10 Most Common BRCGS Internal Audit Non-Conformances

Every BRCGS audit season, the same findings land on the same desks. Here are the ten most common internal audit non-conformances — and how to close them before the certification body does.

Every BRCGS audit season, the same findings land on the same desks. Not because food safety teams aren't trying, but because these ten areas hide in plain sight — built into daily operations, overlooked in the rush of production, or papered over with actions that fix the surface without touching the cause.

Here's what they are, why they keep happening, and how to close them before the certification body does it for you.

1. Incomplete or Outdated HACCP Plans

What it is

The HACCP plan hasn't been reviewed within the required 12 months, or it hasn't been updated to reflect a change in raw materials, process, packaging or equipment. In some cases, the scope doesn't cover all products manufactured on site.

Why it happens

HACCP reviews get scheduled and then displaced by production pressures. Teams assume that if nothing has changed on the floor, the plan doesn't need touching. This assumption is wrong. Clause 2.12.3 requires review *at least annually*, even when nothing has changed — and additionally before any change that could affect food safety.

How to fix it

Build the HACCP review into the management review calendar as a fixed, non-negotiable item. Create a documented trigger list — changes to raw material suppliers, new ingredients, packaging modifications, new products, published recalls involving similar hazards — that automatically initiates a HACCP review. Every review must be documented, with evidence that the team met, what was assessed, and what (if anything) changed. A signed and dated revision sheet is the minimum. If the plan is unchanged after review, that conclusion must be documented too.

2. Inadequate Glass and Brittle Materials Management

What it is

The glass and brittle materials register is incomplete, checks aren't being recorded at the required frequency, or the breakage procedure isn't being followed and documented. Registers sometimes list items that can't be found, or don't list items that clearly exist in the production area.

Why it happens

The register was created during certification preparation and then left untouched. Staff perform checks but don't record them consistently. The breakage procedure exists but no one has been trained to the point where they can execute it without instruction.

How to fix it

Five documents must be in place and current, as required under clause 4.9.3.2: the register of items with location, number, type and condition; a risk assessment defining inspection frequency; completed inspection records (recorded even when nothing has changed); cleaning and replacement procedures; and a breakage procedure. The breakage procedure must specify who is authorised to act, what product is quarantined, how the area is cleaned, and how re-entry to production is authorised. Records of all breakages must be maintained. Check the register annually at minimum, and every time a structural change occurs in the production area.

3. Poor Calibration Records for Measuring Equipment

What it is

Equipment on the calibration schedule has no calibration record, records are incomplete, equipment is past its calibration due date, or the calibration method isn't traceable to a national or international standard.

Why it happens

Calibration is often treated as a maintenance function rather than a food safety control. Schedules slip. New equipment gets added to production without being added to the register. Staff calibrate equipment but record it informally — on a scrap of paper, in a notebook that no one can find during an audit.

How to fix it

Clause 6.4.1 requires a documented list of all measuring equipment used to monitor CCPs, product safety, legality and quality, showing location, identification code, and calibration due date. Clause 6.4.2 requires calibration at a predetermined frequency, against a defined method traceable to a recognised standard, with results documented. Where a thermometer has calibration uncertainty of ±0.5°C and the critical limit is 72°C, the working limit must be set at 72.5°C to account for that uncertainty (clause 6.4.3). Build calibration due dates into a live register, not a spreadsheet that gets emailed once a year. Assign one person to own it. Audit the register quarterly as part of the internal audit programme.

4. Food Safety Culture Programme Gaps (Issue 9 Requirement)

What it is

No documented culture plan exists. Or a plan exists but it's a one-page statement rather than a structured programme with activities, timescales, measurement and review. Or the plan exists on paper but there is no evidence it has been implemented.

Why it happens

Clause 1.1.2 was introduced in Issue 9 and many sites still treat it as an add-on rather than a core requirement. Culture plans are written to satisfy the auditor, not to actually shift behaviour. Without senior management involvement, the plan stalls at the technical team.

