← Back to Blog
BRCGS18 min read · 21 May 2026

How to Run Your First BRCGS Internal Audit

A step-by-step guide to planning and running your first BRCGS internal audit. Scope, scheduling, auditor competence, reporting, and corrective actions — everything you need to get it right.

Running an internal audit for the first time can feel like standing at the base of a steep hill — the view from the top is worth it, but the path up is not always obvious. This guide removes the guesswork. Whether you are a QA manager building your programme from scratch or a team member stepping into an internal auditor role for the first time, you will find everything you need here: what the standard demands, how to plan it, how to execute it on the floor, and what to do when you find something wrong.

BRCGS internal auditing is not a bureaucratic exercise. Done properly, it is the most powerful self-assessment tool your site has. It is also a Fundamental Requirement under the BRCGS Global Standard for Food Safety Issue 9 — meaning failure in this area can cost you your certification regardless of how well you perform elsewhere. Treat it accordingly.

1. Foundations: What BRCGS Requires for Internal Auditing

The Clause That Governs Everything: Clause 3.4

Clause 3.4 of the BRCGS Global Standard for Food Safety Issue 9 is the primary reference for all internal auditing requirements. It is classified as a Fundamental Requirement — the highest level of obligation in the Standard. A critical failure against a Fundamental Requirement results in an automatic fail grade regardless of performance in any other area. This classification alone should signal the weight senior management must place on the internal audit programme.

The Standard defines an internal audit as any audit completed by or on behalf of the company, as opposed to a second-party audit (such as a customer audit) or a third-party audit (such as a certification body audit). Within this definition sits a broad and powerful mandate.

Why the Standard Mandates Internal Auditing

The BRCGS Issue 9 Interpretation Guideline is direct: internal audits are one of the most powerful self-assessment tools available to a site. Specifically, a well-executed BRCGS internal audit programme serves to:

  • Confirm that the product safety and quality management systems are correct and functioning as designed
  • Verify that food safety, authenticity, legality, and quality activities are actually being carried out as documented — not just on paper
  • Monitor that products are being manufactured correctly against specifications
  • Identify potential risks and near-misses early, allowing timely correction before a problem escalates into a non-conformity at your certification audit
  • Drive continuous improvement by identifying areas that need development
  • Verify the HACCP or food safety plan, a requirement explicitly cited in Clause 2.12.2

There is also a culture dimension. The Standard acknowledges that a site's attitude toward its internal audit programme is a direct indicator of its food safety culture. A site that minimises audits, under-reports non-conformities, or fails to follow through on corrective actions is demonstrating a poor culture — and a BRCGS auditor will recognise this pattern.

What the Scope Must Cover

The internal audit programme must cover all areas of the food safety and quality management system without exception. This includes:

  • The HACCP or food safety plan and all activities required to implement it, including supplier approval, corrective actions, and verification
  • All Prerequisite Programmes (PRPs) — hygiene, pest management, allergen management, and others
  • Food defence and food fraud prevention plans
  • All documented procedures implemented to achieve the Standard
  • Both the documented systems (what you say you do) and the actual work practices (what you actually do)

The distinction between documented systems and actual work practices is critical. A tick-box exercise comparing documents to documents is not an audit. An effective BRCGS internal audit compares documents to observable, verifiable reality on the production floor.

2. Scope and Frequency — Building an Annual Audit Schedule

The Minimum Legal Requirement Under Clause 3.4.1

Clause 3.4.1 sets the minimum threshold:

There shall be a scheduled programme of internal audits covering all activities at least once per year, with a minimum of four different audit dates spread throughout the year.

This is a floor, not a target. Four audit dates spread across a year is the minimum. For most food manufacturing sites, best practice — and risk-based logic — will drive a more frequent programme.

Critically, the Standard prohibits compressing all internal audits into a single block of activity. All audits cannot be conducted on a single day, and the programme cannot cover every aspect of the system in one sweep. A once-a-year global check may have some value as a gap analysis tool when preparing for your certification audit, but it does not satisfy the requirements of a functioning internal audit programme.

