Purpose of Internal Audit and Annual Planning Approach
Within the scope of the ISO 22000 Food Safety Management System, internal audit is one of the most critical internal control mechanisms that evaluates whether the system established by the organization functions not only in its documented form but also through its actual on-site implementation. Internal audit is not a formality conducted prior to the certification audit; it is a strategic management tool aimed at the continuous improvement of food safety performance.
One of the common misconceptions frequently encountered in Kioscert practices is the perception of internal audits as activities carried out rapidly before the audit solely to fulfill certification requirements. However, ISO 22000 defines internal audit as a structure that reveals the strengths and weaknesses of the system, identifies risks at an early stage, and generates data for top management.
Core Objectives of Internal Audit Under ISO 22000
The primary objective of internal audit is to objectively assess whether the ISO 22000 Food Safety Management System complies with all requirements of the standard. However, this objective is not limited to conformity assessment alone. An effective internal audit system demonstrates how well the organization manages food safety risks, how effectively critical control points operate, and whether processes are implemented as planned.
When internal audit records are reviewed during audits, a common weakness is the excessive focus on documentation while on-site practices are insufficiently questioned. The ISO 22000 approach expects internal audits to address documents, records, and on-site practices together.
Core Perspective
Internal audit is not conducted to find faults; it is performed to strengthen the system and enhance food safety performance.
Strategic Importance of the Annual Internal Audit Plan
ISO 22000 requires internal audits to be conducted at planned intervals and mandates that such planning be based on a risk-based approach. The annual internal audit plan is the fundamental management tool that predefines which processes will be audited, at what frequency, and within what scope.
In Kioscert audit practice, organizations without an annual plan or those conducting a single “general audit” on one date often fail to demonstrate the maturity of their internal audit system. An effective annual plan enables more frequent and in-depth review of food safety critical processes.
Risk-Based Planning Approach
In ISO 22000 internal audit planning, not all processes are expected to be audited at the same frequency. Processes with higher food safety risks, from raw material intake to dispatch, should be prioritized. For example, processes involving CCPs, allergen management, and cleaning and sanitation practices must be prioritized in the annual plan.
Auditors examine how this risk-based approach is applied when reviewing internal audit plans. Auditing all departments at the same frequency may indicate superficial planning and insufficient consideration of food safety risks.
Balancing Annual Planning with Operational Reality
When preparing the internal audit plan, operational workload, production seasons, and personnel availability must also be taken into account. Unrealistic plans may lead to continuous postponement or superficial execution of audits.
ISO 22000 allows the plan to be updated when necessary. However, such updates must be made in a controlled manner and properly justified. Unplanned postponements or undocumented changes create the impression of weak internal audit discipline.
Documentation of the Internal Audit Plan
The annual internal audit plan must clearly define the processes to be audited, audit dates, auditors, and scope. During audits, not only the existence of the plan but also its actual implementation on-site is verified.
In Kioscert practices, the alignment between the plan and audit reports is considered one of the key indicators of internal audit system effectiveness. Conducting audits not included in the plan or lacking records for planned audits may be interpreted as systemic weaknesses.
A well-planned internal audit creates value not just before the audit, but long before the audit takes place.
Effective Internal Audit Planning from the Kioscert Perspective
Kioscert considers the ISO 22000 internal audit plan as a fundamental preparation phase of the certification process. A properly structured annual plan makes food safety management proactive and eliminates surprises during certification audits.
In conclusion, when the purpose of internal audit and the annual planning approach are correctly structured, the ISO 22000 internal audit system moves beyond being a mere obligation and becomes a management tool that genuinely delivers food safety value to the organization.
Process-Based Audit Scope and Checklists
Within the ISO 22000 Food Safety Management System, the effectiveness of internal audits is directly related to how audits are structured. The process-based audit approach is based on conducting internal audits not solely according to standard clauses, but through the end-to-end process flow from raw material intake to final product dispatch. This approach enables food safety risks to be assessed at their actual source.
In Kioscert practices, it is frequently observed that internal audits conducted using clause-based checklists often fail to identify real on-site risks. Process-based audits, on the other hand, address documentation, records, and implementation simultaneously, providing a holistic view of the system.
