With so many different names for different types of audits. Are they really all that different, or just different names for the same thing?
In this article, we will help to explain what all these different audit types are.
To clarify one point right at the beginning all audits are either 1st, 2nd or 3rd party. A party is a term used for an organization involved in the audit. The other names we have are for specific types of audit, but they will still be either 1st, 2nd or 3rd party.
In a 1st party audit, there is only one party or organization involved. Another name for this is an internal audit as it is conducted by people from within the business.
Just to confuse things, 1st party or internal audits are sometimes contracted out for others to perform on behalf of the organization, however, while they are performed by another party they are still referred to as an internal audit.
All management system standards such as ISO 9001, ISO 14001, ISO 45001, ISO 27001 all require organizations to conduct internal audits.
In a 2nd party audit, there are two parties involved, the organization being audited and the organization wanting the audit to be conducted. The most common type of this audit is a supplier audit, where one organization, the customer, audits its suppliers to ensure they are conforming to their requirements.
As with 1st party audits, 2nd party audits can also be contracted out to others, but they would still be called a second party audit as there are only two key parties involved.
Other types of 2nd party audits include customer audits, where a supplier may audit a customer, an example being to ensure that their customer is using or representing their product correctly.
Governments conduct many 2nd party audits, although often they are contracted out to private businesses to conduct on their behalf. 2nd party audits conducted by or on behalf of government often behave like 3rd party audits, this is because governments are so large. These government audits include audits of transport businesses, training organizations, and recipients of government monies, such as charities providing a service to the community.
In a 3rd party audit, there are three parties involved, the organization being audited, the organization that it provides its services or products to (its customers), and the organization conducting the audit. The key difference here is the organization conducting the audit is independent of both other parties.
In most of these audits, the independent 3rd party issues a certificate to show that the organization they have audited has met the requirements of a standard. These audits are normally undertaken by Certification bodies and are where most of the audit names come from, such as initial, certification, surveillance and renewal.
We will look at these individually:
This describes the whole audit process of assessment that an organization goes through when it decides it would like its management system to be recognized as meeting a standard. These can also be called an initial or gap audit. The certification audit is in two stages: Stage 1 and stage 2.
These occur at least annually and confirm that your management system continues to work. The duration is less than the stage 2 audit – nominally a 1/3 to 1/2 of the time – and the focus should be on continual improvement and effective implementation.
Surveillance audits are sometimes called compliance audits as they are confirming that the organization is complying with its own management system.
This is performed just prior to the expiry of the certificate after three years and is essentially a repeat of the original stage 2 audit, although the auditors are more knowledgeable about the management system now.
The cycle then continues with annual surveillance audits and after three years another recertification audit. These audits can also be called renewal audits because the certificate is being renewed.
Audits do have different names and they do have different purposes, but they can be broadly categorized as either 1st, 2nd or 3rd party, and this means the number of primary parties or organizations involved in the audit.
1st party are also known as internal audits, and 2nd party audits are known as supplier or customer audits. Both 1st and 2nd party audits are normally about complying with organization-specific requirements, such as policies, procedures and contracts.
3rd party audits tend to be the most formal, and are conducted by an independent party, usually a certification body. To become certified an organization is audited at least twice; stage 1 and 2, and then continues to be audited at least annually to remain certified. These audits have varying names depending on the certification body.