A third-party food safety audit is an assessment of your food safety system by an independent organization, not you, and not your customer. It is how the food industry lets a supplier prove, to a standard everyone trusts, that its safety system works, so that every buyer does not have to send its own auditor to every plant. The certificate that results is the passport that keeps purchase orders flowing.
Most plants meet third-party audits because a customer demanded a GFSI certificate, and the audit becomes a recurring event the quality team plans its year around. But "audit" covers three genuinely different things, and confusing them is where plants waste effort. This post separates certification audits from customer audits and regulatory inspections, explains how to choose a certification body, walks the audit cycle, and covers the part that actually decides your outcome, closing nonconformities with evidence.
What are the types of food safety audit?
Food safety audits come in three parties, and the differences are not academic, they change who sets the rules, what you walk away with, and what happens if you fall short. Getting the categories straight is the first step to preparing for the right thing.
- First-party (internal) audit. You audit yourself. Your own team checks your system against the standard to find gaps before anyone external does. It is a required element of every certification scheme and your cheapest way to find problems, covered in our quality audit checklist.
- Second-party (customer) audit. A customer, or someone acting for them, audits you against their requirements. A major buyer may run its own supplier audit on top of, or instead of, accepting a certificate. The rules are the customer's, and the stakes are that specific relationship.
- Third-party audit. An independent certification body audits you against a published standard and, if you pass, issues a certificate. This is the one that scales, because the certificate is recognized by many buyers at once. GFSI-benchmarked schemes are the dominant form.
Sitting alongside all three is the regulatory inspection: an agency such as the FDA or USDA inspecting for legal compliance. An inspection is not a "third-party audit" in the certification sense, it enforces law, not a voluntary standard, but plants experience it as another external assessment, so it belongs in the same mental map.
How do certification audits differ from customer and regulatory audits?
They differ in who owns the standard and what a bad result costs you. A certification audit is run to a published, GFSI-benchmarked standard by an accredited certification body, and a serious failure costs you the certificate, and the customers who require it. A customer audit is run to a single buyer's checklist, and a bad result costs you that account. A regulatory inspection is run to law, and a bad result costs you a citation, a warning letter, or worse.
The reason GFSI certification exists is to collapse the second category. Before benchmarking, every large retailer sent its own auditors to every supplier, and plants drowned in redundant customer audits. GFSI's promise, "certified once, accepted many times", means a single certification audit against a recognized scheme like SQF BRCGS or FSSC 22000 satisfies buyers who would otherwise each audit you separately. That is the entire value proposition, and our GFSI certification guide explains the benchmarking machinery behind it. The specific code edition you are audited against depends on your audit date, for SQF, our guide to SQF edition changes covers which edition governs when. Note that certification does not make you immune to customer or regulatory audits, a big buyer can still audit you, and the FDA inspects regardless, but it dramatically reduces the redundant second-party load.
How do you choose a certification body?
You choose a certification body (CB) by confirming it is accredited and licensed for your scheme, then weighing scope, auditor quality, and logistics. The CB is the organization whose auditor visits your plant and whose name goes on your certificate, and not all CBs are equal, but the non-negotiable is accreditation, because an unaccredited certificate is not recognized. Weigh these factors.
- Accreditation and scheme license. The CB must be accredited by a recognized accreditation body and licensed by your scheme owner (for example, licensed by SQFI to conduct SQF audits). This is what makes the certificate count. Verify it directly; do not take it on trust.
- Scope for your category. Schemes divide food into sectors and categories, and a CB must be licensed for yours. A CB strong in dairy may not cover your bakery or supplement operation.
- Auditor competence and availability. An auditor who knows your process finds real issues and wastes less of your time on misunderstandings. Ask about auditor experience in your category and realistic scheduling lead times.
- Reputation and consistency. Talk to peers. A CB seen as a rubber stamp can hurt you when a customer discounts its certificates; one seen as arbitrary makes your life hard for no safety gain.
- Logistics and cost. Travel, language, and fees matter, but rank them below accreditation and competence. The cheapest audit that produces a weak certificate is not a bargain.
