ASTM D8308-21

This document is not an ASTM standard and is intended only to provide the user of an ASTM standard an indication of what changes have been made to the previous version. Because
it may not be technically possible to adequately depict all changes accurately, ASTM recommends that users consult prior editions as appropriate. In all cases only the current version
of the standard as published by ASTM is to be considered the official document.
Designation: D8308 − 20 D8308 − 21
Standard Practice for
Cannabis/Hemp Operation Compliance Audits
This standard is issued under the fixed designation D8308; the number immediately following the designation indicates the year of
original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A
superscript epsilon (´) indicates an editorial change since the last revision or reapproval.
1. Scope
1.1 Purpose—This practice identifies the minimum requirements for the planning, conduct, and reporting of compliance audits of
a cannabis/hemp business. It provides information on terms, procedures, and responsibilities.
1.2 Intent—The intent is to provide specific instruction needed to develop reliable audit programs and procedures that are used
to conduct audits that produce credible, consistent, and objective evidence and findings related to compliance with one or more
standards, regulations, policies, best practices, or quality specifications. This practice can be used internally for pre-audit
assessments to identify and correct operational gaps.
1.3 Organization—This practice is organized in the following manner:
Section
Scope 1
Referenced Documents 2
Terminology 3
Significance and Use 4
Audit Process Overview 5
Audit Programs 6
Audit Process 7
Record Management 8
Keywords 9
Roles and Responsibilities Annex A1
Auditor Qualifications and Staffing Annex A2
Scale, Objectives, and Perspectives of an Audit Annex A3
Process Diagrams Annex A4
1.4 Nothing in this practice shall preclude observance of federal, state, or local regulations which may be more restrictive or have
different requirements.
1.5 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility
of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of
regulatory limitations prior to use.
1.6 This international standard was developed in accordance with internationally recognized principles on standardization
established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued
by the World Trade Organization Technical Barriers to Trade (TBT) Committee.
This practice is under the jurisdiction of ASTM Committee D37 on Cannabis and is the direct responsibility of Subcommittee D37.02 on Quality Management Systems.
Current edition approved Jan. 15, 2020Feb. 15, 2021. Published February 2020March 2021. Originally approved in 2020. Last previous edition approved in 2020 as D8308
– 20. DOI: 10.1520/D8308-20.10.1520/D8308-21.
Copyright © ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United States
D8308 − 21
2. Referenced Documents
2.1 ASTM Standards:
D8229 Guide for Corrective Action and Preventive Action (CAPA) for the Cannabis Industry
3. Terminology
3.1 Definitions of Terms Specific to This Standard:
3.1.1 action plan, n—a plan to correct negative audit findings and close compliance gaps.
3.1.2 audit, v—see compliance audit.
3.1.3 audit authority, n—the entity that authorizes, or initiates, the audit process.
3.1.3.1 Discussion—
The audit authority may be internal to the audited entity, such as a department manager, a CEO, or the board of directors, senior
management not involved with the day-to-day operations of the operation/area(s) being audited; or external, such as a financial
stakeholder, a business customer, or a government authority having jurisdiction.
3.1.4 audit criteria, n—the set of requirements that are applicable to the objective and scope of an audit. Examples include
standards, regulations, laws, policies, best practices, quality specifications, and industry best practices.
3.1.5 audit data, n—data collected during an audit to support the audit findings. Examples: Photos, notes, documents, records,
forms, and answers.
3.1.6 audit finding, n—a statement of the audited entity’s conformity against the audit criteria at the time of the audit.
3.1.6.1 Discussion—
The audit finding is the good/bad, conformity/nonconformity statement that results from an evaluation of the audit data collected.
It can also be the collective conformity/nonconformity of each question or criteria. The audit finding(s) is not the audit data that
supports the audit finding.
3.1.7 audit objective(s), n—broad statement(s) of what the audit intends to accomplish.
