Tag Archives: manage

HACCP

Implementing a HACCP Plan to Address Audit Concerns in the Infused Market

By Daniel Erickson
1 Comment
HACCP

The increasing appeal and public acceptance of medical and recreational cannabis has increased the focus on the possible food safety hazards of cannabis-infused products. Foodborne illnesses from edible consumption have become more commonplace, causing auditors to focus on the various stages of the supply chain to ensure that companies are identifying and mitigating risks throughout their operations. Hazard Analysis and Critical Control Points (HACCP) plans developed and monitored within a cannabis ERP software solution play an essential role in reducing common hazards in a market currently lacking federal regulation.

What are cannabis-infused products?

Cannabis infusions come in a variety of forms including edibles (food and beverages), tinctures (drops applied in the mouth), sprays (applied under the tongue), powders (dissolved into liquids) and inhalers. Manufacturing of these products resembles farm-to-fork manufacturing processes common in the food and beverage industry, in which best practices for compliance with food safety regulations have been established. Anticipated regulations in the seed-to-sale marketplace and consumer expectations are driving cannabis infused product manufacturers to adopt safety initiatives to address audit concerns.

What are auditors targeting in the cannabis space?

The cannabis auditing landscape encompasses several areas of focus to ensure companies have standard operating procedures (SOP’s) in place. These areas include:

  • Regulatory compliance – meeting state and local jurisdictional requirements
  • Storage and product release – identifying, storing and securing products properly
  • Seed-to-sale traceability –  lot numbers and plant identifiers
  • Product development – including risk analysis and release
  • Accurate labeling –  allergen statements and potency
  • Product sampling – pathogenic indicator and heavy metal testing
  • Water and air quality –  accounting for residual solvents, yeasts and mold
  • Pest control – pesticides and contamination

In addition, auditors commonly access the reliability of suppliers, quality of ingredients, sanitary handling of materials, cleanliness of facilities, product testing and cross-contamination concerns in the food and beverage industry, making these also important in cannabis manufacturers’ safety plans.

How a HACCP plan can help

HACCPWhether you are cultivating, harvesting, extracting or infusing cannabis into edible products, it is important to engage in proactive measures in hazard management, which include a HACCP plan developed by a company’s safety team. A HACCP plan provides effective procedures that protect consumers from hazards inherent in the production and distribution of cannabis-infused products – including biological, chemical and physical dangers. With the lack of federal regulation in the marketplace, it is recommended that companies adopt these best practices to reduce the severity and likelihood of compromised food safety.

Automating processes and documenting critical control points within an ERP solution prevents hazards before food safety is compromised. Parameters determined within the ERP system are utilized for identification of potential hazards before further contamination can occur. Applying best practices historically used by food and beverage manufacturers provides an enhanced level of food safety protocols to ensure quality, consistency and safety of consumables.

Hazards of cannabis products by life-cycle and production stage

Since the identification of hazards is the first step in HACCP plan development, it is important to identify potential issues at each stage. For cannabis-infused products, these include cultivation, harvesting, extraction and edibles production. Auditors expect detailed documentation of HACCP steps taken to mitigate hazards through the entire seed-to-sale process, taking into account transactions of cannabis co-products and finished goods at any stage.

Cultivation– In this stage, pesticides, pest contamination and heavy metals are of concern and should be adequately addressed. Listeria, E. coli, Salmonella and other bacteria can also be introduced during the grow cycle requiring that pathogenic indicator testing be conducted to ensure a bacteria-free environment.

Harvesting– Yeast and mold (aflatoxins) are possible during the drying and curing processes. Due to the fact that a minimal amount of moisture is optimal for prevention, testing for water activity is essential during harvesting.

Extraction – Residual solvents such as butane and ethanol are hazards to be addressed during extraction, as they are byproducts of the process and can be harmful. Each state has different allowable limits and effective testing is a necessity to prevent consumer exposure to dangerous chemical residues.

Edibles– Hazards in cannabis-infused manufacturing are similar to other food and beverage products and should be treated as such. A risk assessment should be completed for every ingredient (i.e. flour, eggs, etc.), with inherent hazards or allergens identified and a plan for addressing approved supplier lists, obtaining quality ingredients, sanitary handling of materials and cross-contamination.

