11 MANAGEMENT REVIEW, INTERNAL AUDIT AND VERIFICATION – Food and Drink – Good Manufacturing Practice, 7th Edition



Management review is the process of reviewing the quality management system (QMS)/food safety management system (FSMS) and food integrity management system (FIMS) and is undertaken by senior management at regular intervals. Management review is undertaken to determine the degree of management control and its effectiveness, and verify that the food safety and quality policy and food safety and quality objectives, QMS, FSMS and FIMS, are suitable and being complied with. It is also an opportunity to identify any areas for improvement. An internal audit programme should support the management review process. It provides an input to management review by measuring the level of conformance with the QMS/FSMS/FIMS and the effectiveness of the QMS/FSMS/FIMS in achieving food safety, legality and quality objectives.

Management Review

11.1 Management review is formally addressed by manufacturing organisations at regular structured management meetings. The effectiveness of the management review meetings requires certain prerequisites to be in place, including determining:

  • who will be on the senior strategic management review team and any operational management review teams that might operate at the department level;
  • who will chair the meetings;
  • how often the meetings will take place;
  • the agenda that will be followed;
  • who will take and maintain the minutes of the meeting; and
  • the identification of appropriate preventive and corrective actions that arise from discussions at the meeting.

The meeting minutes form part of the formal records of the organisation (see Chapter 13) and need to be retained to provide objective evidence that the meeting(s) took place The minutes also need to identify the actions that were agreed as a result of the meeting and any follow‐up action that was agreed at the meeting to ensure that the agreed actions were implemented and were effective. Clear actions need to be agreed with responsibilities for action and timescales for completion. It is important that all actions are SMART (specific, measurable, achievable, relevant and time based) otherwise preventive or corrective action will be limited in its degree of effectiveness. The channels of communication of the meeting decisions and the actions that have been agreed must be formalised. The frequency of meetings can be monthly, bimonthly or quarterly. If the meetings are any less frequent, then they become a historic review rather than a real‐time management process that drives continuous improvement. For the same reason, minutes need to be circulated to those concerned without delay as a guide to agreed decisions and in order to facilitate prompt action.

Inputs to the Review Process

11.2 Inputs to the management review process can include the following:

  • progress in complying with previous management review meeting minutes and action plans;
  • areas of non‐compliance, including incidents, customer complaints, non‐conforming items and status of existing corrective actions as well as the effectiveness of previously completed corrective actions;
  • progress in complying with the QMS, FIMS, FSMS and hazard analysis critical control point (HACCP) plan and any non‐conformance and subsequent corrective action;
  • progress in complying with food safety and quality objectives and trends in food safety and quality costs such as level of rejection, rework and cost of customer complaints;
  • progress in complying with internal food integrity plans such as security assessments, vulnerability assessments and threat analysis critical control point (TACCP) plans or their equivalent (see Chapter 6);
  • horizon scanning for potential supply issues which could mean that there is a greater risk to food integrity, safety or quality, e.g. poor harvests, weather events such as drought in key supply locations or social issues that will impact on supply;
  • preventive actions and opportunities for improvement that have been or need to be addressed;
  • results from internal, external and third‐party audits;
  • changes to the documented system since the last review;
  • general customer feedback and analysis of customer and/or consumer complaint data including service levels and subsequent investigations and actions taken;
  • changes to the organisational structure or individual job responsibilities;
  • analysis of supplier performance and approval of new suppliers and contractors;
  • analysis of product and service performance;
  • changes that could affect the QMS/FSMS/FIMS system, including new market requirements, legislation, technology, products and processes; and
  • training programmes and the current training needs/plans, including effectiveness of previous training.

11.3 If an integrated management review process is undertaken, inputs could also include social accountability and organisational and food safety culture, animal welfare, corporate social responsibility, personnel health and safety, and environmental issues.

