Auditing Procedure

4.1.1 Attend the client's facilities at the agreed time, with relevant audit forms for the visit.

4.1.2 The visit shall begin with a meeting with senior management, or just the Management Representative. This meeting must include a brief explanation of the assessment process and reporting, as well as a clear statement of the purpose of the visit and how it will proceed. During this meeting the QMSI procedures should be presented and explained to the client.

4.1.3 At the end of the meeting, and before or after a brief tour, ask the client to give an outline of the company and its Management System. This will lead into an assessment of the Organisation and Responsibility section of the standard and the client's Policy documents.

4.1.4 Audit the client's management system documentation as per the checkpoints identified in (F.16) 'Stage 1 Audit Report'.

4.1.5 Evaluate the client's location and site-specific conditions and to undertake discussions with the client's personnel to determine the preparedness for the Stage 2 Audit.

4.1.6 The above will be considered without regard for the actual practices of the client; i.e. the assessor should not audit the implementation, except in the case of internal document control. Any deficiencies found should be discussed with the client to ensure validity and understanding and then detailed on (F.16).

4.1.7 Review the client's status and understanding regarding requirements of the standard, in particular with respect to the identification of processes, environmental aspects, occupational & food safety hazards, their key performance indicators and objectives.

4.1.8 Collect and confirm necessary information about scope (FSMS - Ensure that Scope shall include the activities, processes, products or services and production site(s) that are included in the FSMS), location(s), no.of employees, no. of shifts, product/environment/OH&S/FSMS related statutory & regulatory requirements and their compliance, exclusions, consultant, contact person, contact numbers, outsourced processes, key production and service provision processes.

4.1.9 FSMS Stage 1 Audit – Again an understanding of the organization's FSMS and the organization's state of preparedness for Stage 2 by reviewing the extent to which:

• a. the organization has identified PRP that are appropriate to the business (e.g. regulatory, statutory, customer and certification scheme requirements),
• b. the FSMS includes adequate processes and methods for the identification and assessment of the organization's food safety hazards, and subsequent selection and categorization of control measures (combinations),
• c. the FSMS includes adequate processes and methods for the identification and implementation of relevant food safety legislation,
• d. the FSMS is designed to achieve the organization's food safety policy,
• e. the FSMS implementation programme justifies proceeding to the audit (stage 2),
• f. the validation of control measures, verification of activities and improvement programmes conform to the requirements of the FSMS standard,
• g. the FSMS documents and arrangements are in place to communicate internally and with relevant suppliers, customers and interested parties, and
• h. there is any additional documentation which needs to be reviewed and/or information which needs to be obtained in advance.

If an organization has implemented an externally developed elements of a FSMS, review the documentation included in the FSMS to determine if the combination of control measures: — is suitable for the organization, — was developed in compliance with the requirements of ISO 22000, and — is kept up to date.

Check the availability of relevant authorizations shall be checked when collecting the information regarding the compliance to regulatory aspects.

4.1.10 Review the allocation of resources for Stage 2 Audit and agree with the clients on the details of the Stage 2 Audit.

4.1.11 Gain a sufficient understanding of the client's management system and site operations with a view to develop an effective audit plan for Stage 2 Audit. Develop a Plan for plan for the on-site evaluation of temporary sites including where applicable: i) a representative sample of high complexity temporary sites; and ii) a representative sample of medium complexity temporary sites; and iii) if only low complexity temporary sites exist, then a representative sample of low complexity temporary sites.

4.1.12 Check whether internal audits and management review are being planned and performed and adequate evidence available on the maturity of system implementation which support client's readiness for the conduct of Stage 2 Audit.

4.1.13 Coordinate with other team members and incorporate their findings and finalize 'Stage 1 Audit Report' (F.16) identifying any areas of concern that could be classified as nonconformity during Stage 2 Audit. Take client's sign on F.16 as a mark of their acceptance of audit report contents including documented conclusions with regard to fulfilment of the stage 1 objectives and readiness for Stage 2 audit. Finalise the tentative date(s) for Stage 2 audit with client, in determining the date gave consideration to time required by client to resolve areas of concern identified in Stage 1 audit.