GMPFollowing and documenting the HACCP plan through all of the stages is essential, including a sampling testing plan that represents the beginning, middle and end of each cannabis infused product. As the last and most important step before products are introduced to the market, finished goods testing is conducted to ensure goods are safe for consumption. All information is recorded efficiently within a streamlined ERP solution that provides real-time data to stakeholders across the organization.

Besides hazards that are specific to each stage in the manufacturing of cannabis-infused products, there are recurring common procedures throughout the seed-to-sale process that can be addressed using current Good Manufacturing Practices (cGMP’s).  cGMPs provide preventative measures for clean work environments, training, establishing SOPs, detecting product deviations and maintaining reliable testing. Ensuring that employees are knowledgeable of potential hazards throughout the stages is essential.Lacking, inadequate or undocumented training in these areas are red flags for auditors who subscribe to the philosophy of “if it isn’t documented, it didn’t happen.” Training, re-training (if necessary) and documented information contained within cannabis ERP ensures that companies are audit-ready. 

Labeling

The importance of proper labeling in the cannabis space cannot be understated as it is a key issue related to product inconsistency in the marketplace. Similar to the food and beverage industry, accurate package labeling, including ingredient and allergen statements, should reflect the product’s contents. Adequate labeling to identify cannabis products and detailed dosing information is essential as unintentional ingestion is a reportable foodborne illness. Integrating an ERP solution with quality control checks and following best practices ensures product labeling remains compliant and transparent in the marketplace.

Due to the inherent hazards of cannabis-infused products, it’s necessary for savvy cannabis companies to employ the proper tools to keep their products and consumers safe. Utilizing an ERP solution that effectively manages HACCP plans meets auditing requirements and helps to keep cannabis operations one step ahead of the competition.

Soapbox

Third-Party Cannabis Safety Audits & How to Prepare in 7 Steps

By Tyler Williams
2 Comments

Unlike the food industry, the cannabis industry is still in its infancy. Which means there is not a push from retailers demanding cannabis farmers, extractors or manufacturers to get third-party audits. In fact, most grow operations supply into their own dispensaries. So why should a cannabis farmer, extractor or manufacturer get a third-party audit? Third-party audits are crucial to maintaining product safety and quality by providing a third set of eyes to verify what is working and what is not. Besides regulatory requirements and customers requiring your facility to get a third-party audit, there are numerous other benefits to receiving an audit. Some of these benefits include:

  • Improvement to product safety
  • Improvement to product quality and consistency
  • Meeting regulatory compliance
  • Eliminating potential risks and possible recalls
  • Marketing advantages over competitors who are not audited by a third-party
  • Improvement to consumer confidence and an increase to brand loyalty

How to Prepare for a Third-Party Audit

Working for a certification body, I am in the unique position to see numerous sites go through the certification process. In this position I have seen both extremes: Sites that spend 6-8 months and a lot of resources preparing for an audit, as well as sites that wait until the day before to even look at the audit standard. Unfortunately, the latter is almost always going to fail the audit. Here are seven steps for preparing for your next third-party audit.“By failing to prepare, you are preparing to fail.”– Benjamin Franklin

  1. Start Preparing Early

Think of your third-party audit as a college exam one month away. You could start studying for the exam now and get a real understanding of the material or you could wait until the day before to start your no-sleep, energy drink-fueled, 24-hour cram session. We all know which preparation method will get a better score on the exam. Now let’s apply that same strategy to your third-party audit. Once you have decided what audit is best for your site and have those specific standards in your hand, the clock starts ticking and you should already be preparing for the audit, whether it is one month or six months away.

  1. Get Management Commitment

It is essential to the entire cannabis safety and quality system to have commitment from top down. Without this, the site will not get the resources (people, equipment, money, time, etc.) they need to pass a third-party audit. Management commitment is so important that it is often seen as its own section in most modern audit standards. It is very easy for third-party auditors to identify when there is a lack of management commitment in a site. Therefore, if you don’t get management commitment, then you are already starting off the audit on a bad note.

  1. Create a To-Do-ListGMP

Think of the entire audit checklist or standard as your long to-do list. Some things, like attaining a certificate of analysis (COA) from a supplier, may only need to be done annually. While other things, such as ensuring employees are following Good Manufacturing Practices (GMPs), will need to be done continuously throughout day to day operations. Go through the audit checklist and separate what needs to be done annually, semiannually, quarterly, monthly and continuously throughout day to day operations. This will give you a list with all of the frequencies of each different requirement.

