How to write an internal audit report for vineyard compliance

TL;DR
- A vineyard internal audit report documents your self-inspection of spray records, worker safety, pesticide storage, and re-entry intervals against the rules that apply to you.
- It needs a scope statement, findings that cite the violated standard by number, a corrective action plan with deadlines and owners, and a signature.
- Most state programs and buyer audits accept a one- to four-page format built around those four elements.
What is a vineyard internal audit report and why do you need one?
An internal audit report is a written record showing that you reviewed your own operation against a defined checklist of standards, found what was wrong, and committed to fixing it. That's the whole thing. It's not a confession, and it's not a formality you do for show.
The value is practical. When a state ag inspector, a certified auditor from a retail buyer, or a crop insurance adjuster shows up, they want proof that your compliance program is alive, not that you own a binder of policies nobody opens. A dated, signed audit report is that proof. Without one, you're asking a stranger to take your word.
For vineyards, the pressure to document self-inspection comes from several directions at once. The EPA Worker Protection Standard (WPS) at 40 CFR Part 170 requires that agricultural employers make pesticide safety information available and keep records, but the standard hands you no template [1]. State departments of agriculture, particularly in California, Washington, and Oregon, stack their own pesticide use reporting and record-retention rules on top. Then there are voluntary third-party food safety programs like GLOBALG.A.P. and SQF that many large winery buyers now require from their growers, and those programs ask for documented internal audits before they'll certify you.
Short version. You need one because regulators expect evidence of self-policing, and buyers increasingly demand it. For a working vineyard, that report is the difference between a smooth inspection and a scramble.
What regulations actually require vineyard audit documentation?
The core federal layer is the EPA Worker Protection Standard, revised in 2015, which applies to any agricultural establishment that uses or supervises the use of pesticides and has agricultural workers or pesticide handlers [9]. The WPS requires you to keep certain records, including pesticide application records with specific data fields, for at least two years [1]. California goes further. California Food and Agriculture Code Section 12981 requires licensed pest control advisers and growers applying restricted materials to file pesticide use reports with county agricultural commissioners on set timeframes, and the underlying records must be kept for three years [2].
Washington State's Department of Agriculture runs its own pesticide licensing and recordkeeping program under WAC 16-228, requiring application records within 30 days of each application [3]. Cornell Cooperative Extension has documented that New York growers face similar obligations under the New York Environmental Conservation Law Article 33 [4].
If you have workers, OSHA's Field Sanitation Standard at 29 CFR 1928.110 requires potable water, toilet facilities, and hand-washing facilities in the field, and inspectors do look for records showing these are maintained [5]. Heat illness prevention plans are required in California under 8 CCR 3395 and get enforced more each season [10].
None of these statutes say "write an internal audit report." What they say is: keep records, make them available, fix violations. An internal audit report is how you show you did all three in an organized way.
One thing worth saying plainly. If you ever face an enforcement action, a well-kept audit record showing you caught and corrected a problem before the inspection generally draws a lower penalty than the same problem found by an inspector with no evidence of self-correction. That's not a legal guarantee. It's consistent with how agency enforcement discretion works in practice.
What sections does a vineyard internal audit report need to include?
There's no single mandated format, so the structure below comes from what third-party auditors and state ag programs actually ask to see. Keep it to one to four pages for a small operation. Longer is not better.
1. Header and identification block
Date of the audit, the specific blocks or facilities covered, the name and title of the person conducting it, and the standards or checklist used as the reference. A finding means nothing if you can't tell what it was measured against.
2. Scope statement
One short paragraph on what you reviewed and what you didn't. If you audited spray records for the current season but not the equipment storage area, say so. Scope limits are honest, and they tell a reviewer exactly where to ask follow-up questions.