How to fix it

BRCGS is explicit about what triggers a major non-conformity versus a minor: no documented plan at all = major; a poor-quality plan or one that isn't fully implemented = minor. The plan must cover, at minimum: clear and open communication on product safety; training; feedback from employees; behaviour changes needed to improve product safety; performance measurement; an action plan with timescales; and a review of completed activities. The plan must be reviewed and updated at least annually. Senior management must be able to speak to its implementation during the audit (clause 1.1.11). Critically: the auditor isn't auditing culture itself — they're auditing evidence that the requirements of the clause are being met. Treat it as a managed programme, document everything, and make the evidence accessible.

5. Supplier Approval Records Missing or Out of Date

What it is

Suppliers on the approved supplier list have no approval evidence on file, or questionnaires haven't been reissued within three years, or approval hasn't been reviewed following a significant change. In some cases, raw materials are being received from suppliers who aren't on the approved list at all.

Why it happens

Approved supplier lists grow without being pruned. Suppliers are added when they're taken on, but the ongoing review cycle isn't maintained. Questionnaire re-issue is a manual process that relies on someone remembering to do it every three years.

How to fix it

Clause 3.5.1.3 requires a documented process for ongoing supplier performance review, based on risk. Where approval is based on questionnaires, they must be reissued at least every three years. Clause 3.5.1.4 requires an up-to-date approved supplier list, accessible at goods receipt. Create a supplier review calendar that flags questionnaire renewal dates automatically. For each supplier, the file must hold the approval basis (questionnaire, certificate, audit report, or combination), the risk assessment, and a record of the ongoing review. Where approval is based on third-party certification, track certificate expiry dates and follow up before they lapse. Any material received from an unapproved supplier must go through the exception procedure (clause 3.5.1.7).

6. Traceability Exercise Failures

What it is

The annual traceability test can't be completed within the required four-hour window, the mass balance doesn't reconcile adequately, or the test isn't documented with a clear link map between records. Some sites complete the test only in one direction — raw material to finished product — without also testing backwards.

Why it happens

Traceability is tested once a year and the test is prepared in advance, which doesn't reveal how the system would perform under real conditions. Records are stored in different systems or locations, so retrieving them in sequence takes longer than anticipated. The mass balance is attempted but the variance can't be explained.

How to fix it

Clause 3.9.3 requires that the traceability system be tested across the range of product groups, in both directions, including a quantity check or mass balance. The test must be timed. Full traceability should be achievable within four hours. The test must include a summary of the documents referenced and a clear map of the links between them. Run at least one unannounced traceability test per year — assign a batch and time the retrieval without advance preparation. Where the mass balance shows variance, document the explanation (process loss, decanting, production waste). If you can't explain it, the system is not working. Review the test results against the requirement that the system would function during an actual recall.

7. Inadequate Pest Management Documentation

What it is

The site plan showing pest device locations is outdated. Inspection records exist only when pest activity is found — negative findings aren't being recorded. Recommendations from the pest contractor haven't been acted on within the required timescale. The scope of the pest contract doesn't cover the full site.

Why it happens

Pest management is often fully contracted out and the site treats the contractor's report as sufficient. The site doesn't review the contractor's documentation critically, and the contractual responsibilities between site and contractor aren't clearly defined.

How to fix it

Clause 4.14.4 specifies that pest management documentation must include: an up-to-date site plan showing device locations; identification of baits and monitoring devices; clearly defined responsibilities for site and contractor; details of pest control products used and emergency action instructions; records of observed pest activity; and records of treatments undertaken. Clause 4.14.9 adds that all recommendations made by the contractor must be actioned by the site within a suitable timescale. Critically: all inspections must be recorded even when findings are negative (clause 4.14.4). This is the due diligence record. Missing bait stations must be recorded, reviewed and investigated (clause 4.14.5). Update the site plan every time device locations change. Review the contract scope against the current site footprint annually.