3.1.8 audit plan, n—documentation that describes the objective, scope, specific responsibilities, schedule, logistics, deliverables,
completion requirements and other plan details for a particular audit.
3.1.9 audit program, n—an auditing body’s procedures, protocols, methods, and techniques for conducting an audit.
3.1.10 audit program supplier, n—an entity that develops and provides a program of audit procedures and protocols that can be
used repeatedly by auditing bodies to conduct consistent and reliable audits.
3.1.11 audit protocol, n—standard methods for the collection of audit data. Examples: Checklist or questions used during on-site
inspections, guides that define the types of records and documents required to provide objective evidence, and interview questions
and techniques.
3.1.12 audit report, n—a written summary that provides the context or objectives of the audit, relevant background information,
the audit findings, and objective audit data that provides evidence to support the findings.
3.1.13 audit scope, n—a description of what is to be audited.
3.1.13.1 Discussion—
The audit scope should include a description of the period under review, the audited entity, the audit criteria, and the elements being
audited, such as facilities, security, procedures, product packaging/labeling, and operational practices.
For referenced ASTM standards, visit the ASTM website, www.astm.org, or contact ASTM Customer Service at service@astm.org. For Annual Book of ASTM Standards
volume information, refer to the standard’sstandard’s Document Summary page on the ASTM website.
D8308 − 21
3.1.14 audit team, n—one or more auditors responsible for conducting an audit. The audit team may be supported by technical
experts and auditors-in-training.
3.1.15 audited entity, n—a facility, organization, or part thereof, that is the subject of an audit.
3.1.16 auditing body, n—the organization that plans and conducts an audit, and provides the audit report.
3.1.16.1 Discussion—
For an internal audit of a small operation, a single person might take on the responsibilities of the auditing body, the lead auditor,
the audit team, and the auditor. For a large external audit, it could be a large audit firm.
3.1.17 auditor, n—a person qualified to conduct an audit. A member of an audit team.
3.1.18 authorityauthorities having jurisdiction, n—an external organization, office,organizations, offices, or individualindividuals
responsible for enforcing the requirements of a code or standard, or for approving equipment, materials, an installation, procedures,
or procedures.products.
3.1.18.1 Discussion—
In the context of this standard,practice, this is typically a government department or agency.one or more government departments
or agencies. In most cases, multiple authorities are involved such as cannabis agencies, food, fire, building, worker, and consumer
health and safety agencies. Requirements from city, state, and country agencies may apply and multiple jurisdictions that have
authority over international and cross-border trade may apply.
3.1.19 cannabiscannabis/hemp operation, n—a person, group of persons, non-profit entity, or business entity that cultivates,
processes, manufactures, tests, distributes, stores, dispenses, sales, or otherwise handles cannabis/hemp, or products containing
cannabis/hemp.
3.1.20 compliance audit (audit), n—a comprehensive, systematic, documented, and objective assessment of an audited entity to
evaluate and report objective evidence of compliance relative to predefined and mandated laws, regulations, standards, or policies
audit criteria.
3.1.20.1 Discussion—
In this standard,practice, the term “audit” refers to compliance audits that may or may not include an audit for the accuracy of
financial books and records or the accuracy of information technology records.are based on mandatory or voluntary criteria.
3.1.21 compliance gap, n—a condition that does not meet the requirements conform to a mandatory criteria of one or more
applicable standards, regulations, policies, best practices, or quality specifications.mandated laws, regulations, standards, or
policies.
3.1.21.1 Discussion—
In this practice, the term “gap” is used to refer to nonconforming conditions based on either mandatory or voluntary criteria.
3.1.22 documents, n—written policies, processes, procedures, plans, standards, specifications, and other written information that
governs the conduct of a business. Documentation also includes records.
3.1.22.1 Discussion—
Records are a form of documentation. It is not uncommon to use the term document to refer to records. The special characteristic
of a record is that it documents that some action or event has occurred, or been witnessed. A record does not change since it reflects
past events. Documentation such as plans and procedures can be changed but previous versions may be retained as a record.
