Creating a Risk-Based Audit Framework – Internship Project

Earlier this year, we had the pleasure of sponsoring an internship in collaboration with Wageningen University and Research (WUR). This is a project summary that describes the context, project objectives, methodology, and outcomes. The primary goal of the project was to develop a risk-based audit framework for categorizing food products, identifying high-risk areas in the supply chain, and prioritizing auditing.

Why risk-based auditing?

Food safety and quality have been significant areas for actors in the agri-food supply chain in recent years, prompting the adoption of audit cultures at all supply chain steps.

Risk-based auditing has largely replaced traditional auditing in the last decade. Audits require a significant amount of time and resources. Traditional auditing is time-consuming and resource-intensive: it requires the same amount of time, resources, and audit frequency regardless of the company’s risk potential, and significant risks may go undetected.

As a result, audit managers and auditors must increase their effort in priority areas while decreasing it in non-priority areas. Risk-based auditing increases the likelihood of revealing risks, provides management with a more up-to-date picture of where the most significant organizational risk lies, and uses a company’s risk model to determine when and where auditors should investigate.

The project aimed to create a risk-based audit framework to assist food and beverage businesses in (1) categorizing food products based on their risks, (2) identifying higher risk areas in the supply chain, and (3) prioritizing auditing to efficiently allocate audit resources.

The five research questions.

The goal of this project was to answer the five research questions using two data collection methods, a semi-structured literature review and expert interviews. The research questions (RQs) listed below were developed:

  • RQ1. How could food and beverage businesses categorize products according to their risk?
  • RQ2. Where are the higher risks in the supply chain?
  • RQ3. What are the criteria to prioritize auditing based on RQ2?
  • RQ4. What should a risk-based framework look like, using the findings of RQ1-3?
  • RQ5. To what extent do leaders of the audit organizations validate the developed risk-based framework (in RQ4)?

The semi-structured literature review addressed RQ1, RQ2, and RQ3, and RQ4 was addressed using the findings of RQ1-3. RQ5 was addressed in the expert interview.

The results.

The results of the literature review revealed that (1) the intrinsic and extrinsic properties of foods, (2) consumer use and end-users, (3) the ability to produce toxins, the likelihood of containing hazardous chemicals, undeclared or unintentional allergens, and physical hazards are criteria that could be used to categorize food products based on risks.

It also revealed that manufacturing, distribution/transportation, and retailing are high-risk areas of the supply chain for microbial hazards. Farming, suppliers, and manufacturing are all high-risk areas in the supply chain for allergens, chemicals, and physical hazards.

Furthermore, it demonstrated (1) the size and number of employees in the facility, (2) the audit scope, (3) the plant’s compliance history, (4) the complexity of manufacturing processes, (5) the type of product or ingredients, (6) previous audit results, and (7) the volume of product processed or distributed as criteria for prioritizing auditing of manufacturing plants.

It was found that (1) geographical location, (2) supplier importance and size, (3) new suppliers, (4) position in the value chain, (5) suppliers with pending corrective actions and poor audit results, (6) suppliers who contravene regulations, and (7) suppliers with more non-conformities are criteria to prioritize suppliers’ auditing.

The risk-based audit framework.

All of the findings from the semi-structured literature review were used to create a risk-based framework representing the elements mentioned, to assist audit organizations in better identifying where high risk exists in their businesses. The result is knowing where to audit more and how to better allocate resources for risk-based auditing.

Audit leaders interviewed validated all elements of the risk-based audit framework except the facility size, employee count, and audit scope as criteria for prioritizing auditing. They also provided additional criteria for categorizing food products, high-risk areas in the supply chain, and criteria for prioritizing auditing. The project’s final product was a refined risk-based audit framework.

For more information on the risk-based audit framework, please contact us at

By Marc Cwikowski
November 4, 2022
