Integrity Program for Auditors
I. Executive Summery of the IFS Integrity Program
IFS Integrity Program
The IFS Integrity Program, launched in early 2010, includes different measures to assure the quality of the IFS certification schemes by reviewing audit reports of certified companies and by several measures to analyse and improve the work of certification bodies and auditors.
The IFS Integrity Program strengthens the reliability of the IFS schemes by checking the implementation of the IFS standards in practice.
The main procedures of IFS Integrity Program are described in the Annex 4 of the framework agreement; these procedures have been developed in regular meetings of the IFS Quality Assurance Working Group composed of international members. The Annex 4 of the framework agreement has to be signed by all certification bodies having a contract with IFS Management GmbH. Auditors performing IFS audits have to accept the IFS Integrity Program procedures to assure a qualitative performance of IFS audits. Certification bodies are obliged to inform their customers applying for an IFS audit certificate about the content of the Annex 4 of the framework agreement in current version. The IFS Integrity Program mainly works on the following activities:
I.1 Complaint management
A detailed complaint management process analyses all necessary information. Retailers or any other interested parties have the right to forward any possible complaint issue to IFS for investigation as part of the Integrity Program. The respective information can be forwarded by e-mail via
Based on the complaint reason the Integrity on-site Checks will mainly be performed unannounced (announcement 30 minutes before start of the Integrity on-site Check). In some special cases Integrity on-site Checks might also be performed announced (announcement in general about 48 hours before).
I.2 Risk based approach and monitoring of IFS Quality Assurance
Quality Assurance activities of IFS Integrity Program monitor the entire IFS system by different tools:
In order to care for correct implementation of all procedures described in IFS standards and respective regulative documents IFS Integrity Program carries out regularly office audits at certification bodies (Integrity CB Office Audits). During these Integrity CB Office Audits work performance of IFS approved auditors and of certification bodies is checked by means of several report examples and database analyses. If during these Integrity CB Office Audits special topics have to be clarified, this could also lead to Integrity Witness Audits of IFS approved auditors or to Integrity on-site Checks at companies certified by the respective certification body.
Additionally — taking into account a risk based approach — reports of certified companies are analysed and read by IFS Quality Assurance Management staff. For the risk based approach different criteria have been defined by IFS Quality Assurance Working Group. These analyses are an ongoing monitoring procedure of IFS Quality Assurance Management taking into account both economic criteria (e.g. number of issued certificates in certain countries) or quality criteria (e.g. audit results, audit times etc.). As described before, Integrity on-site Checks will mainly be performed unannounced and in some special cases (depending on the case and the topic to be clarified) might also be performed announced. Integrity Witness Audits of IFS approved auditors may also be based on this risk based approach analysis of IFS Quality Assurance Management.
General comment for section I.1 and I.2:
Companies having a valid IFS certificate have to accept an unannounced/announced Integrity on-site Check and to give access and support to the commissioned Integrity auditor. The acceptance of the IFS Integrity Program is part of the regulations of all IFS standards. Also witnessing IFS approved auditors from certification bodies by commissioned Integrity auditors during regular IFS audits has to be accepted.
Integrity on-site Checks or Integrity Witness Audits and also Integrity CB Office Audits carried out as part of the Integrity Program are conducted by Integrity auditors employed at or commissioned by IFS Management GmbH. Integrity auditors are completely independent of the auditees and the IFS certification bodies.
I.3 Sanctions
If, following a complaint or following the risk based approach / monitoring quality assurance actions, the cause of a deficiency has been found to be the fault of a certification body and / or an auditor, IFS will forward all necessary information anonymously to an independent sanction committee. The sanction committee, which is made up of a lawyer and participants from industry, retailers and certification bodies, shall make a decision on whether a breach exists and on its severity.
