(a) Audit planning. Before beginning to conduct a food safety audit under this subpart, an accredited third-party certification body must:
(1) Require the eligible entity seeking a food safety audit to:
(i) Identify the scope and purpose of the food safety audit, including the facility, process(es), or food to be audited; whether the food safety audit is to be conducted as a consultative or regulatory audit subject to the requirements of this subpart, and if a regulatory audit, the type(s) of certification(s) sought; and
(ii) Provide a 30-day operating schedule for such facility that includes information relevant to the scope and purpose of the audit; and
(2) Determine whether the requested audit is within its scope of accreditation.
(b) Authority to audit. In arranging a food safety audit with an eligible entity under this subpart, an accredited third-party certification body must ensure it has authority, whether contractual or otherwise, to:
(1) Conduct an unannounced audit to determine whether the facility, process(es), and food of the eligible entity (within the scope of the audit) comply with the applicable food safety requirements of the FD&C Act and FDA regulations and, for consultative audits, also includes conformance with applicable industry standards and practices;
(2) Access any records and any area of the facility, process(es), and food of the eligible entity relevant to the scope and purpose of such audit;
(3) When, for a regulatory audit, sampling and analysis is conducted, the accredited third-party certification body must use a laboratory that is accredited in accordance with:
(i) ISO/IEC 17025:2005; or
(ii) Another laboratory accreditation standard that provides at least a similar level of assurance in the validity and reliability of sampling methodologies, analytical methodologies, and analytical results.
(4) Notify FDA immediately if, at any time during a food safety audit, the accredited third-party certification body (or its audit agent, where applicable) discovers a condition that could cause or contribute to a serious risk to the public health and provide information required by § 1.656(c);
(5) Prepare reports of audits conducted under this subpart as follows:
(i) For consultative audits, prepare reports that contain the elements specified in § 1.652(a) and maintain such records, subject to FDA access in accordance with section 414 of the FD&C Act; and
(ii) For regulatory audits, prepare reports that contain the elements specified in § 1.652(b) and submit them to FDA and to its recognized accreditation body (where applicable) under § 1.656(a); and
(6) Allow FDA and the recognized accreditation body that accredited such third-party certification body, if any, to observe any food safety audit conducted under this subpart for purposes of evaluating the accredited third-party certification body's performance under §§ 1.621 and 1.662 or, where appropriate, the recognized accreditation body's performance under §§ 1.622 and 1.633.
(c) Audit protocols. An accredited third-party certification body (or its audit agent, where applicable) must conduct a food safety audit in a manner consistent with the identified scope and purpose of the audit and within the scope of its accreditation.
(1) With the exception of records review, which may be scheduled, the audit must be conducted without announcement during the 30-day timeframe identified under paragraph (a)(1)(ii) of this section and must be focused on determining whether the facility, its process(es), and food are in compliance with applicable food safety requirements of the FD&C Act and FDA regulations, and, for consultative audits, also includes conformance with applicable industry standards and practices that are within the scope of the audit.
(2) The audit must include records review prior to the onsite examination; an onsite examination of the facility, its process(es), and the food that results from such process(es); and where appropriate or when required by FDA, environmental or product sampling and analysis. When, for a regulatory audit, sampling and analysis is conducted, the accredited third-party certification body must use a laboratory that is accredited in accordance with paragraph (b)(3) of this section. The audit may include any other activities necessary to determine compliance with applicable food safety requirements of the FD&C Act and FDA regulations, and, for consultative audits, also includes conformance with applicable industry standards and practices.
(3) The audit must be sufficiently rigorous to allow the accredited third-party certification body to determine whether the eligible entity is in compliance with the applicable food safety requirements of the FD&C Act and FDA regulations, and for consultative audits, also includes conformance with applicable industry standards and practices, at the time of the audit; and for a regulatory audit, whether the eligible entity, given its food safety system and practices would be likely to remain in compliance with the applicable food safety requirements of the FD&C Act and FDA regulations for the duration of any certification issued under this subpart. An accredited third-party certification body (or its audit agent, where applicable) that identifies a deficiency requiring corrective action may verify the effectiveness of a corrective action once implemented by the eligible entity but must not recommend or provide input to the eligible entity in identifying, selecting, or implementing the corrective action.
(4) Audit observations and other data and information from the examination, including information on corrective actions, must be documented and must be used to support the findings contained in the audit report required by § 1.652 and maintained as a record under § 1.658.