Document 52021XC0226(01)

Commission Notice on a guidance document on the implementation of the provisions for the conduct of audits under Article 6 of Regulation (EU) 2017/625 of the European Parliament and of the Council 2021/C 66/02


OJ C 66, 26.2.2021, p. 22–32 (BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)



Official Journal of the European Union

C 66/22

Commission Notice on a guidance document on the implementation of the provisions for the conduct of audits under Article 6 of Regulation (EU) 2017/625 of the European Parliament and of the Council

(2021/C 66/02)


Regulation (EU) 2017/625 of the European Parliament and of the Council (1) provides in Article 6(1) that the competent authorities shall carry out internal audits or have audits carried out on themselves and shall take appropriate measures in the light of the results of those audits.

This guidance document is intended to assist national competent authorities in the application of the above-mentioned requirements. It has been elaborated by the Commission in co-operation with the Member States and is not legally binding (2). Only the Court of Justice of the European Union is competent to authoritatively interpret Union law.

Table of contents


Purpose and scope

Legal background

Definitions

Fundamental principles

Implementation of the audit process

Systematic approach

Transparency

Independence

Independent scrutiny

Principal objectives

Performing an audit

Audit planning and preparation

Conducting the audit

Audit reporting

Follow-up of audit output

Review and dissemination of audit results

Other issues

Resources

Auditor competence

1.   Purpose and scope

The guidance document provides guidance on the nature and the implementation of audit systems by competent authorities, as referred to in Article 3(3)(a) and (b) of Regulation (EU) 2017/625. The purpose of audit systems is to verify whether official controls, and other official activities (3), regulated by Regulation (EU) 2017/625 are effectively implemented and are suitable to achieve the objectives of the relevant legislation, including compliance with national control plans.

This guidance document seeks to describe the principles stemming from Regulation (EU) 2017/625 with regard to establishing national audit systems and carrying out internal audits, rather than stipulate detailed methods with a view to facilitating the application of the aforesaid principles across the diversity of Member State control and audit systems. The methods selected for applying those principles may vary depending on the size, nature, number and complexity of the competent authorities responsible for official controls throughout the Member States.

2.   Legal background

This guidance document is intended to assist Member States in the implementation of the provisions for conducting the audits provided for in Article 6 of Regulation (EU) 2017/625, which reads as follows:

Article 6

Audits of the competent authorities

1.   To ensure their compliance with this Regulation, the competent authorities shall carry out internal audits or have audits carried out on themselves and shall take appropriate measures in the light of the results of those audits.

2.   The audits referred to in paragraph 1 shall be subject to independent scrutiny and carried out in a transparent manner.

The delegated and implementing acts adopted under Regulation (EU) 2017/625, while not explicitly mentioned in Article 6, are also essential for ensuring compliance with Regulation (EU) 2017/625. Therefore, audits are to be carried out also to ensure compliance with these delegated and implementing acts.

3.   Definitions

For the purposes of this guidance document, reference is made to the definitions laid down in Article 3 of Regulation (EU) 2017/625 and Articles 2 and 3 of Regulation (EC) No 178/2002 of the European Parliament and of the Council (4).


"Audit", as defined in Article 3(30) of Regulation (EU) 2017/625, means a systematic and independent examination to determine whether activities and the related results of such activities comply with planned arrangements and whether these arrangements are applied effectively and are suitable to achieve the objectives.

Other definitions that are relevant for the purposes of this guidance document:


"Audit body" means the body that carries out the audit process. This may be an internal or external entity.


"Audit universe" means an inventory of audit areas that is compiled and maintained by the audit body to identify areas for audit during the audit planning process.


"Audit system" means the combination of one or more audit bodies carrying out an audit process within or across competent authorities.


"Audit process" means the set of activities described in Section 5.1. (Systematic Approach) and Section 6. (Performing an Audit).


"Audit programme" means a set of one or more audits planned for a specific time frame and directed towards a specific purpose.


"Audit plan" means the description of the activities and arrangements for an audit.