Building a Risk-Based Annual Programme

Start with a risk assessment. The audit schedule is not a calendar exercise — it is a risk management exercise. Your risk assessment must identify:

1. All areas and activities that require auditing. Map every element of your food safety and quality management system: HACCP plan, each PRP, food defence plan, food fraud prevention plan, all documented procedures. Nothing should exist without an audit home on the schedule.

2. The appropriate audit frequency for each area. Frequency is not uniform. It is set in relation to:

  • The inherent risk of the activity
  • Previous audit performance in that area
  • Known issues within the company
  • Customer requirements

Practical guidance from the Issue 9 Interpretation Guideline: CCPs are inherently higher risk than administrative procedures. Internal audits of CCPs should therefore occur more frequently than audits of lower-risk activities. A site that has previously found persistent non-conformities in a specific area should increase audit frequency for that area until sustained compliance is demonstrated.

3. The most appropriate timing. Consider seasonality — if certain production activities only occur during specific months, schedule audits to coincide with active operations. Auditing a dormant grape pressing line in winter provides no value. The Standard explicitly acknowledges this: seasonal sites are not expected to audit while shut down, but must complete pre-season audits (particularly of the HACCP plan, hygiene status, and staff training) before production restarts.

Consider auditing across different shifts — including evenings, nights, or weekends if your operation runs them. Non-conformities do not respect shift patterns.

Translating Risk Assessment into a Schedule: A Practical Framework

Once the risk assessment is complete, build a master schedule document that records:

Area / ActivityRisk LevelMinimum FrequencyPlanned Audit DatesAssigned Auditor
HACCP Plan — CCP verificationHighQuarterlyQ1, Q2, Q3, Q4[Name]
PRP: Allergen ManagementHighBi-annualQ1, Q3[Name]
PRP: Pest ControlMediumAnnualQ2[Name]
Food Fraud Prevention PlanMediumAnnualQ3[Name]
Supplier Approval ProcedureMediumAnnualQ1[Name]
Corrective Action ProcedureMediumAnnualQ2[Name]
Training RecordsLowAnnualQ4[Name]

This schedule is a live document. Review it at each management review meeting (Clause 1.1.4) and adjust it when risk changes — new products, new processes, customer complaints, or recurring non-conformities are all triggers to revisit frequency.

If your BRCGS certification audit falls early in the calendar year before much of the current year's schedule has been completed, the BRCGS auditor may review the internal audit records from the previous year. Your programme continuity and record quality must be maintained year-round — not ramped up before an audit visit.

3. Auditor Competence — Training and Independence

Clause 3.4.2: The Two Pillars

Clause 3.4.2 states plainly:

Internal audits shall be carried out by appropriately trained, competent auditors. Auditors shall be independent (i.e. not audit their own work).

These two requirements — competence and independence — are non-negotiable. A BRCGS auditor will typically discuss your audit process directly with your internal auditors during the certification audit to verify their competence firsthand.

What "Appropriately Trained" Means in Practice

Training for internal auditors must be documented in training records per Clause 7.1.6. An internal auditor must be able to demonstrate formal training through either:

  • Attendance at an external internal auditor training course
  • Structured in-house training delivered by a competent person

The content of auditor training must cover all of the following:

Auditing skills:

  • How to plan and schedule an effective audit
  • How to use audit techniques correctly — document review, process observation, audit trails, and staff interviews
  • How to prepare audit reports in the company's agreed format
  • How to follow up on findings and close out non-conformities

Technical knowledge:

  • Relevant knowledge of the activity being audited — for example, a working understanding of HACCP principles is required to audit a HACCP plan effectively
  • This may be demonstrated through work experience in the sector or specific technical training

Soft skills:

  • Asking open-ended, probing questions without triggering defensiveness
  • Remaining objective under pressure from department managers
  • Building rapport with the auditee while maintaining professional rigour

Training must be of sufficient duration and depth to produce a competent, consistent auditor — not merely a trained observer. The Interpretation Guideline is explicit: good auditing is a skilled discipline that produces evidence-based assessments. It is not form-filling.

External auditors are permitted as a resource where internal capacity is insufficient. However, they must still be used in a way that distributes audit dates across the year — they cannot be engaged for a single annual block. Refer to Clauses 1.2.4 and 3.5.3 for the requirements governing food safety consultants.