Core Logic of the Process-Based Audit Approach
In process-based audits, each process is evaluated together with its inputs, outputs, responsibilities, risks, and control mechanisms. Within the scope of ISO 22000, this evaluation is deepened particularly through hazard analysis, PRPs, OPRPs, and CCPs.
Auditors expect internal audit records to go beyond merely listing process names and to demonstrate which controls are applied within these processes and how effectively they operate. For this reason, defining a clear and measurable audit scope is critical.
Good Practice
Defining a separate audit scope for each process and linking this scope to hazard analysis outputs is considered a strong practice in ISO 22000 audits.
Determining the Internal Audit Scope
When defining the scope in process-based audits, the organization’s food safety risk profile must be taken into consideration. Risks originating from raw materials, allergen management, cleaning and sanitation, traceability, and recall processes should be at the core of the audit scope.
The ISO 22000 approach expects the internal audit scope not to be static but to be updated in line with changes in products, processes, or legislation. During audits, it is specifically verified whether such scope updates are documented.
Aligning Checklists with Processes
For an effective internal audit, the checklists used must reflect the actual operation of processes. Generic or copy–paste checklists may overlook organization-specific risks. Therefore, checklists should be structured in a company-specific manner.
Auditors review whether the questions included in checklists are aligned with hazard analysis, PRP, and OPRP records. Checklists filled out only with Yes/No responses without explanations create the impression of a superficial audit.
PRP, OPRP, and CCP-Focused Control Structure
In ISO 22000 internal audits, checklists should be designed particularly around PRPs, OPRPs, and CCPs. Monitoring, verification, and record-keeping processes related to critical control points must be evaluated in detail during the audit.
During audits, particular attention is paid to whether CCP limits, monitoring frequencies, and actions taken in case of deviations are sufficiently questioned within internal audits.
Joint Evaluation of Documents, Records, and On-Site Practices
One of the most important advantages of process-based audits is the ability to test the consistency between documents, records, and on-site practices simultaneously. In ISO 22000 audits, disconnects between these three elements are considered a major nonconformity risk.
During internal audits, not only the existence of procedures but also how they are implemented on-site and verified through records must be examined.
Process-based audit is the real on-site test of the food safety management system.
Effective Audit Scope from the Kioscert Perspective
Kioscert considers the process-based approach in ISO 22000 internal audits as one of the most powerful methods for generating value during certification audits. When this structure is correctly designed, internal audits become not only a tool for identifying nonconformities but also a system development instrument.
In conclusion, proper structuring of process-based audit scope and checklists is a critical factor that directly determines the effectiveness of the ISO 22000 internal audit system and its success in certification audits.
Auditor Competence and Independence Criteria
Within the scope of the ISO 22000 Food Safety Management System, the reliability of internal audits and the value of their outputs are directly related to the competence and independence of the individuals conducting the audits. An audit structure carried out by auditors who lack competence or whose independence is compromised may conceal existing weaknesses instead of revealing them.
In Kioscert audit experience, internal audits are often planned based on the assumption that the person most familiar with the process should conduct the audit. However, ISO 22000 expects auditors not only to understand the process but also to possess auditing techniques, food safety risk knowledge, and objective evaluation skills.
What Is Auditor Competence Under ISO 22000?
Auditor competence is formed through the combination of education, experience, and auditing skills. An ISO 22000 internal auditor is expected to have sufficient knowledge to understand all clauses of the standard, HACCP principles, PRP and OPRP structures, and food safety risk management.
During audits, records demonstrating auditor competence, including training certificates, participation records, and experience information, are reviewed. Subjective statements such as long-term operational experience are not accepted as objective evidence of competence.
Core Competence Areas
For ISO 22000 internal auditors, food safety knowledge, auditing techniques, reporting capability, and communication skills constitute the primary evaluation criteria.
Auditor Training and Development Process
ISO 22000 requires auditor competence to be maintained not through one-time training activities but through continuous development. Standard revisions, regulatory changes, and emerging risk areas must be included in ongoing training programs.
Auditors examine whether training activities are planned, conducted at defined intervals, and reflected in internal audit performance.
Importance of the Independence Principle
Independence in internal audits means that auditors must not audit their own work. Under the ISO 22000 approach, auditors are expected to have no direct operational responsibility for the processes they audit.