4.1.14 Forward audit report to QMSI.

4.1.15 Review and approve any changes (audit man-days, location etc.) in its arrangements for Stage 2 and arrange updation of database. If any significant changes, which would impact the management system occur, consider the need to repeat all or part of Stage 1. Inform the client that the results of Stage 1 may lead to postponement or cancellation of Stage 2

4.2.1 Client to contact the Audit Team Leader or QMSI indicating readiness for Stage 2 Audit.

4.2.2 Review file, including Stage 1 Audit Report. Ensure that responses to Stage 1 Audit findings have been reviewed and accepted by Stage 1 Audit Team Leader. In the event this has not been done and the Stage 1 Audit Team Leader is no longer in the company, the newly appointed Audit Team Leader shall review the responses.

4.2.3 Select the entire assessment team in consultation with Lead Assessor as per Sec.9.1 of Management Manual. Ensure that the interval between Stage 1 and the Stage 2 audits is sufficient to ensure that any area of concern identified during Stage 1 audit can be resolved.

4.2.4 While finalizing audit plan in consultation with Director - Technical and audit team, ensure that each team member is assigned responsibility for auditing specific processes, functions, sites, areas or activities taking into account the need for competence, and the effective and efficient use of the audit team, as well as different roles and responsibilities of auditors, auditors-in-training and technical experts. Changes to the work assignments 'Audit Plan' may be made as the audit progresses to ensure achievement of the audit objectives.

4.2.5 Ensure that an audit notice along with audit plan is prepared and sent to the client for acceptance and the assessors (as a formal appointment) for carrying out the assessment. The team leader shall also be sent Stage 1 Audit Report (F.16).

4.2.6 The Triennial assessment planning shall include a review of the past performance of the client which shall be taken into consideration in preparing the plan. The plan must ensure that the assessment is comprehensive enough to verify: the effective interaction between all elements of the system; overall effectiveness of the system considering any changes; demonstrated commitment to maintain the system's effectiveness and its contribution in achieving organization's policy and objectives.

4.2.7 Prepare work documents (checklists, audit sampling plans etc.) as necessary for reference and for recording audit proceedings. Conduct audit team meeting, review audit plan and make changes if necessary.

4.2.8 Conduct and Chair Opening Meeting with the Clients's management and, where appropriate, with those responsible for the functions of processes to be audited. Purpose of this meeting is to provide a short explanation of how the audit activities will be undertaken. The degree of details will be consistent with the familiarity of the client with the audit process and will cover the following points:

• Introduction of the participants, including an outline of their roles;
• Confirmation of the Scope of certification;
• Confirmation of the audit plan (including type and scope of audit, objectives and criteria), any changes, and other relevant arrangements with the client, such as the date and time for the closing meeting, interim meetings between the audit team and the client's management;
• Confirm formal communication channels between the audit team and the client;
• Confirm that the resources and facilities needed by the audit team are available;
• Confirm matters relating to confidentiality;
• Confirm relevant work safety, emergency and security procedures for the audit team;
• Confirm availability, roles and identities of any Guides and Observers;
• The method of reporting, including any grading of audit findings
• Inform conditions under which the audit may be prematurely terminated like total breakdown of system, presence of an immediate and significant risk, non cooperative auditee etc;
• Confirm that the audit team leader and audit team representing QMSI is responsible for the audit and will be in control of executing the audit plan including audit activities and audit trails;
• Confirm status of findings of the previous review or audit, if applicable;
• Methods and procedures to be used to conduct the audit based on sampling;
• Confirm language to be used during the audit;
• Confirm that client will be kept informed of audit progress and any concerns as the audit progresses;
• Outline format of Report and Closing Meeting;
• Confirm provision of a private work area for the team;
• Work and meal times.
• Client's Questions.