  1. Teamwork“Teamwork makes the dream work, but a vision becomes a nightmare when the leader has a big dream and a bad team.” – John C. Maxwell

The preparation of an audit should never rest on the shoulders of one person. Yet this is something I tend to see too often in both food and cannabis facilities alike. Your site should establish a cannabis safety and quality team of multidiscipline personnel that have an impact on product safety and quality. Once the team is established, various tasks from the to-do-list can be disbursed among all the members of the team. Collaboration is key to successfully preparing for a third-party audit, especially when the timelines are very stringent.

  1. Training

Training is essential to preparing for your third-party audit. This is what closes the gaps between what the safety and quality department have developed and what your front-line employees are applying. All employees should know what part of the audit standard applies to them. Additionally, employees should be trained on interview questions that the auditor might ask them during the audit. Helping them prepare for these types of questions will help ease their nerves and allow them to answer the questions with self-assurance when it comes time to the actual audit.

  1. Conduct Internal Audits

Conducting internal audits is not only a great way to prepare for your third-party audit, it’s a requirement. You should always use the audit checklist to observe your documents and facility to see where there are gaps. If possible, the person or team conducting the internal audit should never review their own work. Additionally, all issues or non-conformances should be noted, evaluated, corrected and closed out.

  1. Third-Party Pre-Assessment or Mock Audit (Optional)

A third-party pre-assessment or mock audit is the closest thing you can get to an actual audit. This is where a company would come in and evaluate your site to the specific standards and give a formal report over any deficiencies found during the assessment and how to fix them. This is a great way to test your preparedness before the actual audit.

How a Cloud QMS Can Get Cannabis Startups ISO 9001-Certified

By Mike Hansen
1 Comment

When it comes to compliance for cannabis startups, the ISO 9000 family of standards reigns supreme. Providing the guidelines for the concepts that make up a quality management system (QMS), the ISO family is composed of five standards: ISO 9000, 9001, 9002, 9003 and 9004. Outside of ISO 9001, ISO 9000 is the most important because it creates the foundation that guides all of the other standards.

ISO 9000 is split into two sections: fundamentals and vocabulary. Fundamentals covers the basic principles of quality management and the vocabulary section is a dictionary of quality management terminology. ISO 9000 is crucial because it provides direction on proper QMS implementation that will lead to achieving an ISO 9001 certification.

While the entire ISO 9000 family is focused on quality management systems that aim to help organizations “ensure that their products and services consistently meet customer’s requirements and that quality is consistently improved,” ISO 9001 is the only standard that lists actual requirements and requires certification.Cloud-based quality management software provides the flexibility and scalability, that cannabis startups need to comply with ISO 9001

Quality Management Systems (QMS)

When conceptualizing “quality management,” it is best to think of it as an organization’s definition of how it will meet the quality requirements of customers and other stakeholders who are affected by its work. Implementing this requires an extensive alignment of company processes and procedural governance.

It’s easiest to think of a QMS as the facilitator of outlined processes that are required to fulfill ISO 9001 requirements. For example, if an organization has defined a change request process, it could use a cloud-based QMS to put that process in place. However, the benefits of a cloud-based QMS don’t have to end at ISO 9001. It can also help organizations comply with other regulations like GxP.

ISO 9001 Requirements

ISO 9001 requirements can sound very generic because they’re meant to be applied to any organization, big or small, in any industry. The key to ISO 9001 is the concept of continuous improvement, which is why specific requirements for what “quality” is are not defined. Rather, companies must create objectives and work toward improving processes to meet those objectives. That said, a certified QMS still must do the following:

  • Meet the requirements of other stakeholders, for example, customer requirements and regulatory standards
  • Ensure that employees receive training outlining the quality requirements
  • Determine and document the processes, their interactions and their results
  • Be able to produce records to prove that system requirements have been met
  • Constantly monitor quality management software performance
  • Address any risks that could result from changes
  • Perform internal audits and correct any issues
  • Continuously improve the QMS

From creation to disposal, document protocols must be clear and properly followed.With that in mind, ISO 9001’s purpose is to evaluate whether or not a QMS does a good job of managing processes while also being able to help organizations identify areas that need improvement. In simple terms, ISO 9001 helps companies who were making an excellent product most of the time, make an excellent product every time.