3. Findings table
This is the core of the document. Each finding gets a description of what you observed, the specific standard it relates to (name the regulation by number), a rating (conforming, minor nonconformity, major nonconformity), and an assigned owner. A table works well. Don't write findings as vague generalities like "records were incomplete." Write them as "Pesticide application record for Block 7, application date June 14, was missing the application rate per acre, required under 40 CFR 170.222(c)(4)."
4. Root cause note
For each nonconformity, one sentence on why it happened. Not to assign blame. Because corrective actions that ignore root cause tend to repeat. "Applicator used an older form that predated the 2022 field log update" is enough.
5. Corrective action plan (CAP)
For each finding: the specific action, who's responsible, and the deadline. Make deadlines realistic. If re-training a crew on re-entry intervals takes three weeks to schedule, say three weeks. A CAP with blown deadlines looks worse than a longer timeline you actually kept.
6. Verification and sign-off
A line for the vineyard manager or operator to sign and date, confirming the audit happened and the CAP was reviewed. If you have a second reviewer (an agronomist, a PCA, a compliance consultant), get their signature too. Two signatures make the document harder to dismiss.
7. Trend note (optional but recommended)
If this isn't your first audit, one paragraph comparing this year's findings to last year's. Three open majors last year, one open minor this year. That trajectory tells a story regulators and auditors like to see.
How do you write findings that will hold up under scrutiny?
This is where most internal audits fall apart. Growers write findings so vague they're useless ("recordkeeping needs improvement") or so alarming they read like a self-incrimination. Neither is right.
A good finding has four parts: what you observed, what you expected based on a named standard, the gap between the two, and the severity. That's it.
Weak finding: "Spray records were not always complete."
Strong finding: "Review of 23 pesticide application records for January 1 through June 30 found 4 records (17%) missing wind speed at time of application. California Food and Agriculture Code Section 12981 and county commissioner requirements specify wind speed as a required field. Severity: minor nonconformity. No restricted materials were involved."
The strong version is quotable, trackable, and shows you know the standard you're measured against. It also shows proportion. Four out of 23 records, all involving non-restricted materials, is a minor administrative gap, not a crisis.
Write findings the day of the audit, not a week later. Memory degrades, and details matter. UC Davis Cooperative Extension's winegrape guidelines treat contemporaneous recordkeeping as the baseline for any defensible compliance record [6].
Ratings language varies by program. The most common scale third-party auditors use runs: Conforming (no issue found), Observation (minor risk, no standard violated), Minor Nonconformity (standard violated, low risk or isolated), Major Nonconformity (standard violated, significant risk or systemic), and Critical (immediate health or safety risk, requires immediate action). Align your ratings to whatever program your buyers or insurers require.
What does a corrective action plan look like for a vineyard?
A corrective action plan (CAP) is not a promise. It's a schedule with owners and evidence requirements. The difference shows up the moment someone comes back to verify it.
For each finding, the CAP entry needs the finding number it references, the corrective action in plain language, the person responsible by name (more than "vineyard manager"), the completion date, and how you'll prove it's done.
Verification is the piece most growers skip. If your action is "retrain all handlers on re-entry intervals per 40 CFR 170.230," your verification evidence is a training sign-in sheet with dates and signatures. If the action is "replace the pesticide storage lock with a keyed padlock," the verification is a date-stamped photo.
| Finding # | Finding Summary | Action | Owner | Due Date | Verification Evidence |
|---|---|---|---|---|---|
| 01 | 4 of 23 records missing wind speed | Update field log form, retrain applicators | J. Martinez | 30 days | Revised form + training sign-in |
| 02 | Eyewash station not operational in spray shop | Replace eyewash unit | R. Chen | 7 days | Photo with date, work order |
| 03 | WPS central posting board not visible from main entrance | Relocate board to entrance kiosk | J. Martinez | 14 days | Photo with date |
Keep this table in the report and fill in the "Verification Evidence" column as actions close. That completed table is your close-out document. File it with the original audit report.
WSU Extension's guidance on agricultural worker safety documentation notes that closed corrective actions with verification evidence are the primary thing auditors use to judge whether a compliance program is functioning or just performing [7].
