FSSC 22000 Remote Audits – What you need to know

FSSC 22000 Remote Audit

As of June 2020, it is possible to conduct a part of the FSSC 22000 audit remotely. On this page, we have summarized the main conditions and rules for remote audits of FSSC 22000 certified sites.

In the wake of the GFSI decision to accept remote audits, FSSC 22000 published a new annex to its certification scheme. The new Annex 9 describes the procedure for remote auditing and is applicable to initial audits, surveillance audits and recertification.

A remote audit is only possible after a positive risk assessment, performed by the certification body. Based on a questionnaire, filled out by the certified site, the certification body must evaluate whether a remote audit is appropriate to achieve the audit objectives. It takes into account the historical performance of a site, including any risks identified from complaints and recalls, as well as the availability of records and documentation in electronic form.

How is the remote part of the FSSC 22000 Audit done?

The remote audit is done by use of ICT. FSSC does not prescribe what type of tools should be used. In order to protect data security, DQS auditors typically work with the tools suggested by the certified site.

Doing part of the audit remotely is optional, and must be agreed between the certified site and its certification body.

What is being audited?

The process as described in Annex 9 consists of two main steps:

1) Remote Audit: consists of a document review and interviews with key staff. It focuses primarily on the ISO 22000-component of the FSSC 22000 scheme.

2) Audit on site: Focuses on the effective implementation of the food safety management system, (including HACCP), the PRPs, visual inspection of processes and facilities as well as all other clauses that were not covered during the remote audit.

Initial Audits

The entire stage 1-audit can be done remotely, as long as it meets the audit goals as specified in ISO 17021-1 (9.3.1.2.2). This means the stage 1 cannot be limited to a mere review of documents: live video must be used to observe the work environment and the facilities. The report of the stage 1 audit must specify that it was performed remotely, which ICT tools were used and which audit objectives were achieved.

The Stage 2 audit, by contrast, must be done entirely on site. It needs to be completed within six months after the stage 1. If a site fails to have the stage 2 audit within six months, the stage 1 audit must be repeated.

Surveillance Audits

Annex 9 provides the possibility to do a part of the surveillance audit remotely. The remote audit and the on-site audit must be done within a timespan of thirty days. In case of serious exceptional events that prevent the audit from taking place, the timeframe can be extended to 90 days. If the timeframe is exceeded, the full surveillance audit must be done on-site – if not, the certificate needs to be suspended.

Recertification Audits

Recertification audits can also be done partially remotely. The full audit then consists of a remote and an on-site part. Both parts must be completed before the certificate expires. The remote audit and the on-site audit must be done within a timespan of thirty days. In case of serious exceptional events that prevent the audit from taking place, the timeframe can be extended to 90 days.

Unannounced Audits

Even for unannounced audits, doing a part of the audit remotely is possible, as long as the on-site part is done first. The remote part of the audit must then follow within 48 hours of the on-site audit.

Audit Duration

  • The remote audit will typically be 1 day, and the onsite audit the remainder of the total duration of the regular annual audit. The onsite audit cannot be less than 1 day and shall at least be 50% of the total audit duration.

If there are problems with the use of ICT (e.g. connection problems) that impact the ability to do an effective audit, the audit must be aborted and rescheduled.

Confidentiality, Security and Data Protection

Needless to say, protecting confidential information during and after a remote audit is essential. Certification bodies and their auditors must comply with local data privacy laws. As part of the audit preparation, all certification, legal and customer requirements related to confidentiality, security and data protection shall be identified and actions taken to ensure their effective implementation. This implies that both the auditor and the auditee agree with the use of ICT and with the measures taken to fulfil these requirements.

The FSSC 22000 Annex 9 with the full information on remote auditing is available for download here.

How DQS can assist you

As an approved certification body for the FSSC 22000 Scheme as well as the founder of DQS Remote, we are at the forefront of remote auditing. With auditors available across the globe, we are ready to support you – remotely or on-site. Contact us today or sign up for our newsletter to stay up to date!