4.2.9 A brief tour of the facility may be appropriate at the end of the meeting, as well as a brief private team meeting to instruct the other team members regarding the Style of the audit and peculiarities of the Client's System. Where the audit of a particular activity on site requires specific competence, the team leader assigns the audit team member personnel accordingly.

4.2.10 The assessment shall then proceed as per the program. Audit findings summarizing conformity and detailing nonconformity and its supporting audit evidence shall be recorded in Assessor Notes and/or Corrective Action Request to enable an informed certification decision to be made or certification to be maintained. Discuss nonconformity with the client to ensure that they understand the problem and have opportunity to offer more evidence of compliance. A CAR shall be recorded against a specific requirement of the audit criteria and should be worded adequately, identifying in detail the objective evidence on which the nonconformity is based. At the end of discussions with a particular person all deficiencies shall be recapped, so that they (and the guide) will know what to expect as CARs the next morning or the Audit Closing meeting, whichever is appropriate? Do not give prescriptive advice or consultancy while explaining the audit findings and / or clarifying the requirements of ISO 9001/ISO 14001/ISO 45001/ISO 22000 standard. Also don't suggest cause of nonconformities or their solution. Gradings should not be discussed, unless it is definitely a Major. 'Opportunities for improvement or Observations' may be identified and recorded in Assessor Notes, however, ensure that nonconformities are not recorded as 'Opportunities for improvement or Observations'.

4.2.11 During these audits auditor(s) spends majority of audit time to conduct interviews, observe processes and activities and review documentations & records to obtain information (audit evidence) relevant to the audit objectives, scope and criteria by appropriate sampling to:

• examine and verify the structure, policies, processes, procedures, records and related documents;
• determine that these meet all the requirements relevant to the intended scope of certification;
• determine that the processes and procedures are established, implemented and maintained effectively;
• performance monitoring, measuring, reporting and reviewing against key performance objectives;
• the client's management system ability regarding meeting applicable statutory, regulatory and contractual requirements;
• operational control of the client's processes;
• internal auditing and management review;
• management responsibility for the client's policies;
• links between normative requirements, policy, performance objectives and targets;
• communicate to the client any inconsistencies between policy, objectives and targets.

FSMS – Use Table A.1 in Annex A of ISO/TS 22003-1:2022 for assessment of compliance with clause 7.2 of ISO 22000:2018.

OHSMS – Audit the following personnel: i) management with legal responsibility for OH&S, ii) employees' representative(s) with responsibility for OH&S, iii) personnel responsible for monitoring employees' health, iv) managers and permanent/temporary employees, v) contractors' management and employees.

4.2.12 During the audit, periodically assess audit progress and exchange information. Audit Team Leader shall reassign work as needed. A meeting shall be held at the beginning of each day to discuss findings of the previous day and for the team leader to countersign all CARs raised. Then a meeting is held with the client in which the CARs are presented for signing, and the plan is reviewed. Resolve any diverging opinions and record unresolved points.

4.2.13 As the assessment progresses, consider CARs outstanding from previous SA visits and process them as appropriate. Areas of concerns identified during the Stage 1 shall either be noted as closed, or detailed on CARs by the assessors. The team leader shall ensure that all Stage 1 concerns are considered prior to preparing the report.

4.2.14 Record details of audit evidence in 'Assessor Notes' (F.23). Notes should include: (i) area audited (ii) client representative (iii) procedures referred to (iv) management system standard requirements (v) details of samples selected and (vi) sufficient comments to demonstrate conformity or nonconformity for each site. Submit these to the Audit Team Leader.

4.2.15 Where the available audit evidence indicates that audit objectives are unattainable or suggests presence of an immediate and significant risk (e.g. safety/threat to EMS/OHS), immediately report this to the client and QMSI. Action may include reconfirmation or modification of the audit plan, changes to objectives or scope, or termination until the risk is removed or reduced. Report the outcome to QMSI.

4.2.16 Review with the client any need for changes to the audit scope which becomes apparent as on-site auditing activities progress and report this to QMSI.