How often should vineyards conduct internal audits?
Once a year is the floor. Twice a year is what most third-party food safety programs actually expect, and there's a good reason. The spray season creates most of your compliance exposure, so an audit before the season starts (to confirm records, training, and equipment are ready) and one after harvest (to close out the season's records) fits the operational calendar.
If you've had a major nonconformity in the last 12 months, added a new pesticide, or had turnover in handler roles, audit more often. New handlers under the WPS must get safety training before they handle pesticides or enter treated areas during the restricted entry interval, and a mid-season audit can catch that gap before an inspector does [1].
Small operations (under 10 acres, one applicator, one or two workers) can run a credible audit in two to three hours with a good checklist. Larger vineyards with multiple blocks, contract labor, and restricted material use need a full day, and should hand the audit to someone who didn't also make the applications, so fresh eyes land on the records.
No federal rule sets audit frequency for vineyards. The twice-a-year cadence comes from GLOBALG.A.P. requirements and from hard-won experience: programs that audit once a year tend to find the same findings year after year.
What should be on a vineyard compliance audit checklist?
Your checklist decides whether the audit is meaningful or theatrical. Build it from the actual regulations that apply to you. The minimum for most U.S. vineyards:
Pesticide records (40 CFR 170 and state requirements)
- Application records complete (product name, EPA reg number, location, date, rate, applicator name, REI, PHI)
- Records stored and accessible for the required retention period (2 years federal, 3 years California)
- Pesticide use reports submitted to county or state on schedule
- Restricted materials permits current
Worker Protection Standard (40 CFR Part 170)
- WPS safety training documented for all workers and handlers
- Central posting board in place with required information (safety data sheet, pesticide application information, emergency contact)
- Re-entry interval information posted at field entry points during REI
- Decontamination supplies available at the application site and for workers
- Handler PPE available, clean, and in good condition
- Pesticide safety information (WPS safety poster) displayed
Storage and equipment
- Pesticide storage locked, labeled, ventilated, with spill containment
- Eyewash station operational and inspected monthly (log present)
- Spray equipment calibrated and calibration records on file
Worker health and safety
- Field sanitation (water, toilet, handwashing) available and documented (29 CFR 1928.110)
- Heat illness prevention plan written and current for heat-risk days (California: 8 CCR 3395)
- Emergency action plan with nearest hospital route posted
Buyer or certification requirements (if applicable)
- GLOBALG.A.P. or SQF control points reviewed
- Food safety plan current
- Traceability records complete
Cornell Cooperative Extension and UC Davis both publish adapted checklists specific to New York and California grape production [4][6]. WSU Extension has similar materials for Washington [7]. Use those as starting points and add any state-specific items your county ag commissioner has flagged.
How do you handle findings that involve a past pesticide violation?
This is where people get nervous, and the nerves make sense. If your audit turns up what looks like a WPS violation or a missed pesticide use report, the real question is whether documenting it makes your legal position worse.
The general answer, from legal practice and from state ag agency guidance, is that documenting it in a controlled internal audit, with a corrective action, is almost always better than not documenting it. Agencies have enforcement discretion. A self-identified, self-corrected violation backed by a functioning audit program usually draws a lower penalty or a corrective notice rather than formal enforcement. An inspector who finds the same violation with no evidence of self-monitoring tends to escalate.
For a missed pesticide use report to a county commissioner, the practical move is to file the late report promptly, note in the audit record that you caught the gap and filed late, and fix your submission process going forward. Most county commissioners accept late reports with little consequence for a first-time gap when you explain it.
Possible WPS violations involving worker exposure or inadequate training are more serious. If you think workers may have entered a treated area during a restricted entry interval without required PPE, talk to a licensed pest control adviser and possibly the county ag commissioner before your next inspection. Documenting the finding is still right. So is getting professional guidance on remediation.
