FSSC 22000 Remote Audits: Annex 9, Full Remote Audit Addendum & Remote Discussion
FSSC 22000 offers two remote audit options: the partially remote audit and the fully remote audit. In the following you will learn how certification works and what distinguishes the two remote audit options from one another. You will also find out how you can use a third option, the so-called remote discussion, to extend the upcoming FSSC 22000 audit up to March 30, 2021 at the latest.
- The partially remote audit
- The fully remote FSSC 22000 audit
- FSSC 22000 Remote Discussion
1. The partially remote audit
As of June 2020, it is possible to conduct a part of the FSSC 22000 audit remotely. In the wake of the GFSI decision to accept remote audits, FSSC 22000 published a new annex to its certification scheme. The new Annex 9 describes the procedure for remote auditing and is applicable to initial audits, surveillance audits and recertification.
A remote audit is only possible after a positive risk assessment, performed by the certification body. Based on a questionnaire, filled out by the certified site, the certification body must evaluate whether a remote audit is appropriate to achieve the audit objectives. It takes into account the historical performance of a site, including any risks identified from complaints and recalls, as well as the availability of records and documentation in electronic form.
How is the remote part of the FSSC 22000 Audit done?
The partially remote audit is done by use of ICT. FSSC does not prescribe what type of tools should be used. In order to protect data security, DQS auditors typically work with the tools suggested by the certified site.
Doing part of the audit remotely is optional, and must be agreed between the certified site and its certification body.
What is being audited?
The process as described in Annex 9 consists of two main steps:
1) Remote audit: consists of a document review and interviews with key staff. It focuses primarily on the ISO 22000 component of the FSSC 22000 scheme.
2) Audit on site: focuses on the effective implementation of the food safety management system (including HACCP), the PRPs, visual inspection of processes and facilities, as well as all other clauses that were not covered during the remote audit.
The entire stage 1 audit can be done remotely, as long as it meets the audit goals as specified in ISO 17021-1 (9.3.1.2.2). This means the stage 1 audit cannot be limited to a mere review of documents: live video must be used to observe the work environment and the facilities. The report of the stage 1 audit must specify that it was performed remotely, which ICT tools were used and which audit objectives were achieved.
The Stage 2 audit, by contrast, must be done entirely on site. It needs to be completed within six months after the stage 1. If a site fails to have the stage 2 audit within six months, the stage 1 audit must be repeated.
Annex 9 provides the possibility to do a part of the surveillance audit remotely. The remote audit and the on-site audit must be done within a timespan of thirty days. In case of serious exceptional events that prevent the audit from taking place, the timeframe can be extended to 90 days. If the timeframe is exceeded, the full surveillance audit must be done on-site – if not, the certificate needs to be suspended.
Recertification audits can also be done partially remotely. The full audit then consists of a remote and an on-site part. Both parts must be completed before the certificate expires. The remote audit and the on-site audit must be done within a timespan of thirty days. In case of serious exceptional events that prevent the audit from taking place, the timeframe can be extended to 90 days.
Even for unannounced audits, doing a part of the audit remotely is possible, as long as the on-site part is done first. The remote part of the audit must then follow within 48 hours of the on-site audit.
The remote audit will typically take 1 day, and the on-site audit the remainder of the total duration of the regular annual audit. The on-site audit cannot be less than 1 day and shall be at least 50% of the total audit duration.
If there are problems with the use of ICT (e.g. connection problems) that impact the ability to do an effective audit, the audit must be aborted and rescheduled.
Confidentiality, Security and Data Protection
Needless to say, protecting confidential information during and after a remote audit is essential. Certification bodies and their auditors must comply with local data privacy laws. As part of the audit preparation, all certification, legal and customer requirements related to confidentiality, security and data protection shall be identified and actions taken to ensure their effective implementation. This implies that both the auditor and the auditee agree with the use of ICT and with the measures taken to fulfil these requirements.
The FSSC 22000 Annex 9 with the full information on remote auditing is available for download here.
2. The fully remote FSSC 22000 audit
Since October 2020 it is possible to conduct FSSC 22000 audits completely remotely in the case of serious events, for example wars, strikes, security risks or natural disasters, as in the case of the COVID-19 pandemic. The document "Full Remote Audit Addendum" makes it possible. You can access it here.
The full FSSC 22000 Remote Audit is an accredited, non-GFSI recognized, voluntary option. It can only be used if access to the premises of the certified organization is not possible as a direct result of a serious event. The remote audit can only be carried out with mutual consent.
The remote audit option can be used for annual, announced FSSC 22000 surveillance or recertification audits as well as for transition audits. Even follow-up audits to close out nonconformities can generally be done remotely, depending on the nature of the nonconformity. Critical nonconformities require an on-site follow-up audit in all instances. Special audits can also be conducted remotely based on the outcome of the serious event risk assessment.
First, the certification body conducts a risk assessment to determine the impact of the serious event on the current certification status of the certified organization. The full remote audit option can only be utilized when the risk of maintaining certification is determined as being low.
The certification body then conducts a feasibility assessment to determine, in conjunction with the certified organization, whether a full remote audit is a viable option and to determine if the full audit objectives can be achieved through the use of information and communication technology (ICT).
For a full remote audit to be conducted, the site needs to be operational with production taking place. In the event that the site has closed and/or no production is taking place, the full remote audit option cannot be applied.
Before the audit, the ICT means to be used shall be tested. Feasibility also depends on the online connection quality. The auditor and all other members of the audit team must receive suitable support and training on the use of ICT prior to the remote audit.
In the event that the ICT utilized does not function properly or prevents / hampers a robust audit, the audit shall be aborted and suitable follow-up actions determined in line with the audit schedule and Scheme requirements.
Data security and confidentiality
In remote audits, the protection of data is particularly important. The use of information and communication technology must be mutually agreed in accordance with information and data security measures and regulations before ICT is used. Video and/or audio recordings, screenshots, and storage of evidence shall also be mutually agreed and the certification body shall keep record of these agreements.
How DQS can assist you
As an approved certification body for the FSSC 22000 Scheme as well as the founder of DQS Remote, we are at the forefront of remote auditing. With auditors available across the globe, we are ready to support you – remotely or on-site. Contact us today or sign up for our newsletter to stay up to date!
3. FSSC 22000 Remote Discussion
If you do not want to make use of the remote audit options, it is possible to extend the audit until March 30, 2021. For this, a remote audit discussion must take place before the due date.
This remote audit discussion consists of a risk analysis that the site must complete and that is assessed by the certification body. An auditor then performs a two-hour online audit and issues a report after the audit. The certificate will be extended by 6 months, but no further than March 30, 2021. This is due to the fact that from April 1, 2021 audits according to FSSC Version 5.1 must be performed. Here you can find out everything you need to know about the revision of the FSSC 22000 standard.
If you are interested in an FSSC remote discussion, please contact your account manager or register here.