activity 11: Closing meeting 35 Other delegates are to select one nonconformity from their groups findings (please each select a different one) and write the nonconformity out, as per the last Activity (in your notebook). These will be individually presented (read out), as directed by the team leader(s) in the closing meeting The tutor will select one (or two) delegates to act as the audit team leader. The team leader(s) are to run the meeting following a typical agenda covered earlier. Assume the auditees’ management are not familiar with the audit process The closing meeting will relate to the audit you just carried out, and related findings. Management will be in attendance

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 79 FSSC 22000 v6 Internal Auditor Training Course Copyright © 2023 BSI. All rights reserved. 79 Prepare audit report, complete audit and follow up

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 80 FSSC 22000 v6 Internal Auditor Training Course The audit report should provide a complete, accurate, concise and clear record of the audit. Please draw out conclusions which are both positive and negative. Organizations typically tend to have their own template for their audit reports. The method of actually providing a copy of the report (and to whom/when) will typically depend on the policy of your own organization, and decisions in the closing meeting. The audit report should be dated, reviewed and approved, as appropriate, and is normally confidential. Typical contents of an internal audit report include, or refer to: • Date(s), locations, audit objectives, scope, and criteria • Auditee(s) and auditor details • Audit conclusions, and the degree to which audit criteria has been fulfilled • Audit findings, related evidence • Nonconformity reports/statements The audit report may also include/refer to (as appropriate): • Audit plan, summary of the audit process, including any obstacles encountered • Any unresolved diverging opinions, and any areas in audit scope not covered • Confirmation that audit objectives were accomplished • Opportunities for improvement, and good practices identified • Agreed follow-up plan, and a statement of confidentiality • Implications for the audit programme/subsequent audits, and a distribution list Copyright © 2023 BSI. All rights reserved. 80 Preparing and distributing the audit report Date(s), locations, audit objectives, scope, and criteria Auditee(s) and auditor details Audit conclusions, and the degree to which audit criteria has been fulfilled Audit findings, related evidence Nonconformity reports/statements

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 81 FSSC 22000 v6 Internal Auditor Training Course Copyright © 2023 BSI. All rights reserved. 81 Activity 12: Summary audit report writing 60 Please prepare a summary audit report from your audit Activity 12: Summary audit report writing Purpose: Practice the skills necessary to write a summary audit report. Duration: 60 minutes work 5 minutes discussion Directions: Individually please prepare a summary audit report from your audit. Please refer to an example audit report template which you can use, in your References section.

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 82 FSSC 22000 v6 Internal Auditor Training Course The audit is complete when all planned activities have been carried out, documents retained or destroyed, and lessons learnt entered into the continual improvement process(es). When completing the audit, lessons learned from the audit can identify risks and opportunities for the audit programme and the auditee. Copyright © 2023 BSI. All rights reserved. 82 Completing the audit The audit is complete when all planned activities have been carried out, documents retained or destroyed, and lessons learnt entered into the continual improvement process(es). When completing the audit, lessons learned from the audit can identify risks and opportunities for the audit programme and the auditee

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 83 FSSC 22000 v6 Internal Auditor Training Course The conclusions of the audit can indicate the need for corrections, and for corrective, or improvement actions. Such actions are usually decided and undertaken by the auditee within an agreed timeframe. As appropriate, the auditee should keep the person managing the audit programme, and the auditor, informed of the status of these actions. The completion and effectiveness of these actions should be verified. This verification may be part of a subsequent audit. Audit follow-up options can include: • Limited re-audit • Submission and review of amended documentation • Roll over until the next internal audit A summary of the process, including follow-up, is as follows: • Identification of nonconformities found during the audit (auditor) • Audit report prepared/agreed date of corrective action plan (auditor/auditee) • Corrective action plan (CAP) issued (auditee) • Auditor evaluates response to nonconformities in CAP (escalation if necessary) • Completion of corrective action by auditee • Evaluation of effectiveness by auditee • Verification of completion by auditor • Escalation (if necessary) • Documented information retained of each stage in this process Copyright © 2023 BSI. All rights reserved. 83 Conducting audit follow-up Identification of nonconformities found during the audit (auditor) Audit report prepared/agreed date of corrective action plan (auditor/auditee) Corrective action plan (CAP) issued (auditee) Evaluation of response to nonconformities in CAP (escalation if necessary) (auditor) Completion of corrective action (auditee) Evaluation of effectiveness (auditee) Verification of Completion (auditor) Escalation (if necessary) Documented information retained of each stage in this process Auditor Auditee KEY Copyright © 2023 BSI. All rights reserved. 83

