Blog
Guides 4 min read

Checklist: how to prepare the Food Defense part of your audit

What the auditor looks for in Food Defense (IFS 4.21, BRCGS 4.2) in a block-by-block checklist, with the most common findings and how to avoid them.

Documentation and audit checklist on a table

Anyone who has passed an audit knows it: the Food Defense part almost never fails due to lack of plan, it fails due to evidence. The plan exists, of course, but the latest version is on the quality computer, the visit log is a folder in the door with half-signed signatures and the access control for the night shift lives in an Excel that no one has opened since March. None of this means the plant is unsafe; It means that the evidence is not where it should be when they ask for it.

And they ask for it more and more. IFS Food v8 dedicates clause 4.21 to Food Defense, BRCGS Issue 9 includes it in 4.2 within site security, and FSSC 22000 adds its own requirements with the TACCP and VACCP evaluations. This checklist is designed so that you arrive at that part of the audit with your homework done.

What exactly does the auditor look at?

Beyond the writing of each standard, the auditor looks for the same thing: that the plan exists, that it is alive and that it is complied with in the plant. And since Regulation (EU) 2021/382 introduced food safety culture in Regulation (EC) 852/2004, you want to see staff buy into it too. Specifically, it will review:

  • Food Defense Plan documented, updated and with a person in charge with name and surname.
  • Threat and vulnerability assessment (TACCP) reviewed after changes in layout, processes or personnel.
  • Real access control: critical doors closed, keys and cards under control.
  • Management of visits and contractors with complete registration and support.
  • Critical areas identified and marked: water tanks, silos, chemicals, technical rooms.
  • Training of personnel in Food Defense, with attendance records.
  • A documented annual drill or review of the plan.

The checklist, block by block

Review it a week or two before the audit, not the day before. Each point should be answered with a yes and evidence.

  • Documentation: signed and dated plan, up-to-date TACCP, history of reviews and incidents.
  • Access and perimeter: full fencing, controlled exterior doors, updated list of keys and cards, operating and recording cameras.
  • Staff and visitors: check-in and check-out without gaps, visitors always accompanied in critical areas, reception that includes Food Defense.
  • Reception and docks: carriers by appointment, seals verified and noted at reception, docks never open without supervision.
  • Incident response: procedure for suspicious manipulation, defined chain of warnings, record of the last drill and its conclusions.

The three most common findings

The first is the outdated plan: it was written for the previous certification based on a generic template and does not reflect either the current layout or the actual shifts. This is avoided by reviewing it after each relevant change, not just on the date marked on the calendar.

The second, the incomplete visitor log: blank departure times, missing signatures, contractors who entered for a moment without registering. It is avoided by turning registration into a mandatory access step, not a favor that is asked of the visitor.

And the third, training without evidence. The staff knows what to do when faced with a stranger on the floor, but there is no record of the session where it was explained. The golden rule of any audit applies here: if it is not written, it has not passed.

The golden tip: gather evidence before they ask for it

What burns the most time in an audit is not what is missing, but what is scattered: the paper accesses at the concierge, the training in a human resources Excel, the photos of the seals on the mobile phones of three different people. When the auditor asks how Pier 2 was checked on a particular Tuesday, every minute of searching detracts from the credibility of the entire system. Assemble a single Food Defense dossier with evidence from the last year and try to recover any record in less than a minute.

Where to start

If you don't have a plan yet, or yours needs an update, there's a free IFS Food v8-aligned Food Defense plan template on the SentyHub templates page, ready to adapt to your facility.

And if your problem is scattered evidence, it is exactly what SentyHub solves: accesses, visits, dock appointments, forms and notices are recorded on a single platform, and with VideoProof each control has its associated video. When the day comes, the dossier for the auditor is exported in seconds, not in afternoons from folder to folder.