3.1.23 independence, n—a condition characterized by organizational standing where an auditor is free to conduct an audit without
being controlled or influenced by others.
3.1.24 lead auditor, n—an auditor designated to lead and manage the audit.
3.1.25 objective evidence, n—information collected that someone when reviewing an audit report can inspect and evaluate for
themselves.
3.1.25.1 Discussion—
D8308 − 21
Objective evidence included in an audit report allows others to substantiate that the audit was actually performed as indicated, that
the criteria for the audit were upheld by a proper assessment, and that the findings are valid.
3.1.26 objectivity, n—a condition characterized by the absence of bias, influences, and conflicts of interest that affect or have the
potential to compromise audit findings.
3.1.27 open audit issue, n—a potentially negative audit finding that cannot be verified or resolved without additional time and
information.
3.1.28 period under review, n—the time interval over which conditions at the audited entity are evaluated against audit criteria.
3.1.29 physical inspection, n—first-hand observation and assessment of the audited entity conditions.
3.1.30 records, n—an audited entity’s documentation and other forms of recorded information. Examples: Inventory records, point
of sale records, maintenance logs, pesticide application logs, usage logs, incident reports, batch records, and training records.
3.1.30.1 Discussion—
Records are information about events or conditions at a point in time. A procedure is a document that can be changed and updated.
The previous unchanged version of the procedure can be saved as a record. Other examples include inventory records, point of
sale records, maintenance logs, pesticide application logs, usage logs, incident reports, corrective actions, preventive actions, root
cause analysis, batch records, and training records.
3.1.31 working papers, n—paper, electronic documentation, or both developed or collected by the auditing body and its auditors
relating to an audit. Examples: Planning and preparation background information, responses to checklist and questions, photos and
other media, copies of documents and records, and notes and descriptions about the audit findings. Audit data is a subset of working
papers.
4. Significance and Use
4.1 Intended Use—This practice is intended for use by parties who either develop, plan, and conduct internal or external audits,
or are interested in the audit process since they are the subject of compliance audits or they mandate such audits to occur.
4.2 Audits—Audits are conducted by an auditor or audit body that is independent of the entity being audited. Individuals that
conduct an assessment of an operation or product that they are directly involved with or have a vested interest in, is technically
not an audit. These assessments might be a pre-audit or gap assessment. This practice can be used for these types of activities and
the rigor of a true audit may not be as critical.
4.3 Terms and Concepts—The definition of terms in Section 3 and the perspectives on scale, objectives, and types of audits in
Annex A3 provide concepts that help clarify the different roles involved in an audit, the various elements of an audit, and how this
standardpractice applies to different situations. This standardpractice is written in terms that accommodate audits for different
objectives and sizes.
4.4 Application—Compliance audits are used to identify gaps between some criteria and the actual operational conditions.
Knowledge of compliance gaps are used to assess various risks, guide corrective action and action, preventive action, root cause
analysis, improvement efforts, prevent fines and penalties, or provide stakeholders an objective evaluation of an operation and its
potential safety, financial, or other risks. A user of this practice should understand and adapt the audit concepts, process, and
responsibilities in this practice to their specific organizational structure and situation.
4.5 Audit Scale—The scale of an audit can range from an internal audit of a small single operation with fewer than ten employees
to an external audit of a large corporation with facilities at multiple international locations. In either case, large or small, the
principles in this practice shall be followed to produce objective and credible results.
4.6 Audit Criteria—As the cannabiscannabis/hemp industry develops globally and continues to gain acceptance, both new and
previously established standards, regulations, policies, and best practices are being developed, adopted, evolving, and applied to
this industry. Due to this evolving nature, diligent attention is needed by auditing bodies to maintain up-to-date audit criteria and
protocols.
