BRC Issue 9 Section 2 Audit Preparation Checklist

Section 2 of BRC Global Standard for Food Safety Issue 9 is a fundamental requirement. Any non-conformance against a fundamental clause results in a major at minimum — and a major against Section 2 can mean the difference between Grade A and a failed audit. This checklist walks through every clause an auditor will assess, what evidence they expect to see, and where most sites get caught out.

Use this before your next audit — whether announced or unannounced. Work through it with your HACCP team, not alone at your desk. The gaps you find now are the ones you can fix. The ones the auditor finds are the ones that cost you.

Clause 2.1 — The HACCP Team

What the standard requires: A multi-disciplinary HACCP team with a designated team leader who has in-depth knowledge of HACCP principles (Codex CXC 1-1969). The team must include people with practical knowledge of the products, processes, and associated hazards. Where in-house expertise is insufficient, external expertise may be used — but the knowledge must be demonstrably transferred to the team.

Evidence to have ready:

• A current, named HACCP team list with job titles and roles within the team
• Training records for every team member — not just attendance certificates but evidence of competence. Auditors increasingly ask team members direct questions about hazard analysis methodology
• If external consultants were used, documented evidence of what they contributed and how that knowledge was transferred (meeting minutes, training sessions, handover documents)
• Evidence the team is genuinely multi-disciplinary: production, engineering, QA, hygiene as a minimum. A team consisting entirely of QA staff will be challenged

Common audit finding: The HACCP team leader cannot explain the basis for CCP determination or critical limit validation when asked directly. Having the right certificate on the wall is not the same as demonstrating competence.

Clause 2.2 — Prerequisite Programmes

What the standard requires: PRPs must be established, documented, maintained, and reviewed. They form the foundation on which the HACCP system is built. The HACCP team must verify that PRPs are effective before relying on them in the hazard analysis.

Evidence to have ready:

• A documented list of your PRPs with programme owners, review dates, and current status
• Monitoring records for each PRP — cleaning verification results, pest control reports, calibration records, training logs
• Evidence that PRP effectiveness is reviewed — not just that the PRP exists on paper, but that it works in practice. Auditors will cross-reference: if your hazard analysis says a hazard is controlled by a cleaning PRP, they will check whether cleaning records demonstrate that control is effective

Common audit finding: The hazard analysis states a hazard is controlled by a PRP, but there is no monitoring data to demonstrate the PRP is functioning. The link between hazard analysis and PRP evidence must be traceable.

Clause 2.3 — Product Description (Codex Step 2)

What the standard requires: A full description of each product or product group within the scope of the HACCP plan. This includes composition, origin of key ingredients, physical and chemical properties (pH, water activity), processing method, packaging system, storage and distribution conditions, shelf life, and labelling including allergen declarations.

Evidence to have ready:

• Current product descriptions that match what is actually being manufactured today — not what was being made when the HACCP plan was first written
• For each product group: confirmed pH range, water activity where relevant, storage temperature requirements, shelf life and the basis for it
• Allergen status of every product, cross-referenced to ingredient specifications

Common audit finding: Product descriptions are out of date. A reformulation six months ago changed an ingredient, but the HACCP plan product description was never updated. This cascades into the hazard analysis — if the product description is wrong, the hazard analysis built on it is unreliable.

Clause 2.4 — Intended Use (Codex Step 3)

What the standard requires: The intended use by the end consumer must be defined, including identification of vulnerable consumer groups. The HACCP team must also consider reasonably foreseeable misuse.

Evidence to have ready:

• Documented intended use statements for each product or product group
• Specific reference to vulnerable groups where relevant (infants, elderly, immunocompromised, pregnant women)
• Documented consideration of foreseeable misuse — for ready-to-heat products, this means acknowledging that consumers may under-heat or consume without heating

Common audit finding: Intended use is generic ("for general consumption") rather than specific. Auditors expect this section to demonstrate that the HACCP team has genuinely considered how the product will be used and what could go wrong.

Clause 2.5 — Process Flow Diagram (Codex Step 4)

What the standard requires: A flow diagram covering all stages from raw material receipt through to dispatch. Must include all process steps in sequence, inputs (water, packaging materials, processing aids, rework), outputs (waste, rework loops), and any outsourced processes.

