Food Safety Internal Audit

A food safety internal audit is the one check you actually control. Every other audit, the certification body's visit, a customer's supplier assessment, an FDA inspection, happens on someone else's terms. The internal audit is your chance to find the problems first, fix them quietly, and walk into the external audit already knowing what they'll find.

Most guides on this topic are either thin opinion pieces or paid courses that lock the real process behind a signup. This one is built for FSQA professionals who need to plan and run an ongoing program: how to schedule it, who should conduct it, what it covers, how to write findings that hold up, and how one internal audit satisfies both FSMA verification and every GFSI scheme at once. You'll also find links to free GMP and SQF checklists you can start using today.

What Is a Food Safety Internal Audit?

A food safety internal audit is a planned, systematic, and independent review a company conducts on itself to verify that its food safety management system is implemented, effective, and compliant with regulations and certification-scheme requirements. It is run by the company, or on the company's behalf, to find and fix gaps before an external auditor or the FDA does. That self-directed nature is what separates it from a certification audit, which an outside body conducts to grant or withhold a certificate.

The word "systematic" matters. An internal audit is not a casual walk-through. It follows a defined scope, uses documented criteria, gathers objective evidence, and produces recorded findings you can track to closure. Done well, it is the engine that keeps your food safety management system honest between external visits.

The Role of the Internal Auditor

The internal auditor's job is to compare what your system says it does against what it actually does, and to report the gaps without softening them. They examine procedures, observe practices, interview the people doing the work, and review records, then judge all of it against a defined standard. A good auditor is curious and skeptical, not adversarial, and their value comes from independence.

This is exactly the role of the internal auditor that scheme owners and regulators expect: an objective set of eyes that verifies the system rather than defends it. The auditor surfaces non-conformities, documents them clearly, and hands them to the process owners for correction. They don't fix the problems themselves, and they don't audit work they personally performed.

First-Party vs. Second-Party vs. Third-Party Audits

Auditing is usually grouped into three parties, and "internal" is the first. A first-party audit is one you run on yourself. A second-party audit is conducted by an interested external party, typically a customer or a brand owner checking you as a supplier. A third-party audit is performed by an independent certification body and is the one that results in an SQF, BRCGS, or FSSC 22000 certificate.

The three are connected. Your internal (first-party) program is how you prepare for and pass the second- and third-party audits that decide your certifications and customer relationships. For the broader picture of how these fit together, see our guide to food safety audits. The rest of this article focuses on the first-party program you build and run yourself.

How to Conduct a Food Safety Internal Audit: A 7-Step Process

The most credible methodology for auditing a management system is ISO 19011, the international standard for auditing management systems. It frames auditing as a managed program rather than a one-off event, and introduces a risk-based principle that should shape how you spend your limited audit hours. The seven steps below turn that framework into something you can run on a real production schedule.

Step 1: Plan the Audit Program

Start at the program level, not the individual audit. Map every element of your food safety system across a calendar so each one gets audited at least once a year, with higher-risk areas scheduled more often. A risk-based program puts your allergen controls, sanitation, and critical control points at the front of the line and audits low-risk administrative areas less frequently.

Document the program in a simple annual schedule that names the area, the standard or clause it's audited against, the assigned auditor, and the planned month. This schedule becomes evidence in itself: external auditors will ask to see your internal audit plan and proof that you followed it.

Step 2: Build the Audit Team and Define Scope

Decide who audits what, and write down the scope of each audit before it starts. Scope defines the boundaries: which processes, lines, shifts, and standards are included, and which are not. A tight scope keeps the audit focused and makes the findings meaningful.

Match auditors to scope based on competence and independence. The person auditing sanitation should understand it deeply but should not be the one who runs the sanitation program day to day. In larger plants this is straightforward; in smaller ones it takes deliberate planning, which is covered later in this guide.

Step 3: Prepare

Preparation is where audits are won. Before walking the floor, the auditor reviews the relevant standard or clause, reads prior audit findings and their corrective actions, pulls recent records, and builds or selects an audit checklist tailored to the scope. Walking in cold wastes everyone's time and produces shallow findings.

Your checklist is the backbone of the audit. You don't need to build one from scratch: start from a proven template and adapt it to your facility. Allera offers a free GMP audit checklist (free template) for prerequisite and good manufacturing practice areas, and a free SQF audit checklist (free template) for SQF-specific verification.

Step 4: Conduct the Audit

Conducting the audit is the "do and check" of the cycle. The auditor gathers objective evidence through four channels: direct observation of practices and conditions, interviews with the people performing the work, review of records and documents, and where useful, verification testing. Evidence beats opinion, so the auditor records what they see rather than what they're told should happen.