Outputs from the Review Process

11.4 Measurable outputs that demonstrate the effectiveness of the management review process include:

  • continued compliance with statutory, legislative and market requirements;
  • improved allocation of resources;
  • continued focusing of the food safety and quality policy and food safety, integrity and quality objectives on the issues affecting the manufacturing organisation;
  • improved planning and communication on future changes within the business, including new products, technology and processes, new suppliers, changes to the organisational structure and individual job responsibilities or the documented system;
  • improved management of the corrective and preventive action programme;
  • monitoring of supplier performance and improved communication with regard to issues of service and raw material/ingredient performance;
  • monitoring of the status of food integrity, safety and quality risks;
  • improved relationships with customers;
  • measurement of food safety, integrity and quality costs on an ongoing basis towards reduction in non‐conforming product and service; and
  • continued focusing of training programmes and identification of current training needs.

Resourcing the QMS/FSMS/FIMS

11.5 It is the role of the senior management team, using the management review process as a driver, to provide the resources required to fulfil food safety, food integrity and quality objectives and to ensure legal compliance. Management review needs to consider whether existing human, physical and financial resources are adequate to achieve this and, where this is not the case, drive the implementation of appropriate corrective action so that adequate resources are in place.

Legislative and Industry Guidance

11.6 The senior management review process should have a formal process in place to ensure that the manufacturing organisation can access, and then address within its management systems and procedures, scientific and technical developments, including the emergence of new food safety hazards, food quality issues or food integrity concerns and mitigation measures, changes and updates to industry guidance and codes of practice, and changes to legislation both in the country of manufacture and those countries to which the organisation is seeking to export its products.

Types of Audit

11.7 Auditing is the management tool that identifies whether the food safety, integrity and quality manual, and associated procedures and systems, including prerequisite programmes (PRPs), have been developed and implemented appropriately, are effective and are being complied with and that there are no weaknesses in the formal system that could give rise to non‐conformance and/or no evidence of actual non‐conformance evident during the audit. Audits can be described as:

  • first‐party or internal, where the organisation is auditing its own systems and procedures;
  • second‐party, where the organisation is undertaking audits of organisations with whom it has a contractual agreement, e.g. suppliers. The customer, e.g. a food retailer or a food service organisation, will very often develop their own standard against which they are auditing; or
  • third‐party, where an independent organisation is auditing typically a supplier of a retailer or food service organisation and there is no contractual product supply agreement between them and the organisation that they are auditing. Examples of third‐party audit standards include the British Retail Consortium Global Standard Food Safety or the ISO series of system standards.

11.8 Audits can be undertaken to two levels of depth: the first is a system audit where the auditee’s (the organisation being audited) documented management system is audited against the system requirements of the standard, i.e. how the documented management system should be constructed and what elements it should contain. The second level of audit is a compliance audit, which measures if what the manufacturing organisation is doing meets the requirements of their own documented management system and the requirements of the system standard, e.g. the organisation’s documented management system may have greater requirements in place than the system standard, e.g. with regard to training, traceability or provenance standards. It is also important to determine the scope of the audit, i.e. the products and processes that will be audited and identified as being compliant, or not, in the audit.

Internal Audits

11.9 Internal audits complement the management review process. Internal, or first‐party, audits are where the organisation develops an auditing programme to audit itself in terms of products, procedures and processes. The auditing programme should include all the activities within the scope of the QMS/FSMS/FIMS. The audit programme should be defined in an audit schedule that defines audit criteria, scope, the proposed auditor and planned frequency of audits. An internal audit procedure should be developed defining the requirements for the internal audit programme, including planning and conducting audits, mechanisms for reporting the results of the audit and how any required actions will be monitored and followed up. Individual responsibilities should be defined within the procedure. The procedure should also outline the working documents that will be used, such as audit reports, audit checklists and corrective action plans. The resource required for the internal auditing programme should be reviewed, including the required number of auditors and the training required in order to develop the auditors’ specific auditing skills and technical knowledge. The resource will depend on the number of audits scheduled and their scope and frequency. The frequency of audits should be established by a formal risk assessment. The internal audit procedure should identify the depth of the internal audits, i.e. whether they are system or compliance audits, or both, and the scope of the audit, i.e. not only the area of activities being audited, but also the elements of the management systems (s) (QMS, FSMS and/or FIMS and also environmental, health and safety of personnel or other criteria) for a compliance audit and the system standard such as the British Retail Consortium (BRC) Global Standard for Food Safety, alternative private or retailer standard, ISO 22000 or EN ISO 9001:2000 or other relevant standard in the event of a system audit. Auditors should have technical knowledge of the food products and processes being audited. Auditors cannot objectively audit their own work, so internal audits should be carried out by competent auditors who are independent of the area or activity being audited. This will ensure the objectivity and impartiality of the audit process.

