Yes, it is a written finding.
Wouldn't the risk from internal processes be more about food defense?
There is some overlap in actions, the difference for some items between fraud and defense is about intent. If it was for economic gain its probably fraud, if they want to cause injury or terror its defense.
The applesauce / cinnamon issue in the US is a good example of that overlap. The reason the cinnamon was adulterated with toxic lead was financial, but the result was casualties. Someone with the intent to cause injury could have done the same thing with even worse outcomes, because adequate measures weren't in place to catch it regardless of the intent.
To the point of internal processes generally, the fraud connection is usually going to be "at the door" or tied to incoming materials. Your vetting and testing procedures for new vendors or suppliers is certainly one of those internal processes. Past vetting and receiving you do have theft, diversion, overrun, or tampering that can happen internally as modes of fraud which could be perpetrated by your own personnel for their personal gain and to the detriment of the company.
Tampering: Legitimate product and packaging are used in a fraudulent way.
Overrun: Legitimate product is made in excess of production agreements.
Theft: Legitimate product is stolen and passed off as legitimately procured.
Diversion: The sale or distribution of legitimate products outside of intended markets.