Food Manufacturing SQF Audit Checklist | Auditor Recommended

If you lead FSQA, you know internal SQF audits only help if they actually look like the certification audit you’re preparing for.

This SQF audit checklist gives you a certification‑grade structure for Module 2 and Module 11, with severity scoring that matches CB expectations, evidence fields for traceability, and a non‑conformance log that separates root cause from corrective action. Use it to tighten evidence, severity, and corrective action closure before certification.

Plus you get a built‑in dashboard that visualizes your internal audit results so you can spot issues and trends before the auditor does.

Keep reading to see how to implement it.

Key Takeaways:

• An SQF internal audit checklist for Edition 9 must verify evidence linkage, not just procedure existence
• Internal audits reduce certification audit risk when they mirror auditor scoring, severity ratings, and evidence expectations
• Most SQF internal audits fail because they check compliance boxes without documenting verification methods or root cause
• Spreadsheet-based checklists work for facilities with stable documentation systems and experienced internal auditors
• The transition from checklist to system becomes necessary when document control, traceability, or audit frequency creates version risk

What's Included in Our SQF Internal Audit Checklist?

Overview of the Spreadsheet Tabs

This SQF edition 9 internal audit checklist includes seven tabs:

• Instructions: Purpose, scope, and how to use the checklist
• Scoring Legend: Severity definitions (C, MIN, MAJ, CRIT, N/A)
• Audit Info: Facility details, auditor, scope, and dates
• Dashboard: Summary of findings by clause and severity
• Module 2 – System: Clause-by-clause verification of SQF system elements
• Module 11 – GMP: GMP area verification tied to specific clauses
• Non-Conformance Log: Root cause, corrective action, and closure tracking

Each tab serves a specific function in creating a defensible internal audit record. The structure mirrors what CB auditors produce during certification audits.

How to Use Our SQF Internal Audit Checklist

Now that you know what's included in our SQF audit checklist, it's time to dive deeper into each tab and understand how to use these for your internal audits.

We'll start with the instructions tab:

Instructions

The Instructions tab defines the purpose and scope of this SQF audit checklist. It clarifies:

• This is an internal audit tool for food safety compliance, not a replacement for certification audits
• Scope is limited to Module 2 (System Elements) and Module 11 (Good Manufacturing Practices)
• Status codes align with SQF severity definitions

Before starting an SQF internal audit, review this tab with your auditor. Confirm they understand the difference between verification (checking records) and validation (confirming controls work). Set the expectation that every clause marked as non-conforming requires root cause analysis, not just a description.

If your facility has multiple buildings, production lines, or product categories, define scope here. Internal audits don't need to cover everything every time, but scope must be documented and justified for SQF Code compliance.

Scoring Legend

‍

The Scoring Legend tab defines five status codes used in this SQF audit template:

• C (Conformance): Requirement is met with objective evidence
• MIN (Minor): Isolated lapse that doesn't impact food safety or legality
• MAJ (Major): Systemic failure or breakdown of a food safety control
• CRIT (Critical): Imminent food safety or legality risk
• N/A (Not Applicable): Clause doesn't apply to your facility or scope

These definitions mirror SQF Code Section 3.1. CB auditors use the same scoring system during SQF certification audits.

Consistent scoring matters because it determines corrective action priority and management review focus. If your internal auditor marks everything as "major," you lose the ability to differentiate between systemic breakdowns and isolated lapses. If they mark actual major findings as "minor," you underestimate risk.

Train your internal auditors on these definitions before they conduct food safety audits. Review their scoring during the first few audits to confirm alignment.

Dashboard

The Dashboard tab summarizes SQF internal audit results by:

• Total findings by severity (minor, major, critical)
• Findings by module (Module 2 vs Module 11)
• Clause-level breakdown (which clauses had the most findings)
• Trend comparison (if you've conducted multiple audits)

This summary feeds management review and helps food safety professionals answer critical questions:

• Are we improving or regressing between audits?
• Which clauses consistently generate findings?
• Do we have systemic issues or isolated lapses?

