A misunderstanding of third-party audits

Art Davis talks about third-party auditing to monitor supplier food safety systems.


As a result of the recent Salmonella outbreak resulting from contaminated peanut product, the very common practice of using third-party audits to monitor supplier food safety systems has come under severe criticism. There are two aspects of the current attack that I think demonstrate a lack of understanding of the purpose and goals of a third-party supplier audit system.

The first is the simple fact that third-party audits and auditors cannot, and were never intended to, discover dishonesty, fraud, or other forms of malfeasance at the senior management level of a supplier. The third-party audit is not a regulatory function. The auditor has no legal standing and cannot demand specific documents or other information. Rather, the auditor — and in fact the entire third-party audit program — is dependent on the good will and honesty of the people and facilities being audited.

Third-party audits have evolved from a practice originally developed as an educational and informative exercise. At the request of some of the early users 50 years ago, a few groups initiated a program of reviewing supplier operations with an eye to safety and quality-related issues. The intent was as much to help improve operations as it was to provide an assur-ance of good performance. From that beginning evolved the current third-party audit system complete with scores, ratings and, occasionally, detailed reports.

The system was intended to provide useful information to all concerned parties and assumed that all were interested in discovering their faults as the initial step towards process and product improvement. Later however, especially within the last 10 to 15 years, there has been a subtle change in the intent and use of third-party audits.

What was once primarily intended as an educational tool has become instead a business tool used by customers to select, approve and monitor suppliers. The third-party audit has become a significant part of legal defense against food safety claims for downstream food companies. There has developed a belief in some quarters that the third-party audit is in some way a quasi-regulatory event that should investigate all aspects of a supplier, including ferreting out information not volunteered by the auditee. This is simply not the case.

Third-party audits are voluntary in nature. They may be required by a particular customer before the customer will purchase from a particular supplier, but the penalty for refusing the third-party audit is limited to loss of business with absolutely no regulatory or other government-related consequences.

Whether the audits are announced or unannounced, whether they cover an entire production facility or just the portions involved in manufacture of a particular product — these are issues which are agreed upon by the customer and supplier without input from, or knowledge of, any regulatory entity. In some cases the contracting parties even specify the maximum amount of time allowed to conduct an audit.

Failure of a third-party audit to discover specific issues or problems in a facility must first be investigated from the intent of the third-party audit as contracted between the audit group, the customer and the supplier. If, as in the case of the Peanut Corporation of America (PCA), customers required a minimum score on standard “GMP” audits, but did not specify whether the audits were to be announced or unannounced, then PCA could ask to be notified some time prior to the occurrence of an audit.

Obviously this could result in the auditor seeing a rather different facility than might be the case were the audit unannounced.

Based both on both the observations of FDA inspectors several months later and the extensive comments of a PCA employee as quoted in the Atlanta press after the problems came to light, this is exactly what happened. The company knew when the audit would occur and spent considerable time and effort cleaning and organizing to ensure a passing score. There was apparently an intent to deceive the auditor and, by extension, readers of the audit report, as to the fitness of the operation to produce safe products.

Unfortunately there also seems to have been no customer requirement for auditors to review microbiological testing data. Thus it is not particularly surprising that the auditor did not see, and in all probability was not aware of, the repeated Salmonella positive test results that the PCA president elected to ignore.

As a result of this event, we may well see the end of announced third-party audits and some adjustments to the details and requirements of those audits. I think we will also see audits required at more frequent intervals than the currently popular annual visit. There will be other less predictable changes in auditing that may or may not result in a more effective monitoring tool, but will probably reduce the educational value of such efforts.

I understand the need for a more investigational approach to third-party auditing, but I will miss the educational aspects.