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 84 FSSC 22000 v6 Internal Auditor Training Course Activity 13: Review and respond to proposed corrective action Purpose: Enhance ability to review/respond to an auditee’s proposed corrective action. Duration: 30 minutes work 10 minutes summary Directions: Decide on a particular nonconformity (from your audit) where corrective actions will be necessary. Provide a response detailing your proposed corrective action. The tutor may request certain elements of your corrective action to change, or be omitted, to draw out the learning points. Copyright © 2023 BSI. All rights reserved. 84 Activity 13: Review and respond to proposed corrective action 30 The tutor may request certain elements of your corrective action to change, or be omitted, to draw out the learning points. Decide on a particular nonconformity (from your audit) where corrective actions will be necessary. Provide a response detailing your proposed corrective action

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 85 FSSC 22000 v6 Internal Auditor Training Course Come up with two/three questions, from the learning during this course, to which you know the answer. As directed, ask your questions of others and provide answers to theirs. The below commentary may also provoke thought and possible questions/answers: Professional judgement and performance results are important. (A.3 and A.4):– “Auditors should apply professional judgement during the audit process and avoid concentrating on the specific requirements of each clause of the standard at the expense of achieving the intended outcome of the management system. Auditors should be focused on the intended result of the management system throughout the audit process. While processes and what they achieve are important, the result of the management system and its performance are what counts.” Copyright © 2023 BSI. All rights reserved. 85 Reflection quiz 10 Come up with two/three questions, from the learning during this course, to which you know the answer ISO 19011:2018 has a theme regarding process audits against risk to achieve intended outcomes, and not ensuring that the details of every clause are audited. Audit programmes and plans should support process audits and a risk-based approach to auditing – so the activities/products/services within a MS scope should be broken down into the audit programme/plans appropriately to support process audits. Process audits may cover many clauses for each activity/area within an MS scope boundary.

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 86 FSSC 22000 v6 Internal Auditor Training Course Copyright © 2023 BSI. All rights reserved. 86 The Board of Stakeholders (BoS) Decision List The Board of Stakeholders (BoS) Decision List is a document which contains decisions applicable to the FSSC 22000 Scheme. The decisions overrule or provide further clarification on existing Scheme rules and must be implemented Please ensure the most recent list is used Note that the decision list is dynamic and can be adjusted by the BoS when deemed necessary and you should ensure that you are kept up to date on these

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 87 FSSC 22000 v6 Internal Auditor Training Course You should now have the knowledge to: • Explain the guidelines of management system auditing according to ISO 19011 • Determine the application of ISO 19011 guidelines to auditing FSSC 22000 You should now have the skills to: • Initiate the audit • Prepare audit activities • Conduct audit activities • Prepare and distribute the audit report • Complete the audit • Audit follow up What will you now do differently? Were your expectations/specific questions/problems answered? Copyright © 2023 BSI. All rights reserved. 87 Course review and final questions

FS203001ENGX v3.0 Apr 2023 Copyright © 2023 BSI. All rights reserved. 88 FSSC 22000 v6 Internal Auditor Training Course Address: BSI Telephone: Fax: Email: <general training email>@bsigroup.com Links: http://<local web address> Add local/country contact information Copyright © 2023 BSI. All rights reserved. 88 Thank you for your participation

[Geef de tekst op] [Geef de tekst op] [Geef de tekst op] FOOD SAFETY SYSTEM CERTIFICATION 22000 Version 5 | May 2019 GUIDANCE DOCUMENT: FOOD DEFENSE