If three consecutive internal audits show findings in clause 2.5.3 (Supplier Approval and Verification), that's a systemic issue. Management review should include a decision to overhaul the supplier approval procedure or invest in supplier audits.

If findings are scattered across different clauses each audit, you likely have an execution issue (training, supervision, or resource gaps).

Use the dashboard to set priorities for the next SQF internal audit cycle. High-risk clauses or repeat findings should get deeper verification next time.

Internal SQF Audit Information Tab

The Audit Info tab captures essential information for SQF Code compliance:

• Facility name and address
• SQF site code
• Audit date and auditor name
• Scope definition (which modules, which areas)
• Certification body and certificate number

This information creates a defensible audit record. If a CB auditor asks "Who conducted this internal audit?" or "What scope did you cover?", the answer is documented here.

Auditor independence is critical under clause 2.4.4.1. The person conducting the SQF internal audit cannot audit their own work. Document the auditor's name and role to demonstrate independence.

Scope clarity prevents audit gaps. If you're only auditing Module 2 and Module 11, document that here. If you're excluding certain production lines or processes, justify why. CB auditors accept limited scope when it is risk-based and clearly documented.

Module 2 System Checklist

The Module 2 – System tab includes 38 rows covering SQF system elements. Each row in this food safety audit template includes:

• Clause: The specific SQF Code clause being audited
• Section: A plain-language description of the requirement
• Requirement: The exact text or paraphrased expectation from the Code
• Status: Dropdown for C, MIN, MAJ, CRIT, or N/A
• Evidence Type: What records or observations support your scoring
• Observations: Auditor notes on conformance or gaps
• Root Cause: Why a nonconformance occurred (if applicable)

Module 2 covers system-level controls: management commitment, document control, specifications, supplier approval, food traceability, internal audits, corrective action, and product recall. These are program requirements, not floor-level practices.

When Verifying Module 2 Clauses

Food safety and quality assurance professionals should verify:

• Does the procedure exist and is it controlled?
• Is the procedure implemented as written?
• Are records complete and accessible?
• Does evidence show the control is effective?

Common Gaps Auditors Flag in Module 2

• Procedures exist but aren't followed (e.g., document control says all procedures are reviewed annually, but review dates are missing)
• Records don't match procedure requirements (e.g., supplier approval procedure requires annual review, but records only show approval, not re-approval)
• Validation is missing (e.g., a traceability procedure exists, but no traceability test has been conducted)

Use the Evidence Type field to specify what you reviewed. Examples:

• "Document control log reviewed for 10 procedures"
• "Interviewed QA manager on management review process"
• "Reviewed 5 supplier approval files for completeness"

The more specific your evidence, the easier it is to defend your scoring during SQF certification audits or management review.

Module 11 GMP Checklist

The Module 11 – GMP tab includes 16 rows covering Good Manufacturing Practices. Each row in this SQF audit checklist includes:

• Clause: The specific Module 11 clause
• GMP Area: The operational area being verified (e.g., personnel practices, sanitation, pest control)
• Status: Dropdown for C, MIN, MAJ, CRIT, or N/A
• Evidence Type: What you observed or reviewed
• Observations: Specific findings or confirmations
• Root Cause: Why a gap occurred (if applicable)

Module 11 is floor-level execution. You're verifying that practices documented in Module 2 are actually happening on the production floor.

GMP verification differs from system verification. In Module 2, you check whether a hand-washing procedure exists. In Module 11, you observe whether employees are washing their hands according to that procedure.

Common GMP Areas Covered

• Personnel hygiene and health
• Hand-washing facilities and practices
• Cleaning and sanitation
• Pest control
• Waste disposal
• Glass and brittle plastic control
• Allergen management
• Temperature control

Evidence for Module 11 is observational and record-based. Examples:

• "Observed 5 employees entering production; all washed hands per SOP"
• "Reviewed sanitation logs for past 30 days; no missed tasks"
• "Found open waste bin in allergen room; no lid present"

GMP findings are often minor because they're isolated lapses. But repeated GMP findings in the same area suggest systemic issues—which escalates to major. Use the root cause field to identify whether a finding is training, equipment, or procedure-related.

