A food safety internal audit is a scheduled self-check in which trained, independent staff audit your own programs against your certification scheme's requirements and your own written procedures, before an external certification body does. It is the mechanism that keeps a food safety system honest between annual audits, and every GFSI-recognized scheme requires one.
Done well, the internal audit is the cheapest finding you will ever get: you catch the gap yourself, fix it quietly, and walk into the certification audit with nothing to hide. Done as a rubber-stamp, one person ticking boxes on their own department the week before the auditor lands, it is worse than nothing, because it tells the auditor your system does not police itself. This guide covers how to schedule audits by risk, who should run them, how to build checklists tied to your scheme, and how to close gaps before certification.
What is a food safety internal audit?
A food safety internal audit is a systematic, documented check of your food safety management system, performed by your own trained people, to confirm the system works as written and meets the requirements of your scheme. It is "internal" because you run it on yourself, and it is an "audit" because it produces objective evidence, records reviewed, floor observations, interviews, not opinions.
Every GFSI-recognized scheme (SQF, BRCGS, FSSC 22000, IFS) requires an internal audit program that covers the whole system on a defined frequency, with competent auditors, records of what was checked, corrective actions on findings, and communication of results to management. The internal audit is where you prove to yourself that your HACCP plan, prerequisite programs, and management procedures are being followed on the floor, not just on the shelf.
How often should you run internal audits?
At minimum, cover your entire food safety system once a year, but schedule the individual audits by risk so the high-risk programs get looked at more often than the low-risk ones. Your scheme sets the floor, and your risk assessment sets everything above it.
The scheme minimums differ, and this trips people up when they switch standards:
| Scheme | Internal audit minimum | Note |
|---|---|---|
| BRCGS Food Safety | At least 4 internal audits across at least 4 different dates per year | The full scope must be covered over the year; you cannot do it all in one day |
| SQF | At least one internal audit of the full system per year | SQF recommends spreading audits through the year rather than one big event |
| FSSC 22000 / ISO 22000 | Planned program covering the whole system at planned intervals | Frequency set by risk and importance of the process, no fixed count |
The smart move is to ignore the minimum as your plan and build a risk-based schedule instead. Audit your kill step allergen changeovers, and sanitation more often than you audit your document-control procedure. A calendar that hits every element at least annually, and the risky elements quarterly, satisfies any scheme and actually protects you.
Who should conduct the audit?
Someone trained in auditing who is independent of the area being audited, they cannot audit their own work. That independence rule is the single most-cited internal-audit requirement across schemes, and the most-broken. If the sanitation supervisor audits the sanitation program, the audit is compromised no matter how honest the person is, because they cannot see their own blind spots and an external auditor will discount the whole result.
Independence does not require an outsider. In a plant of any size you cross-assign: the quality tech audits production, a production lead audits the warehouse, the maintenance planner audits sanitation. What every auditor needs is training, in the audit process itself and in the scheme they are auditing against, plus the standing to write up a finding on a colleague without it becoming a fight. Auditors gather evidence and record findings; they do not fix the problem themselves, because fixing it is the audited area's job and mixing the two roles destroys independence.
How do you build a checklist tied to your scheme?
Build the checklist straight from the clauses of your issued scheme code, so every requirement maps to a question and no requirement is missed. A generic "food safety checklist" off the internet will not survive a certification audit; a checklist whose rows are your scheme's clause numbers will.
For each clause, the checklist should force the auditor to gather three kinds of evidence rather than answer yes or no from a desk:
- Document evidence. Is the required procedure written, current, and approved? Pull the actual document, not a list.
- Record evidence. Do the completed records show the procedure was followed, every shift, with signatures and real values, not backfilled?
- Floor evidence. Stand at the point of control and watch it happen. Does what the operator does match the procedure and the record?
The gap between those three is where findings live. A CCP procedure that says every hour, a log that shows every two hours, and an operator who says "when I get a chance" is the classic finding, and you want to be the one who catches it, not your certification body. Tie each checklist row back to your HACCP plan, your SSOPs and your GMP programs so the audit reaches the actual controls.
How do you run the audit and close the gaps?
Run the audit as evidence-gathering, then convert every finding into a corrective action with a root cause, an owner, a due date, and a verification that it actually worked. Follow this sequence.
- Plan the audit. Set the scope, the clauses in play, and the schedule, and confirm the assigned auditor is independent of the area.
- Prepare from the last audit. Pull the prior findings and confirm they were closed, repeat findings are the ones certification bodies punish hardest.
- Gather evidence on the floor. Work the checklist by reviewing documents, sampling records, watching the process, and interviewing the people who run it.
- Write clear findings. State the requirement, the evidence, and the gap in plain terms. A finding an operator cannot understand cannot be fixed.
- Assign corrective actions with root cause. For each finding, capture the root cause, not just the symptom, and assign an owner and a due date. Use your standard corrective-action process.
- Verify closure. Confirm each corrective action was done and worked, with evidence. A corrective action marked closed without proof is an open finding waiting for the auditor.
- Report to management. Roll the results into the management review so leadership sees the trend, allocates resources, and owns the risk.
The step most programs skip is the loop back to root cause. A finding written as "log had a two-hour gap" and closed by "talked to operator" fixes nothing, the gap comes back next quarter. A finding traced to "no relief coverage for the checker during breaks" and closed by a schedule change fixes the cause. That difference is the whole reason a certification body reads your internal-audit records: they are checking whether your system corrects itself or just re-documents the same problem.
By the numbers. Internal auditing is a required element of every GFSI-recognized scheme. Under the Global Food Safety Initiative benchmarking requirements, recognized standards must include an internal audit program specifying scope, frequency, auditor competence, records, and communication of results. BRCGS requires internal audits on at least four different dates across the year; SQF requires at least one audit of the full system annually. Both require the auditor to be independent of the function audited. Always confirm the current numbers in your scheme's issued code.
Why do internal audit programs fail their certification audit?
Almost always for one of three reasons: the audit was not independent, the findings were never closed, or the same finding keeps coming back. A certification auditor reads your internal audit records as a test of whether your system polices itself, and any of those three tells them it does not.
The independence problem is a scheduling fix, cross-assign auditors and document it. The closure problem is a discipline problem, and it is the one that quietly sinks most programs: findings get written, corrective actions get promised, and nobody verifies they happened until the finding shows up again next year. When your internal audits, corrective actions, and verification live in scattered spreadsheets, tracking a finding to closure is manual and easy to drop. Capturing audit findings and their corrective actions in one connected system, with the owner, the due date, and the verification tied to the original finding, turns the internal audit from a paperwork exercise into a real close-the-loop tool. Harmony's connected data model makes that closure visible, so an overdue corrective action surfaces before the auditor finds it. For a real-plant example of paper records becoming live data, see the CLS case study.
How does the internal audit prepare you for certification?
The internal audit is a dress rehearsal for the certification audit against your GFSI scheme, so run it like one. Use the same clauses, the same evidence standard, and the same corrective-action rigor the external auditor will use, and there are no surprises on the day. The best internal audit programs are slightly harder than the real thing: they find the gap first, close it, and leave the certification body with a system that already works. Pair the internal audit with a healthy food safety culture and it becomes routine maintenance rather than an annual scramble.