Food Safety Audits and Third-Party Certifications: SQF, GFSI, and What They Mean

You are responsible for every bite of food that leaves your kitchen. That responsibility extends well upstream — to the farms, processors, and distributors who supply your ingredients. Third-party food safety audits are the industry’s primary tool for verifying that your suppliers are operating safely. Understanding them isn’t optional. The FDA’s Food Safety Modernization Act (FSMA) made supplier verification a legal requirement, not a best practice.

Why Third-Party Audits Exist

The core problem with self-certification is obvious: nobody fails their own test. Third-party audits solve this by bringing in outside, unbiased organizations to assess supplier operations against a defined standard. The FDA explicitly requires that audits be conducted by outside organizations for fairness, and that auditors possess appropriate experience, training, and education in food safety.

Under FSMA, entities in the food supply chain must verify that their suppliers meet FDA food safety standards. When potential hazards could result in serious adverse health consequences or death — think contaminated produce, improperly processed meat — annual onsite audits are mandatory, not optional. As a restaurant operator, you may not be required to conduct these audits yourself, but you are responsible for confirming your suppliers have passed them.

The Major Audit Standards

Several audit frameworks dominate the U.S. food safety landscape. The FDA has formally recognized four major third-party food safety auditing standards as aligned with FSMA regulations. Each has a distinct origin and primary application.

SQF (Safe Quality Food) is managed by the Safe Quality Food Institute, part of the Food Marketing Institute. It operates at multiple certification levels — Level 1 covers food safety fundamentals, Level 2 addresses comprehensive food safety plans, and Level 3 adds quality management requirements. Critically for restaurant operators, SQF offers a dedicated Foodservice Program specifically designed for restaurant and foodservice operations, making it one of the most directly relevant certifications to request from suppliers.

BRC (British Retail Consortium) Global Standard originated in the UK but is widely adopted globally. It carries significant weight with retail and foodservice buyers and is recognized for rigorous assessment of food safety management systems. Suppliers serving national retail chains or large foodservice accounts frequently hold BRC certification.

FSSC 22000 is built around ISO 22000 and adds sector-specific prerequisite requirements. It is recognized under the Global Food Safety Initiative (GFSI) umbrella and is particularly common among large food manufacturers and processors.

AIB International (American Institute of Baking) has deep roots in bakery and food manufacturing auditing. Its scoring system is well-known in the industry and used extensively by grain, bakery, and food ingredient suppliers.

Primus GFS is the dominant standard in fresh produce, particularly fruits, vegetables, and packaged salads — the items most commonly found on your supplier invoices and most prominently listed on the FDA’s Food Traceability List.

What Audits Actually Evaluate

A third-party food safety audit is not a paperwork review. According to FDA guidance, the audit scope covers HACCP (Hazard Analysis and Critical Control Points) plans, Standard Sanitary Operating Procedures (SSOPs), and Good Management Practices (GMPs). Auditors physically inspect storage conditions, food production and processing areas, equipment and utensil condition, water and sewage systems, garbage disposal, pest control programs, and structural components of the facility.

Critical Control Points must be validated during the audit — meaning auditors confirm that the safety measures documented in a supplier’s HACCP plan are actually being implemented correctly. A supplier with a well-written HACCP plan that doesn’t match what’s happening on the floor will fail.

The HACCP framework itself is built around seven principles: hazard analysis, identifying critical control points, establishing critical limits, monitoring procedures, corrective actions, verification procedures, and record-keeping. When you request a supplier’s audit documentation, look for evidence that all seven principles are being actively managed, not just written down.

The GFSI Umbrella

The Global Food Safety Initiative is not an auditing body itself — it is a benchmarking organization that evaluates whether specific audit standards meet a defined threshold of rigor. SQF, BRC, FSSC 22000, Primus GFS, and several other standards are GFSI-recognized, which has become a de facto industry requirement for major food retail and foodservice buyers.

If your supplier holds any GFSI-benchmarked certification, it means their certification body passed an independent evaluation confirming the standard is scientifically sound and properly implemented. For practical purposes, GFSI recognition is the benchmark to look for when assessing whether a supplier’s certification is meaningful.