Non-Conformance Log

The Non-Conformance Log tab tracks findings from both Module 2 and Module 11 SQF audits. Each non-conformance includes:

• Finding ID: Unique identifier for tracking
• Clause: Which SQF clause was violated
• Severity: MIN, MAJ, or CRIT
• Description: What was found
• Root Cause: Why it occurred
• Corrective Action: Immediate fix to address the specific finding
• Preventive Action: Systemic change to prevent recurrence
• Responsible Person: Who owns closure
• Target Close Date: When the action will be completed
• Verification: How closure was confirmed
• Status: Open, Closed, or Overdue

This log separates corrective action (fixing the problem) from preventive action (preventing it from happening again). CB auditors expect both during SQF certification audits.

Root Cause Analysis

Root cause must be specific. "Lack of training" is not a root cause—it's a symptom. Root cause might be "Training procedure does not include refresher frequency" or "New hires receive training but no verification of understanding."

Corrective action addresses the immediate finding. If you found an expired ingredient, corrective action is "Removed expired ingredient from inventory."

Preventive action addresses the system gap. Preventive action might be "Updated FIFO procedure to include weekly expiration checks" or "Added expiration date field to receiving checklist."

Verification confirms the action worked. For the expired ingredient example, verification might be "Conducted inventory audit 30 days post-action; no expired ingredients found."

Track closure dates. Overdue corrective actions become their own finding during SQF certification audits.

Use Cases and Tips for The SQF Audit Checklist

Frequency and Timing Expectations

SQF Code clause 2.4.4.2 requires internal audits at least annually. Most facilities conduct internal audits 2-3 months before certification audits to allow time for corrective action.

This SQF internal audit checklist is designed for annual or semi-annual internal audits. If you're conducting monthly inspections or line audits, you need a lighter tool—or a system that aggregates findings across multiple inspections.

Timing matters. If you conduct an internal audit one week before your certification audit, you don't have time to close findings. CB auditors will see open non-conformances and question the effectiveness of your internal audit program.

Auditor Independence Requirements

Clause 2.4.4.1 requires auditors to be independent of the area being audited. This doesn't mean you need an external auditor—it means your QA manager can't audit their own quality assurance program.

Document auditor qualifications and independence in the Audit Info tab. If the CB auditor asks "Who audited Module 2?", you need to show it wasn't the person responsible for Module 2 implementation.

Smaller facilities often struggle with independence because the same people manage multiple areas. In those cases, consider:

• Rotating auditors (production manager audits QA, QA manager audits production)
• Using corporate resources or consultants for annual internal audits
• Partnering with another facility in your company to swap auditors

Independence doesn't require an SQF practitioner—it requires someone competent in the SQF Code who doesn't manage the area being audited.

How to Reduce Certification Audit Findings with Internal Audits

The purpose of an internal audit is to find problems before the CB does. If your certification audit includes findings that your internal audit missed, one of three things happened:

1. Your internal audit scope was too narrow
2. Your internal auditor didn't verify deeply enough
3. The gap developed after your internal audit

Track certification audit findings and compare them to your last internal audit. If the CB found issues you should have found, adjust your checklist or auditor training.

This free SQF audit checklist template reduces certification audit risk because it uses the same verification approach CB auditors use. You're checking the same evidence, using the same scoring, and documenting the same way.

What is an SQF Audit Checklist?

SQF Certification Audit vs SQF Internal Audit

A certification audit is conducted by a certification body (CB) auditor to verify conformance against the SQF Code. It results in certification, recertification, or findings that block certification until closed.

An internal audit is your facility's verification tool. You control the scope, timing, and auditor. The output feeds management review and identifies gaps before the CB finds them.