BRCGS-recommended resources for internal auditor development include:

  • The BRCGS Internal Auditor Training course (available via BRCGS Participate)
  • The BRCGS Guideline on Internal Auditing (available from the BRCGS Store)
  • ISO 19011 — Guidelines for Auditing Management Systems

Consider calibration sessions at the beginning of each audit year — a facilitated exercise where all internal auditors review the same scenario and compare findings. Calibration builds consistency and is recognised as good practice in the Interpretation Guideline.

The Independence Requirement: No Exceptions

Auditor independence is absolute. An internal auditor may not audit their own work or any programme for which they are immediately responsible. This exists for one clear reason: an auditor who has a personal or professional stake in the outcome of an audit cannot provide an objective assessment.

The Standard's definition of conflict of interest is deliberately broad. The Interpretation Guideline gives the following explicit example of what is not acceptable: workers on one shift auditing the work of another shift completing the same work are not independent, because they are not independent of the operation itself.

Practical implications for your auditor allocation:

  • The Production Manager cannot audit production procedures
  • The Head of Hygiene cannot audit cleaning and sanitation PRPs
  • A CCP operator cannot audit the CCP for which they are responsible
  • Cross-departmental auditing is the standard solution: QA audits production; production management audits dispatch and warehousing; and so on

Document your independence decisions in the audit schedule. During a certification audit, the BRCGS auditor will verify that your independence model is defensible.

4. Planning a Single Audit: The Pre-Audit Routine

Step 1: Define the Specific Audit Scope

Each internal audit within the programme must have a defined scope that considers a specific activity or a section of the HACCP or food safety plan. Scope definition is not vague — it answers four questions precisely:

  1. What is being audited? (e.g., Allergen Management PRP — specifically segregation procedures and cleaning validation between allergen runs)
  2. Where is the audit taking place? (e.g., Production areas 1 and 2, ingredient storage, and the dispatch area)
  3. When will it take place, and across which shifts?
  4. What documents are in scope? (e.g., the Allergen Management Procedure, the Allergen Changeover Work Instruction, allergen cleaning records from the past three months)

Write this scope into an Audit Plan document and give it to the relevant department head in advance. This is not a weakness — it is good practice. The auditee should know what is being audited so they can have the right people and records available. The element of surprise belongs to enforcement inspections, not internal audits.

Step 2: Build Tailored Audit Checklists

A generic checklist applied to every audit is one of the most common audit programme failures. Build your checklist specifically for the scope of each audit.

A robust BRCGS internal audit checklist should include:

  • Specific clause references from Issue 9 relevant to the area being audited
  • Procedure-specific questions drawn directly from the site's own documented procedures — e.g. "The allergen changeover procedure states that all contact surfaces must be swabbed post-clean. Select three recent changeover records — are all swab results documented with pass/fail status?"
  • Observation prompts for physical verification on the floor — e.g. "Visually inspect the allergen storage area — are all allergen-containing materials clearly labelled and physically segregated from non-allergen ingredients?"
  • Staff interview questions to verify procedural awareness — e.g. "Ask the line operative to describe what they would do if they found allergen spillage in the non-allergen zone."
  • Record review requirements — specifying which records to pull, across what date range, and what constitutes compliance versus non-compliance

Checklists are working tools. They should have space for auditor notes, evidence references, and preliminary findings alongside each question. Dates and identifying information for every record reviewed should be noted — this level of detail demonstrates audit rigour and allows findings to be traced.

Step 3: Allocate Realistic Time Blocks

Audit scheduling is frequently underestimated. A common failure is allocating one hour to an audit that requires three — the result is a superficial sweep rather than a genuine assessment.

As a general guide, allocate time for the following phases:

PhaseTypical Duration
Opening meeting (with department head)15–30 minutes
Document and records review30–60 minutes
Physical floor walk and observations45–90 minutes
Staff interviews20–40 minutes
Auditor notes consolidation20–30 minutes
Closing meeting (to present preliminary findings)15–30 minutes

For a scope-defined audit of a single PRP, budget a minimum of three hours. For a HACCP plan verification audit, budget a full day.

