How to Pass an Unannounced Audit for FDA Food Safety

Mary Hoffman
Sr. Director of Food Safety

An unannounced audit can send an entire food manufacturing facility into panic mode — but your plant doesn’t have to be one of them. In our recent webinar, Mastering the Unannounced Regulatory Inspection, Mary Hoffman, Senior Director of Food Safety at TAG, provides insights on how to pass an unannounced audit based on her 20 years of experience in the food industry and Master’s degree in Agriculture and Life Sciences with an emphasis in Food Safety and Biosecurity.

In this blog, we walk you through the major pitfalls of each step of an unannounced audit, and how to use your FSMA Audit Checklist and other tools to ensure your team is always prepared for the unexpected.

Table of Contents

Regulatory inspection procedure

Inspector arrival

The very first person your investigator will interact with — likely security or reception — needs to be primed to respond in an organized way. Creating a cheat sheet for your front-line personnel can help to ensure the check-in process goes as smoothly as possible.

For starters, who should they be on the lookout for? Some investigators may be easier to spot than others. For example, FDA investigators who are active-duty officers within the Commissioned Corps of the U.S. Public Health Service (USPHS) are required to be in uniform when on duty. However, other FDA agents, state agencies, and local agencies may not be as easily identifiable.

The USPHS uniform is one potential indicator that an auditor may be on the premises.

Once an investigator has made his or her presence known, front-line personnel should request to see official credentials and then proceed to conduct normal visitor protocols. Often, these protocols include company-mandated requirements to sign documents, such as safety requirements. Front-line personnel should be advised that it is highly likely that investigators will refuse to sign plant-required documentation. If that happens, front-line workers should be prepared with directions that specify what to do, such as making a note that the auditor was briefed on company policies and refused to sign.

There should also be a list of personnel to notify when an auditor is identified, and a plan for someone specific to escort the investigator to a conference room that can be used throughout the duration of the inspection.

Open meeting

The opening meeting sets the groundwork for the auditor to explain why they are at the plant and what their goals are. Designate a cross-functional site leadership representation to be present at the opening meeting. There should be a welcome letter.

Once escorted to the conference room, it is good practice to present the investigator with a “Dear Investigator” welcome letter. The welcome letter should provide a general overview of the facility, processes, and products, as well as company policies such as GMPs, health/safety expectations while in the production area, required escort policy, document sharing and confidentiality, and photographs.

During the opening meeting, the investigator will begin by distributing a Form 482 which outlines the purpose of the site visit. The investigator will explain the purpose of the visit, which could be routine or for a specific reason, such as customer complaints, reports of foodborne illness, or test results.  

The investigator will also confirm that the facility is subject to FDA regulation and a workload obligation, and ask additional questions to ascertain hours of operation, sanitation schedules, and what operations will occur while they are in the facility. Additional questions/discussions may be asked, but generally, the investigator will aim to keep the opening meeting as brief as possible to move on to the walk-through.

Walk-through and inspection

Both the opening meeting and the walk-through will be used to assess which products will be covered during the inspection, generally going with the highest-risk products and/or processes.  Effective management of the inspection process involves understanding and complying with specific regulations and program requirements, including those related to food safety plans, hazard analysis, preventive controls, and sanitation.

During the inspection, swabs may be taken at any time. While an environmental monitoring program is not necessarily a requirement, preparing for swabs during a surprise investigation is strongly recommended. An effective environmental monitoring program tests for food safety risks (especially the major risks to most organizations: salmonella and listeria), trains employees to clean the right way, and, importantly, teaches them why certain procedures are required to promote a strong food safety culture.

Conducting intermittent, mock regulatory inspections can help you identify potential problem areas and correct them before an auditor shows up for an unannounced audit. As part of your self-assessment, use a sample FSMA Audit Checklist to create your personalized checklist and to guide your internal audit.

Document review

Know what is required for your document review, particularly when it comes to regulations that are specific to your industry, program requirements, implementation records, and training records.