The SQF audit checklist linked in this guide is designed for internal audits. It uses the same scoring structure, evidence requirements, and clause-level detail that CB auditors use, but you control when and how it's deployed.

Why Generic SQF Checklists Fail Under Edition 9

Most free SQF checklists are clause lists with yes/no checkboxes. They don't capture evidence type, root cause, or verification method. Under Edition 9, auditors expect you to show how you verified conformance, not just that you checked a box.

Generic checklists also fail to differentiate between minor, major, and critical non-conformances. If your internal audit scores everything as "non-compliant" without severity ratings, you can't prioritize corrective action or explain findings to management in terms they understand.

Edition 9 introduced explicit expectations around risk-based thinking, validation vs verification, and management review linkage. A checklist that doesn't capture those elements won't expose the gaps auditors will find.

What Auditors Expect to See From Internal Audits

CB auditors review your internal audit records during certification audits. They look for:

• Evidence that internal audits covered the same clauses they're auditing
• Severity ratings that match SQF definitions (minor, major, critical)
• Root cause analysis for non-conformances, not just descriptions of what was wrong
• Corrective and preventive actions with closure dates and verification
• Management review of internal audit results with decisions documented

If your internal audit checklist doesn't produce those outputs, auditors question whether your internal audit program is effective. That often results in a finding against clause 2.4.4 (Internal Audits and Inspections) or 2.4.5 (Corrective and Preventive Action).

How SQF Edition 9 Changed Internal Audit Expectations

Risk-Based Thinking and Audit Depth

Edition 9 embedded risk-based thinking throughout Module 2. Internal audits now need to verify that your facility identified risks, implemented controls, and validated those controls work.

This means your SQF internal audit checklist can't just ask "Does a risk assessment exist?" It needs to verify:

• Risks are documented for relevant clauses (product safety, food defense, supplier approval)
• Controls are implemented and linked to identified risks
• Validation records show controls are effective

Audit depth matters. Auditors expect internal audits to go deeper on high-risk clauses and lighter on administrative ones. Your checklist should reflect that prioritization.

Learn how SQF edition 10 is changing expectations.

Verification vs Validation vs Records

Edition 9 clarified the difference between verification, validation, and record-keeping. Internal audits must distinguish between:

• Verification: Checking that something was done as specified (e.g., reviewing a temperature log)
• Validation: Confirming that a control actually works to achieve food safety (e.g., validating a kill step)
• Records: Documentation that verification or validation occurred

Your SQF Edition 9 internal audit checklist should have fields that force you to specify which type of evidence you reviewed. If you verified a procedure exists but didn't check implementation records, that's a gap auditors will find.

Management Review and Audit Linkage

Clause 2.1.4 requires management review of internal audit results. Edition 9 tightened the expectation that management review includes decisions, not just acknowledgment.

Your internal audit checklist should feed directly into management review. That means:

• A summary of non-conformances by severity
• Trends across multiple audits (repeat findings, systemic issues)
• Resource needs or policy changes identified during the audit

If your checklist produces a list of findings but no trend analysis or management summary, you're creating extra work—and audit risk.

The Most Common SQF Audit Failures We See & How to Prevent them with the SQF Audit Checklist

Procedures Without Records

One of the most common certification audit findings: a procedure exists, but no records show it's being followed.

Example: Your internal audit procedure says you audit Module 2 annually. But the CB auditor reviews your records and finds the last internal audit was 18 months ago.

This checklist prevents that by forcing you to specify evidence type. If you can't identify records that prove conformance, you can't mark the clause as conforming.

Verification Not Documented

Another common failure: verification happened, but it wasn't documented in a way the auditor could reconstruct.

Example: You conducted a traceability test, but there's no record of which lot was traced, what records were reviewed, or whether the test passed.

The Observations field in this checklist forces documentation. If your internal auditor writes "Traceability test conducted," they haven't created a defensible record. The observation should say "Traced lot 240115A from finished goods to raw material in 3 hours; all records matched."