4.2.17 Put great emphasis in determining the maturity of internal auditing and management review processes, as these are absolutely mandatory for achieving desired results out of implemented management system.

4.2.18 Also ensure that the client's management system and performance are legally compliant based on the demonstrated implementation of the system and not rely on the planned or expected results. If non-compliant issues are identified, raise these issues as CAR and immediately communicate to the client's management/relevant personnel.

4.2.19 When all items on the Plan have been assessed, the team shall come together to raise CARs from the last day, and to complete 'Stage 2 Audit Report' (F.17). Audit team will:

• review the audit findings against audit objectives and criteria and classify the CARs;
• agree upon the audit conclusions, taking into account uncertainty inherent in the audit process;
• agree any necessary follow-up actions;
• confirm the appropriateness of the audit programme (F.32) or identify modifications;
• Request client to acknowledge contents of Audit Report and CAR (F.14).

4.2.20 The Audit Report shall clearly state the recommendation for approval or otherwise and point out that it is subject to review by QMSI management.

OH&SMS - Any organization failing to demonstrate their initial or ongoing commitment to legal compliance, shall not be recommended for certification. Where the organization may not be in legal compliance, it shall demonstrate it has activated an implementation plan to achieve full compliance within a declared date, supported by a documented agreement with the regulator wherever possible.

4.2.21 A Surveillance Audit Plan shall be completed for all sites of a multi-site Client.

4.2.22 Decide to hold a special Corrective Action visit in maximum three months time to clear up significant numbers of CARs, or if some element such as Internal Audit is not considered reliable and needs closer scrutiny, or where a CAR poses an immediate threat to EMS/OHS. The reasons for such a visit shall be clearly explained to the client.

4.2.23 Generally Minor CAR's must be closed out before the next surveillance audit or they will escalate to a Major CAR. In the case of recertification, all CARs must be closed out prior to the expiration of the current certificate.

4.2.24 The Closing Meeting shall be held with the client's management and, where appropriate, those responsible for the functions or processes audited. OHSMS - Request the representative to invite management legally responsible for OH&S, personnel responsible for monitoring employees' health and employees' representative(s) to attend. During closing meeting following elements will be discussed:

• Thank the Client for co-operation and hospitality;
• Point out the sampling nature means uncertainty exists;
• The method and timeframe of reporting, summarise findings and their grading, state Recommendation;
• Agree timeframe (typically not more than three months) for corrective action;
• QMSI's post audit activities and timing of Surveillance Audits;
• Information about complaint and appeal handling process;
• Answer Questions and resolve diverging opinions;
• Close the meeting;
• Circulate Attendance list.

4.3.1 Conducting large, formal Opening Meeting is not necessary, unless the client requests one. However the visit shall begin with a discussion with at least the client's MR, to review the CARs and to construct an informal plan for the visit. Any entire elements of the system which have been set for re-assessment should be programmed first.

4.3.2 Examine objective evidence relating to each CAR to establish whether the CAR can be downgraded or closed, record the verification results on 'Corrective Action Plan' (F.15). CARs relating to re-assessed areas shall be closed or downgraded before leaving the area. Raise new CARs if and when appropriate.

4.3.3 If time runs short before examining all CARs, elect to postpone examination of some Minor CARs until the next Surveillance Audit. However, all Major CARs must be reviewed during the visit.

4.3.4 At the end of the visit present any new CARs for signing by the client and complete audit report F.19.

4.3.5 Follow step 4.2.20 to 4.2.25.

4.4.1 The frequency of Surveillance Audits is defined in the contract, and usually occurs annually (plus or minus one month), but must be held no more than twelve months between visits (no tolerance). If this is exceeded without suspension or withdrawal, the Director - Technical must explain and record the reasons why the approval has not been suspended or withdrawn.

4.4.2 At least one week prior to the visit, contact the client and the assessor to verbally confirm or adjust the visit date and time. Once agreed they shall be sent in writing to both the client and assessor along with Audit Plan.

