Title 21

SECTION 1.652

1.652 What must an accredited third-party certification body include in food safety audit reports

§ 1.652 What must an accredited third-party certification body include in food safety audit reports?

(a) Consultative audits. An accredited third-party certification body must prepare a report of a consultative audit not later than 45 days after completing such audit and must provide a copy of such report to the eligible entity and must maintain such report under § 1.658, subject to FDA access in accordance with the requirements of section 414 of the FD&C Act. A consultative audit report must include:

(1) The identity of the site or location where the consultative audit was conducted, including:

(i) The name, address and the FDA Establishment Identifier of the facility subject to the consultative audit and a unique facility identifier, if designated by FDA; and

(ii) Where applicable, the FDA registration number assigned to the facility under subpart H of this part;

(2) The identity of the eligible entity, if different from the facility, including the name, address, the FDA Establishment Identifier and unique facility identifier, if designated by FDA, and, where applicable, registration number under subpart H of this part;

(3) The name(s) and telephone number(s) of the person(s) responsible for compliance with the applicable food safety requirements of the FD&C Act and FDA regulations

(4) The dates and scope of the consultative audit;

(5) The process(es) and food(s) observed during such consultative audit; and

(6) Any deficiencies observed that relate to or may influence a determination of compliance with the applicable food safety requirements of the FD&C Act and FDA regulations that require corrective action, the corrective action plan, and the date on which such corrective actions were completed. Such consultative audit report must be maintained as a record under § 1.658 and must be made available to FDA in accordance with section 414 of the FD&C Act.

(b) Regulatory audits. An accredited third-party certification body must, no later than 45 days after completing a regulatory audit, prepare and submit electronically, in English, to FDA and to its recognized accreditation body (or, in the case of direct accreditation, only to FDA) and must provide to the eligible entity a report of such regulatory audit that includes the following information:

(1) The identity of the site or location where the regulatory audit was conducted, including:

(i) The name, address, and FDA Establishment Identifier of the facility subject to the regulatory audit and a unique facility identifier, if designated by FDA; and

(ii) Where applicable, the FDA registration number assigned to the facility under subpart H of this part;

(2) The identity of the eligible entity, if different from the facility, including the name, address, FDA Establishment Identifier, and unique facility identifier, if designated by FDA, and, where applicable, registration number under subpart H of this part;

(3) The dates and scope of the regulatory audit;

(4) The process(es) and food(s) observed during such regulatory audit;

(5) The name(s) and telephone number(s) of the person(s) responsible for the facility's compliance with the applicable food safety requirements of the FD&C Act and FDA regulations;

(6) Any deficiencies observed during the regulatory audit that present a reasonable probability that the use of or exposure to a violative product:

(i) Will cause serious adverse health consequences or death to humans and animals; or

(ii) May cause temporary or medically reversible adverse health consequences or where the probability of serious adverse health consequences or death to humans or animals is remote;

(7) The corrective action plan for addressing each deficiency identified under paragraph (b)(6) of this section, unless corrective action was implemented immediately and verified onsite by the accredited third-party certification body (or its audit agent, where applicable);

(8) Whether any sampling and laboratory analysis (e.g., under a microbiological sampling plan) is performed in or used by the facility; and

(9) Whether the eligible entity has made significant changes to the facility, its process(es), or food products during the 2 years preceding the regulatory audit.

(c) Submission of regulatory audit report. An accredited third-party certification body must submit a completed regulatory audit report as required by paragraph (b) of this section, regardless of whether the certification body issued a food or facility certification to the eligible entity.

(d) Notice and appeals of adverse regulatory audit results. An accredited third-party certification body must notify an eligible entity of a denial of certification and must establish and implement written procedures for receiving and addressing appeals from eligible entities challenging such adverse regulatory audit results and for investigating and deciding on appeals in a fair and meaningful manner. The appeals procedures must provide similar protections to those offered by FDA under §§ 1.692 and 1.693, including requirements to:

(1) Make the appeals procedures publicly available;

(2) Use competent persons, who may or may not be external to the accredited third-party certification body, who are free from bias or prejudice and have not participated in the certification decision or be subordinate to a person who has participated in the certification decision, to investigate and decide appeals;

(3) Advise the eligible entity of the final decision on its appeal; and

(4) Maintain records under § 1.658 of the appeal, the final decision, and the basis for such decision.