Don't use the audit report to minimize or bury findings. Write what you found. A report that names a minor gap and shows you fixed it is a compliance asset. A report that soft-pedals a real problem, and then the problem resurfaces, is a liability.
How do you format and store the completed audit report?
Format matters less than people think. A clean, dated, signed PDF or a printed document in a binder is fine. What matters is that it has the elements above, that it's signed, and that you can find it in under two minutes when someone asks.
Keep the current year and the prior two years accessible. Federal WPS records carry a two-year retention requirement [1]. California pesticide use records require three years [2]. File the audit report on the same retention schedule as your underlying records, because the audit only means something if the records it references are also on hand.
If you use software to manage spray records and field logs, some platforms generate audit-ready record exports that make the review faster. VitiScribe, for example, builds the spray record around the fields required by 40 CFR 170 and California CDFA reporting, so the records you'd pull during an audit are already in a shape auditors recognize. The report itself still needs your judgment and your signature. Software doesn't write findings.
For multi-block or multi-vineyard operations, keep a separate audit report per physical location or permit, unless your compliance program runs under a single license. Mixed-location reports confuse auditors and make block-specific findings hard to verify.
Attach the corrective action close-out document (the CAP with completed verification evidence) as an appendix to the original report. That way the full story, finding to action to verification, lives in one file.
How do vineyard internal audits differ from third-party audits?
The mechanics look similar, but the purpose and weight are different. A third-party audit is run by an accredited certifier (GLOBALG.A.P., SQF, or a state food safety program) with no stake in your operation. Their finding is a certification decision. Your internal audit is a management tool.
Internal audits are supposed to happen more often and run more candid than third-party audits. The point is to find problems before an outsider does. Growers who treat the internal audit as a dress rehearsal for the third-party audit tend to undercount findings, then get surprised when the certifier finds more.
Third-party auditors generally review your internal audit reports as evidence of self-governance. GLOBALG.A.P. control point AF 2.1 requires growers to carry out an internal self-assessment against the standard at least once per certification period, and auditors expect to see the written output [8]. Show up for your third-party audit with no internal audit records, and that alone can be a minor nonconformity against the program.
The other real difference is confidentiality. Your internal audit report is your document. A third-party audit report may go to your buyer or the certification body. Keep that split in mind when you decide how much candid detail to put in each.
Where can vineyard managers find reference checklists and templates?
Several public resources are genuinely useful and free.
UC Davis Cooperative Extension publishes the UC IPM Pest Management Guidelines for Grapes, which include recordkeeping requirements relevant to a California compliance audit [6]. Their agricultural labor compliance resources also cover WPS documentation.
WSU Extension's viticulture and enology program has produced worker safety and pesticide recordkeeping guidance specific to Washington vineyards, and its Pesticide Safety Education Program materials include checklist frameworks [7].
Cornell Cooperative Extension's New York State IPM program covers integrated pest management documentation for vineyards, including which records support a compliance review [4].
The EPA's Worker Protection Standard pages publish the full regulatory text, the required WPS safety poster, and a plain-language guide to the records agricultural employers must keep [1]. The OSHA Field Sanitation Standard is available in plain-language form on OSHA's agricultural operations pages [5].
For California specifics, the California Department of Food and Agriculture's pesticide program pages and your county agricultural commissioner's office are the authoritative sources for which fields belong on a pesticide use report and when it's due [2].
If you're chasing GLOBALG.A.P. certification, their Control Points and Compliance Criteria document (updated regularly) is downloadable from their site and is the most complete audit checklist for grape growers dealing with buyer requirements [8].
Build your audit from these authoritative checklists rather than a generic template, and the report is genuinely defensible. VitiScribe's record templates are built against the same regulatory frameworks, which speeds the data-gathering phase of an audit when your records are already structured correctly.
What are common mistakes vineyards make in internal audit reports?
The most common mistake is writing conclusions instead of findings. "Pesticide records were generally in order" is a conclusion. It tells a reviewer nothing. What did you look at? How many records? What did you find?