Weak Corrective Action Evidence

CB auditors frequently cite weak corrective action as a finding. The issue isn't that corrective action wasn't taken—it's that it wasn't verified or documented adequately.

This checklist separates root cause, corrective action, preventive action, and verification into distinct fields. You can't close a finding without completing all four.

Internal Audits Performed Too Close to Certification Audits

If you conduct your internal audit two weeks before your certification audit, you don't have time to close findings. The CB auditor sees open non-conformances and questions whether your corrective action process works.

This checklist includes target close dates and status tracking in the Non-Conformance Log. Use it to plan internal audits far enough in advance that findings can be closed and verified before certification.

Download the Free SQF Audit Checklist  

This SQF audit checklist is designed for:

• QA managers and SQF practitioners conducting internal audits
• Facilities preparing for initial SQF certification or recertification
• Operations teams that need a certification-grade audit structure without investing in software

To get the most value from this checklist:

• Customize the Module 2 and Module 11 tabs to match your facility's scope (e.g., remove clauses that don't apply)
• Train your internal auditor on severity definitions before they conduct the audit
• Use the Non-Conformance Log to track corrective action through closure
• Review the Dashboard with management before certification audits

Spreadsheet limitations to be aware of:

• Version control depends on file naming and manual tracking
• Evidence traceability is limited to what's written in the Observations field
• No automated alerts for overdue corrective actions
• Dashboard requires manual updates if you modify findings

These limitations don't prevent effective internal audits—they just mean you need discipline around file management and follow-through.

What's the Next Step After The SQF Audit Spreadsheet? 

Document Control and Version Risk

Spreadsheets work when one person owns the file and updates are infrequent. They fail when multiple people need access, audits happen frequently, or you're managing corrective actions across departments.

Version risk emerges when:

• The internal auditor updates the checklist, but QA is working from last quarter's version
• Corrective actions are documented in the spreadsheet, but the responsible person doesn't have edit access
• Management review references findings from the wrong audit cycle

If you're conducting internal audits more than twice per year, or if corrective action ownership is distributed across multiple people, version control becomes a problem spreadsheets can't solve.

If this sounds like you, check out Allera's document control with version control built in. It's built for small to mid sized food manufacturers.

Evidence Traceability Challenges

This checklist includes an Evidence Type field, but the evidence itself lives somewhere else—in your sanitation logs, supplier files, or corrective action records.

CB auditors expect to trace from the internal audit finding to the evidence that supports it. If your checklist says "Reviewed supplier approval records," the auditor wants to see which supplier files you reviewed and when.

Spreadsheets can't link directly to evidence. You're documenting what you reviewed, but the auditor has to ask follow-up questions to reconstruct your verification steps. That creates audit friction and increases the chance of misunderstanding.

Preparing for Continuous Audit Readiness

Facilities moving toward continuous audit readiness—where internal audits happen monthly or quarterly and feed real-time into management review—need automation that spreadsheets don't provide.

Continuous readiness requires:

• Automated alerts when corrective actions are overdue
• Real-time dashboards that update as findings are closed
• Integration between internal audits, CAPAs, and procedure revisions

If your facility is scaling to continuous auditing, or if you're managing multiple sites with separate internal audit programs, a system like Allera's document control software provides the structure and automation spreadsheets can't. It even ties your SOPs to SQF code, giving you compliance recommendations on them.

Final Thoughts

Effective internal audits expose risk early by enforcing evidence, severity discipline, and corrective action accountability.

Use this checklist to enforce evidence documentation, severity alignment, and root cause analysis. Track trends. Close findings before certification audits. Treat your internal audit program like the risk control it's supposed to be.

When spreadsheets create version control issues, evidence gaps, or management review delays, that's when you need a system that links audits to CAPAs, procedures, and records in real time. But until then, this SQF audit checklist gives you certification-grade structure for Module 2 and Module 11 internal audits.