Evidence to have ready:

• Current flow diagrams that accurately reflect actual operations — including any recent process changes, new equipment, or layout modifications
• Evidence that rework loops are shown — this is frequently missed and frequently challenged
• If you have multiple product types running on the same line, flow diagrams that capture the differences or a clear explanation of how product groups are covered

Common audit finding: The flow diagram does not match the factory floor. Equipment has been moved, a process step has been added or removed, or rework is happening but not shown. This is a straightforward major because it undermines everything that follows.

Clause 2.6 — On-Site Verification of Flow Diagram (Codex Step 5)

What the standard requires: The HACCP team must verify the flow diagram against actual operations by walking the production line. This must cover all shifts and operating patterns. Any discrepancy must be corrected and documented.

Evidence to have ready:

• A dated record of the most recent on-site verification, signed by the person who conducted it
• Evidence that all shifts were considered — if night shift operates differently, the verification must cover that
• Any amendments made to the flow diagram as a result of the verification, with dates

Common audit finding: No documented evidence that on-site verification was done. The HACCP team wrote the flow diagram at their desks and never walked the line to check it. Auditors will walk the line themselves and compare — if they find a discrepancy you missed, that is a major.

Clause 2.7 — Hazard Analysis (Codex Step 6, Principle 1)

What the standard requires: At every process step, all potential hazards must be listed — biological, chemical (including allergens), physical, and radiological. Each hazard must be assessed for likelihood of occurrence and severity of effect. Significant hazards must have identified control measures.

Evidence to have ready:

• A comprehensive hazard analysis covering every step in the flow diagram — not just the obvious ones
• All five hazard categories considered at each step (biological, chemical, physical, radiological, allergen). Allergens are assessed as chemical hazards
• A documented significance assessment methodology — severity × likelihood matrix applied consistently
• For each significant hazard: the identified control measure and whether it is a CCP, PRP, or OPRP
• Evidence the HACCP team considered: history of the product, published scientific data, codes of practice, and regulatory requirements (BRC 2.7.1)

Common audit finding: Hazard analysis is not comprehensive — hazards are missing for certain steps, or entire hazard categories have been overlooked. Radiological hazards are frequently absent. Allergen cross-contact at changeover steps is frequently not assessed. The hazard analysis should be the most thorough document in your HACCP system — if it looks like it was completed in an afternoon, auditors will question it.

Clause 2.8 — CCP Determination (Codex Step 7, Principle 2)

What the standard requires: A documented, systematic approach to determining which significant hazards require a CCP. The 2020 Codex revision removed the original decision tree but confirms decision trees remain a valid tool. Each determination must be recorded with reasoning.

Evidence to have ready:

• A completed decision tree or equivalent systematic assessment for every significant hazard
• Documented reasoning for each determination — not just a tick in a box, but a rationale that demonstrates the team understood the question
• Evidence that the team distinguished correctly between CCPs, OPRPs, and PRPs. A CCP must have a measurable critical limit, real-time monitoring, and immediate corrective action capability. If it does not meet all three criteria, it is not a CCP

Common audit finding: Too many CCPs — sites that designate 15 or 20 CCPs are almost certainly including controls that should be PRPs. Cleaning is not a CCP. Allergen labelling checks are not CCPs. Metal detection is typically a CCP. Thermal processing is typically a CCP. If your CCP list includes anything that cannot be monitored in real time with a measurable limit, revisit the determination.

Clause 2.9 — Critical Limits (Codex Step 8, Principle 3)

What the standard requires: Each CCP must have validated critical limits that are clearly defined, measurable or observable, and scientifically justified.

Evidence to have ready:

• Documented critical limits for every CCP — temperature, time, pH, water activity, or other measurable parameters
• Validation evidence for each critical limit: published kill curves, regulatory guidance, challenge test data, equipment manufacturer specifications, or expert opinion with documented rationale
• Evidence that critical limits are achievable in practice — if your critical limit is 75°C core temperature but your equipment regularly delivers 72°C, you have a problem

Common audit finding: No validation evidence for critical limits. The team set 75°C because "that is what everyone uses" but cannot produce the scientific basis. BRC 2.9.1 explicitly requires validation evidence — this is not optional.

Clause 2.10 — Monitoring (Codex Step 9, Principle 4)

What the standard requires: Each CCP must have a documented monitoring procedure specifying what is measured, how, the frequency, and who is responsible. Monitoring must be capable of detecting loss of control.