Second most common: no root cause. If you write that four records were missing a required field but never explain why, you'll write the same finding next year.
Third: corrective actions with no deadlines or owners. "We will improve our training program" is not an action. "J. Martinez will update the handler training slide deck to add REI information and conduct training by August 15" is an action.
Fourth: auditing only the records you're confident about. That's audit theater. A real internal audit reviews the highest-risk areas even when you're not sure what you'll find. If restricted material use is your most complicated regulatory area, that's where the audit should spend the most time.
Fifth: no sign-off. An unsigned audit report has almost no evidentiary value. Get the responsible person's signature and date it.
Sixth: losing the report. File it somewhere you can retrieve in two minutes. A compliance record you can't produce on request might as well not exist.
Frequently asked questions
Do vineyard operators legally have to write internal audit reports?
No federal statute or California, Washington, or Oregon regulation specifically requires a document called an 'internal audit report.' What the regulations require is that certain records be kept and available. The audit report is the organized way to show you reviewed those records, found any gaps, and corrected them. Third-party food safety programs like GLOBALG.A.P. do explicitly require written internal self-assessments as a condition of certification.
How long should a vineyard internal audit report be?
For a small to mid-size operation, one to four pages is the target. A header, a scope statement, a findings table, a corrective action plan, and a sign-off block. Longer documents are not more credible. What matters is that every section has real content. A two-page audit with specific findings and dated corrective actions beats a ten-page document full of boilerplate.
Who should conduct the vineyard internal audit?
Ideally someone other than the person who made the applications being reviewed, because fresh eyes catch more. For small operations where that's not possible, the vineyard manager can self-audit, but it takes real discipline to stay candid about gaps. Some growers hire their PCA or a compliance consultant for the annual audit to get genuine independence. That cost is usually a few hundred dollars and is worth it if you're heading into a buyer audit or certification renewal.
What's the difference between a pesticide application record and an audit report?
A pesticide application record documents a single spray event: product, rate, date, location, applicator, REI. It's required by 40 CFR Part 170 and state law. An audit report reviews many application records (and other compliance areas) against the regulatory standard, names the gaps, and records what you'll do about them. One is a raw record. The other is the analysis of those records.
Can I use a spreadsheet or do I need special software for vineyard audit records?
A spreadsheet or even a printed form works fine for the regulator. There's no requirement to use software. The tradeoff is speed: if your spray records, re-entry interval tracking, and worker training logs already sit in a structured digital system, pulling them together for an audit is faster. Whatever format you use, the records need to be legible, dated, signed where required, and retrievable for the full retention period.
How do I rate the severity of findings in a vineyard audit?
The most common scale is Conforming (meets the standard), Observation (potential risk, no violation), Minor Nonconformity (isolated violation, low risk), Major Nonconformity (systemic or higher-risk violation), and Critical (immediate health or safety risk). Align your language to whatever program your buyers or certifiers require. A critical finding, like a worker entering a treated area during an REI without PPE, needs immediate corrective action, not a 30-day plan.
What WPS records do I need to have ready before an audit?
Under 40 CFR Part 170 you need pesticide application records (at least 2 years), handler training records, evidence of the central posting board with required information, decontamination supply records, and documentation of any early-entry activities with required PPE noted. California adds pesticide use reports filed with the county commissioner and, for restricted materials, the permit itself. Have all of these organized before the audit begins.
How do buyer audit requirements differ from regulatory requirements for vineyards?
Regulatory requirements (WPS, state pesticide laws) set legal minimums. Buyer audit programs like GLOBALG.A.P. or SQF add requirements on top: internal self-assessments at defined intervals, traceability records linking each lot to field-level inputs, and food safety plans. A vineyard that meets every legal minimum can still fail a buyer audit if it lacks the documented self-governance those programs require. Know which programs your buyers demand before they tell you at the gate.
What happens if an inspector finds a violation that my internal audit missed?