Good auditors follow the process, not just the paperwork. Watching a sanitation crew actually clean a line tells you more than reading the cleaning log, and asking an operator to explain a critical limit reveals whether training stuck. The auditor notes both conformities and gaps, because a useful audit confirms what works as well as what doesn't.

Step 5: Document Findings

Every gap becomes a documented finding, and every finding is classified. Most programs use three categories: conformities, non-conformities, and observations or opportunities for improvement. Non-conformities are often split further into major and minor based on the risk they carry.

The quality of a finding depends entirely on how it's written. A finding that says "sanitation needs work" is useless. A finding that names the requirement, the evidence, the root cause, the risk, and the fix is actionable. That structure has a name, and it's the subject of the next section.

Step 6: Corrective Action (CAPA)

Findings without corrective action are just complaints. For each non-conformity, the process owner investigates the root cause, applies an immediate correction, and then puts a corrective action in place to stop the problem from recurring. The distinction matters: cleaning up a spill is a correction, fixing the broken procedure that caused the spill is corrective action.

The loop only closes when someone verifies the corrective action actually worked. That verification, re-checking the area weeks later to confirm the fix held, is what separates a real CAPA program from a paperwork exercise. Strong corrective action management is one of the most common weak points external auditors flag.

Step 7: Follow-Up and Close-Out

The final step verifies effectiveness and feeds the results back into the system. The auditor confirms each corrective action is complete and effective, formally closes the finding, and rolls the results into your management review. Trends across audits, repeat findings in the same area, slow close-out times, point to systemic issues worth addressing at the program level.

Close-out also updates the program itself. If an area produced serious findings, audit it more often next cycle. This is the continuous loop ISO 19011 is built around, and it's what turns a series of audits into a program that genuinely improves over time.

A good internal audit is only as good as the follow-up. See how Allera turns findings into tracked corrective actions, so nothing slips between the audit and the close-out.
Explore Allera's food quality management software →

The 5 C's of an Internal Audit Finding

A well-written finding answers five questions, known as the 5 C's. They turn a vague observation into a record someone can act on, verify, and close. Use them as the structure for every non-conformity you document, and your findings will hold up under any external scrutiny.

Criteria

Criteria is the requirement you audited against. It might be a clause in your certification standard, a section of 21 CFR Part 117, an internal SOP, or a customer specification. Naming the exact criterion anchors the finding in an objective requirement rather than the auditor's preference. Without it, the finding is just an opinion.

Condition

Condition is what you actually observed. State it factually and specifically: what, where, when, and how many. "Three of ten cooler temperature logs for the week of June 8 were missing the verification signature" is a condition. "Records are sloppy" is not.

Cause

Cause is the root reason the gap exists. Look past the symptom to the underlying failure: a procedure that doesn't exist, training that didn't happen, a step that's impractical as written, or a control with no owner. Identifying the true cause is what makes the corrective action effective instead of cosmetic.

Consequence

Consequence is the risk if the gap isn't fixed. Tie it to food safety, compliance, or certification: a missing verification could mean an out-of-control CCP goes undetected, which could mean unsafe product reaching customers. Stating the consequence helps leadership prioritize and justifies the resources the fix will need.

Corrective Action

Corrective action is what will be done, by whom, and by when. It assigns ownership and a deadline, and it addresses the cause rather than just the symptom. A finding without a named owner and a due date will not close on time. These five elements together feed directly into your CAPA process and your food safety management system records.

Why Internal Audits Matter, and Why Most Manufacturers Aren't Ready

Internal audits are a regulatory and certification requirement, but the reason to take them seriously is more practical: most facilities are not as audit-ready as they think. The internal audit is the cheapest, lowest-stakes place to discover that, and the only place where the only cost of a failure is a corrective action rather than a lost certificate or a recall.

The Audit-Readiness Gap

Industry research in 2026 found that a large share of small and mid-sized food manufacturers are not audit-ready, even though they face the same expectations as larger operations. The gap usually isn't a lack of effort. Records live in scattered spreadsheets and binders, corrective actions stall without owners, and no one has verified the system end to end since the last certification audit. An internal audit program is the mechanism designed to close exactly that gap.

Find It Before They Do

The whole point of a first-party audit is to make your own discoveries before an outsider makes them for you. A non-conformity you find internally costs you a corrective action and a follow-up check. The same non-conformity found during a certification audit can cost you a major finding, a corrective-action deadline under pressure, and a possible downgrade. Found during an FDA inspection, it can become a Form 483 observation or worse.