How can cloud quality management software help you get your ISO 9001 certification? Once you create processes that adhere to ISO 9001 quality management standards, you have to put them into practice. Enter: quality management software. But, how exactly does it help?

Optimal Time to Value

First, cloud-based software is the most cost-efficient to implement. Secondly, since a QMS needs to be accessible to every employee regardless of whether they work at HQ or on-site, cloud QMS are built to be mobile-friendly and easily accessed from any location.

Automated Document Lifecycles & Version Control

From creation to disposal, document protocols must be clear and properly followed. As up-to-date documents are an important factor in maintaining high levels of quality, the most recent versions of approved documents should be readily available while previous editions should be hidden away.

With cloud quality management software, workflows can automate the review and approval processes by automatically sharing documents with the right reviewers. Then, after the document has been approved, the changes will automatically be applied to the master document while the obsolete version is archived, helping to remove any chance of it being accidentally used after the update.

Easy Document Location & Metadata

According to ISO 9001, searching through an organization’s documents should be as easy as searching with Google. It’s an added bonus when the quality management software enables users to add custom metadata to documents. Metadata is just extra information that helps to define a document (like file size, type, date modified). With certain cloud-based QMS’, you can add custom metadata fields to make documents easier to find. For example, you can add an “expiration date” field that allows you to look up policies based on when they are set to expire.With the growing number of data breaches happening every year, it’s important to address the security components of a QMS.

Document Traceability

In order to pass any ISO 9001 audit, there needs to be a complete audit trail for every document, including active documents and the earlier archived versions. While this might seem like a big ask, cloud quality management software helps make this simple. Every single change to a document, regardless of whether it’s the current or past version, is tracked. When combined with automated workflows, you’re able to produce a precise log of every change made by every user.

Advanced User Permissions & Central File Ownership

With the growing number of data breaches happening every year, it’s important to address the security components of a QMS. Many of these issues can be resolved with user permissions, which is generally related to managing users’ editing and sharing access. The proper view, edit, and approval rights go a long way to reducing the risk of human error.

Another feature that may seem like common sense is central file ownership. When the organization owns all of its documents, there’s no need to worry that important files will be lost or deleted. With one owner, the damage that can be inflicted by malicious third-parties is also limited.

Cloud-based quality management software provides the flexibility and scalability, that cannabis startups need to comply with ISO 9001. With the cloud as a foundation, these systems will continue to be assets for the cannabis industry as it gains momentum and expands more.

EVIO Logo

EVIO Labs Massachusetts Accredited to ISO 17025

By Aaron G. Biros
No Comments
EVIO Logo

EVIO Inc.’s Massachusetts lab announced yesterday they received ISO/IEC 17025 accreditation from the American Association for Laboratory Accreditation (A2LA). According to the Massachusetts Cannabis Control Commission, the body in charge of regulating the state’s cannabis industry, accreditation to ISO/IEC 17025: 2017 is a requirement for cannabis testing labs.

The press release says this makes EVIO Labs Massachusetts one of only a few operating and accredited testing laboratories serving the state’s medical cannabis industry. With recreational sales coming shortly to the state, EVIO is preparing for a higher demand in their lab testing services. “We are very proud of all of the teams’ hard work that resulted in this advanced accreditation,” says James Kocis, lab director of EVIO Labs Massachusetts. “With the state-mandated laboratory regulations, EVIO upholds the high standards of testing and plays a pivotal role in ensuring consumer safety and confidence in the states burgeoning marijuana market.”

According to Adam Gouker, general manager at A2LA, EVIO Labs Massachusetts, based in Southborough, MA, is the first cannabis laboratory they accredited in the state. “A2LA is excited to expand our cannabis accreditation program into yet another state, promoting the value of independent third-party accreditation to support quality products in the industry,” says Gouker. “Having the opportunity to work with a prominent name in the industry such as EVIO Labs and assess their exceptional Massachusetts laboratory has been an additional bonus.”