Do not schedule audits during high-pressure production periods where key personnel will be unavailable or distracted. Equally, do not audit only during quiet periods — you need to observe the operation under normal production conditions.

5. On the Floor: Conducting the Audit

Conducting the audit effectively requires discipline in three distinct operational phases.

Phase 1: The Opening Meeting

Begin every audit with a brief, structured opening meeting with the relevant department head or supervisor. This is not a formality — it serves four operational purposes:

  1. Confirm the scope and process — ensure both parties agree on what is being audited and how
  2. Agree on logistics — which records will be pulled, who will accompany the auditor on the floor walk, which operatives may be available for interview
  3. Set the tone — a professional, non-adversarial tone established here determines the quality of information you receive throughout the audit
  4. Note any significant changes since the last audit — new operatives, process changes, equipment modifications, customer complaints — these are your audit intelligence and should sharpen your focus

Document the opening meeting attendance and time in your audit record.

Phase 2: Evidence Gathering

This is the technical core of the audit. Use three evidence-gathering methods in combination — the strength of an audit finding depends on corroboration from more than one source.

Document and Record Review

Pull records systematically. Do not review the same three records every audit cycle — vary the date ranges and the individuals whose records you review. What you are looking for:

  • Are records completed fully, accurately, and on time?
  • Do the records reflect what the procedure says should happen?
  • Are monitoring frequencies being met?
  • Are out-of-range results being handled correctly — with corrective action documented?
  • Have signatures, dates, and authorisations been completed where required?

Note the specific document title, reference number, and date range reviewed in your audit notes. This traceability is what transforms notes into evidence.

Physical Observation and Floor Walk

Walk the area actively. You are comparing observable reality against documented procedure. Key observation techniques:

  • Trace a product or process forward and backward — follow a raw material from receipt through processing and packaging. Does what you observe align with what the HACCP plan and procedures describe?
  • Inspect physical conditions — hygiene standards, equipment state, signage, segregation, temperature controls, allergen separation, pest evidence
  • Look for near-miss conditions — worn gaskets, unlabelled containers, blocked drains, damaged racking near open product
  • Check calibration status on critical monitoring equipment — thermometers, scales, metal detectors

Avoid completing the floor walk too quickly. Slow observation finds more than a brisk walk-through.

Staff Interviews

Staff interviews are among the most revealing audit techniques and are frequently under-utilised. Approach them as a genuine assessment of procedural knowledge and actual practice — not as an examination designed to catch people out.

Effective interview techniques:

  • Use open-ended questions: "Can you walk me through what you do when you start a new allergen run?" rather than "Do you follow the allergen procedure?"
  • Follow the thread: if an answer reveals a gap, ask the next question to understand whether this is an isolated lapse or a systemic issue
  • Interview operatives at their workstation, not in a meeting room — proximity to the task produces more accurate answers
  • Interview multiple staff members on the same topic — consistency of answers indicates a well-embedded procedure; inconsistency is a finding

Document the role (not necessarily the name) of each person interviewed and the key information obtained.

Phase 3: The Closing Meeting

Close every audit with a formal closing meeting with the department head. Present your preliminary findings — both conformities and non-conformities. This step is mandatory under the Standard and serves several functions:

  • It gives the auditee an opportunity to provide additional evidence for any finding they believe is incomplete
  • It ensures there are no surprises in the written report — the department head is already aware of the findings before the formal document is issued
  • It allows you to begin agreeing on corrective actions and timescales informally before the formal CAR process begins
  • It demonstrates the rigour and transparency of your audit programme

Present findings clearly: reference the specific clause or procedure implicated, describe the evidence gathered, and state the finding. Do not soften non-conformities — a clear finding is more useful to the site than a diplomatic ambiguity.

6. Writing the Internal Audit Report

What a Compliant Report Must Contain

Clause 3.4.3 requires that internal audit reports identify conformity as well as non-conformity and include objective evidence of the findings. The Standard is not prescriptive about format — reports may be handwritten, electronic documents, or recorded in a management system. However, the content must be defensible.