11.10 The results of the audit should be documented and brought to the attention of the management responsible for the area being audited. This should include areas of both conformance and non‐conformance. Any preventive or corrective actions and timescales for their implementation should be mutually agreed. The management responsible for the area being audited is responsible for ensuring that any required actions are undertaken in a reasonable time frame in order to eliminate non‐conformance and ensure effective corrective action. Verification activities should then be undertaken to ensure that the prescribed preventive or corrective actions have been implemented and have been effective. A process should be put in place to manage all preventive and corrective action required within the organisation. This can be through a preventive and corrective action plan, non‐conformance or corrective action log or similar document. The quality control manager should be responsible for monitoring the completion of preventive and corrective action according to agreed timescales and should highlight poor performance for follow up, additional resources and/or further action.

11.11 The implementation of quality assurance processes within an effective QMS/FSMS/FIMS requires not only the implementation of procedural audits but also those that address extrinsic food safety hazards and food integrity threats. This requires an audit plan to be established to monitor the ‘fabric’ of the manufacturing premises in terms of the building and its physical security, zoning and access to specific areas within the manufacturing premises, use and security of equipment and tools, premises housekeeping and hygiene, and personnel hygiene. The frequency of these audits should be based on risk assessment, including assessing the degree to which the product is enclosed within food‐processing equipment or secure production zones. These premises and personnel audits should be undertaken by trained, competent individuals, and where possible should not just be seen as simply as the completion of a checklist and an opportunity to identify non‐conformance, i.e. a tick‐box activity. Auditors should be encouraged not only to have awareness of the premises and personnel standards required but also to use the internal audit process to improve staff understanding of the good manufacturing practice (GMP) standards required and promote continuous improvement. Senior management should support this activity as a preventive approach to minimising food safety and food integrity risk.

11.12 Trend analysis should be undertaken across a series of internal audits to identify areas that give rise to ongoing, albeit minor, non‐conformance, especially where corrective action is shown to have limited value in addressing weaknesses or breakdowns in the QMS, FSMS and/or FIMS. This should form an input into the management review process, as previously described. The trend analysis should form a framework for the development of specific key performance indicators (KPIs) or critical success factors (CSFs) that are robust enough to drive continuous improvement in all aspects of GMP.

11.13 Guidance on undertaking audits and developing auditing programmes can be accessed in BS EN ISO 19011:2011 Guidelines for auditing management systems. Although not relevant to internal auditing itself ISO/TS 22003:2013 Food safety management systems – Requirements for bodies providing audit and certification of food safety management systems provides guidance relevant to the undertaking of audit activities that still proves useful in developing an internal auditing programme. The annexes of this standard provide specific guidance on the time requirements for auditing.

11.14 Guidelines for auditing FIMS in the food manufacturing environment are limited to date. However, when considering the development of an auditing programme to verify the four aspects of food integrity (product, process, data and people) it is important to consider the ISO/IEC 27000 standards for information security management systems which are under development at the time of writing this Guide, including:

  • ISO/TEC 27003:2017 Information technology – security techniques – information security management systems – guidance;
  • ISO 10667‐1:2011 Assessment service delivery – Procedures and methods to assess people in work and organizational settings;
  • ISO 31000:2009 Risk management – Principles and guidelines.