"Audit approach" means the degree of emphasis to be placed during an audit on the activities being audited (e.g. auditing compliance directly, with an initial focus on outputs and outcomes, versus auditing the control systems, with an initial focus on systems and controls).

For specific audit terminology, it may be of assistance to refer to the current versions of international standards such as ISO 19011, ISO 9000 and The Institute of Internal Auditors (IIA) (5).

4.   Fundamental principles

The audit systems should cover all official controls and other official activities at all stages of the Union agri-food production chain, covered by Regulation (EU) 2017/625, including the activities of all competent authorities regardless of their way of organisation or administrative level, and all agencies or control bodies involved. In order to achieve this, audit(s) should, where necessary, extend beyond and across administrative boundaries. Where multiple audit systems exist in a Member State, mechanisms should be put in place to ensure that, when combined, full coverage of all the above activities is achieved.

To build and maintain confidence in the integrity of the audit system, management and implementation of the audit process are to be transparent to all relevant stakeholders. In particular, there should be full transparency between the audit body and the auditee (see table in section 5.2 below). Ensuring the audit process is transparent in the eyes of other stakeholders is a way to promote confidence and assist in the dissemination of information, in particular the sharing of best practice within and between competent authorities.

Independence should be addressed at organisational, functional, audit process and auditor level. The audit body and audit team should be appointed by and report to top management of the competent authorities. A clear, documented mandate affording adequate power to conduct the audits should be provided. This mandate should include at least the purpose, responsibilities, authority and accountability of the audit body, and any other aspects, which are considered necessary to reach a satisfactory level of independence. The audit body and the audit team should not be involved in managing or supervising the control systems being audited.

Where control tasks are delegated, and the competent authority has chosen to audit rather than to inspect the delegated body, then the contractual obligations of that delegated body should include the acceptance of auditing requirements and the conditions thereof.

Independent scrutiny should be a regular and planned process, external to the audit body, to ensure that the audit system is capable of producing objective results and the competent authorities meet their obligations under Article 6(2) of Regulation (EU) 2017/625.

In addition to the specific guidance set out in this document, ISO 19011 may serve as a source for general guidance.

5.   Implementation of the audit process

5.1.   Systematic approach

The audit process should be managed in a systematic manner. To that end, the audit process should:

Be the result of a transparent planning process identifying risk-based priorities in line with the competent authority’s responsibilities under Regulation (EU) 2017/625.

Include multi-annual strategic planning which is:

the basis for setting goals and priorities;

a starting point for deciding which audit topics will be selected for audit; and

a basis for detailed annual planning.

Through strategic planning identify the audit universe: grouping it into auditable entities, identifying sources of information to inform the planning process and establishing selection criteria to be used for audit topic selection.

Establish an audit programme that ensures adequate coverage of all relevant areas of activity and all relevant competent authorities regulated by Regulation (EU) 2017/625 at an appropriate risk-based frequency over a period not exceeding five years. The audit programme may include information on types of audits, resources, timetable, review frequency (e.g. once a year or more frequently).

Be supported by documented procedures and records to ensure consistency and to demonstrate that a systematic approach is followed. Such procedures should cover:

Risk-based planning of the audit programme.

Generating audit findings, including the identification of evidence of compliance and non-compliance, as appropriate.

Preparing, approving and distributing audit reports.

Review of audit conclusions, in order to identify system-wide strengths and weaknesses in the control system, disseminate best practice and ensure the monitoring of corrective and preventive actions.

Be monitored and reviewed to ensure the audit programme's objectives have been met and to identify opportunities for improvement.

Where more than one audit programme is envisaged within a Member State, steps should be taken to ensure that such programmes are effectively coordinated, so as to ensure a seamless audit process across the relevant competent authorities. The audit programme(s) should also cover all relevant levels of the competent authority’s hierarchy.

5.2.   Transparency

In order to demonstrate the audit process is transparent, documented procedures should support a clearly defined audit planning process, which includes the establishment of audit objectives, criteria, selection of the audit approach and audit report approval and distribution mechanisms.