A complete BRCGS internal audit report must document:

  • Audit details: Date, scope, areas and activities audited, name and role of auditor, names of key auditees
  • Records reviewed: Specific document title, reference number, and date range — not simply "records reviewed." This level of detail is what the BRCGS auditor will scrutinise
  • Process observations: What was observed physically, and how it compares to the documented procedure
  • Staff interviews: Roles interviewed and key information obtained
  • Conformities: Areas that meet the requirements — with evidence. Do not leave conformities unsupported; evidence of what is working well is as important as evidence of what is not
  • Non-conformities: Specific statement of the finding, evidence basis, and clause or procedure reference
  • Auditor notes: Retain original working notes alongside the final report. This is good practice recognised in the Issue 9 Interpretation Guideline

The dates and titles of every record reviewed must be noted in sufficient detail to allow them to be traced. This is what distinguishes an evidence-based audit report from a tick-box exercise.

Report Distribution

Audit results must be communicated to the personnel responsible for the activity audited — not filed away in the QA office. This communication may be achieved through:

  • A formal report issued to the department head with acknowledgement requested
  • Presentation at an operational or management review meeting
  • A closing meeting update supported by a written memo or copy of the report

The method matters less than the outcome: the responsible person must receive and understand the findings, and the responsibility for corrective actions must be documented by name and role.

A summary of internal audit results is a required agenda item at the management review meeting per Clause 1.1.4. Trending across the year's audit results — identifying recurring issues, departments with persistent non-conformities, areas of consistent compliance — is what elevates an internal audit programme from a compliance exercise to a genuine management tool.

7. Non-Conformities and Corrective Actions — Closing the Loop

The Most Common Misunderstanding About Audit Findings

Finding a non-conformity during an internal audit is not a failure. The Issue 9 Interpretation Guideline states this explicitly: identifying a non-conformity internally allows the site to implement corrective action before the issue becomes a more serious problem — at a customer audit or BRCGS certification audit. A site that consistently finds zero non-conformities in internal audits should examine whether its audits are sufficiently rigorous.

The failure mode is not finding non-conformities — it is not acting on them.

Handling Non-Conformities Under Section 3.7

All non-conformities identified during internal audits must be handled in accordance with Section 3.7 of the Standard. For any non-conformity that places the safety, authenticity, or legality of a product at risk, Clause 3.7.2 requires a documented investigation that includes:

  1. Clear documentation of the non-conformity — specific, factual, and referenced to the clause or procedure
  2. Assessment of consequences — by a suitably competent and authorised person
  3. Immediate corrective action — what was done to address the issue now
  4. Root cause analysis — identifying the fundamental cause, not the symptom
  5. Corrective and preventive action with specific timescales
  6. Named responsibility — the role accountable for completing each action
  7. Verification — confirmation that actions have been implemented and are effective

Root Cause Analysis: The Non-Negotiable Step

Root cause analysis is the step most frequently done poorly — or skipped entirely. The BRCGS Standard is unambiguous: "Retrained staff" is a corrective action, not a root cause. If training failure is the answer to every root cause investigation, the investigation was not deep enough.

The most accessible root cause technique is the Five Whys. Ask "why?" repeatedly until you reach the systemic cause rather than the immediate trigger.

Example from Issue 9 Interpretation Guideline:

An operator uses the wrong ingredient.

  • Why? The operator was unfamiliar with the procedure.
  • Why? Training was completed but not verified as satisfactory.
  • Why? The two ingredients looked identical — there was no visual distinction.
  • Why? Labels had been removed during cleaning and not replaced.
  • Why? There was no documented requirement to replace labels after cleaning, and no checklist to verify this step.

Root cause: Absence of a label-replacement requirement in the cleaning procedure, with no verification checkpoint. The corrective action is a procedure update, not retraining.

Document every step of the root cause analysis. The BRCGS auditor may review your root cause analysis against a previous non-conformity to verify that the systemic cause was correctly identified and that preventive action has been effective.

Verifying Corrective Action Closure

Clause 3.4.3 requires that the completion of corrective and preventive actions be verified. Best practice is to assign verification responsibility to the original auditor — the person who raised the finding is best placed to confirm that the corrective action has genuinely resolved the issue.