EVIO LogoAccording to the A2LA press release, by achieving ISO/IEC 17025 accreditation, EVIO Labs Massachusetts demonstrates that they “have management, quality and technical systems in place to ensure accurate and reliable analyses, as well as proper administrative processes to ensure that all aspects related to the sample, the analysis, and the reporting are standardized, measured, and monitored.” It also requires that personnel are competent to perform each analysis.

EVIO Inc. operates in the cannabis testing market with lab services in a number of states, including Oregon, California and Florida among others. Their Florida location was the first accredited cannabis lab in the state and they recently earned the same accreditation for their Berkeley, California location.

Dr. Ed Askew
From The Lab

Quality Plans for Lab Services: Managing Risks as a Grower, Processor or Dispensary, Part 2

By Dr. Edward F. Askew
No Comments
Dr. Ed Askew

Editor’s Note: The views expressed in this article are the author’s opinions based on his experience working in the laboratory industry. This is an opinion piece in a series of articles designed to highlight the potential problems that clients may run into with labs. 

In the previous article, I discussed the laboratory’s first line of defense (e.g. certification or accreditation) when a grower, processor or dispensary (user) questions a laboratory result. Now let us look behind this paperwork wall to the laboratory culture the user will encounter once their complaint is filtered past the first line of defense.

It is up to the client (processor, grower or dispensary) to determine the quality of the lab they use.In an ISO 17025 (2005 or 2017) and TNI accreditation, the laboratory must be organized into management, quality and technical areas. Each area can overlap as in the ISO 17025-2017 standard or be required to remain as separate sections in the laboratory as in the ISO 17025-2005 or TNI 2009 standards. ISO 17025 standards (e.g. 2005 and 2017) specifically require a separation of monetary benefits for laboratory results as it applies to the technical staff. This “conflict of interest” (CoI) is not always clearly defined in the laboratory’s day-to-day practices.

One example that I have experienced with this CoI separation violation goes back to my days as a laboratory troubleshooter in the 1990s. I was called into a laboratory that was failing to meet their Department of Defense (DoD) contract for volatile organic hydrocarbon analyses (VOAs) of soil samples by purge trap-gas chromatography-mass spectroscopy. I was required to “fix” the problem. What I determined was:

  • The analytical chemists performing the VOAs analyses were high school graduates with no coursework in chemistry or biology.
  • There was no training program in place for these analysts in instrument use, instrument troubleshooting and interpretation of the analytical results.
  • The only training the analysts received was for simple instrument set-up and basic instrument computer software use. (e.g. Push this button and send results to clerks)
  • Clerks with a high school degree and no analytical chemistry training in the business office generated the final reports and certified them as accurate and complete.

None of the staff was technically competent to perform any in-depth VOAs analytical work nor was the clerical staff competent to certify the results reported.

When I pointed out these discrepancies to the laboratory management, they declined to make any changes. The laboratory management had a direct monetary interest in completing all analyses at the lowest costs within the time limit set by DoD. If the laboratory did not complete the analyses as per the DoD contract, DoD would cancel the contract and not pay the laboratory.

The DoD, in a “Double Blind” test sample, later caught this laboratory.. A Double Blind test sample is used to check to see if the laboratory is performing the tests correctly. The laboratory does not know it is a test sample. So if the laboratory is cheating, they will be caught.This does not mean that all laboratories have staff or management issues

Once the laboratory was caught by DoD with the Double Blind, laboratory management claimed they were unaware of this behavior and management fired all analytical staff performing VOAs and clerical staff reporting the VOAs results to show DoD that it was a rogue group of individuals and not the laboratory management. The fired staff members were denied unemployment benefits as they were fired with cause. So, the moral to this story is if the analytical staff and specifically the clerical staff had wanted to hold the laboratory management accountable for this conflict of interest, they may have been fired, but without cause. The staff would have kept their reputation for honesty and collected unemployment benefits.