Using Audit Documentation for Vendor Qualification

Requesting audit documentation should be a standard step in your supplier onboarding process. What to ask for:

Audit certificate: Confirms the supplier passed the most recent audit and the expiration date of the certification. Certification is typically valid for one year, with annual recertification required.

Audit report: The full report, not just the certificate, reveals the score breakdown, any non-conformances found, and whether corrective action plans were completed. A supplier who passed with a 95% score and no critical findings is a different risk profile than one who passed at 72% with several corrective actions.

Corrective action documentation: When non-conformances are found during an audit, suppliers must document what corrective actions they took. Receiving this documentation gives you insight into how seriously a supplier takes food safety problems.

Certification body accreditation: Confirm the organization conducting the audit is accredited to perform certification under that standard. Unaccredited auditors issue worthless certificates.

For ongoing relationships, build supplier audit documentation into your vendor management calendar. Set reminders 60 days before certification expiration to request updated documentation. A supplier whose certification lapses without a planned renewal is a supplier whose food safety discipline has slipped.

→ Read more: Food Safety and HACCP

Connecting Audits to FSMA Supplier Verification

The FDA’s Food Traceability Rule, effective January 20, 2026, established new documentation requirements for restaurants with more than $250,000 in annual food and beverage sales. The Food Traceability List covers fresh fruits and vegetables, shell eggs, nut butters, cheeses, and seafood — products found in nearly every restaurant. For these items, restaurants must maintain Key Data Elements (KDEs) tracking each product’s journey through the supply chain.

Third-party audit certifications from your suppliers directly support this traceability requirement. When you maintain records of your suppliers’ SQF or BRC certificates alongside their KDE documentation, you have the foundation of a defensible food safety program. The FDA encourages restaurants to work directly with their suppliers to establish efficient methods for storing and accessing this required information.

Building an Internal Supplier Verification System

The practical implementation doesn’t need to be complex. A shared folder or spreadsheet organized by supplier, containing copies of current certifications, audit reports, and corrective action records, is the minimum viable system. For operators with more than a handful of suppliers, vendor management software can automate certificate expiration tracking and document storage.

Your verification process should include:

• Requiring third-party audit certification as a condition of supplier approval
• Collecting and filing current certification documents before first order
• Tracking certification expiration dates with calendar reminders
• Requesting updated documentation annually or upon recertification
• Noting any audit non-conformances and following up on corrective actions
• Conducting periodic review of supplier certification status across your entire vendor list

For high-risk suppliers — those providing items on the FDA Food Traceability List, raw proteins, or allergen-containing ingredients — consider scheduling annual conversations about their food safety programs beyond just reviewing documents.

→ Read more: Food Traceability Compliance

→ Read more: Food Traceability Suppliers

When a Supplier Can’t Provide Documentation

Some smaller or regional suppliers, particularly local farms and artisan producers, may not hold formal third-party certifications. This doesn’t automatically disqualify them, but it does shift the verification burden to you. In this case, alternatives include:

• Requesting a farm or facility visit to evaluate practices firsthand
• Reviewing any applicable state or local inspection records
• Requesting references from other restaurant operators who use the supplier
• Asking the supplier to complete a self-assessment questionnaire aligned with Good Agricultural Practices (GAPs) or Good Manufacturing Practices (GMPs)

Document whatever verification you perform. If a food safety incident involves an ingredient from a supplier without formal certification, your documentation of alternative verification measures demonstrates due diligence.

Practical Starting Point

If you haven’t formalized supplier verification yet, start with your highest-volume and highest-risk suppliers. Ask each one for their current food safety certification. If they have one, file it. If they don’t, have a direct conversation about their food safety practices and decide whether their alternative verification is sufficient for your risk tolerance.

→ Read more: Health Department Scoring

The goal isn’t bureaucracy — it’s knowing, with documented confidence, that every supplier you rely on is operating a food-safe facility. Third-party audits are the most reliable way to get that confidence without auditing every supplier yourself.