Guidance document: Food defense FSSC 22000 Version 5 | May 2019 1 of 5 1. BACKGROUND Food Defense is an important element in protecting your business and consumers from internal and external threats. It encompasses a range of potential threats from relatively common tamper hoaxes to less probable terrorist attacks. Searching the web for “product tampering” or “product tampering employee” gives numerous examples to illustrate that the threat is REAL. Often supply chain or manufacturing threats can be mitigated to reduce a wide range of threats. For example, putting a locking lid on a vat can reduce a wide range of potential intentional attacks Food Defense Programs shall be developed to reduce the risks from both internal and external threats in order to protect your customers. The FSSC 22000 Additional Requirements contain a paragraph on Food Defense. Although in ISO 22002-1 chapter 18 this topic is addressed, the FSSC Additional Requirements are aligned with GFSI requirements and taken to the management system level, making it a part of the management responsibility process. 2. DEFINITION There are many different definitions of Food Defense which are in nature very similar. Some even conflict with GFSI definition such including Food Fraud within the scope of Food Defense. It is important to realize that Food Fraud is a separate topic and a different chapter in the FSSC 22000 scheme. The GFSI definition of Food Defense is: “The process to ensure the security of food and drink from all forms of intentional malicious attack including ideologically motivated attack leading to contamination.” (GFSI 2017)1 . Other frequently used definitions are: PAS 96:2017: Food defense: procedures adopted to assure the security of food and drink and their supply chains from malicious and ideologically motivated attack leading to contamination or supply disruption (PAS 96:2017)2 . FDA (FSMA-Intentional Adulteration Rule): Food defense is the effort to protect food from intentional adulteration from acts intended to cause wide-scale harm to public health, including acts of terrorism targeting the food supply (FDA Food Defense fact sheet)3 . Industry and regulators have developed Food Safety Management Systems based on Hazard Analysis Critical Control Point (HACCP) principles which have proven to be effective against unintended food safety hazards. HACCP principles however have not been routinely used to detect or mitigate deliberate attacks and are therefore not relevant to Food Defense. The motivation or root-cause for Food Defense is the intent to cause harm to consumers or companies. This is different than the motivation for Food Fraud that is exclusively for economic gain. Therefore, Food Defense prevention requires a different approach than the control of unintentional food safety hazards (HACCP) and Food Fraud prevention.

Annex 1: Certificate Scope Statements FSSC 22000 Version 5 | May 2019 2 of 5 Figure 1. Intentional vs unintentional adulteration2 3. FSSC 22000 SCHEME REQUIREMENTS Part 2 – Requirements for certification V5 2.5.3 FOOD DEFENSE 2.5.3.1 Threat assessment The organization shall have a documented procedure in place to: a) Conduct a threat assessment to identify and assess potential threats; b) Develop and implement mitigation measures for significant threats. 2.5.3.2 Plan a) The organization shall have a documented food defense plan specifying the mitigation measures covering the processes and products within the FSMS scope of the organization. b) The food defense plan shall be supported by the organization’s FSMS. c) The plan shall comply with applicable legislation and be reviewed regularly.

Guidance document: Food defense FSSC 22000 Version 5 | May 2019 3 of 5 4. IMPLEMENTATION To implement the FSSC 22000 Food Defense requirements, a logical, systematic and risk-based approach should be followed. It must be noted that there are many approaches and FSSC leaves the choice to the organization. However, the most wide-spread approaches are TACCP (Threat Assessment Critical Control Points; PAS96 recommended), CARVER+Shock and FDA Food Defence Plan Builder (FDA)5 . (Note: PAS96 covers both Food Defense and Food Fraud prevention, take care when using this document). To help implementing the clauses of FSSC 22000, the following way of working is recommended. 1) Establish a Food Defense team 2) Conduct a Threat Assessment (e.g. TACCP), identify and evaluate potential threats and vulnerabilities 3) Identify and select proportionate control measures 4) Document the threat assessment, control measures, verification and incident management procedures in a Food Defense Plan supported by the Food Safety Management System 5) Develop an effective training and communication strategy and implement the Food Defense Plan. When determining the scope of your assessment it is important to realize that the threat level has been shown to be at its highest at production facilities5,8 . Make sure your own site (including staff) is covered but do not limit yourself to your own premises only and include the supply chain. Ad 1/2. You need to implement a system that logically assesses the Threats for which a number of tools are available (e.g. TACCP, CARVER+Shock, FDA Food Defense Plan Builder FDBP5 ). Whatever tool is used, is up to the organization. In essence, a Food Defense approach tries to answer the following key questions - Who might want to attack us - How might they do it - What is the potential public health impact - How can we prevent this from happening Familiarize yourself with which food processing attributes may make your food a target (e.g. large batches or ease of access intend to increase the risk). Include both external risks (elsewhere in the supply chain) AND internal risks (e.g. site/equipment access, disgruntled employees). It is important to note that every threat identified will NOT automatically be determined to be significant and will NOT automatically be required to be addressed by a control measure. It is important to identify as many threats as possible so they can be assessed. After repeated or severe incidents, a subsequent threat assessment may determine that a control measure is required. When conducting the threat assessment, it is allowed to initially group materials (e.g., similar raw materials or similar finished products). When significant risks are identified within a group, a more in-depth analysis may be required.