The competent authorities should adopt the appropriate measures to ensure transparency, taking into account the relevant requirements of national and Union legislation and other conditions as appropriate. To that end, the competent authorities should consider encouraging practices that improve the transparency of the process. Some examples of such practices are listed in the Table below. When deciding on which measures to apply, the competent authorities should balance the need for transparency against the risk of undermining the audit system's ability to achieve its objectives. In order to optimise the benefits of transparency, it should be combined with balanced reporting, that is a proper mixture of verified compliance (positive findings) and areas for improvement (negative findings).

Table - Examples of practices maintaining the transparency of an audit process



Within competent authority

Across competent authorities (within Member States)

Public and other stakeholders

Access to documented audit body procedures


Consultation on planning of audit programme


Publication of audit programme

Submission of audit plan



Opportunity to comment on draft audit report



Distribution of final audit report


Publication of auditee’s comments on draft report

Publication of final audit report

Publication of summaries of final audit reports and of annual report

Publication of auditee’s action plan

Publication of follow-up results

Note: Competent authorities should select the practices (first column) and the extent to which they are applied (remaining columns) which are appropriate to their particular circumstances.

5.3.   Independence

Audit bodies should be free from any commercial, financial, hierarchical, political or other pressures that might affect their judgment or the outcome of the audit process. The audit system, audit body and auditors should be independent of the activity being audited and free from bias and conflicts of interest.

Full independence is not achievable in many circumstances. What is required is a level of independence that a reasonable outside observer would consider as sufficient to ensure the audits are conducted in a fair, objective and impartial manner and that the audit body and its auditors are not subject to undue influence or have a conflict of interest that would prejudice either the audit process or individual audits.

The audit body should be provided with sufficient qualified and competent staff, funding, infrastructure, and other resources needed to execute the audit programme. The audit body should be granted access to continuous professional development and relevant technical expertise.

The audit body should be free of undue influence at all levels of the audit process. In particular, approval of the audit programme and reports should not be influenced or hindered by the auditee. The audit body should have the freedom to develop the audit scope and objectives and have access to all premises and information that is necessary to achieve audit objectives.

A check should be carried out to ensure no conflict of interest exists for the audit body, the audit team or any attached technical expert. Members of the audit team should behave objectively, impartially, independently, without bias, with fairness, intellectual honesty, integrity, and declare a conflict of interest when appropriate. The rotation of auditors and/or of audit teams may assist in achieving this.

Where technical expertise required for the audit is only available within the competent authority being audited, measures should be taken to ensure the audit team remains independent. Where control activities are organised on a regional basis, technical experts could be exchanged in order to ensure they are independent. Where technical experts have to be sourced outside of the audit body, measures should be taken to ensure they are independent and have no conflict of interest that would compromise the independence of the audit team.

5.4.   Independent scrutiny

The process of independent scrutiny should be carried out by a person(s) from outside both the audit body and the organisation subject to internal audits with sufficient level of independence and expertise to scrutinise the audit process. Where a body or a committee has been established with a view to independent scrutiny of the audit process, one or more independent persons should be members of such body or committee.

Independent scrutiny should cover the whole audit process, including programming, planning and executing audits, reporting (including approval of reports), corrective action and follow-up. It should also cover the different threats to independence and mechanisms to manage them. Independent scrutiny is not an audit; however, such scrutiny can also be performed using an audit approach. The scrutiny can vary in scope, level of detail and intensity and should provide:

An objective evaluation of the effectiveness and independence of the audit process and audit body.

Feedback for continuous improvement.

Confidence to the audit body, competent authorities' management and other stakeholders that the audit process is meeting the objectives of Article 6 of Regulation (EU) 2017/625.

Such scrutiny should be regular but the frequency may vary depending on the results of previous scrutiny and the internal controls applied by the audit body.

The competent authorities should ensure (6) that the process of independent scrutiny is documented, including: terms of reference, roles and responsibilities, confidentiality, code of ethics, rights and obligations, reporting and dissemination requirements.

The audit body should take action to remedy any shortcomings identified by the independent scrutiny.