Topics concerning administrative faults of certification bodies based on database investigations can be directly assessed by the IFS Quality Assurance Management, but have to be confirmed by the chairman (lawyer) of the sanction committee. Sanctions and/ or penalties will be issued to the certification body and/or its auditors if the sanction committee concludes that a breach has been committed. The type of sanction and/ or penalty depends on the severity of breach (see chapter II. 3 and II.5). In connection with each finally decided breach a certification body and /or an auditor may get a certain amount of “negative points”. These “negative points” are summarized, but the period of limitation is 2 years (rolling system). Only in very severe cases certification bodies or auditors might be suspended for a certain time frame or contracts might be cancelled. In general the target of IFS Integrity Program activities is to improve the performance of certification bodies and/or auditors by requesting corrective actions like attending at further trainings in case of decided breaches.
IFS Management informs the appropriate accreditation body if a breach for a certification body and / or for an auditor has been decided.
All these procedures concerning breaches, penalties and “negative points” are laid down in the Annex 4 of the framework agreement between IFS and each certification body.
II. Detailed Information about Integrity Program Procedures for Auditors
II.1 Integrity on-site Checks
IFS MANAGEMENT may conduct so-called Integrity on-site Checks, which are performed at IFS certified companies.
IFS MANAGEMENT shall in general ensure that the auditor in charge of the Integrity on-site Check has the technical and language skills (or that an interpreter is present) to conduct the relevant Check. In special cases the Integrity on-site Check might be carried out in English; such special cases will be considered due to the topics to be checked and taking the company involved into consideration. In addition, IFS MANAGEMENT shall guarantee the economic and personal independence of the auditor by ensuring prior to each Integrity on-site Check that the auditor has not had any economic relationship with the organization 2 years prior to the Integrity on-site Check, and that the auditor undertakes not to enter into an economic relationship with the organization for a period of 4 years following the Integrity on-site Check. Furthermore, the auditor shall sign a declaration of independence and confidentiality with IFS MANAGEMENT.
In general Integrity on-site Checks are performed unannounced. The decision of the duration of the Integrity on-site Check is up to IFS Quality Assurance Management.
If IFS MANAGEMENT decides, that based on the issue to be investigated (e.g. received complaints; special topics to be clarified with the need to have certain company´s representatives available) an announced Integrity on-site Check is necessary, IFS MANAGEMENT will apply an announcement procedure as follows:
Depending on the case and the topic to be clarified IFS MANAGEMENT may notify the certification body that is subject to the complaint and/ or the certified organization (by email and/ or fax using the contact details stored in the IFS database) 0-48 hours prior to the date of the Integrity on-site Check that an Integrity on-site Check will be conducted. In case IFS MANAGEMENT decides to notify the certification body as well as the certified company, IFS MANAGEMENT has to notify both parties at the same time prior to the date of the Integrity on-site Check. The certification body has the possibility to attend the Integrity on-site Check as observer.
If the certification body gets notified by IFS MANAGEMENT about the planned Integrity on-site Check, it is prohibited for the certification body to contact the certified company howsoever (also not through third parties). In the case the certified company contacts the certification body it is prohibited to give information concerning the upcoming Integrity on-site Check.
Integrity on-site Checks can be organized based on a complaint or can be planned by IFS Quality Assurance on a risk based approach.
The risk based approach may take into account the following topics:
a) With respect to companies to be checked risk factors to be taken into account may be:
Seasonal processes, production of “high risk products”, scope of the audit with product exclusions, outsourcing activities, company´s certification history, recalls, public notifications, special current food safety issues, identified non-conformities and other IFS Management indicators, etc.
b) With respect to auditors risk factors to be taken into account may be:
Reduction of audit duration in comparison with standard calculation rules, observations concerning final audit score or rating of standard requirements in the report, performance of auditors (e.g. based on already received breaches, results of Integrity CB Office Audits or Integrity on-site Checks, hints from received complaints), etc.
II.2 Integrity Witness Audits
Integrity Witness Audits are IFS audits, whereby a regular IFS certification audit is attended by a witness auditor employed or commissioned by IFS MANAGEMENT. The aim is to examine the work of the auditor in an audit situation by observing the auditor’s method and assessments of the IFS requirements. Such audits are performed on the basis of an IFS checklist. The result of the Integrity Witness Audit is primarily based on the comparison between the assessments of the auditor and of the observing witness auditor. IFS MANAGEMENT and certification body agree on the date and the company where the Integrity Witness Audit shall take place.