Annex 1: Certificate Scope Statements FSSC 22000 Version 5 | May 2019 4 of 5 Ad 3/4. When defining a Food Defense strategy, the potential threats identified under 1 shall be assessed for their significance. A risk matrix similar to HACCP can be used (e.g. Likelihood of occurrence x Impact/Consequence). Other factors such as accessibility, likelihood of detection and recognizability may be used as further indicators. A prevention strategy for the significant risks shall be developed and documented. To help with identifying preventive measures, FDA has published a database with preventive measures for different types of activities throughout the whole food chain (FDA)6 . Ad 5. The plan should be supported by the organization’s Food Safety Management System for all its products meaning that it should contain elements such as control measures, verification activities, corrections and corrective actions, responsibilities, record keeping and continuous improvement.. In addition, the FSMS needs inclusion of the Food Defense element into e.g. policies, internal audits, management review, etc. Ad 6. The effectiveness of protecting yourselves is largely depending on people. These may be external (e.g. suppliers) or internal (your own associates). Therefore, a training and/or communication program is essential. 5. FOOD DEFENSE TEAM AND TRAINING The Threat Assessment (e.g. TACCP, CARVER + Shock, FDBP) is performed by a multidisciplinary team with wide range of expertise (e.g. HR, Security, Quality, I.T., Production, Facility Manager). The composition of the Food Defense team is likely to be different than that for your HACCP and/or Food Fraud Vulnerability Assessment teams. The composition of the team may evolve over time as the understanding of Food Defense evolves External expertise may be required. Training of the team is required. Many trainings are available from a wide range of organizations. An example being Michigan State University which provides free web-based courses (MOOC Food Defence audit guide – MOOC = massive open online course)7 . The FDA provides free on-line training materials (Food Defense Awareness for FoodProfessionals), and although it is US/FDA regulatory compliance focused, this training gives a good overview (FDA)9 .

Guidance document: Food defense FSSC 22000 Version 5 | May 2019 5 of 5 6. AUDITING Auditors should assess the risk assessment and identification and implementation of preventive actions is adequate through asking the following questions: • is there a team with the correct competencies/knowledge? • has a risk assessment been performed and documented? • are relevant threats covered? • breadth of the risk assessment (whole supply chain assessed and not just own site)? • is there a methodology to determine the significance of threats? • when significant threats are identified, is there a written Food Defense plan? • how are training and communication addressed? • Is the performance of the Food Fraud Prevention Process evaluated in line with ISO 22000:2018 Chapter 9 (Performance Evaluation) • Is the analysis regularly reviewed and is the frequency adequate? • is the Emergency Response Team prepared (ISO 22000:2018 paragraph 8.4)? • is all of the above effectively implemented through the organization’s FSMS (e.g. records, awareness of people, site security, internal audits, management reviews)? 7. REFERENCES 1) GFSI Benchmarking requirements version 7.2 (draft 2017) 2) PAS 96:2017. Guide to protecting and defending food and drink from deliberate attack. 3) FDA Food Defence fact sheet: https://www.fda.gov/downloads/Food/GuidanceRegulation/FSMA/UCM503566.pdf 4) GFSI position on mitigating the public health risk of food fraud: https://www.mygfsi.com/files/Technical_Documents/Food_Fraud_Position_Paper.pdf 5) FDA Food Defense Plan Builder: https://www.fda.gov/Food/FoodDefense/ToolsEducationalMaterials/ucm349888.htm 6) FDA database of mitigation strategies: https://www.fda.gov/Food/FoodDefense/ToolsEducationalMaterials/ucm295898.htm 7) Michigan State University courses: http://foodfraud.msu.edu/mooc/ 8) Nina Puhač Bogadi, Mara Banović and Ivona Babić. Food defense system in food industry: perspective of the EU countries. Journal of Consumer Protection and Food Safety, March 2016. 9) FDA Food Defence 101 training: https://www.accessdata.fda.gov/scripts/FDTraining/index.cfm