5.5.   Principal objectives

The purpose of audit systems is to verify competent authorities' compliance with Regulation (EU) 2017/625, as well as the functioning of the official control systems. To this end, and to comply with the requirements of Article 6 of Regulation (EU) 2017/625, the audit system should cover the following three points set out in Article 3(30) of Regulation (EU) 2017/625:


Verification that official controls are carried out in compliance with planned arrangements.

This is to provide assurances that competent authorities meet their general obligations (7) and that official controls are carried out as intended and that any instructions or guidelines given to staff carrying out such controls are followed.

Verification of this requirement may largely be addressed by document review, but should also include on-site verification. The audit team should have good generic audit knowledge and skills to address this audit objective.


Verification that planned arrangements are applied effectively.

Effectiveness is the extent to which the official controls produce an (intended) effect / achieve an objective. An adequately functioning official control system is expected, through its planned arrangements, to verify compliance with the relevant legal requirements and, when non-compliances are detected, to take actions to mitigate or eliminate these non-compliances within an appropriate time interval. Additionally, it should exercise a level of control and enforcement that can act as a deterrent to non-compliance and manage risks to safe food.

Verification of this requirement should include an assessment of the quality, reliability and consistency of the controls and should involve on-site audit activities. The audit team should have the relevant technical expertise in order to address this audit objective.


Verification that planned arrangements are suitable to achieve the objectives of official controls.

Suitability is about the "fitness for purpose" of the design and implementation of the control system to achieve the desired results, namely, the objectives of Regulation (EU) 2017/625, of the Member States’ multi-annual national control plans (MANCPs) or national policy objectives. This aspect is particularly relevant when there are indications that controls, performed in accordance with planned arrangements, are not achieving their planned results or objectives.

Verification of this requirement should include assessing the official controls, for example their planning, their frequency / intensity and the methods applied, having regard to the structure and risk profile of the production chain(s) and to production practices and volume. It should also look at constraints that may have influenced the planning or implementation of arrangements (8).

The audit team should have substantial knowledge and understanding of system auditing, together with relevant technical input to address this audit objective.

6.   Performing an audit

6.1.   Audit planning and preparation

The auditor (or audit team) should plan the audit in a manner which ensures that the audit is carried out in an efficient and effective way and in a timely manner.

The audit plan should provide an understanding, technical and legal, of the audit topic and the likely auditees, determine the audit objectives and scope, establish the audit criteria, identify key/risk areas, select the audit approach, and estimate resources and timing.

Audit criteria should include objectives stemming from the MANCPs, Regulations (EC) No 178/2002 and (EU) 2017/625, as well as specific requirements of relevant EU legislation and national legislation, if applicable.

Once the audit objectives, scope and audit criteria have been defined, the audit’s approach, methodology and techniques should be determined. The purpose of setting out the audit approach is to ensure that the audit objectives are achieved and sufficient appropriate audit evidence is collected to draw valid, reliable audit conclusions. The auditor (or audit team) should develop such approach using professional judgement.

The audit team should, at the audit planning stage, consider what audit evidence should be required. Planning the evidence needed and how, when and where to collect it is an integral part of the audit planning process. The quality of the evidence collected has a direct and significant effect on the audit findings and conclusions.

6.2.   Conducting the audit

Before commencing audit activity the audit team should ensure that the auditee is fully informed of the purpose, objectives and scope of the audit and of any requirements for contributions or assistance from the auditee, for example access to premises, documents or data either in advance of, or, during the audit.

Holding an opening meeting is a good opportunity to ensure that relevant information is communicated between the audit team and the key auditee staff. This meeting provides a forum to clarify audit objectives, ensure the audit plan is understood, establish working arrangements and address any outstanding issues.

When conducting an audit, the audit team should collect, verify and analyse/evaluate the audit evidence to ensure it is appropriate and sufficient to achieve the audit objectives, in particular on the compliance with the planned arrangements, the effectiveness of the implementation and the suitability of the planned arrangements to achieve the stated objectives. These activities should be recorded.

Audit evidence needs to be compared to the audit criteria and the audit objectives to allow the audit team to produce audit findings and present persuasive audit conclusions. Only audit evidence that is appropriate and sufficient will effectively support audit findings, conclusions and recommendations (where applicable) which are capable of withstanding challenge and satisfy internal and external review.

