Types of ISO Audits
Kevin Lehner
January 12, 2021
There are three different types of ISO audits: first party, second party and third party. The following is a brief discussion of each type.
Third Party ISO Audit Type
Third-party audits are conducted by an independent third party such as a certification body. Certification bodies (CBs) obtain their authority to perform audits and issue certification through accreditation bodies (ABs) like the ANSI National Accreditation Board (ANAB) or the United Kingdom Accreditation Service (UKAS). ABs get their authority to accredit CBs through their membership in the International Accreditation Forum (IAF).
Organizations often use third-party certification to demonstrate to customers or other interested parties that they can be trusted as a good, sustainable business partner. Third-party certification can also be used by the organization's leadership, board of directors or other interested parties as evidence of the effectiveness of the management systems.
Legitimate third-party ISO certificates carry the marks of the IAF and of accreditation bodies like ANAB. Some CBs claim to be accredited but are not.
So always check a CB's accreditation before engaging them for certification services or when relying on their certificates for information about an organization's management system status.
Accredited CBs are prohibited from providing "consulting services" to the organizations that they audit and certify. ABs closely monitor this activity and other potential threats to the impartiality of the CB. Accredited management system CBs are accredited by the AB to the requirements of ISO 17021:2015.
Second Party ISO Audit Type
Second-party audits are performed by independent organizations not owned or operated by the organizations being audited. Consultancies offer these services to their clients, and they are often referred to as independent internal or compliance audits.
Organizations offering second-party audit services are not accredited by an AB but may hold other certifications from personal certification services like Exemplar Global. Auditors performing these audits need to be objective but can also provide consulting services to the auditee before or as part of the internal audit. Regulatory compliance audits performed by independent organizations and audits performed by customers are also considered second-party audits.
First Party ISO Audit Type
First-party management system audits are performed by an organization on itself, using its own employees, and are another type of internal audit. These audits can be broad, covering one or more management system standards. They can also be very narrow, focusing on one part of the management system or on a specific product characteristic or customer requirement.
First-party audits need to be performed by competent auditors. The auditors also need to be independent of the area being audited. First-party auditors auditing their own departments or areas are not considered independent or impartial. It is also sometimes difficult for auditors to objectively audit their peers, supervisors or management because of their close relationship to the organization and potential concerns about their continued employment if they should make negative findings during the audit.