I have witnessed the “CoI above repeatedly over the last 30+ years both in laboratories where I have been employed and as a consultant. The key laboratory culture problems that lead to these CoI issues can be distilled into the following categories:

  • Financial CoI: In the financial CoI, the laboratory management must turn out so many analytical test results per day to remain financially solvent. The philosophical change that comes over management is that the laboratory is not producing scientific results, but is instead just churning out tests. Therefore, the more tests the laboratory produces, the more money it makes. Any improvement in test output is to be looked upon favorably and anything that diminishes test output is bad. So, to put this in simple terms: “The laboratory will perform the analyses quickly and get the report sent to the user so the laboratory can be paid. Anything that slows this production down will not be tolerated!” To maximize the Return on Investment (RoI) for the laboratory, management will employ staff that outwardly mirrors this philosophy.
  • I Need This Job CoI: This is the CoI area that poor quality lab technical staff and clerical staff most readily falls into. As outlined in the example above, both the analytical staff and clerical staff lacked the educational credentials, the technical training to be proficient in the use of the analytical instruments, ability to identify problems performing the analytical methods or complications in reporting analytical results. That means they were locked into the positions they held in this specific laboratory. This lack of marketable skills placed pressure on these staff members to comply with all directives from management. What happened to them in the end was regrettable, but predictable. Management can prey on this type of staff limitation.
  • Lack of Interest or Care CoI: This form of CoI is the malaise that infects poor quality laboratories, but can reach a level in management, quality and technical areas as to produce a culture where everyone goes through the moves, but does not care about anything but receiving their paycheck. In my many years of laboratory troubleshooting this type of CoI is the most difficult to correct. Laboratories where I had to correct this problem required that I had to impress on the staff that their work mattered and that they were valued employees. I had to institute a rigorous training program, require staff quality milestones and enforce the quality of work results. During my years of laboratory troubleshooting, I only had to terminate three laboratory staff for poor work performance. Unfortunately after I left many of these laboratories, management drifted back to the problems listed above and the laboratory malaise returned. This proves that even though a laboratory staff can achieve quality performance, it can quickly dissolve with lax management.

So, what are the conclusions of this article?

  • Laboratory culture can place profit over scientific correctness, accuracy and precision.
  • Laboratory management sets the quality of staff that determines the analytical results and report quality the user receives.
  • Laboratory quality can vary from acceptable performance to unacceptable performance over the lifetime of the laboratory depending on management.
  • This does not mean that all laboratories have staff or management issues. It is up to the client (processor, grower or dispensary) to determine the quality of the lab they use.

The next article in this series will introduce the user to the specific Quality Control (QC) analyses that an acceptable laboratory should perform for the user’s sample. These QC analyses are not always performed by accredited laboratories as the specific state that regulates their cannabis program does not require them. The use of these QC samples is another example of how laboratory’s with poor quality systems construct another paper work wall.

Supplier Quality Audits: A Critical Factor in Ensuring GMP Compliance

By Amy Scanlin
1 Comment

Editor’s Note: This is an article submission from the EAS Consulting Group, LLC team.

To Audit, or not to audit? Not even a question! Audits play a crucial role in verifying and validating business practices, ensuring suppliers are meeting their requirements for Good Manufacturing Practices (GMPs), and most importantly, protecting your interests by ensuring that you consistently receive a compliant and quality product. Audits can help ensure sound business procedures and quality systems, including well-established SOPs, verification and documentation of batch records, appropriate sanitation practices and safe storage and use of ingredients. Audits can also identify deficiencies, putting into motion a corrective action plan to mitigate any further challenges. While a detailed audit scheme is commonplace for established industries such as food, pharmaceuticals and dietary supplements, it is equally important for the cannabis industry to ensure the same quality and safety measures are applied to this budding industry.

If the question then is not whether to audit, perhaps the question is how and when to audit, particularly in the case of a company’s suppliers.This is an opportunity to strengthen the working relationship with each side demonstrating a commitment to the end product.

Supplier audits ensure first and foremost that the company with which you have chosen to work is operating in a manner that meets or exceeds your quality expectations – and you should have expectations because ultimately your product is your responsibility. Any issues that arise, even if they are technically the fault of a supplier, become your issue, meaning any enforcement action taken by your state regulators will directly impact your business. Yes, your supplier may provide you with a batch Certificate of Analysis but you should certify their results as well.

Audits are a snapshot of a moment in time and therefore should be conducted on a regular basis, perhaps biennially or even annually, if they are a critical supplier. In some cases, companies choose to bring in third-party auditors to provide an objective assessment of suppliers. This is especially helpful when the manufacturer or customer does not have the manufacturing, compliance and analytical background to accurately interpret data gathered as part of the audit. With the responsibility for ensuring ingredient identity and product integrity falling on the manufacturer, gaining an unbiased and accurate assessment is imperative to reducing the risk to your business.