8. Training Records Incomplete or Not Role-Specific

What it is

Training records exist as attendance sheets but don't show what was taught, who taught it, or what reference material was used. There is no job role competency matrix linking training requirements to specific roles. Temporary and agency staff have no documented training records. CCP operators haven't had competency assessments.

Why it happens

Induction training is documented at the start and then not revisited. Role changes happen without a corresponding training update. Temporary staff are trained informally because there isn't time to do it properly, and nothing is recorded.

How to fix it

Clause 7.1.6 requires training records to include: name of the trainee; confirmation of attendance; date and duration; title or course contents; training provider; and for internal training, a reference to the material, work instruction or procedure used. Clause 7.1.3 requires a documented training programme identifying the competencies required for each role and reviewing training effectiveness. Where personnel operate CCPs or control measures, clause 7.1.2 requires training and a competency assessment — not just attendance. Build a training matrix that maps every role to its required training and shows current status. This is the document the auditor will ask for. Temporary and agency staff must be included. Their training records must be available at the site.

9. Internal Audit Programme Not Covering All Clauses

What it is

The internal audit schedule covers the same high-traffic areas year after year. Sections of the Standard — often section 4 (premises) or section 6 (process control) — aren't audited, or are audited using tick-box checklists that don't provide the depth required. The schedule isn't completed within the annual cycle.

Why it happens

The audit programme is written to cover the obvious requirements and doesn't systematically work through all clauses of the Standard. Tick-box formats are used because they're faster. Auditors audit areas they know, and areas they're less familiar with are consistently underaudited.

How to fix it

Clause 3.4.1 requires the internal audit programme to cover all activities that affect product safety, authenticity, legality and quality, at a frequency based on risk. All areas and clauses must be included across the annual cycle. Clause 3.4.3 makes clear that tick-box checklists alone are not sufficient — reports must show objective evidence of conformity as well as non-conformity, with enough detail that an independent reviewer could reach the same conclusion as the auditor. Build the programme against the full clause structure of the Standard. Ensure auditors are trained and independent of the area being audited. Where the programme consistently finds no non-conformities, clause 3.4.3 guidance explicitly notes this as a signal to review whether the audits are sufficiently rigorous.

10. Corrective Actions That Address Symptoms, Not Root Causes

What it is

Non-conformities are closed with actions like "staff retrained" or "procedure reviewed" without any analysis of why the failure occurred. The same non-conformance appears at the next audit. Root cause analysis is either absent or completed superficially.

Why it happens

There is time pressure to close non-conformities quickly. Root cause analysis is treated as a bureaucratic step rather than a diagnostic tool. "Retrained staff" is an easy action to record and verify. It rarely prevents recurrence.

How to fix it

Clause 3.7.1 requires documented procedures for handling issues in the food safety and quality system, including completion of root cause analysis and implementation of preventive action. The corrective action procedure must distinguish between immediate correction (fixing the specific instance) and preventive action (preventing recurrence). A minimum of five-why analysis is expected. "Staff retrained" is a corrective action for a symptom. The root cause question is: why didn't the original training embed the correct behaviour, and what systemic condition allowed the non-conformance to occur? Preventive action addresses that condition. Clause 1.1.12 requires that the root causes of non-conformities from the previous audit have been effectively addressed. Recurring non-conformities will be treated by the auditor as evidence that previous corrective actions were inadequate.

The Pattern Behind the Pattern

These ten findings aren't random. Most of them share two underlying causes: systems built during certification preparation that aren't maintained as living controls, and corrective actions that substitute visible activity for genuine problem-solving.

An internal audit programme that actually works finds these issues before the certification body does — not because the auditors are looking for trouble, but because identifying a non-conformity internally is always preferable to having it raised externally.

The goal is not a clean internal audit report. The goal is a food safety system that performs correctly every day, whether or not someone is watching.