[Geef de tekst op] [Geef de tekst op] [Geef de tekst op] FOOD SAFETY SYSTEM CERTIFICATION 22000 Version 5 | May 2019 GUIDANCE DOCUMENT: FOOD FRAUD MITIGATION

Guidance document: Food fraud mitigation FSSC 22000 Version 5 | May 2019 1 of 8 1. BACKGROUND The relevance of Food Fraud has grown over the last years, not in the least following a number of food scandals that have led to reduced consumer confidence in the Food Industry. Although the driver of Food Fraud act (cause) may be economic gain it may nevertheless result in a food safety risk. Such a risk is very often caused by negligence or lack of knowledge by fraudsters. For the consumer food fraud related risks can be1 : a) Direct Food Safety risks: the consumer is put at immediate risk (e.g. addition of melamine to milk powder that results in an acutely toxic exposure; hiding of substances resulting in undeclared allergens); b) Indirect Food Safety risks: consumer is put at risk through long-term exposure (e.g. high levels of heavy metals in food supplements causing harm – or lack of benefit – over a longer period of time) c) Technical food fraud risk: there is no direct or indirect food safety risk (e.g. misrepresentation of country-of-origin information). However, this indicates that material traceability may have been compromised and the company no longer able to guarantee the safety of their food products. For Food Manufacturers, the economic impact can be high (e.g. recall, loss of sales, cost of rebuilding reputation etc.), but also the consumer trust is important, not only for companies but for food industry (sectors) as a whole. The FSSC 22000 additional requirements contain a paragraph on Food Fraud prevention including a Food Fraud Vulnerability Assessment applicable to all products, in line with GFSI requirements. 2. DEFINITION The definition that FSSC uses is based on the GFSI Position paper issued in 20142 : Food Fraud is the collective term encompassing the intentional substitution, addition, tampering or misrepresentation of food/feed, food/feed ingredients or food/feed packaging, labelling, product information or false or misleading statements made about a product for economic gain that could impact consumer health (GFSI BRv7:2017). Food Defense is different from Food Fraud in that the motivation is not economic gain, but an intent to cause harm to consumers or companies from an ideologically or behaviourally motivated background. The harm could be economic, public health or terror. Since there are different motivations Food Defense and Food Fraud prevention require a different approach. Food Fraud is as at least as old as ancient Rome and will never be eliminated fully, the actions taken shall be aimed at minimizing the vulnerability for Food Fraud by reducing opportunities for fraudsters.

Annex 1: Certificate Scope Statements FSSC 22000 Version 5 | May 2019 2 of 8 Figure 1. Intentional vs unintentional adulteration2 3. FSSC 22000 SCHEME REQUIREMENTS Part 2 – requirements for certification V5 2.5.4 FOOD FRAUD MITIGATION 2.5.4.1 Vulnerability assessment The organization shall have a documented procedure in place to: a) Conduct a food fraud vulnerability assessment to identify and assess potential vulnerabilities; b) Develop and implement mitigation measures for significant vulnerabilities. 2.5.4.2 Plan a) The organization shall have a documented food fraud mitigation plan specifying the mitigation measures covering the processes and products within the FSMS scope of the organization. b) The food fraud mitigation plan shall be supported by the organization’s FSMS. c) The plan shall comply with the applicable legislation and be reviewed regularly.