From Score-Chasing to Risk-Based Auditing

The industry is moving away from auditing as a score-chasing exercise and toward risk-based, prevention-focused auditing. That shift is built into the 7th principle of ISO 19011, the risk-based approach, which says your audit effort should follow your risk. Spend your hours where the hazards and the consequences are greatest, not evenly across every clause. For more on why this discipline pays off, Food Safety Magazine on why internal audits matter makes the case from the regulatory and cultural side.

What a Food Safety Internal Audit Covers

A thorough internal audit program eventually touches every element of your food safety system, but it helps to group the scope into clear domains. Each has its own checklist, risk profile, and natural audit frequency. The four areas below cover the bulk of what auditors examine in a food manufacturing facility.

Prerequisite Programs and GMPs

Prerequisite programs are the foundation everything else sits on: sanitation, pest control, maintenance, personnel hygiene, waste management, and facility condition. These are the high-frequency, high-visibility areas where problems show up first and most often. Auditing them well is the baseline of any credible program, and our guide to GMP in the food industry breaks down what each area should include.

HACCP / Food Safety Plan

The heart of the audit is your hazard analysis and the controls that flow from it. The auditor verifies that critical control points are monitored, critical limits are respected, monitoring records are complete, and the hazard analysis still reflects your actual process. Reviewing the HACCP principles shows what each of these checks is really verifying, and your food safety plan is the document the audit holds everything against.

Records and Document Control

Records are where auditors live, because they are the evidence that your system actually operates as written. The internal audit checks that records are complete, accurate, signed, retained for the required period, and retrievable on request. It also verifies document control: that people are working from current versions of procedures, not outdated copies. Gaps here are some of the most common and most preventable findings.

Allergen, Traceability, and Supplier Controls

High-risk areas deserve more frequent auditing than the annual minimum. Allergen control, traceability and recall readiness, and supplier approval each carry serious consequences when they fail, so build them into your schedule more than once a year. A traceability exercise that can't reconstruct a lot in the target time is a finding worth catching internally, long before a real recall does.

Who Should Run Your Internal Audits? (The Independence Problem)

The hardest practical question in internal auditing isn't what to check, it's who should check it. The principle is simple: auditors must be independent of the work they audit. Living that principle in a plant where everyone reports to the same quality manager takes some creativity.

Auditor Competence and Training

A qualified internal auditor needs three things: knowledge of the standard being audited, understanding of the process under review, and auditing skill itself, how to gather evidence, interview without leading, and write a defensible finding. Document that competence, because external auditors will ask how you qualified your internal auditors. Training records, mentored audits, and a defined competence requirement all serve as that evidence.

The Independence Rule, and How Small Plants Meet It

The independence rule says auditors should not audit their own work. In a small plant where the QA manager touches everything, the practical solutions are to audit across functions, rotate auditors between areas, and train staff outside of quality to audit the quality function. Standards generally phrase this as auditing "where practicable," which acknowledges the reality of small teams while still expecting genuine effort toward objectivity.

When to Bring in a Second Party

When you genuinely can't achieve independence internally, or when you want a fresh perspective before a certification audit, bring in outside help. Consultant-led internal audits and mock audits give you qualified, independent eyes and often catch what familiarity has made invisible to your own team. Our walkthrough of how to prepare for an SQF audit (and pass it) shows how internal and mock audits feed directly into a successful outcome.

Internal Audits and FSMA Verification

US manufacturers often treat internal audits as a certification requirement only, missing that they also satisfy a regulatory expectation. The internal audit is a verification activity under the FSMA preventive controls framework, and running one well helps demonstrate compliance with the rule.

Where the Internal Audit Fits in Preventive Controls

FDA's Preventive Controls for Human Food rule requires you to verify that your preventive controls are consistently implemented and effective, and to reanalyze your food safety plan periodically. The rule doesn't use the words "internal audit," but a systematic internal audit is one of the cleanest ways to generate the verification and reanalysis evidence it expects. The same activity that prepares you for SQF or BRCGS produces the records FDA looks for.

The Records the FDA Expects

The rule's recordkeeping expectations are specific, and they're laid out in 21 CFR Part 117's recordkeeping requirements. You need to retain records that show monitoring, corrective actions, and verification activities, and you need to be able to produce them on request. An internal audit program that captures findings, corrective actions, and close-out verification in a retrievable form is producing exactly the trail Subpart F describes.

Internal Audit Requirements by Certification Scheme (SQF, BRCGS, FSSC 22000, ISO 22000)

If your facility is certified to a GFSI-benchmarked scheme, internal audits aren't optional, they're a mandatory clause. Each scheme phrases the requirement a little differently, but they all demand a planned, documented program with independent auditors and tracked corrective actions. Mapping them side by side shows how much they overlap.