D8308 − 21
5. Audit Process Overview
5.1 An audit involves a minimum of three activities: audit preparation, conducting the audit, and reporting findings. In addition,
it is in the audited entity’s best interest to address and resolve compliance gaps and have a follow-up audit conducted.
5.2 Preparation—Prior to conducting an audit the auditing body plans, coordinates, organizes, and communicates the activities for
conducting an effective and efficient audit.
5.3 Conducting the Audit—The audit is conducted per plan by the audit team member(s) to assess the operation by collecting
objective evidence, working papers, and audit findings. The audit activities can occur remotely, during an on-site visit, or both as
specified by the audit plan.
5.4 Reporting—The audit findings, objective evidence, and working papers are organized to produce a clear and concise audit
report. Depending on the objectives and scope, the audit report is shared with the audit authority, the audited entity, or others as
defined in the plan. Reporting the audit findings occurs after conducting the audit is completed; however, preparatory reporting may
occur earlier in the process.
5.5 Follow-upFollow-Up Audit—In most cases the objective of an audit is to identify and execute corrective/preventive actions
to address compliance gaps and reduce various risks. A follow-up audit can be conducted to verify that such actions have resolved
the gaps.
5.6 Section 7 provides the details of the audit process. A diagram of the audit process data flow between the process elements and
an activity flowchart is provided in Annex A4.
6. Audit Programs
6.1 An audit program is the procedures, protocols, methods, and techniques for conducting an audit. An auditing body may
develop a unique audit program for a single use, develop a repeatable audit program, or acquire a repeatable audit program from
an audit program supplier. An audit program can be paper based or a software application.
6.2 Audit Program Credibility—The credibility of an audit report starts with the quality of the audit program used along with the
skill of the auditor(s) to conduct the audit and produce a useful report. The purpose and objectives of an audit program shall be
clear in order to ensure it is used in alignment with the objectives of a particular audit.
6.3 Consistency—A well-designed audit program brings consistency to the methods and techniques used to conduct audits, report
findings, and conduct follow-up audits. coordinate corrective and preventive actions, and conduct follow-up audits to confirm the
corrective actions resolve the issues reported.
6.4 Audit Criteria—An audit program is based on criteria from one or more standards, regulations, policies, best practices, or
quality specifications. The authority and version of the criteria used by the program shall be clearly stated.Sources of criteria can
be from but not limited to:
(1) Internal policy, procedure, specification;
(2) Standard bodies;
(3) Customer specification;
(4) One or more authorities having jurisdiction for local operational requirements; and
(5) One or more authorities having jurisdiction where products are shipped to and further processed or marketed.
When conflicts exist between the criteria from different sources, document the decision and rationale for the audit criteria used
in the audit plan and in the audit report if not otherwise provided to the recipients of the report. The authority and version of the
criteria used by the program shall be clearly stated.
6.5 Audit Protocols—Audit criteria are used to develop audit protocols. The audit criteria are interpreted and converted into
question or checklist protocols that guide the collection of objective evidence during visual inspections, interviews, and the review
of documents and records. The quality of an audit is dependent on the depth and specificity of these protocols. To illustrate this
D8308 − 21
point, the question “does management care about worker safety?” can result in a simple and subjective yes or no answer. It should
be replaced with several questions that draw out objective evidence of the actions taken by management that have led to worker
safety.
6.6 Program Procedures and Guidelines—The procedures and guidelines to use the program in a manner that produces accurate
and credible results shall be documented. These procedures and guides are especially important for newer auditors. The guides can
include but are not limited to objective evidence collection guides, instructions to collect data sources such as the times or shift
that the observations were made, locations, departments, special conditions, and names of people interviewed, interview
techniques, observation techniques, and document and record review methods. Audit bodies that develop their own programs may
consider these procedures and guides as proprietary information.
6.7 Qualifications and Training to Use the Audit Program—The qualifications and training required for an auditor to perform
audits following the framework of an audit program shall be defined, documented, and provided to auditors that use the program.