A missed finding doesn't automatically make your situation worse with an inspector, but it does weaken the argument that your audit program works. If the violation is serious, the enforcement consequence depends on the violation itself, not the audit record. The practical protection of a good audit program is that it catches most problems before an inspector arrives, which lowers the chance of enforcement in the first place.
How do I document corrective actions that involve retraining workers?
Keep a training sign-in sheet with the date, the topic covered (referenced to the specific regulation, e.g. 'Re-entry intervals under 40 CFR 170.230'), the trainer's name, and each worker's signature or printed name with signature. Attach this sheet to the corrective action plan as verification evidence. If training was in Spanish or another language, note the language used. UC Davis and WSU Extension publish WPS training materials in multiple languages.
Should internal audit reports be kept confidential?
Your internal audit report is a private management document. You're not required to hand it to regulators proactively, and you should be thoughtful about who outside your organization sees it. If you're pursuing third-party certification, the certifier will review it. If you're in litigation or an enforcement proceeding, it may be discoverable. Keep the document candid and accurate; a report written to look good rather than be accurate is not a useful compliance tool and can create problems if it conflicts with other records.
How do small vineyards handle audit requirements without a dedicated compliance staff?
Most small vineyards (under 20 acres, family-operated) manage compliance with no dedicated staff by building recordkeeping into the daily routine, so the records exist when audit time comes. A pre-season and post-season checklist review, run by the vineyard manager against a checklist built from WPS and state pesticide requirements, is enough. Budget two to three hours twice a year. The UC Davis and WSU Extension checklists referenced in this article are free starting points.
What should I do if I find a serious violation during my internal audit?
Stop the activity if it's ongoing. Address any immediate worker safety risk first. Then document the finding accurately in the report, write a corrective action with a short deadline, and consult your licensed pest control adviser. For anything involving possible worker pesticide exposure or a missed restricted materials report, consider contacting your county agricultural commissioner proactively. Self-reporting with a corrective action plan generally results in more favorable treatment than a violation an inspector finds first.
Sources
- EPA, Worker Protection Standard for Agricultural Pesticides (40 CFR Part 170): WPS requires pesticide application records to be kept for at least two years and mandates safety training, posting, and decontamination requirements for agricultural workers and handlers.
- California Department of Food and Agriculture, Pesticide Use Reporting Program: California Food and Agriculture Code Section 12981 requires pesticide use reports to be submitted to county agricultural commissioners and underlying records to be retained for three years.
- Washington State Department of Agriculture, Pesticides program: WAC 16-228 requires Washington pesticide applicators to maintain application records and submit them within 30 days of each application.
- Cornell Cooperative Extension, New York State IPM Program: Cornell Cooperative Extension documents that New York grape growers face pesticide recordkeeping obligations under New York Environmental Conservation Law Article 33.
- OSHA, Field Sanitation Standard (29 CFR 1928.110): OSHA's Field Sanitation Standard requires agricultural employers to provide potable water, toilet facilities, and handwashing facilities for field workers and to maintain these facilities.
- UC IPM, Pest Management Guidelines for Grapes (UC Agriculture and Natural Resources): UC IPM guidelines for grapes emphasize contemporaneous recordkeeping as a baseline for defensible compliance records.
- WSU Extension, Pesticide Safety Education Program: WSU Extension guidance on agricultural worker safety documentation notes that closed corrective actions with verification evidence are the primary factor auditors use to assess whether a compliance program is functioning.
- GLOBALG.A.P., Integrated Farm Assurance Crops standard: GLOBALG.A.P. control point AF 2.1 requires growers to carry out an internal self-assessment against the standard at least once per certification period and to produce written documentation of that self-assessment.
- EPA, Agricultural Worker Protection Standard: The WPS was revised in 2015 and applies to any agricultural establishment that uses or supervises the use of pesticides and employs agricultural workers or pesticide handlers.
Last updated 2026-07-11