In this article, we will help to explain what all these different audit types are.
To clarify one point right at the beginning all audits are either 1st, 2nd or 3rd party. A party is a term used for an organization involved in the audit. The other names we have are for specific types of audit, but they will still be either 1st, 2nd or 3rd party.
1st party audits
In a 1st party audit, there is only one party or organization involved. Another name for this is an internal audit as it is conducted by people from within the business. Just to confuse things, 1st party or internal audits are sometimes contracted out for others to perform on behalf of the organization, however, while they are performed by another party they are still referred to as an internal audit. All management system standards such as ISO 9001, ISO 14001, ISO 45001, ISO 27001 all require organizations to conduct internal audits.
2nd party audits
In a 2nd party audit, there are two parties involved, the organization being audited and the organization wanting the audit to be conducted. The most common type of this audit is a supplier audit, where one organization, the customer, audits its suppliers to ensure they are conforming to their requirements. As with 1st party audits, 2nd party audits can also be contracted out to others, but they would still be called a second party audit as there are only two key parties involved. Other types of 2nd party audits include customer audits, where a supplier may audit a customer, an example being to ensure that their customer is using or representing their product correctly.
Governments conduct many 2nd party audits, although often they are contracted out to private businesses to conduct on their behalf. 2nd party audits conducted by or on behalf of government often behave like 3rd party audits, this is because governments are so large. These government audits include audits of transport businesses, training organizations, and recipients of government monies, such as charities providing a service to the community.
3rd party audits
In a 3rd party audit, there are three parties involved, the organization being audited, the organization that it provides its services or products to (its customers), and the organization conducting the audit. The key difference here is the organization conducting the audit is independent of both other parties. In most of these audits, the independent 3rd party issues a certificate to show that the organization they have audited has met the requirements of a standard. These audits are normally undertaken by Certification bodies and are where most of the audit names come from, such as initial, certification, surveillance and renewal. We will look at these individually:
This describes the whole audit process of assessment that an organization goes through when it decides it would like its management system to be recognized as meeting a standard. These can also be called an initial or gap audit. The certification audit is in two stages: Stage 1 and stage 2.
- Stage 1 audit
The auditor reviews the organization's documentation to ensure they are ready for the Stage 2 audit. This stage 1 audit reviews information like the scope of the system, statutory and regulatory requirements, the management system as it is documented, and that key aspects such as management reviews and internal audits have been conducted. This audit can be performed on site or off site, although on-site is preferable. It is sometimes called a documentation review, although this is becoming less common.
- Stage 2 audit
Evaluates the extent to which the management system has been implemented and its effectiveness. This audit is always performed on site, and the duration will depend upon the number of workers and the complexity of the organization and its processes. If the organization achieves a satisfactory result the management system will be certified, and a certificate issued. This certificate lasts for three years.
Once an organization has become certified, audits continue to occur at defined intervals, and these audits have a variety of names.
The organizations conducting these 3rd party audits are called certification bodies or CB’s, and these CB’s are audited by accreditation bodies that ensure they meet international standards. This means that a certificate issued by one CB in one country is equivalent to a certificate issued by a different CB in another country.
These occur at least annually and confirm that your management system continues to work. The duration is less than the stage 2 audit – nominally a 1/3 to 1/2 of the time – and the focus should be on continual improvement and effective implementation. Surveillance audits are sometimes called compliance audits as they are confirming that the organization is complying with its own management system.
This is performed just prior to the expiry of the certificate after three years and is essentially a repeat of the original stage 2 audit, although the auditors are more knowledgeable about the management system now. The cycle then continues with annual surveillance audits and after three years another recertification audit. These audits can also be called renewal audits because the certificate is being renewed.
Audits do have different names and they do have different purposes, but they can be broadly categorized as either 1st, 2nd or 3rd party, and this means the number of primary parties or organizations involved in the audit.
1st party are also known as internal audits, and 2nd party audits are known as supplier or customer audits. Both 1st and 2nd party audits are normally about complying with organization-specific requirements, such as policies, procedures and contracts.
3rd party audits tend to be the most formal, and are conducted by an independent party, usually a certification body. To become certified an organization is audited at least twice; stage 1 and 2, and then continues to be audited at least annually to remain certified. These audits have varying names depending on the certification body.