Why Every GFSI Scheme Requires Internal Audits

The Global Food Safety Initiative (GFSI) benchmarks certification schemes against a common set of requirements, and internal auditing is one of them. That's why SQF, BRCGS, FSSC 22000, and ISO 22000 all mandate it: GFSI recognition depends on it being there. For your facility, the upside is that one well-built internal audit program satisfies whichever scheme you hold, and FSMA verification besides.

Comparison Table: Frequency, Independence, and the Governing Clause

Treat the table as a planning starting point and always confirm against the current edition of your specific standard, since clause numbers and details are revised over time. You can verify each one at its source: SQF's internal auditing requirements, the BRCGS Global Standard Food Safety, the FSSC 22000 certification scheme, and ISO 22000, the food safety management standard. For scheme-specific audit prep, see our guides to the SQF audit and the BRC audit.

Do the Work Once

You don't run separate audits for each obligation. One internal audit program, built around your hazards and your system, generates the evidence for FSMA verification and your GFSI scheme at the same time. If you're working toward or maintaining a certificate, our complete SQF certification guide, our BRCGS certification overview, and our FSSC 22000 version 6 breakdown show how internal auditing fits the larger certification path.

Where the Internal-Audit Requirement Comes From (Foundations)

Internal auditing didn't originate with any single food scheme. It comes from a long management-system tradition, and understanding that lineage explains why every modern standard converges on the same expectations.

Codex, ISO 19011, and the Management-System Audit Tradition

The food safety baseline traces back to the FAO/WHO Codex Alimentarius food standards, which established the international principles for food hygiene and HACCP that national regulations and GFSI schemes build on. The auditing methodology comes from the ISO management-system world, where ISO 19011 codified how to audit any management system: program planning, auditor competence, evidence-based findings, and follow-up. When SQF, BRCGS, and ISO 22000 each require internal audits, they're applying that shared tradition to food safety, which is worth knowing when you build your own program rather than just check a box.

Running Internal Audits Without the Spreadsheet Scramble

A program that lives in spreadsheets and email is a program that drifts. Schedules slip, findings go missing, corrective actions stall, and the week before a certification audit becomes a frantic scramble to reconstruct what happened. The fix is to run the whole loop in one system built for it.

Scheduling, Reminders, and Never Missing the Annual Audit

The first thing a system gives you is a schedule that doesn't depend on anyone's memory. Your annual audit program lives in software, reminders fire before each audit is due, and you have a live view of what's done and what's coming. Missing a required internal audit is an easy way to fail a certification audit, and it's entirely preventable.

Findings, CAPA, and Closing the Loop in One System

When a finding is captured, it should carry its owner, due date, root cause, and corrective action with it, and stay visible until it's verified closed. Keeping findings, corrective actions, and the records that prove close-out in one place is also what makes document control real instead of aspirational. No more hunting through inboxes to find out whether last quarter's non-conformity ever got fixed.

Continuous Readiness vs. the Pre-Audit Panic

The goal is to be audit-ready every day, not just the week before the certification body arrives. When your internal audits, findings, and corrective actions are all current and retrievable, an external auditor's request is a two-minute pull instead of a two-week project. That continuous readiness is the difference between treating audits as events and treating them as part of how your food safety & quality assurance (FSQA) function runs.

When the external auditor asks for your last internal audit and its corrective actions, you should be able to pull them in seconds, not dig through inboxes and spreadsheets.
See how Allera handles document control.

Food Safety Internal Audit Checklist (In-Page)

Use this condensed checklist to run a complete internal audit cycle. It mirrors the seven-step process and the scope domains above, and it works as a quick self-assessment of whether your program is actually complete.

Program Setup

• Annual audit schedule is defined and covers every system element at least once
• Scope is assigned for each audit, with boundaries written down
• Auditors are trained, competent, and independent of the areas they audit
• A checklist is selected or built for each audit's scope

On the Audit

• Prerequisite programs and GMPs are observed and verified
• HACCP plan and CCPs are checked: monitoring, critical limits, records
• Records and document control are reviewed for completeness and current versions
• Allergen, traceability, and supplier controls are examined and tested

After the Audit

• Findings are logged using the 5 C's (criteria, condition, cause, consequence, corrective action)
• A corrective action with an owner and due date is assigned to each non-conformity
• Follow-up is scheduled to verify each corrective action is effective
• Results are fed into management review and the next program cycle

Grab a Ready-Made Checklist

You don't have to build your audit checklists from a blank page. Start from Allera's free, manufacturer-grade templates and adapt them to your facility: the GMP audit checklist for prerequisite and good-practice areas, and the SQF audit checklist for SQF verification.