Strategy, Legal & Operations

Surviving an audit under the new FSMA

The dreaded audit. It’s not a matter of if, but when. The Food Safety Modernization Act (FSMA) mandates an inspection frequency for food manufacturers, and based on risk, the audits could be an frequent as every three years. What steps must you take now to ensure your company is able to prove its compliance and pass an audit? In this, the final in our four-part series highlighting the effects of the FSMA on food manufacturers, we’ll touch on what the FDA will be looking for during an FSMA audit, and highlight what is required of you to meet those requirements.

Make a plan and work the plan

The FSMA requires you to maintain an active, written preventive control plan, and gives the FDA a mandate to perform regular audits to ensure that you have one and are following it.

Once you have a plan in place, you must actively oversee and manage that plan, and be able to prove you are doing so. The oversight and management of your preventive control plan involves three steps: monitoring, corrective actions, and verification. In all likelihood, you’re already performing this type of due diligence, but you may not be maintaining the records that an FDA auditor will require of you to prove your compliance. Below we briefly outline the three steps and call out the detailed record keeping that may be required for compliance with each. 


Companies must be able to prove that your preventive controls are consistently performed. Examples of this would be regularly measuring and recording the results of various tests for pathogens, tracking and monitoring temperatures, and written verification that each of your suppliers are also following the rules.

Effectively meeting this requirement will require policies, procedures, and technologies that disallow untested product into the supply chain, and can capture and archive the results of your testing efforts.

Corrections and corrective actions

Corrections are steps taken to timely identify and correct a minor, isolated problem occurring during food production, and corrective actions are the actions to reduce the likelihood the problem will recur, evaluate affected food for safety, and prevent it from entering the food chain. Corrections and corrective actions might be initiated internally, when a potential production problem is detected, for example, or might be launched as a result of a customer complaint.

Both corrections and corrective actions must be documented with detailed historical records, including dates, products, affected customers, and results.

Your ability to initiate, communicate, and complete a recall falls under this section of the rules. In all likelihood, an FDA auditor will ask you to perform a mock recall to prove your company’s capabilities.

A successful recall requires you to forward and backward trace your products and the ingredients that comprise them and produce documentation detailing the path affected products have traveled.


Verification is required to ensure that your preventive controls are consistently implemented and effective. Such verification might include validating (with scientific evidence) that a certain preventive control is capable of effectively controlling an identified hazard, routinely the calibrating testing instruments, and regularly reviewing records to verify that monitoring and any necessary corrective actions are being conducted.

The results of your verification efforts must be readily available during an audit. All your other efforts may go unrewarded if you are not able to demonstrate that your monitoring and corrective actions are effective. You’ll need rigorous bookkeeping to ensure equipment is tested regularly and a way to record and track your results.

Preparing for such an audit can be a major undertaking for organizations that have not incorporated prevention as part of their processes, workflows, and culture. A modern business management solution designed for the food industry will help your company rise to the challenges brought on by the FSMA and ensure you are doing all that is required of you to protect your customers and your company – and remain in compliance.

Special thanks to our partners at NexTec Group for contributing to this series.