The time required to prepare, conduct, and report results can be wasted if a quality audit program is not used or the audit is
conducted poorly.
7. Audit Process
7.1 Audit Initiation:
7.1.1 An audit requires resources. Audits are is initiated and approved by someone. someone that can provide the resource for the
audit and define alignment with business objectives. It may be a manager, the CEO, a board of directors, or a stakeholder.
stakeholder that is typically not involved with the day-to-day operations of the entity being audited. In this practice, this role is
referred to as the audit authority. An authority having jurisdiction may mandate an audit but this does not make them the audit
authority. The request to have an audit conducted may come in different forms and may or may not be clearly communicated in
which case the audit body will need to gain clarification of the request for an audit and its objectives.
7.1.2 The audit authority or their delegate selects the audit body that will prepare and conduct the audit.
D8308 − 21
7.2 Audit Preparation:
7.2.1 Someone is going to plan, coordinate, organize, and communicate the activities for conducting the audit. This is primarily
the responsibility of the auditing body, but others are involved. Depending on the scope and scale of the audit, the auditing body
may be an internal auditing department, a single employee, an external audit contractor, or a large audit firm. Typically the lead
auditor will perform or lead the preparation activities. The result of the preparation activities is an audit plan.
7.2.2 An audit plan shall be developed and documented or an existing plan refined that addresses:
(1) theThe objective and scope of the audit;
(2) identificationIdentification of stakeholders;
(3) background information;Identification of applicable authorities having jurisdiction;
(4) Identification of applicable audit criteria;
(5) Background information;
(6) descriptionDescription of the audit program to be used;
(7) auditAudit process and procedures;
(8) audit schedule;Audit schedule and timeframes;
(9) Audit logistics;
(10) Audit resources;
(11) Corrective action and follow-up plans;
(12) Personnel responsibilities;
(13) Documentation and records to be produced; and
(14) audit logistics.Suggested improvements to the audit process and plans.
Each of these plan elements is covered in the following sections. The sequence presented below does not imply a sequence to
be followed. As the plan details emerge the elements should be enhanced and updated.
7.2.2.1 Objective and Scope of the Audit—Understanding the objective of an audit is important in order to select applicable criteria
and develop or acquire appropriate protocols. An objective to identify compliance gaps to drive corrective/preventive actions may
require different protocols than an objective to show evidence of investment risk for potential investors. In cases where there is
not a clear and established mandate, it may be necessary to coordinate with the audit authority to understand or even help develop
the purpose and objectives of the audit. Any intent to conduct corrective action and perform a follow-up audit, or not, shall be
understood and included in the plan objectives. The audit scope should include a description of the period under review, the audited
entity, the audit criteria, and the focus of the audit such as facilities, security, food safety, quality management systems, information
security, occupational safety, product packaging/labeling, fire safety. The risk associated with the business case for performing an
audit should be described. The level of risk can inform the type, level of detail, and frequency of the audit and follow on audits.
7.2.2.2 Identification of Stakeholders—The stakeholder(s) that will receive a copy of the audit report shall be noted as well as
others involved such as the audit authority, audited entity, auditing body, audit team, audit leader, and other team members.
7.2.2.3 Identification of Applicable Authorities Having Jurisdiction—This is typically one or more government departments or
agencies. In most cases, multiple authorities are involved such as cannabis/hemp agencies, food, fire, building, worker, and
consumer health and safety agencies. Requirements from city, state, and country agencies may apply and multiple jurisdictions that
have authority over international and cross-border trade may apply.
7.2.2.4 Identification of Applicable Audit Criteria—Include a list of the audit criteria. The criteria are determined by the purpose
and scope of the audit and can include government laws and regulations, industry recognized standards, criteria established by
certification bodies, company policies and procedures, or other defined criteria.
7.2.2.5 Background Information—Background information can be useful to understand the scale, scope, and nature of the pending
audit when developing the audit plan. Background information may consist of records, documents, site descriptions, operation and
maintenance manuals, compliance inspection reports, previous audit reports, notices of violations, and other relevant information.