One of the most frequently observed nonconformities during audits is the auditing of one’s own department. This practice undermines the objectivity of internal audit results and is questioned during certification audits.
Practices to Ensure Independence
In small and medium-sized organizations, independence may be difficult to ensure due to resource constraints. In such cases, cross-audit practices, assigning auditors from different departments, or externally supported internal audit solutions may be applied.
Auditors review how independence is ensured through audit plans and assignment records. These practices must be justified and properly documented.
Auditor Impartiality and Code of Conduct
In addition to competence and independence, impartial and professional behavior of auditors is essential for the reliability of ISO 22000 internal audits. Personal relationships, hierarchical pressure, or defensive attitudes weaken audit effectiveness.
Therefore, auditor codes of conduct should be clearly defined within internal audit procedures, and auditors must be informed and trained on these rules.
A competent but non-independent auditor protects the system; it does not improve it.
Reliable Audit Structure from the Kioscert Perspective
Kioscert considers auditor competence and independence as the foundation of reliability in the ISO 22000 internal audit system. When this structure is properly established, internal audit outputs generate real value during certification audits.
In conclusion, systematically ensuring auditor competence and independence is a fundamental requirement for maintaining an objective, effective, and sustainable ISO 22000 internal audit process.
On-Site Evidence Collection and Record Verification Techniques
The real value of ISO 22000 internal audits in practice emerges not only through the review of documented information, but through the auditor’s direct observation of how activities are actually performed on-site and the support of these observations with verifiable evidence. On-site evidence collection represents a critical stage that tests whether the food safety management system functions in operational reality rather than merely on paper.
In Kioscert audit practice, one of the most frequently observed weaknesses in internal audits is the review of records at a desk without sufficient comparison to on-site practices. The ISO 22000 approach mandates the integrated and consistent evaluation of documents, records, and on-site implementation.
Approach to Effective On-Site Observation
On-site observation is one of the most powerful tools available to internal auditors. How processes are executed, the extent to which personnel comply with instructions, and how critical control points are practically monitored are assessed during this stage. While observing, the auditor should not only ask what is being done, but also why it is being done in that way.
Auditors expect internal audit reports to include concrete on-site observations. Process-specific findings supported by examples significantly enhance the depth and credibility of internal audits compared to general statements.
Good Practice
Linking each critical on-site observation with the relevant record or documented information strengthens the integrity of the evidence chain.
Supporting Evidence Through Personnel Interviews
Personnel interviews constitute a key component of on-site evidence collection. Within the scope of ISO 22000, auditors should assess how well employees understand their duties, responsibilities, and food safety risks associated with their activities.
Auditors expect interviews to be conducted in a clarifying and confirmatory manner rather than a confrontational one. Responses provided by personnel must be consistent with procedures and training records.
Record Verification Techniques
Record verification is the fundamental step that tests the reliability of evidence collected during internal audits. Monitoring forms, CCP records, cleaning schedules, calibration records, and maintenance logs are among the most frequently verified records in this process.
Auditors must focus not only on whether records are completed, but also on whether they are maintained in an accurate, timely, and consistent manner. Comparing records from different time periods for the same process enables the identification of systematic weaknesses.
Enhancing Evidence Through Traceability Tests
Traceability tests are among the most effective methods for assessing system integrity during on-site evidence collection. Starting from a selected finished product, the ability to promptly access the associated raw materials, suppliers, and relevant record sets is expected.
Auditors review how frequently such tests are conducted within internal audits and how their results are evaluated. Failure of traceability tests is interpreted as a high food safety risk.
Use of Photographs, Samples, and Physical Evidence
Where necessary, photographs, samples, or physical evidence collected on-site may strengthen internal audit reports. However, such evidence must be collected in a controlled manner, with proper authorization and in compliance with confidentiality requirements.
The ISO 22000 approach encourages the use of visual or physical evidence as supporting elements, while emphasizing that the primary value lies in the consistency between records and actual implementation.
Evidence collected on-site reveals the reality of the system, while records demonstrate its discipline.
Strong Evidence Chain from the Kioscert Perspective
Kioscert considers on-site evidence collection and record verification techniques as the backbone of reliability in ISO 22000 internal audits. When properly managed, this area enables internal audit findings to produce strong and indisputable evidence during certification audits.