Guidance document: Food fraud mitigation FSSC 22000 Version 5 | May 2019 3 of 8 4. IMPLEMENTATION To help implementing the FSSC 22000 Food Fraud prevention requirements, the following way of working is recommended: 1) Establish a Food Fraud Mitigation Team 2) Conduct a Food Fraud Vulnerability Assessment (FFVA) identifying potential vulnerabilities 3) Define the significant vulnerabilities 4) Identify and select proportionate control measures for the significant vulnerabilities 5) Document the vulnerability assessment, control measures, verification and incident management procedures in a Food Fraud Prevention Plan supported by the Food Safety Management System 6) Develop an effective training and communication strategy and implement the Food Fraud Prevention Plan Note: address all types of Food Fraud defined by GFSI (substitution, unapproved enhancements, misbranding, counterfeiting, stolen goods or others); address all products from incoming goods (e.g. raw materials, packaging materials) to outgoing goods (e.g. (semi) finished product). See Appendix 1 for more information. It is important to note that every vulnerability identified will NOT automatically be determined to be significant and will NOT automatically be required to be addressed by a control measure. It is important to identify as many vulnerabilities as possible so they can be assessed. For example, horsemeat in beef was not originally considered to be a vulnerability that required a control measure. After severe incidents, the vulnerability assessment may determine this to be significant in such a way that a control measure is required. Ad 1/2. When conducting an FFVA a number of factors shall be taken into account such as: • Economic vulnerability (how economically attractive is fraud) • Historical data (has it happened) • Detectability (e.g. how easy to detect, routine screening present) • Access to raw materials, packaging materials and finished products in the supply chain • Relationship with supplier (e.g. long relationship or spot-buying) • Certification through an independent sector specific control system for fraud and authenticity • Complexity of the supply chain (e.g. length, origins and where the product is substantially changed/processed) Many more aspects may be taken into account as deemed appropriate. A number of tools have been developed to assist companies in setting up a FFVA, one of them is SSAFE3 , this tool is freely available. The GFSI Board endorses this SSAFE vulnerability assessment tool. Supplier certification (forward and backward) by sector specific control systems which are specialized to prevent or mitigate food fraud can substitute own analytical routine screening. An

Annex 1: Certificate Scope Statements FSSC 22000 Version 5 | May 2019 4 of 8 example is supplier certification via a voluntary control scheme in the sector of fruit and vegetable juices and purees4 . Supply chain mapping including factors as socio-economics, behavioural, geo-political and historical data may be a useful tool to use. Very often, Food Fraud Prevention (or elements thereof) needs to be addressed at the business organization level rather than at the site level only. The key to assessing the vulnerabilities is: “think like a criminal”. When conducting the FFVA, it is allowed to group materials to start with (e.g. similar raw materials or similar finished products). When significant risks are identified within a group, a more in-depth analysis may be required. Ad 3/4. When defining a Prevention strategy, the potential vulnerabilities identified under 1 shall be assessed for their significance. A risk matrix similar to HACCP can be used (e.g. Likelihood of occurrence x Consequences). Profitability is an important factor of likelihood of occurrence. A prevention strategy for the significant risks shall be developed and documented. Ad 5. The plan shall be supported by the organization’s Food Safety Management System (FSMS) for all its products meaning that it shall contain system elements such as training, internal audits, management review, etcetera as well as operational control measures, verification activities, corrections and corrective actions, responsibilities, record keeping, verification activities, continuous improvement. Examples of verification activities can be origin/label verification, testing, supplier audits, specification management. In addition, also the FSMS needs inclusion of the Food Fraud prevention element into e.g. policies, internal audits, management review, etc. Figure 2. Differences between HACCP, TACCP and VACCP 5. FOOD FRAUD PREVENTION TEAM AND TRAINING The Food Fraud Vulnerability Assessment is performed by a multidisciplinary team with wide range of expertise (e.g. Security, Legal, Purchasing, Production, Research & Development, Regulatory affairs, Quality). The composition of the Food Fraud Prevention team is likely to be

Guidance document: Food fraud mitigation FSSC 22000 Version 5 | May 2019 5 of 8 different than that for your HACCP/Food Defense Threat Assessment. The composition of the team may evolve over time as the understanding of the food fraud opportunity evolves. External expertise may be required. Training of the team is required. Many training options are available, an example being Michigan State University which provides free web-based courses (MOOC Food Fraud audit guide – MOOC = massive open online course)5 . 6. AUDITING Food Fraud poses a significant risk and it is important that around the globe the food industry takes actions. Auditors however must realize that they are not crime investigators; they are not supposed to detect fraud or confirm that the anti-food fraud program is adequate to prevent fraudulent issues. Auditors should audit only how well the company has protected itself and check if all elements required by FSSC 22000 are in place. The introduction of Food Fraud prevention within the organization's FSMS is expected to become more granular over time. At first stage it's more realistic to focus on the system/strategy being fit for purpose, rather than focusing on the effectiveness of control measures. As an auditor, the following questions need to be asked as a minimum: • is there a team with the correct competencies/knowledge? • has a vulnerability assessment been performed and documented? • are all types of vulnerabilities covered (substitution, unapproved enhancements, misbranding, counterfeiting, stolen goods or others)? • depth of the vulnerability assessment (historical data, economic motivations, detectability etc.)? • breadth of the vulnerability assessment (all materials covered)? • is there a methodology to determine the significance of vulnerabilities? • when significant vulnerabilities are identified, is there a written prevention plan? • Is the performance of the Food Fraud Prevention Process evaluated in line with ISO 22000:2018 Chapter 9 (Performance Evaluation) • Is the analysis regularly reviewed and is the frequency adequate? • is the Emergency Response Team prepared (ISO 22000:2018 paragraph 8.4)? • is all of the above effectively included and implemented through the organization’s FSMS (e.g. records, awareness of people, site security, internal audits, management reviews)?

