I recently had the honor of speaking at the 2012 Safe Quality Food International Conference in Cincinnati on the topic of the crucial role of third-party audits in moving forward with FSMA and food safety. In the talk, I spent time looking at what is working well with third-party audit systems, and where some of the vulnerabilities are. Based on reflections from giving that talk, I thought I would share some of what I see as the key points in this week’s newsletter. At this point in time, the use of third-party audits has potential to be a massive success or a dismal failure depending on the outcome of the continued momentum to build a robust system. Currently there are at least three forces in play in the third-party audit world, each of which is interrelated. Specifically, these three areas are:
- The private sector drivers with expanding use of third-party audit systems under the umbrella of the Global Food Safety Initiative (GFSI);
- The impact of the requirements in FSMA around using third-party audits in relation to imported foods;
- The impact of the recent report from the Government Accountability Office (GAO) on this issue.
As we consider some of the pressure points in the third-party audit system, one of the vulnerabilities that I think is important is the recognition that the audit is always a “snap shot in time” exercise. This then raises the question – whether you are the recipient of a third-party audit or the person who doing that audit: Why is the audit being undertaken? Is it to protect your brand, so you really want the auditor to find the gaps in your system? Or is it to safeguard against the likelihood of litigation or share that risk with someone else if something goes wrong? Or, is it simply to generate the required certificate to allow you to sell your products? It may even be some combination of the above, but in my view the way to both receive and execute an audit is the first one – you really want to find out where the holes are in your system and fix them. Then when you get your certificate, don’t relax! Keep up the pressure, fix the problems, look for continuous improvement and make that “snap shot” assessment into a “movie” of continuous improvement. As we consider third-party audits, there are two words that signify success to me: that is, having a system that is trustworthy and rigorous. That is what will make it a success for the regulators and the private sector. As we look at the role that U.S.food regulators have played in the evolution of the third-party audit system, it was the melamine episode in 2007 that focused attention on this issue for FDA. Melamine and melamine by-product contamination of wheat gluten drove FDA to recognize that the systems around import safety needed a radical rethink. This 2007 event drove the opening of several FDA offices overseas (China, Latin America, India, Europe, etc.), as well as the 2008 Shrimp Pilot and many of the specific sections in FSMA. The Shrimp Pilot was FDA’s first foray into the third-party audit space with the intent of figuring out if the Agency could use third-party audits and what some of the challenges around such a program would be. The pilot answered those questions, and, while the answers were not all that some would have liked, they were encouraging enough for FDA to proceed and include the use of third-party audits as an important part of import controls in FSMA. The final version of FSMA included at least two key sections that will specifically leverage third-party audits: Section 303, giving FDA the authority to require certificates (issued by third-party auditors) for high risk foods, and Section 302, the Voluntary Qualified Importer Program (VQIP). So if FDA is going to use information from third-party audits to address these two sections, who will be considered an appropriate third-party auditing body? The language in FSMA provides quite a list of potential third-party auditors including:
- Foreign governments
- An agency of a foreign government
- Any other third-party, as the Secretary determines appropriate
- A single individual
- Audit agents employed or used by third-party auditors to help conduct consultative and regulatory audits.
When it comes to foreign governments, FDA must audit the food safety programs, systems, and standards of the government or agency to determine the capability of ensuring that “they meet the requirements of this Act with respect to food manufactured, processed, packed, or held for import into the United States.” When it comes to private entities, FDA must use an accreditation body, which can be FDA itself if the Agency so chooses. However, I think it is both more likely and more sensible if the FDA uses an outside party as the accreditor. Either way the accreditation body needs to perform reviews and audits of the training and qualifications of audit agents and review the internal systems of the auditing body to determine that each entity “has systems and standards in use to ensure that such entity or food meets the requirements of this Act.” Thus FDA is setting a high bar, as it should, because there are certainly organizations waiting in the wings to point out that when the “fox guards the henhouse” the system does not adequately protect the U.S. consumer. Again, this goes back to the systems being both rigorous and trustworthy. Increasing Rigor and Trust of GFSI Systems The importance of rigor and trust is not unique to FSMA-related, third-party audit activities. These attributes are also critical for the success of GFSI and the various schemes under the GFSI umbrella. As we look at the GFSI systems, there are some things that are working well and some things that are not working so well. One attribute of GFSI continues to be its concept of “once audited, accepted everywhere.” While for some, this has meant a reduction in outside audits, it is certainly not the case in all situations. Other attributes are its establishment of a process for robust standards that can adapt to any changes that new FSMA regulations may require, the program’s movement from being retail centric into the manufacturing and ingredient supplier space, and its expansion into a global system. When considering aspects of GFSI that have room for improvement, I see a clear need for more well-trained auditors. I urge GFSI, and all the schemes under GFSI, to embark on the development of third-party-audit training programs through established educational institutions, such as universities. There are many bright, capable individuals who could establish a career in this space. Such a career could be based on a robust education and training program coupled with mentored, hands-on training, and ongoing oversight of audit execution to reinforce both rigor and trust. Recognizing that the life of an auditor is a life on the road, such a career path can evolve from third-party auditor to in-house food-company QA manager and back to third-party auditor. We need to establish a career track in this space that is desirable, fun, and lucrative. Finally, there is a need for proactive public relations activity. Third-party audit systems continue to take media hits with little robust defensive response – this can and should be addressed. The purpose of an audit, and the inherent limitations associated with audits need to be communicated. I mentioned in the opening portion the impact of a new GAO study. This study assessed the capability of FDA to meet the FSMA mandate for third-party audit programs and essentially concluded that the Agency could not meet the mandate. GAO appeared to urge FDA to consider using the USDA/FSIS model of equivalency rather than the more robust system proposed in FSMA. If FDA were to go down that road it would undermine the use of private third-party audit systems in relation to FDA-regulatory activity. Personally I don’t think equivalency is workable for FDA due to the breadth and variability of FDA-regulated foods. FDA is not required to follow GAO’s recommendations, but these recommendations sow a seed of doubt into the system, and part of that doubt creates a vulnerability around private third-party audits. If FDA chooses to make it easier for foreign governments to issue the required certificates for high-risk foods and VQIP, then that will undermine the role that private third-party audits would play As we move into the next four years of the Obama administration, all those involved in third-party audit systems need to recognize that we are at a fork in the road. We have the option of rapid global expansion and broader recognition of such systems by regulators, or the option of a private sector-centric system that is on a slow trajectory to optimization. The choice is ours. I advocate for the former. Let’s drive this hard, and prove that the system can be both rigorous and trustworthy. This will require energy and leadership as well as resources, but the potential losses from not going down that fork far outweigh the costs of the alternate pathway of mediocrity that the regulators cannot trust. As a final word – if you are being audited, use that information to improve your systems, and don’t relax when the auditors leave but build from their input. If you are an auditor, it is essential to recognize the importance of your role and its increasing responsibility, but also to leverage the potential opportunities that are coming. This article originally appeared on Leavitt Partners’ Food Safety blog November 14, 2012.