In conclusion, the systematic application of effective on-site evidence collection and record verification techniques directly enhances the reliability, depth, and certification value of the ISO 22000 internal audit process.
Nonconformity Classification and Root Cause Analysis
Within the ISO 22000 internal audit process, the accurate classification of nonconformities and the identification of their root causes constitute one of the most critical stages for achieving genuine system improvement. Nonconformities should not be treated merely as error records; they should be addressed as improvement opportunities that make weaknesses in the food safety management system visible.
In Kioscert audit experience, nonconformities identified during internal audits are often described using superficial statements, with root cause analysis either not conducted or performed incorrectly. The ISO 22000 approach expects organizations to address not symptoms, but the fundamental causes that give rise to the problem.
What Is a Nonconformity Under ISO 22000?
According to ISO 22000, a nonconformity is a failure to comply with defined requirements, procedures, legal obligations, or standard clauses of the food safety management system. Such nonconformities may arise from documentation deficiencies, record errors, deviations in on-site practices, or ineffective control mechanisms.
During audits, nonconformity statements are expected to be clear, measurable, and supported by objective evidence. Vaguely defined nonconformities weaken the effectiveness of corrective actions.
Fundamental Principle
A poorly defined nonconformity is the greatest barrier to an effective corrective action.
Classification of Nonconformities
In ISO 22000 internal audits, nonconformities are generally classified as major or minor. Major nonconformities represent critical deviations that directly threaten food safety and indicate that the system is not functioning. Minor nonconformities reflect weaknesses that do not compromise the overall system but require improvement.
Auditors examine whether nonconformity classification is applied consistently and based on risk. Automatically labeling each nonconformity as major or minor may indicate a lack of systematic evaluation.
Importance of Root Cause Analysis
Root cause analysis aims to identify not only the visible outcome of a nonconformity but also the underlying factors that led to it. The ISO 22000 approach emphasizes focusing on why it happened rather than who caused it.
During audits, limiting root cause analysis to superficial expressions such as “personnel error” or “lack of attention” is considered a common weakness. Such analyses do not result in systemic improvement.
Effective Root Cause Analysis Techniques
Commonly used root cause analysis techniques in ISO 22000 internal audits include 5W1H, Five Whys, and fishbone (Ishikawa) analysis. These methods help reveal systemic dimensions of problems and support the identification of appropriate corrective actions.
Auditors focus less on the complexity of the method used and more on whether the analysis results are realistic and actionable. Superficial use of complex techniques often produces less value than simple but effective analyses.
Relationship Between Nonconformity, Risk, and Action
Results of root cause analysis should directly feed into food safety risk assessments. If a nonconformity indicates deficiencies in existing hazard analyses or control measures, these documents are expected to be updated.
In ISO 22000 audits, linking nonconformities with the risk management system rather than addressing them in isolation is considered a positive practice.
A system that solves causes rather than symptoms becomes sustainable.
Systematic Improvement from the Kioscert Perspective
Kioscert considers nonconformity classification and root cause analysis as the improvement engine of the ISO 22000 internal audit process. When this area is effectively managed, internal audits become a source not only of identified gaps but also of development opportunities.
In conclusion, accurate classification of nonconformities and thorough root cause analysis directly influence the sustainability of the ISO 22000 internal audit system and its success in certification audits.
Monitoring of Corrective Actions and Effectiveness Verification
Within the ISO 22000 internal audit process, the true closure of identified nonconformities is achieved not merely by defining actions, but by ensuring that these actions are implemented on time and that their effectiveness is verified. Corrective action management serves as the critical bridge that enables internal audit outputs to generate value during certification audits.
A frequently observed weakness in Kioscert practices is the marking of corrective actions as completed without verifying whether they have actually eliminated the associated risks in practice. The ISO 22000 approach expects corrective actions not only to be implemented, but also to effectively eliminate the identified root causes.
Structuring the Corrective Action Plan
An effective corrective action plan must clearly define the nonconformity, its root cause, the actions to be taken, responsible persons, and target completion dates. Under ISO 22000, these plans must be measurable and traceable.
Auditors review whether corrective action plans contain process-specific and feasible actions rather than general statements. Expressions such as “training provided” are not considered sufficient on their own as effective corrective actions.
Good Practice
Directly linking each corrective action to the corresponding root cause provides strong evidence that the action truly addresses the underlying problem.