4.4.3 Arrange to send following original documents to the appointed auditor: All outstanding CARs (F.14), 3 Years Audit Programme (F.32), Surveillance Audit Report (F.19), Assessor Notes (F.23), Attendance Sheet.

4.4.4 Prepare working documents (checklists, audit sampling plans, etc.) as necessary for reference and for recording audit proceedings.

4.4.5 Conduct Opening Meeting as per 4.2.8 above.

4.4.6 If there are any significant changes to the system (e.g. Purchasing now computerised), those areas shall be assessed prior to auditing the areas identified on the SA Plan. If time becomes restrictive, the following priority order shall apply: 1) Changes, 2) Mandatory Items marked on 3 Years Audit Programme (Internal Audits, Management Review, Action on previous CARs, Action on complaints, effectiveness of management system(s), progress of planned activities, Use of Marks), 3) Other items on Surveillance Audit Programme.

4.4.7 During audit, evaluate effectiveness of the management system: a) with regard to achieving the objectives established by the concerned client and b) in fulfilling requirements between recertification audits.

4.4.8 Raise CAR's as appropriate and complete 'Surveillance Audit Report' (F.19).

4.4.9 In case of multi site organization, carry out audit on these sites/temporary sites as per 3 Years Audit Programme(F.32) and generate following records – Attendance, CARs (F.14) & Assessor Notes (F.23). Arrange to send these documents to Lead Auditor before the audit at Central Office for inclusion in consolidated 'Surveillance Audit Report' (F.19).

4.4.10 Follow step 4.2.8 to 4.2.25.

4.5.1 QMSI provides a written report to client for each audit. QMSI don't suggest cause of nonconformities or their solution. Ownership of the audit report lies with QMSI.

4.5.2 Audit team leader is responsible for the audit report and its content. Ensure that report is accurate, concise and clear to enable an informed certification decision. Following audit reports formats are used: Stage 1 Audit Report (F.16), Stage 2 Audit Report (F.17), Surveillance Audit Report (F.19), Recertification Audit Report (F.21). These audit reports include: (a) QMSI Logo, (b) client name and address, (c) type of audit, (d) audit criteria, (e) audit objectives, (f) audit scope, (g) any deviations, (h) significant issues, (i) audit team names, (j) dates and places, (k) audit findings, (l) significant changes, (m) unresolved issues, (n) combined/joint/integrated status, (o) disclaimer statement on sampling, (p) recommendation, (q) use of marks control, (r) verification of corrective actions.

4.5.3 Audit report will also contain: a) a statement on conformity and effectiveness of the management system with summary of evidence relating to: the capability to meet requirements and expected outcomes, and the internal audit and management review process; b) a conclusion on appropriateness of the certification scope; c) confirmation that audit objectives have been fulfilled.

4.6.1 Provide technical advice to auditors including advice on sector specific terminology, technical characteristics of processes and products and sector-specific processes and practices. Work under direction and close co-operation with competent auditor, but shall not perform an independent auditing function.

4.7 Monitor / Evaluate and submit report on performance of Technical Expert(s). Use 'Technical Expert Performance Review Form' F.3 for recording the performance.

4.8.1 Ensure that observers, if any, do not influence or interfere in the audit process or outcome of the audit.

4.8.2 Ensure that each auditor is accompanied by a guide, unless otherwise agreed with the client.

4.8.3 Ensure that guides, do not influence or interfere in the audit process or the outcome of the audit. Responsibilities of a guide can include: a) Establishing contacts and timing for interviews; b) Arranging visits to specific parts of the site; c) Ensuring rules concerning site safety and security are known and respected; d) Witnessing the audit on behalf of the client; e) Providing clarification or information as requested.

4.9.1 If a member of the audit team, in their professional judgement, discovers a breach of an Act of Parliament, or a contravention of a regulatory requirement, they should immediately brought it to the notice of Director - Technical.

4.9.2 Raise a non-conformity within maximum 3 days of receiving this information and urgently communicate to client for urgent action.