- The partially remote audit
- The fully remote FSSC 22000 audit
- FSSC 22000 Remote Discussion
1. The partially remote audit
Since June 2020, it has been possible to perform FSSC 22000 audits partially remotely. The procedure consists of a remote audit followed by an abbreviated on-site audit. The procedure for remote audits according to FSSC 22000 is described in the new Annex 9. It is applicable to initial audits, surveillance audits and recertification audits, each under different conditions.
With the help of a risk assessment, the certification body determines whether a remote audit is an option at the site in question. The risk assessment is based on a questionnaire that determines, among other things, the historical performance of the site and the availability of documentation and records. The certification body is responsible for evaluating the risk assessment and decides whether a remote audit is possible for the site.
How is an FSSC 22000 partially remote audit conducted?
The FSSC 22000 partially remote audit is carried out using information and communication technology (ICT). There are no exact regulations regarding the means of communication - DQS auditors, for example, like to work with systems that the sites are already familiar with. In this way, technical problems and data protection risks can be prevented.
The ICT audit approach is voluntary and must be mutually agreed upon between the certification body and the organization to be certified prior to the audit.
What is audited?
The procedure described in Annex 9 consists of two main steps:
1) Remote Audit: This consists of a document review and interviews with key personnel, using ICT. The focus of the remote audit will be on the ISO 22000 components of the standard.
2) On-site audit: This will focus on the implementation and verification of the FSMS (including HACCP), PRPs, physical inspection of the production process, and any remaining requirements that were not covered during the remote audit.
The full FSSC Stage 1 audit can be conducted remotely using ICT. The objectives of the Stage 1 audit as defined in ISO 17021-1 (9.3.1.2.2) shall be achieved. To this end, ICT (i.e., live video) must be included to observe the work environment and facilities as well. The Stage 1 audit report will indicate that the audit was conducted remotely, what ICT tools were used, and what objectives were met.
The Stage 2 audit is conducted as a full on-site audit within 6 months of the Stage 1 audit. If it does not take place within this period, the stage 1 audit must be repeated. It is not allowed to use the ICT audit approach for the stage 2 audit.
It is also possible to perform part of the audit remotely for the annual surveillance audits. Both the remote audit and the on-site audit must be completed within one calendar year. The maximum period between the remote audit and the on-site audit must not exceed 30 calendar days. In the case of serious events, the period may be extended to a maximum of 90 calendar days.
If this period is exceeded, the full on-site surveillance audit must be performed or the certificate will be suspended.
Re-certification audits can also be performed partially remotely. The remote audit in conjunction with the on-site audit constitutes a full recertification audit. Both processes must be completed prior to the expiration of the existing certificate.
The maximum period between the remote audit and the on-site audit shall not exceed 30 calendar days. In the case of serious events, the period may be extended to a maximum of 90 calendar days.
Even in the case of unannounced audits, part of the audit may be conducted remotely. The prerequisite is that the on-site audit is performed first. The remote audit must be performed afterwards, within a maximum of 48 hours after the on-site audit.
Duration & Schedule
The remote audit typically lasts one day, and the on-site verification audit takes up the remainder of the total duration of the regular annual audit. The on-site audit shall not be less than one day and shall be at least 50% of the total audit duration.
In the event that the ICT used is not functioning properly or is preventing / hindering a solid audit, the audit must be terminated and appropriate follow-up actions must be determined.
Confidentiality, security and data protection
The protection of sensitive information has a very high priority in remote audits. Certification bodies must consider local data protection laws. To prepare for the use of information and communication technology, all certification and customer requirements, as well as legal requirements related to confidentiality, security and privacy, must be defined and measures taken to ensure their effective implementation. All participants must demonstrably agree to the confidentiality, security, and privacy requirements.
2. The fully remote FSSC 22000 audit
Since October 2020, it has been possible to conduct FSSC 22000 audits completely remotely in the case of serious events, for example wars, strikes, security risks or natural disasters, as in the case of the COVID-19 pandemic. This is made possible by the document "Full Remote Audit Addendum".
The full FSSC 22000 remote audit is an accredited, non-GFSI approved, voluntary option. It can only be used when access to the certified organization's premises is not possible as a direct result of a serious event. The remote audit can only be performed upon mutual agreement.
The remote audit option can be applied to annual announced surveillance or recertification audits, as well as transitional audits. Remote auditing is also possible for follow-up audits to check deviations, depending on the type of deviation. Critical non-conformance requires an on-site follow-up audit in all cases. Special audits can also be performed remotely based on the result of a risk assessment for serious events.
First, the certification body conducts a risk assessment to determine the impact of the serious event on the current certification status of the certified organization. The fully remote audit option can only be used if the risks are considered low.
The certification body then conducts a feasibility assessment to determine whether a full remote audit is a viable option and whether all audit objectives can be achieved through the use of information and communication technology (ICT).
In order for a full remote audit to be conducted, the site must be in operation and still producing. If the site has been closed and / or there is no production, the remote audit option cannot be applied.
Prior to the audit, the intended ICT technologies must be tested and it must be verified that a stable Internet connection exists. The auditor and all other members of the audit team must receive appropriate training in the use of ICT prior to the remote audit.
In the event that the ICT used is not functioning properly or is preventing / hindering a sound audit, the audit must be aborted and appropriate follow-up action must be determined in accordance with the audit plan and system requirements.
Data security and confidentiality
In remote audits, data protection takes on a particularly high priority. The use of information and communication technology must therefore be mutually agreed upon in accordance with confidentiality, security and data protection requirements before ICT can be used. The recording of video and / or audio material, screenshots and the safeguarding of evidence must also be mutually agreed. The storage of data is the responsibility of the certification body.
3. FSSC Remote Discussion
If you do not want to use the remote audit options, it is possible to extend the audit until March 30, 2021. To do so, a Remote Audit Discussion must take place by the deadline.
This Remote Audit Discussion consists of a risk analysis that the site must complete and that is evaluated by the certification body. Subsequently, an auditor conducts a two-hour online audit and issues a report after the audit. Thus, the certificate is extended for 6 months, but not beyond March 30, 2021, because from April 1, 2021, it is mandatory to audit according to FSSC version 5.1.