Conducting a supplier audit should be well planned in advance to ensure both sides are ready. The audit team must be prepared and able to perform their duties via a combination of education, training and experience. A lead auditor will oversee the team and ultimately will also oversee the results, verifying all nonconformities have been properly identified. They will also work with the supplier to conduct a root cause analysis for those nonconformities and develop a corrective action plan to eliminate them from occurring in the future. The audit lead will also verify follow-up results.

Auditors should discuss with the supplier in advance what areas will be observed, what documentation will need to be ready for review and they should conduct their assessments with professionalism. After all, this is an opportunity to strengthen the working relationship with each side demonstrating a commitment to the end product.This is your chance to ensure your suppliers are performing and will meet your business, quality and product expectations.

Auditors must document that ingredient identity and finished product specifications are verified by test methods appropriate for the intended purpose (such as a whole compound versus a powder). State regulations vary so be certain to understand the number and types of required tests. Once the audit is complete and results are analyzed, you, the manufacturer, have an opportunity to determine if the results are acceptable. Remember, it is your product, so ultimately it is your responsibility to review the available data and release the product to market, you cannot put that responsibility on your supplier.

Quality Agreements as Part of a Business Agreement

There are opportunities to strengthen a partnership at every turn, and one way to set a relationship on the right path is to include a quality agreement as part of a business agreement. A quality agreement lays out your expectations for your suppliers, what you are responsible for and is a living document that, once signed, demonstrates their commitment to upholding the standards you expect. Just as with a business agreement, have any quality agreements reviewed by an outside expert to ensure the wording is sound and that your interests are protected. This is just another step in the development of a well-executed business plan and one that solidifies expectations and provides consequences when those expectations are not met.

Supplier audits must be taken seriously as they are opportunities to protect your brand, your business and your consumers. Enter into an audit as you would with any business endeavor – prepared. This is your chance to ensure your suppliers are performing and will meet your business, quality and product expectations.

OLCC-Logo

Audit Finds Oregon Lacking Regulatory Oversight and Proper Security

By Aaron G. Biros
No Comments
OLCC-Logo

Last week, Oregon Secretary of State Dennis Richardson published his office’s audit of The Oregon Liquor Control Commission (OLCC). The audit uncovered a number of inadequacies with the regulatory agency, most notably the problems with their tracking system, designed to prevent cannabis form being sold on the black market.

The report highlights the need for Oregon to implement a more robust tracking system, citing reliance on self-reporting, overall poor data quality and allowing untracked inventory for newly licensed businesses. The audit also found an insufficient number of inspectors and unresolved security issues. According to The Oregonian, the OLCC only has 18 inspectors, roughly one for every 83 licensed businesses.

Auditors also found inadequacies in the application system, saying the OLCC doesn’t monitor third-party service providers and doesn’t have a process in place for reconciling data between the licensing and tracking systems. The audit found there is a risk that decisions made for the program could be based on unreliable data. It also found a risk of unauthorized access to the systems, due to a lack of managing user accounts.

Oregon Secretary of State Dennis Richardson
Oregon Secretary of State Dennis Richardson

This audit’s publication is very timely. Most notably because U.S. Attorney Billy Williams, who called Oregon’s black market problem “formidable,” convened a summit this week to examine how Oregon can prevent cannabis being exported to other states. According to the Oregonian, Williams said Oregon has an “identifiable and formidable overproduction and diversion problem.” The audit’s findings highlighting security issues are also very timely, given that in the same week, Oregon’s neighbor to the North, Washington, experienced a security breach in its own tracking system.

The problems with the Oregon tracking system’s security features are numerous, the audit says. They found that the OLCC lacks a good security plan, IT assets aren’t tracked well, there are no processes to determine vulnerabilities, servers and workstations not using supported operating systems and a lack of appropriately managing antivirus solutions. “Long-standing information security issues remain unresolved, including insufficient and outdated policies and procedures necessary to safeguard information assets,” reads the report’s summary.

The audit proposes 17 recommendations for the state to bolster its regulatory oversight. Those recommendations intend to address undetected compliance violations, weaknesses in application management, IT security weaknesses and weaknesses in disaster recovery and media backup testing. You can read the full audit here.