Integrity Witness Audits may be based on a complaint received by IFS Quality Assurance for an auditor or internal investigations of IFS Quality Assurance.
Additional Integrity Witness Audits may be conducted when a penalty has been imposed against an IFS auditor. The main focus of this Integrity Witness Audit is then to ensure that the problem which led to the penalty has been rectified. A positive outcome results in the confirmation of the auditor approval for IFS audits.
Information about these Integrity Witness Audits will be forwarded to the certification body responsible for this audit and to the respective accreditation body. Reports of positive Integrity Witness Audits may also be used as one of the evidences requested by standard schemes to maintain ongoing IFS auditor approval. In case of deviations notified by observing the auditor’s method and assessments of the IFS requirements, the certification body has to define corrective actions. In case severe lacks are noticed in auditor´s performance (e.g. not noticing that product safety is in danger, that a breach of law occurs or customer requirements are not fulfilled), IFS MANAGEMENT will send this case to the sanction committee for final decision about a breach for the auditor.
II.3 Sanction Committee
The sanction committee consists of the following pool of people: a chairman (a lawyer), representatives from the retail sector, representatives from industry as well as representatives from certification bodies (without voting rights). If necessary, further guest participants (e.g. experts from accreditation bodies) can support the committee in technical questions; however, they do not have any voting rights. Each case will be assessed by 4 committee members (case team). These include the committee chairman and 1 representative each from retail, industry and certification bodies. The selection of each respective case team is performed by IFS MANAGEMENT using a random, rotational selection process and taking into account language issues of the documents to be investigated. IFS MANAGEMENT checks and ensures that the selected members are not dependent, whether directly or indirectly, on the organizations involved in the case. This means that members are not selected for a special case if they, e.g. have been involved as stakeholders in the complaint connected with this case or if there might be any connection known by IFS MANAGEMENT with respect to the involved certification body, auditor or company. Anyhow, cases sent to the case team of the sanction committee are made anonymous; so the members of the sanction committee will only have to decide about the topic.
The case team is responsible for deciding whether or not a Level 1 or Level 2 breach has occurred and for determining the level of breach. The case is only decided by the chairman and the representatives from retail and industry, as the representative from the certification body merely provides technical input and has no voting rights. The case team convenes once IFS MANAGEMENT has collected all the information required for the assessment of a case and has found conclusive evidence that an auditor and/ or a certification body might be in breach of the contract requirements or the relevant requirements of the IFS.
The case team additionally decides how much “negative points” are associated with the determined level of the breach according to the following system:
A Level 1 breach can be assessed with 15 or 20 “negative points” depending on the case.
A Level 2 breach can be assessed with 4 or 6 “negative points” depending on the case.
If breaches for auditors are decided the case team will additionally define, if applicable, the penalty for the auditor listed for the respective breach in connection with the assessed points (see chapter II. 5, Table II.5)
Note:
All “negative points” assessed for auditors will be summarized. For all summarized “negative points” the period of limitation will be 2 years (see chapter II.6)
In case a further Level 2 breach for the same auditor regarding the same issue within the 2 years period of limitation will be assessed, this will lead independent of the issue to an assessment with 6 “negative points”.
II. 3 (1) Decision by the sanction committee:
a) If a fault of an auditor is likely to have occurred, all relevant information shall be made accessible to the members of the sanction committee in an anonymous way in a protected area of the database. The sanction committee strives to decide within 4 weeks after the data has been made available whether a breach has been committed, what level of breach (Level 1 or Level 2) has occurred and how much “negative points” are associated with this breach (in case of breaches for auditors also the penalty to be applied).
Once the sanction committee has informed IFS MANAGEMENT of its decision, IFS MANAGEMENT shall check whether the auditor concerned has already got a certain amount of “negative points” and will inform the certification body and/ or the auditor about the status quo of “negative points”. Additionally based on the assessed level of breach and the connected “negative points” IFS MANAGEMENT will inform the certification body and/or the auditor about the imposed penalties. If a breach has been decided directly for an auditor IFS Management will inform all respective certification bodies, the auditor is working for, about the obligations and/or penalties for the respective auditor and about the assessed “negative points” connected with this breach.