Annex 1: Certificate Scope Statements FSSC 22000 Version 5 | May 2019 6 of 8 7. REFERENCES 1) John Spink and Douglas C. Moyer. Defining the public health threat of food fraud. Journal of Food Science Vol 76, Nr 9, 2011 p R157-R163 2) GFSI position on mitigating the public health risk of food fraud https://www.mygfsi.com/files/Technical_Documents/Food_Fraud_Position_Paper.pdf 3) SSAFE http://www.ssafe-food.org/our-projects/?proj=365# 4) The Voluntary Control System of SGF International e.v.: https://www.sgf.org/en/home/fks/ 5) Michigan State University courses: http://foodfraud.msu.edu/mooc/ 6) PWC: https://www.pwc.com/gx/en/services/food-supply-integrity-services/assets/pwc-foodfraud-vulnerability-assessment-and-mitigation-november.pdf 7) Spink, Fortin et al. Chimia International Journal for Chemistry, vol 70, Nr 5, 2016 p 320-328: http://www.ingentaconnect.com/content/scs/chimia/2016/00000070/00000005/art00002# https://www.mygfsi.com/files/Information_Kit/GFSI_GMaP_FoodFraud.pdf

Guidance document: Food fraud mitigation FSSC 22000 Version 5 | May 2019 7 of 8 APPENDIX 1 TYPES OF FOOD FRAUD – DEFINITION AND EXAMPLES (PWC6 ; Spink, Fortin et al7 ) GFSI (1) Type of Food Fraud Definition from SSAFE (2) Examples from GFSI FFTT (3) General Type of Food Fraud Dilution The process of mixing a liquid ingredient with high value with a liquid of lower value. • Watered down products using non-potable / unsafe water • Olive oil diluted with potentially toxic tea tree oil Adulterantsubstance (Adulterant) Substitution The process of replacing an ingredient or part of the product of high value with another ingredient or part of the product of lower value. • Sunflower oil partially substituted with mineral oil • Hydrolyzed leather protein in milk Adulterantsubstance or Tampering Concealment The process of hiding the low quality of a food ingredients or product. • Poultry injected with hormones to conceal disease • Harmful food colouring applied to fresh fruit to cover defects Adulterantsubstance or Tampering Unapproved enhancements The process of adding unknown and undeclared materials to food products in order to enhance their quality attributes. • Melamine added to enhance protein value • Use of unauthorized additives (Sudan dyes in spices) Adulterantsubstance or Tampering Mislabelling The process of placing false claims on packaging for economic gain. • Expiry, provenance (unsafe origin) • Toxic Japanese star anise labelled as Chinese star anise • Mislabelled recycled cooking oil Tampering Grey market production/ theft/diversion Outside scope of SSAFE tool. • Sale of excess unreported product, • Product allocated for the US market appearing in Korea Over-run, Theft, or Diversion (4) Counterfeiting The process of copying the brand name, packaging concept, recipe, processing method etc. of food products for economic gain. • Copies of popular foods not produced with acceptable safety assurances • Counterfeit chocolate bars Counterfeiting Notes:

Annex 1: Certificate Scope Statements FSSC 22000 Version 5 | May 2019 8 of 8 (1) GFSI – Global Food Safety Initiative (2) SSAFE – Safe Secure and Affordable Food For Everyone (3) GFSI FFTT – Global Food Safety Initiative: Food Fraud Think Tank (4) Grey Market -- a market employing irregular but not illegal methods; Theft -- something stolen; Diversion/ Parallel Trade -- the act or an instance of diverting straying from a course, activity, or use Figure 3. GFSI types of food fraud8