Timely Monitoring of Actions
ISO 22000 requires corrective actions to be completed within the planned timeframes. Delayed or repeatedly postponed actions weaken the effectiveness of the internal audit system and may lead to negative evaluations during certification audits.
During audits, particular attention is paid to how action status is monitored, what measures are taken in case of delays, and whether these processes are properly documented.
Importance of Effectiveness Verification
Effectiveness verification is the stage that tests whether a corrective action has truly eliminated the nonconformity. The ISO 22000 approach requires re-evaluation of the relevant process after implementation and evidence that the risk does not recur.
Auditors examine how effectiveness verification is performed, which criteria are applied, and how results are recorded. Nonconformities closed without verification create the conditions for recurrence.
Integration of Corrective Actions with Risk Management
Outputs of corrective actions must be integrated into food safety risk analyses and control plans. If a nonconformity reveals deficiencies in hazard analyses or control measures, these documents are expected to be updated accordingly.
In ISO 22000 audits, linking corrective actions with other system components is considered an indicator of internal audit system maturity.
It is not the action taken, but the action whose effect is verified, that improves the system.
Effective Action Management from the Kioscert Perspective
Kioscert considers the monitoring and effectiveness verification of corrective actions as the result-oriented phase of the ISO 22000 internal audit process. When this structure is robust, internal audit outputs generate reliable and sustainable evidence during certification audits.
In conclusion, systematic monitoring of corrective actions and verification of their effectiveness ensure that the ISO 22000 internal audit system functions not as a closing activity, but as a continuous improvement cycle.
Generation of Data for Management Review
Within the ISO 22000 Food Safety Management System, the strategic value of internal audits is directly related to the quality and depth with which audit findings are presented to top management. Management review is a critical governance process in which internal audit outputs are transformed from operational details into actionable, measurable, and traceable managerial inputs.
In Kioscert practices, when internal audit results are presented to management as raw reports without establishing links to trends, risks, and performance, management review meetings often fail to generate the expected value. The ISO 22000 approach expects internal audit data to be synthesized in order to produce strategic insight.
Key Audit Inputs to Be Presented to Management
During management review, the following core inputs derived from internal audits are expected to be presented in a clear and comparative manner: distribution and classification of nonconformities, root cause themes, status and effectiveness of corrective actions, recurring findings, and critical risk areas.
Auditors consider it a positive practice when these inputs include not only the current period, but also comparative trend analyses with previous periods.
Good Practice
Summarizing internal audit findings along the axes of risk, impact, and priority facilitates rapid and sound decision-making by top management.
Trend Analysis and Management Decisions
Under ISO 22000, management review is not limited to the evaluation of current nonconformities. Trend analysis of internal audit data reveals whether the system is improving, whether risks are decreasing, and whether implemented actions are sustainable.
During audits, particular attention is given to how recurring nonconformities are addressed in management meetings and which strategic decisions are taken to prevent their recurrence.
Linking Internal Audit Outputs to Objectives and KPIs
Linking internal audit data to food safety objectives and performance indicators during management review is one of the key indicators of ISO 22000 system maturity. This link demonstrates that internal audits are used not only as a compliance tool, but also as a performance management instrument.
Auditors evaluate the effectiveness of the management system by examining how internal audit findings are translated into objective revisions, resource allocation decisions, or process improvement actions.
Recording and Monitoring of Decisions
ISO 22000 requires that decisions taken during management review be documented, with responsibilities and target completion dates clearly defined. Monitoring these decisions ensures closure of the internal audit cycle and supports the sustainability of continuous improvement.
During audits, the status of decisions taken in previous management review meetings and their reflection in internal audit outcomes are verified. Unmonitored decisions are considered a factor that weakens system effectiveness.
If internal audit data does not reach management, the system does not learn.
Strategic Value Creation from the Kioscert Perspective
Kioscert considers the generation of data for management review as the strategic closure point of the ISO 22000 internal audit process. When properly structured, this phase transforms internal audits from a preparation activity into a managerial decision support mechanism.
In conclusion, presenting internal audit outputs to management in a structured, analyzed, and decision-oriented manner clearly demonstrates that the ISO 22000 internal audit system is mature, effective, and capable of generating high value during certification audits.