In the closing meeting, the audit team presents the results of the audit and there should be an opportunity for:

Discussion of preliminary findings and conclusions with the management of the auditee and obtaining management feedback on them.

The auditee to correct misunderstandings and to discuss the preliminary findings and conclusions and to provide further information or clarification in support of their position.

The auditee to provide their views on the conduct of the audit.

The audit team may review the preliminary findings and conclusions based on further analysis of the evidence collected or further evidence to be submitted.

Any relevant auditee feedback provided should be recorded and considered when reporting on the audit and in the conduct of future audits.

6.3.   Audit reporting

The audit report is a very important part of the audit to:

Provide relevant assurances about the functioning of the processes subject to audit.

Identify and disseminate good practices.

Identify areas of non-compliance or weakness and bring them to the attention of the auditee for corrective and/or preventive action.

Prepare a basis for follow-up of the action taken by the auditee in response to audit recommendations.

Provide an opportunity to communicate with wider stakeholders, where applicable.

An audit report should be objective, persuasive and timely.

In order to be objective the audit team should, when reporting, present relevant evidence including any that may be opposed to or not supportive of its opinion or conclusion. Selective presentation of evidence should be avoided and opinions of the audit team not supported by sound evidence should not be reflected in the report. Reporting should be balanced and not focus exclusively on negative elements. The report should contain positive statements where the auditee’s activities are found to be well organised and performed.

A persuasive audit establishes its credibility by presenting valid, evidence-based findings, logical conclusions and practical, realistic and relevant recommendations. The report should be logically structured leading the reader through the process from the purpose of the audit, the audit objectives and scope through findings and conclusions to recommendations. There should be clear coherence between evidence, findings, conclusions and recommendations.

Conclusions should address the compliance with the planned arrangements, the effectiveness of the implementation, and the suitability of the planned arrangements to achieve the stated objectives, as appropriate (see section 5.5). They should be based on objective evidence. In particular, where conclusions are drawn as to the planned arrangements' suitability to achieve the stated objectives, evidence may be obtained from the compilation and analysis of results from several audits. In this case conclusions should extend beyond the boundaries of individual establishments, units of authorities and authorities.

Recommendations should be directed at eliminating or correcting the reasons why the auditee failed to meet the audit criteria. Recommendations should not prescribe the action to be taken by the auditee but instead specify the result to be achieved by the auditee's corrective and/or preventive action.

Minimum content of the report should include:

the identification of audit, dates, places, and the auditee

the audit objectives, scope, methodology, and criteria

the audit findings (and related evidence), conclusions and, where applicable, recommendations.

Depending on the policy of the audit body the audit team may, or may not, be identified in the report.

6.4.   Follow-up of audit output

Where appropriate, an action plan should be drawn up and delivered by the auditee. It should propose time-bound corrective and preventive actions (9) to address any recommendation resulting from the audit. The audit team (10) should assess the suitability of the action plan and may be involved in verifying its subsequent implementation:

The action plan enables the audit team to assess whether the proposed corrective and preventive action is sufficient to address the recommendations of the audit report. Action plans should include risk-based prioritisation, responsibility for implementation and time frames for completion of corrective and preventive action. A variety of action plans could be considered satisfactory. It is for the auditee to choose from the various options available.

Corrective and preventive action should not be confined to addressing specific technical requirements but should, where appropriate, include system-wide measures (for example communication, cooperation, coordination, reviewing and streamlining of control processes). A root cause analysis of any non-compliance should be conducted by the auditee in order to determine the most appropriate corrective and preventive action. Any differences of opinion between the auditee and audit team should be resolved.

Close-out: Mechanisms should be established to ensure that action plans are appropriate and that corrective and preventive actions are effectively completed in a timely manner. Procedures for verifying the close out of the action plan should be agreed between the auditee and the audit team.

7.   Review and dissemination of audit results

Audit results and, where applicable, feedback should be considered while planning future audit programmes and in the context of the review of the audit process.

The implications of audit findings or non-compliances for other sectors, regions or other competent authorities should be considered, particularly in Member States where controls are performed by several competent authorities or are decentralised.

