First-, Second- & Third-Party Audits, what are the differences?

In the world of quality management there are many different names for several different types of audits – so many, in fact, that the categories can become confusing. Add to this the fact that several titles for audits can mean the same thing, and you have a recipe for misunderstanding that can cause uncertainty for many people. Here is where some explanation can help.

In quality management there are three main categories of audits, which depend on the relationship between the auditor and the person being audited. These are called third-party audits, second-party audits, and first-party audits. Below I will describe these categories and try to explain the typical audit names that fall under each.

ISO 9001 First, Second & Third-Party Audits: The differences

Third-Party Audits

A third-party audit occurs when a company has decided that they want to create a quality management system (QMS) that conforms to a standard set of requirements, such as ISO 9001, and hire an independent company to perform an audit to verify that the company has succeeded in this endeavor. These independent companies are called certification bodies or registrars, and they are in the business of conducting audits to compare and verify that the QMS meets all the requirements of the chosen standard, and continues to meet the requirements on an ongoing basis. They then provide certification to companies that they approve. This can be used to give customers of the certified company confidence that the QMS meets the requirements of the chosen standard.

There are three types of audits used in this process, called certification audits, maintenance or surveillance audits, and re-certification audits. For an explanation of the relationship between certification, maintenance, and re-certification audits, see the section on “The Cycle of Maintaining ISO 9001 Certification for a Company” in ISO 9001 Certification: What is it for individuals and companies?

Second-Party Audits

A second-party audit is when a company performs an audit of a supplier to ensure that they are meeting the requirements specified in the contract. These requirements may include special control over certain processes (such as soldering or welding), requirements on traceability of parts (knowing which parts are used in which products), requirements for special cleanliness standards, requirements for specific documentation, or any of a host of other items of special interest to that customer. These audits can be done on-site by reviewing the processes or even off-site by reviewing documents submitted by the supplier. The customer can audit all or part of the contract – whatever they see a need to audit. It is important to understand that a second-party audit is between the customer and the supplier and has nothing to do with becoming certified.

Many people thought that second-party audits would not be necessary once a company is certified to ISO 9001 by a certification body, but this is not necessarily true. Even if you are certified by a third-party audit, any of your customers may still want to perform a second-party audit to look at elements of their contract, especially if these elements are not the same as the ISO 9001 requirements. This is not required by all customers, and is not required to be certified to ISO 9001 by a certification body, but it is specified in some contracts and there are some customers that choose to perform these audits.

First-Party Audits

First-party audits are often called internal audits. This is when someone from the organization itself will audit a process or set of processes in the quality management system to ensure it meets the procedure that the company has specified. This person can be an employee of the organization or someone hired by the organization to perform the internal audits, such as a consultant, but the important thing is that the person is acting on behalf of the company rather than a customer or certification body. This type of audit is focused not only on whether the company processes meet the requirements of a standard, but all rules the company has set for itself. The audit will look for problem areas, areas where processes do not align with each other, opportunities for improvement, and the effectiveness of the quality management system. By design, these audits can and should be much more in depth than the other audits, since this is one of the best ways for a company to find areas to improve upon.

For more information on how to structure internal audits, take a look at Five Main Steps in ISO 9001 Internal Audit.

Know the difference, and don’t get confused

Do you need to do second-party audits on your suppliers to better understand their capability to meet your needs? How can you gain more from your third-party audits? What needs to be done to improve your internal first-party audits to work toward improvement? By understanding the different types of audits and what they mean for you, you can more easily know how they can best be used in your organization to work toward improvement of the quality management system.

For a better understanding of the audit process, see this free online training: ISO 9001:2015 Internal Auditor Course.

Advisera Mark Hammar
Mark Hammar
Mark Hammar is a Certified Manager of Quality / Organizational Excellence through the American Society for Quality and has been a Quality Professional since 1994. Mark has experience in auditing, improving processes, and writing procedures for Quality, Environmental, and Occupational Health & Safety Management Systems, and is certified as a Lead Auditor for ISO 9001, AS9100, and ISO 14001.