II. 3 (2) Levels of Breaches for auditors
There are two levels of breaches which an auditor might commit in the course of performing an IFS audit.
Topics, which are likely to result in a Level 1 or Level 2 breach, are forwarded to the sanction committee.
All examples mentioned below for the different levels of breaches are not exclusive, further topics can be also decided as breach Level 1 or 2 breach depending on the case.
II. 3 (2) a) Level 1
Non-acceptable performance which calls into question the overall competence of the auditor: breach of contract requirements and/or IFS requirements which generally put product safety at risk and/or results in a breach of law. Relevant is only such law which is associated with the IFS certifications. A Level 1 breach can also be decided if there is objective evidence that an auditor committed a fraud.
Examples for Level 1 breaches for auditors
Severe error of an auditor when auditing a company, which puts product safety at risk and/ or leads to a breach of law.
The auditor provides incorrect information/ ratings in the audit report, which puts product safety at risk and/or results in a breach of law.
An audit was conducted by an auditor not having a current IFS approval at the time of the audit and also not being in the last step of the “IFS auditor in progress” process. The evaluation of the not approved auditor for the respective IFS standard put product safety at risk and/ or led to a breach of law.
The auditor mentioned in the audit report dates and times, but it is evident that he/ she was not at this site at the mentioned dates and times. There is objective evidence available that the wrong dates and times were notified in the audit report on purpose and that this is a fraud issue.
The auditor mentioned in the scope of the audit products, which demonstrably were not produced at the time of the audit. This incorrect audit put product safety at risk and/or led to a breach of law.
The auditor systematically informs in case of unannounced audits the respective company/ies before the audit date about the exact audit date or about a certain audit date timeframe, which is less than the time frame defined for unannounced audits in respective IFS regulations.
All examples mentioned above are not exclusive, further topics which generally put product safety at risk and/or result in a breach of law or are based on a fraud issue can be also decided by the sanction committee as a Level 1 breach and can be assessed with 15 or 20 “negative points” depending on the case.
II. 3 (2) b) Level 2
Very poor performance of an auditor, requiring immediate and radical improvement measures: Incorrect behavior during an audit and/or breach of IFS rules in view of the required procedures of the certification process, which does not generally put product safety at risk and/or does not result in a breach of law. Relevant is only such law which is associated with the IFS certifications.
Examples for Level 2 breaches for auditors
The auditor provides incorrect information in the audit report not relating to product safety.
An auditor conducted an audit as lead auditor without any further co-auditor (or expert if this might be allowed according to current IFS rules) and did not have the scope approval for the product scope/s of the company. Additionally even if this auditor would apply for the missing scope/s approval at IFS office he/ she would not get the approval due to missing work or audit experience. This performance of the audit as not approved IFS auditor for the respective scope/s did not put product safety at risk and/or led to a breach of law.
An audit was conducted by an auditor (alone or in an audit team) not having the product scope/s and/or technical scope/s approval required to perform the audit. The missing product scope/s or technology scope/s is/are required to guarantee a qualitative and comprehensive audit of the company, but this audit performance did not put product safety at risk.
An audit was conducted by an auditor not having a current IFS approval for a certain standard at the time of the audit, but the auditor is already an approved IFS auditor for at least one IFS standard. This performance of the audit as not approved IFS auditor for the respective IFS standard did not put product safety at risk.
Indications in the CV of an auditor are demonstrably not correct.
The auditor mentioned in the audit report audit durations at certain audit days, but it is evident that these audit durations are wrong. There is objective evidence available, that the wrong audit durations were notified in the audit report on purpose and not just as a typing mistake.
In an individual case the auditor informs a company in case of an unannounced audit before the audit date about the exact audit date or about a certain audit date timeframe, which is less than the time frame defined for unannounced audits in respective IFS regulations.
An auditor is completely missing the requested regular training in accordance with IFS regulations and according to the rules defined in the IFS standards.
All examples mentioned above are not exclusive, further topics which show very poor performance of an auditor requiring immediate and radical improvement measures can be also decided by the sanction committee as a Level 2 breach and can be assessed with 4 or 6 “negative points” depending on the case.
II. 4 Definitions
IFS: All standards marketed by IFS MANAGEMENT under the brand of “International Featured Standards”.
