Compliance

Choosing FSVP supplier verification activities

Onsite audit, sampling and testing, or records review — how to pick the right verification activity per hazard.

Once your hazard analysis identifies hazards that require control at the foreign supplier, FSVP requires you to perform supplier verification activities to confirm those controls are working. The FDA gives you three options — picking the wrong one for the risk level is the most common audit finding.

Three verification activities (21 CFR 1.506):

  • Onsite audit — physical inspection at the supplier's facility, performed by a qualified auditor. Highest evidentiary weight.
  • Sampling and testing — laboratory testing of incoming product or raw materials against the controlled hazard.
  • Review of supplier's records — documented evidence of the supplier's preventive controls (HACCP plans, monitoring records, corrective actions, training logs).

Picking the right activity (severity-driven):

  1. Hazard requiring a preventive control AND severe outcome (e.g., Salmonella in ready-to-eat foods) — onsite audit at least every 12 months is the FDA's expectation. Sampling alone is not sufficient.
  2. Hazard requiring a preventive control AND moderate outcome — sampling/testing or records review is acceptable, frequency aligned with risk.
  3. Hazard adequately controlled by a customer downstream — written assurance from the customer plus periodic verification.

Food that's exempt from preventive controls (e.g., produce subject to the Produce Safety Rule) follows a separate path — FSVP can rely on the supplier's compliance with the applicable regulation.

TIP: Records review is the lowest-cost option but the lowest evidentiary weight. Use it for low-severity hazards or as a supplement to sampling — rarely as the only verification for a high-risk hazard.

Frequency rules:

  • Onsite audits required for severe-outcome hazards: at least annually
  • Sampling/testing: aligned with hazard probability — quarterly is common for moderate-risk imports
  • Records review: at minimum annually, with new records on every shipment

Document the rationale for the chosen frequency. "We audit annually" without a basis fails a records request.

WARNING: The auditor performing an onsite audit must be qualified — typically a third-party firm (SGS, Eurofins, NSF) or an in-house Qualified Individual with documented training. The supplier's own internal auditor doesn't count for FSVP purposes.

Related articles