Major pain points often involve improper record documentation, particularly failures to provide the following:

  • Quick access to specific records with evidence of real-time data control

  • Differentiated monitoring, verification, and validation records data

  • Detailed history of required records

Quick access to specific records with evidence of real-time data control

Know what records will be required. This could include records that support compliance with the Preventative Controls for Human Food Rule, Internal Adulteration Rule, CAPA records, and customer complaints (with a focus on follow-up and preventative controls for customer complaints). If a risk assessment is required, it is also required to have a written hazard analysis.

Keep your records organized and legible. Records do not have to be printed; electronic records are sufficient and, when used with record management software, can be a great help with accessing requested records quickly.

Another perk of keeping digital records is that they can help limit the information provided to food safety records. In practice, food safety and quality records are often compiled together out of convenience, but a regulatory inspection is primarily concerned with food safety. Software that automatically tags data by category can separate irrelevant information, which can help the document review proceed quickly and efficiently.

Additionally, a common mistake is employees providing records that are automatically prefilled. This is not allowed. Software that provides real-time data control showing that staff cannot prefill forms/records helps auditors quickly verify that records are compiled in accordance with FDA regulations.

Records meet minimum retention requirements

Each regulation has its own, clearly specified record retention requirements. For example, the Preventative Controls for Human Food Rule and the Internal Adulteration Rule both require records to be stored for at least two years after they were prepared.

This circles back to knowing what is required for your specific industry, products, and practices. Here are some important record retention requirements. Records must be kept for at least the amount of time specified.

  • Food Defense — 2 years

  • Preventive Controls for Human Food — 2 years

  • Food Allergen Labeling and Consumer Protection Act — 2 years

  • Acidified Foods and Low-Acid Canned Foods — 3 years

  • Current Good Manufacturing Practice for Foods — 2 years

  • Produce Safety Rule — 2 years

  • Foreign Supplier Verification Programs — 2 years

  • Sanitary Transportation of Human and Animal Food — 1 year

  • Hazard Analysis and Critical Control Points for Seafood and Juice — 1 year for refrigerated products and 2 years for frozen, preserved, or shelf-stable products

  • Dietary Supplement Current Good Manufacturing Practices (CGMP) — 1 year after shelf-life date or 2 years beyond the date of distribution of the last batch

  • Infant Formula CGMP and Quality Control Procedures — 1 year after product expiration date

Differentiated monitoring, validation, and verification records data

A common mistake is not supplying the correct records data when requested, typically based on a lack of understanding of the differences between monitoring, validation, and verification.

Validation asks, “Will it work?” This is typically a scientific study that provides data showing that you can control for pathogens given some procedure, e.g. cooking at a certain temperature. Monitoring and verification both ask “Is it working?” — but monitoring is continuous observations, whereas verification is a periodic assessment. An example of monitoring would be to regularly check refrigeration temperatures, whereas an example of verification could be a sanitation inspection.

Closing out the visit

Conduct a closing meeting with inspectors to obtain feedback, request inspection reports, and respond to any observations or issues identified during the inspection.

When possible, you can (and should) correct any issues during the inspection itself. When that’s not possible, follow-up within a timely manner, typically within a few days to two weeks. This is both for issues identified on the 483 and even for issues that may have been mentioned but not noted officially on the form, because if the auditor returns and the same issue is present, it could negatively impact the audit.

Use any negative feedback as an opportunity to strengthen your food safety culture and better prepare your company to improve future audits.

Final words of advice for passing an unannounced audit

Passing an unannounced audit can be easy if the right measures are taken beforehand to ensure success.

  • Start strong by having a procedure for front-line personnel to notify, check credentials, notify relevant leadership, and get the auditor to a comfortable workspace to begin the opening meeting.

  • Know what records are required for your business, keep them organized and legible, and make sure they meet the minimum retention requirements.

  • Review the most recent inspection reports and verify that your company has followed up and corrected the issues, in addition to taking preventative measures to reduce recurrence.

  • Establish an environmental monitoring program using a FSMA audit checklist that is specific to the requirements of your business, and conduct mock regulatory inspections regularly.


Discover more ways to streamline food and beverage plant management.