II. 5 Penalties for auditors
Penalties for auditors will not be monetary penalties but demands to take part at internal trainings at the respective certification body responsible for the involved audit or to take part at courses organized by IFS or to get an Integrity Witness Audit (see Table II.5 below).
Note:
Breaches and “negative points” for auditors are individual-related and are independent from the certification body the auditor is connected to.
Within the period of limitation of 2 years all “negative points” assessed for an auditor will be summarized and if within 2 years in summary 20 “negative points” are reached, then this will lead to the same consequences as described below when reaching 20 “negative points” due to a Level 1 breach (suspension for 3 months).
Table II. 5
Level of breach and connected “negative points”
Obligations and/or penalties for the auditor
Level 2 breach (4 “negative points”)
Attendance at an internal CB training within 3 weeks from receipt of the letter with the decision about a breach.
Level 2 breach (6 “negative points”)
Attendance at an internal CB training within 3 weeks from receipt of the letter with the decision about a breach.
Demand to fulfill one of the following obligations (depending on the topic, which led to the assessment of this Level 2 breach); the obligation will be decided by the sanction committee:
To take part in an IFS training course (the kind of course to be defined by the sanction committee based on the topic leading to the breach) within 1 year after the decision date of the sanction committee about the breach.
To pass an Integrity Witness Audit to be planned within 1 year after the decision date of the sanction committee about the breach (procedure as described for Integrity Witness Audits in chapter III of this Annex).
Level 1 breach
(15 “negative points”)
Attendance at an internal CB training within 3 weeks from receipt of the letter with the decision about a breach.
Demand to fulfill both of the following obligations:
To take part in an IFS training course (the kind of course to be defined by the sanction committee based on the topic leading to the breach) within 1 year after the decision date of the sanction committee about the breach.
To pass an Integrity Witness Audit to be planned within next 3 months after the decision date of the sanction committee about the breach (procedure as described for Integrity Witness Audits in chapter III of this Annex).
Level 1 breach
(20 “negative points”)
Suspension for 3 months
Demand to take part in an IFS training course (kind of course to be defined by the sanction committee based on the topic leading to the breach) within this time frame of 3 months
Integrity Witness Audit has to be planned and to be passed for one of the first 3 IFS audits of this auditor after suspension (procedure as described for Integrity Witness Audits in chapter III of this Annex).
If an auditor gets a Level 1 breach within 2 years after his/ her first suspension the termination of his approval as IFS auditor will be announced and he will have to pass again the written and oral examination as for initial approval.
If an internal training has to be carried out for the auditor the respective certification body responsible for the involved audit has to send evidences for the trainings to IFS Quality Assurance within 3 weeks from receipt of the letter with the decision about a breach.
In general the costs concerning Integrity on-site Checks, Integrity Witness Audits, training courses organized by IFS the auditor is obliged to take part in or sanction committee costs, if they have been occurred for the case or will be necessary due to the penalties, have to be paid by the respective certification body responsible for the involved audit.
Note:
For non-exlusive auditors it is defined in chapter 6.3 of the General terms and licensing conditions of IFS Management GmbH ("IFS Management") for "IFS Auditors" that in case of re-registration after a suspension the non-exclusive Auditor undertakes and accepts that he/she has to bear the costs for the IFS training course as well as the Integrity Witness Audit.
II. 6 Period of limitation
The period of limitation for previously committed breaches and the assessed “negative points” is 2 years for auditors.
Example 1:
Breach assessed 10.05.2018
Period of limitation (2 years) for this breach starts 10.05.2018
No further breach assessed until 10.05.2020 -> breach and linked “negative points” lapse
Example 2:
Breach assessed 10.05.2018
Period of limitation (2 years) for this breach starts 10.05.2018
Further breach assessed on 15.10.2018 -> 2 breaches and the linked “negative points” in summary
Further breach assessed on 06.07.2019 -> 3 breaches and the linked “negative points” in summary
No further breach assessed until 10.05.2020 -> 1st breach and linked “negative points” lapse, but 2nd and 3rd breach and the linked “negative points” in summary remain.
Issue Date: January 2018