Evidence to have ready:

• Monitoring procedures for every CCP, specifying the parameter, method, frequency, and responsible person
• Actual monitoring records — signed, dated, with real data. Not just ticks or "OK" entries but actual temperature readings, actual times, actual measurements
• Evidence that monitoring records are reviewed by an authorised person, not just filed

Common audit finding: Monitoring records show the same reading every time (e.g. "75°C" for three months straight). Real processes have variation. If every record shows exactly the same number, the auditor will conclude the records are being completed retrospectively or fabricated. Real data has variation — and that variation, within limits, is evidence the system is working.

Clause 2.11 — Corrective Actions (Codex Step 10, Principle 5)

What the standard requires: Pre-determined corrective actions for each CCP, covering what to do with non-conforming product, how to restore control, root cause investigation, and records.

Evidence to have ready:

• Documented corrective action procedures for every CCP — written before a deviation occurs, not invented in the moment
• Records of any actual deviations and the corrective actions taken, including product disposition decisions
• Evidence of root cause investigation — not just "retrained the operator" but genuine analysis of why the deviation occurred

Common audit finding: Corrective actions are reactive rather than pre-determined. The standard requires that procedures are in place before a deviation happens. If an auditor asks "what happens if this CCP fails?" and the answer is "we would investigate," that is not pre-determined — that is hoping for the best.

Clause 2.12 — Verification (Codex Step 11, Principle 6)

What the standard requires: Activities other than monitoring to confirm the HACCP system is working. Includes review of the HACCP plan, review of CCP records, review of deviations and corrective actions, testing, internal audits, and external audits. Must be done at planned intervals.

Evidence to have ready:

• A verification schedule showing what verification activities are planned, their frequency, and who is responsible
• Records of completed verification activities — internal audit reports, CCP record reviews, testing results, calibration records
• Evidence that verification findings led to action where needed — not just reports filed, but improvements made

Common audit finding: Verification is confused with monitoring. Monitoring is the real-time check at the CCP. Verification is the periodic check that the entire system is working as intended. If your only "verification" activity is reading CCP records, the programme is incomplete.

Clause 2.13 — Documentation (Codex Step 12, Principle 7)

What the standard requires: All HACCP documentation must be version controlled, authorised, and current. Records must be retained for a defined period.

Evidence to have ready:

• A master list of HACCP documents with version numbers, approval dates, and approval signatures
• Evidence that superseded documents are archived, not destroyed and not still in circulation on the factory floor
• A defined retention period for records, considering product shelf life and legal requirements

Common audit finding: The HACCP plan on the factory floor is not the current version. The office has version 7, the production area has version 5. Document control sounds mundane but it is one of the easiest majors to pick up — and one of the easiest to prevent.

Clause 2.14 — Review of the HACCP Plan

What the standard requires: The HACCP plan must be reviewed whenever there is a change to product, process, equipment, or ingredient — and at minimum annually. The review must be documented.

Evidence to have ready:

• A dated record of the most recent annual review with agenda, attendees, discussion points, and actions arising
• Evidence that triggered reviews were conducted when changes occurred — new ingredient, new supplier, process modification, equipment change, adverse audit finding, customer complaint, regulatory change
• Evidence that review actions were completed and signed off, not just raised and forgotten

Common audit finding: Annual review was conducted but has no substance — a signature on a form saying "reviewed, no changes" without evidence that anything was actually examined. If no changes were needed, the review record should show what was examined and why no changes were required. A blank sign-off is a red flag.

Before the Auditor Arrives — Final Checks

Walk your own factory floor with this checklist. Check every CCP monitoring point is functioning and records are current. Confirm the flow diagram on the wall matches reality. Ask two or three production staff what they would do if a CCP failed — if they do not know, your training programme has a gap. Check that your most recent annual review record is complete and accessible. Confirm all team members listed on the HACCP team are still employed and still in those roles.

The sites that achieve Grade A consistently are not the ones with the most sophisticated systems. They are the ones where the system is genuinely used, genuinely understood by the people operating it, and genuinely maintained between audits — not just polished the week before.

Written by Anthony Oakes, food safety professional with 30+ years in food manufacturing. Founder of SafetyCore.