Internal audits provide an independent evaluation of the effectiveness and suitability of the official controls to achieve objectives. Therefore, audit results should be made available to Member States' relevant competent authorities to assist them in developing and improving their control systems and reviewing their MANCPs.

Audit results may also identify examples of best practice, which should be disseminated. These examples may be used by the auditee in other areas or by other entities engaged in similar activities to improve their processes. For this purpose, reports should be made available to other sectors and regions within the Member State and to the Commission, when requested.

8.   Other issues

8.1.   Resources

Member States should ensure that competent authorities have sufficient implementing powers (legal and administrative), and resources, with the appropriate competences, to establish, implement and maintain an effective audit system.

The human and related resources required to manage, monitor and review the audit process should be made available, bearing in mind that all competent authorities and their control activities within Regulation (EU) 2017/625 should be audited. In order to have the necessary expertise to fulfil the purpose and scope of the audit and audit programme(s), the audit team may include any combination of general and technical specialist auditors and technical experts.

General guidance on the resources required for auditing is provided in ISO 19011.

8.2.   Auditor competence

Auditor competence and selection criteria should be defined under the following headings:

Generic knowledge and skills,

Audit principles, procedures and techniques; management/organisational skills,

Specific technical knowledge and skills,

Personal attributes (11),


Work experience,

Auditor training and experience.

It is essential to put a mechanism in place to ensure auditors are consistent and their competencies are maintained. Competencies required by audit teams may vary depending on the area they are auditing within the control or supervision systems. The auditors should have the required technical knowledge and skills and be familiar with the subject matters for the training of staff performing official controls and other official activities, set out in Chapter I of Annex II to Regulation (EU) 2017/625.

(1)  Regulation (EU) 2017/625 of the European Parliament and of the Council of 15 March 2017 on official controls and other official activities performed to ensure the application of food and feed law, rules on animal health and welfare, plant health and plant protection products, amending Regulations (EC) No 999/2001, (EC) No 396/2005, (EC) No 1069/2009, (EC) No 1107/2009, (EU) No 1151/2012, (EU) No 652/2014, (EU) 2016/429 and (EU) 2016/2031 of the European Parliament and of the Council, Council Regulations (EC) No 1/2005 and (EC) No 1099/2009 and Council Directives 98/58/EC, 1999/74/EC, 2007/43/EC, 2008/119/EC and 2008/120/EC, and repealing Regulations (EC) No 854/2004 and (EC) No 882/2004 of the European Parliament and of the Council, Council Directives 89/608/EEC, 89/662/EEC, 90/425/EEC, 91/496/EEC, 96/23/EC, 96/93/EC and 97/78/EC and Council Decision 92/438/EEC (Official Controls Regulation) (OJ L 95, 7.4.2017, p. 1).

(2)  The term "should" in this guidance document means good practice, not a binding requirement.

(3)  According to Article 1(5) of Regulation (EU) 2017/625, Article 6 of the same regulation also applies to other official activities. For the purpose of this guidance document, when "official controls" are mentioned, "other official activities" are also included.

(4)  Regulation (EC) No 178/2002 of the European Parliament and of the Council of 28 January 2002 laying down the general principles and requirements of food law, establishing the European Food Safety Authority and laying down procedures in matters of food safety (OJ L 31, 1.2.2002, p. 1).


(6)  Some degree of flexibility is expected as responsibility for independent scrutiny varies within Member States.

(7)  Under Article 5 of Regulation (EU) 2017/625.

(8)  Root cause analysis can be an important tool in assessing suitability.

(9)  In this context "corrective action" means action to eliminate the cause of a non-conformity and to prevent recurrence while "preventive action" means action to eliminate the cause of a potential non-conformity (to prevent occurrence of a non-conformity) or other potential undesirable situation.

(10)  Some degree of flexibility is expected as responsibility for follow-up varies between Member States' competent authorities.

(11)  Auditors should have an independent mind, be ethical, open-minded, diplomatic, observant, perceptive, versatile, tenacious, decisive, assertive, self-reliant and open to improvement.