One boundary worth stating plainly: a certification body audits, it does not consult. The same firm cannot both build your system and certify it, because that destroys independence. If you need help building the program, that is a separate consultant relationship.
What is the audit cycle?
The certification audit is not a one-time event but a recurring cycle, usually annual, and understanding the rhythm removes most of the anxiety. Here is the cycle from first application through steady state.
- Application and scope. You apply to the CB and define exactly which site, products, and processes the certificate will cover. Scope errors here haunt you later, so be precise.
- Document review. The auditor reviews your written food safety system against the standard, often remotely, before setting foot on site. Gaps found here are cheaper to fix than gaps found on the floor.
- The site audit. The auditor walks the plant and samples records: an opening meeting, a floor walk watching practices in real time, a traceability exercise on a chosen lot, deep record sampling, and a closing meeting that lists findings before anything is finalized.
- Nonconformity closeout. You respond to each finding with corrective-action evidence by the CB's deadline. This step, more than the audit day itself, decides your certification, covered in the next section.
- Certification decision and certificate. Once findings are closed and accepted, the CB makes the certification decision and issues a certificate with a defined validity period.
- Surveillance and recertification. The cycle repeats, typically annually. Under GFSI-benchmarked schemes, expect at least one audit in each three-year cycle to be unannounced, so "audit readiness" has to be a standing state, not a two-week sprint.
That unannounced-audit point is worth internalizing. A program that only looks good during a scheduled audit window is a program that will fail an unannounced visit. The whole intent is to reward plants whose records and practices hold every day, which is the same discipline your HACCP and prerequisite programs already demand.
How do you close nonconformities?
You close a nonconformity (NC) by fixing the immediate problem, finding and correcting its root cause, and giving the auditor evidence that both happened, all before the deadline. Findings are not what fail you; unclosed findings are. An auditor expects to write NCs, and a handful of minors is normal. What separates a clean certification from a stalled one is disciplined closeout.
A complete NC response has four parts, and skipping any of them gets it rejected:
- Correction. The immediate fix, you cleaned the surface, replaced the torn gasket, completed the missing record. Necessary, but not sufficient on its own.
- Root cause. Why it happened, dug deep enough that fixing it prevents recurrence. "The operator forgot" is not a root cause; "the check was not built into the changeover procedure" might be. This is the same analysis your nonconformance process should already apply.
- Corrective action. The systemic change that addresses the root cause, the revised procedure, the added verification, the training with a competency check.
- Evidence. Proof the correction and corrective action are real: photos, the updated document, records showing the new practice in use. Auditors close findings on evidence, not on promises.
Findings come in weights, minor, major, and critical, and the weight sets the response bar. A critical finding, such as a direct food safety failure or falsified records, can fail the audit outright regardless of closeout. Minors and majors are closed with evidence on the CB's timeline (commonly a set number of days), and treating those deadlines as hard dates is the difference between a certificate issued on schedule and one held up in limbo.
By the numbers. The framework behind third-party certification audits comes from the benchmark and scheme owners:
- The Global Food Safety Initiative benchmarks the schemes (SQF, BRCGS, FSSC 22000, and others) whose third-party certificates buyers accept in place of running their own supplier audits, the "certified once, recognized many times" model.
- FDA maintains its own Accredited Third-Party Certification Program a distinct regulatory framework in which accredited bodies conduct audits and issue certifications used for specific FDA import purposes, separate from voluntary GFSI certification.
How does connected data change audit prep?
A third-party audit is, at bottom, a records exercise: the auditor picks a date and a product and asks you to produce the monitoring logs, corrective actions, training records, and traceability for it, then walks the floor to see the same system in practice. When those records live in binders across several offices, prep becomes weeks of assembling and the unannounced audit becomes a genuine risk. Capturing checks, logs, and nonconformities as connected, time-stamped data at the point of work turns record retrieval into a query and makes audit-readiness a standing state rather than a scramble. That is the model Harmony uses with manufacturers, one specialty producer replaced paper production logging entirely and now generates its reports straight from live shift data, which is exactly what makes an auditor's record pull a non-event. The audit still tests a real system on a real floor; connected data just means the evidence is always there when someone asks for it. No rip-and-replace.