7.2.2.6 The Audit Program—An audit program can be developed by the auditing body, acquired from an audit program supplier,
or a combination of both. In either case, the program needs to be understood and be applicable to accomplish the objectives of
the audit. Section 6 covers the requirements of an audit program. The plan shall include a description of the audit program to be
used including the authority and version of the criteria that the audit program is based on. Any procedural details that impact the
planning, schedule, coordination, or logistics of the audit plan shall be documented. Any audit program methods and techniques
that are proprietary to the auditing body dodoes not have to be included in the plan.
D8308 − 21
7.2.2.7 Audit Process and Procedures—To ensure a smooth and efficient audit process, include procedures in the audit plan that
guide the actions of the auditing body, the audit team, the audited entity, and other stakeholders. Proprietary procedural details that
are used internally by the auditing body do not have to be included in the plan.
7.2.2.8 Audit Schedule—A schedule of audit activities shall be developed and documented including major preparation and
reporting activities. The schedule shall clearly document the expected timeframes and timeline between the auditing body and the
audited entity with respect to the audit execution, reporting audit findings, corrective action, any follow-up audits, and closure as
applicable.
7.2.2.6 Background Information—Background information can be useful to understand the scale, scope, and nature of the pending
audit when developing the audit plan. Background information may consist of records, documents, site descriptions, operation and
maintenance manuals, compliance inspection reports, previous audit reports, notices of violations, and other relevant information.
7.2.2.9 Audit Logistics—Issues such as identifying site contacts, scheduling site visit(s), site security and access authorization, use
of safety equipment, lodging, transportation, on-site workspace, internet access, special communication situations, on-site meals,
and other details should be addressed and documented in the plan.
7.2.2.10 Audit Resources—The resources required to conduct the audit shall be listed in the plan. Consider the labor required, time,
material, the cost for lodging, transportation, and other logistical needs.
7.2.2.11 Corrective Action and Follow-Up Plans—The plan and schedule for activities after conducting the audit and reporting the
findings. These activities can include corrective and preventive actions, root cause analysis, and a follow-up audit or assessment.
7.2.2.12 Personnel Responsibilities Plan—Documentation of the key roles and responsibilities of stakeholders and personnel
involved with the successful outcome of the audit process.
7.2.2.13 Documentation and Records Plan—An inventory of the documentation and records that will be produced as a result of
the audit process and the plans for delivery, security, retention, and disposal of these documents and records.
7.2.2.14 Suggested Improvements To the Audit Process and Plans—Address and incorporated as applicable improvement ideas
that were captured during a previous audit. 7.7.1 specifically includes an activity to capture improvement suggestions. An audit
body that regularly performs audits should establish key performance indicators (KPIs) and collect performance data to guide the
audit process and planning improvements.
7.2.3 Audit Plan Approval—Prior to conducting the audit, the plan shall be presented to the audit authority to obtain agreement
that the audit, as planned, will accomplish their intent and presented to the audited entity to ensure that they support the audit plan.
7.2.4 Audit Team Formation and Preparation—As required by the scale and scope of the audit, assemble the audit team. Team
members may or may not be called upon to support preparation activities. Prior to conducting the audit, the team should be briefed
on the objectives, procedures, logistics, schedule, and other plan details. Any training on methods and techniques shall be
completed.
7.3 Conducting the Audit:
7.3.1 Opening Meeting—An opening meeting should be held, to bringingbring together and introduce the audit team to members
of the audited entity staff that will be involved or support the audit and when available the audit authority. This meeting should
also share the audit plan and scope. The meeting should facilitate the subsequent collection of information by the audit team and
encourage discussion of any questions or concerns. The audited entity should provide an overview of the facility operations for
the audit team during this opening meeting.
7.3.2 Data Collection Protocols—Th
...