What are First, Second, and Third-party Audits?
In the world of ISO Certification, there are several different types of audits, some of which are known under different names, often leading to confusion among those who aren’t experts in the field. To clear up any confusion surrounding this fundamental component of the certification process, this article will outline the various types of audits, specify the various terms attributed to them, and finally, explain the role and purpose of each type. There are three main categories of audits: first-party audits, second-party audits, and third-party audits.
What are first-party audits?
First-party audits, also known as internal audits, generally take place when an organisation seeks to assess a process or set of processes to determine whether it complies with its own requirements or those of a particular standard. When conducted effectively, first-party audits are a great way of evaluating whether what is actually taking place in an organisation’s day-to-day operations conforms with what is documented in its procedures, policies, and systems.
In other words, internal audits help determine the level of consistency between the standards an organisation committed to on paper and the actions being implemented on the ground. First-party audits are typically conducted by an organisation’s own personnel, and the audit team may consist of one or multiple people, depending on the size of the organisation.
However, the designated employee or group of employees must conduct their auditing activity independently and objectively. Therefore, selecting the right people for the job is of the utmost importance and is directly tied to the quality of the audit findings. To ensure objectivity, management should select employees who have no personal or professional connection with or loyalty to the area being audited. This is often impossible with smaller organisations, in which case management should use their best judgement to select an employee whom they believe can maintain an unbiased and impartial mindset.
Because this can prove to be difficult to achieve, some organisations resort to hiring external parties such as an independent consultant to conduct the audit on their behalf and ensure there isn’t a shred of bias in the audit findings. Internal audits are generally conducted in preparation for certification audits, and have the following benefits:
- Determining the effectiveness of the management system
- Identifying weaknesses and opportunities for improvement
- Helping organisations run a leaner operation
- Uncovering any non-conformances and determining appropriate corrective and preventive actions
- Maintaining compliance with organisational, regulatory, and standard requirements
Second-party audits in the ISO context
Second-party audits, also referred to as external or supplier audits, are audits that are exclusive to the client and their supplier and have nothing to do with certification. They are commissioned by buyers or clients to ensure that the supplier they are considering meets their supplier requirements or the requirements of the contract they are being considered for.
There are a myriad of areas a buyer might want to audit. These depend on their areas of interest and may include the following: policies, procedures, documentation and controls requirements, traceability requirements, as well as environmental, quality, or safety requirements. Second-party audits are generally conducted on site; however, they may also be conducted off site by reviewing the supplier’s documentation.
It is often believed that ISO certification holders won’t be required by buyers to undergo a second-party audit. This could be true if the buyer’s area of interest happens to be the same as the one the supplier is certified against; however, many buyers will still choose to do their due diligence, especially if their requirements involve multiple areas or if they differ from those of ISO.
A second-party audit can prove to be an invaluable tool for organisations. Some of its benefits include:
- It helps establish a strong supply chain
- It enables buyers to manage risk
- Quality assurance
Third-party audits
Third-party auditing is the auditing process that generally results in the obtainment and maintenance of certification. It is conducted by independent entities known as certification bodies or registrars. Third-party auditing involves three different types of audits and occurs when an organisation has decided to certify against a particular ISO standard. The three types of audits are what constitute the process of obtaining and maintaining ISO certification and are as follows:
- Certification audits
Certification audits are the audits conducted by certification bodies or registrars to confirm conformance against a particular ISO standard. These generally result, if all goes well, in the obtainment of ISO certification. They typically consist of two parts:
- Stage 1, which is typically conducted remotely, is the part where the auditor decides whether you meet the minimum criteria for the stage one audit. If you do, they will schedule the next phase.
- Stage 2 is conducted on site and consists of interviewing employees and reviewing documentation to verify whether it meets the standard’s requirements.
- Surveillance audits
Also known as maintenance audits, they consist of an ongoing periodic review of the organisation’s management system by the certification body or registrar to ensure that it continually complies with the standard’s requirements. They typically take place during years one and two following initial certification.
- Surveillance Audit 1
The first surveillance audit only examines a set of mandatory processes and some of the other processes.
- Surveillance Audit 2
The second surveillance audit reexamines mandatory processes in addition to the other processes that were not reviewed in the previous year.
- Re-certification audits
Also referred to as renewal audits, they occur every 3 years from when the initial certification audit was concluded and seek to ensure that the management system has assessed and documented the organisational changes that have taken place over the course of the last three years and that the organisation has implemented all applicable trainings to address those changes.