The verifier should not be the person who carried out the corrective action.

Verification is documented in the audit record or corrective action register. A non-conformity remains open until verification is complete. Clause 3.4.3 states explicitly: a non-conformity will be raised against this clause if corrective and preventive actions are not completed within the agreed timescales.

8. Integrating Your Internal Audit Programme into the Management System

Management Review: The Mandatory Link

Clause 1.1.4 requires that internal audit results are summarised and reviewed at management review meetings. This is not optional. The management review is where audit trends are analysed, resource requirements are assessed, and decisions about programme changes are made.

The summary for management review should include:

  • Total number of audits completed against the schedule
  • Number and classification of non-conformities identified
  • Status of corrective and preventive actions
  • Trend analysis — are the same issues recurring? Are specific areas consistently non-compliant?
  • Any recommended changes to audit frequency or scope based on performance data

Linking Internal Audits to Continuous Improvement

An internal audit programme that functions in isolation — findings raised, actions closed, results filed — is missing its highest-value output. The findings from your BRCGS internal audit programme are a dataset. Over a 12-month cycle, they reveal the pattern of your site's food safety culture: where systems are robust, where procedures are not being followed, where training has not been effective, and where the documented system does not reflect operational reality.

Use this data. Feed it into your food safety culture plan (Clause 1.1.2). Reference it in supplier review meetings if supplier performance is creating upstream compliance pressure. Use it to calibrate your HACCP plan review. A site that treats its internal audit programme as an intelligence function — not an administrative requirement — is a site that continuously gets better.

For additional guidance on BRCGS food safety culture and how internal auditing integrates with the broader quality management system, see our Blog Post on this topic.

Summary: Your BRCGS Internal Audit Compliance Checklist

Use the following as a readiness check before and after each audit cycle:

Programme Level (Clause 3.4.1)

  • A documented annual audit schedule exists, covering all food safety and quality management system activities
  • The schedule includes a minimum of four different audit dates spread throughout the year
  • Audit frequency for each area is risk-based and documented
  • All activities are scheduled to be audited at least once per year
  • The schedule is reviewed at management review meetings

Auditor Competence and Independence (Clause 3.4.2)

  • All internal auditors have documented formal training in internal auditing
  • Training records are current and accessible per Clause 7.1.6
  • No auditor is assigned to audit their own area of responsibility
  • Independence decisions are documented in the audit schedule

Individual Audit Execution (Clauses 3.4.1–3.4.3)

  • Each audit has a defined, documented scope
  • Tailored checklists reference relevant clauses and site procedures
  • Opening and closing meetings are held and recorded
  • Evidence gathered includes records review, physical observation, and staff interviews
  • Specific records reviewed are documented by title and date range

Reporting (Clause 3.4.3)

  • Audit reports document both conformities and non-conformities with objective evidence
  • Reports are issued to the responsible personnel for the area audited
  • Results are summarised for management review

Non-Conformities and Corrective Actions (Section 3.7)

  • All non-conformities are handled per the site's corrective action procedure
  • Root cause analysis is completed for all significant non-conformities
  • Corrective and preventive actions are assigned with timescales and named responsibilities
  • Verification of completed actions is documented by the original auditor or equivalent

Running a BRCGS-compliant internal audit programme is achievable for any site — regardless of size — when the requirements are understood clearly and executed with discipline. The investment in getting it right pays dividends far beyond the certification audit: a functioning internal audit programme protects your product, your people, and your customer relationships every week of the year.

*Standards referenced: BRCGS Global Standard for Food Safety Issue 9. All clause references are to Issue 9. This guide is intended for internal use by food safety professionals and internal audit teams. For clause-specific interpretation queries, consult the BRCGS Issue 9 Interpretation Guideline.*

More From The Blog
brcgs

BRCGS Audit Checklist for South African Food Manufacturers

Read →
FSSC 22000

FSSC 22000 Certification Cost in South Africa (2026): What to Budget

Read →
HACCP

SANS 10330 Hazard Analysis: Product Description Guide (Stage 2)

Read →

Ready to put this into practice?