ISO 9001 Blog

Mark Hammar

First-, Second- & Third-Party Audits, what are the differences?

In the world of quality management there are many different names for several different types of audits – so many, in fact, that the categories can become confusing. Add to this the fact that several titles for audits can mean the same thing, and you have a recipe for misunderstanding that can cause uncertainty for many people. Here is where some explanation can help.

In quality management there are three main categories of audits, which depend on the relationship between the auditor and the person being audited. These are called third-party audits, second-party audits, and first-party audits. Below I will describe these categories and try to explain the typical audit names that fall under each.

Third-Party Audits

A third-party audit occurs when a company has decided that it wants to create a quality management system (QMS) that conforms to a standard set of requirements, such as ISO 9001, and hires an independent company to perform an audit to verify that the company has succeeded in this endeavor. These independent companies are called certification bodies or registrars, and they are in the business of conducting audits to compare and verify that the QMS meets all the requirements of the chosen standard, and continues to meet the requirements on an ongoing basis. They then provide certification to companies that they approve. This can be used to give customers of the certified company confidence that the QMS meets the requirements of the chosen standard.

There are three types of audits used in this process, called certification audits, maintenance or surveillance audits, and re-certification audits. For an explanation of the relationship between certification, maintenance, and re-certification audits, see the section on “The Cycle of Maintaining ISO 9001 Certification for a Company” in ISO 9001 Certification: What is it for individuals and companies?

Second-Party Audits

A second-party audit is when a company performs an audit of a supplier to ensure that they are meeting the requirements specified in the contract. These requirements may include special control over certain processes (such as soldering or welding), requirements on traceability of parts (knowing which parts are used in which products), requirements for special cleanliness standards, requirements for specific documentation, or any of a host of other items of special interest to that customer. These audits can be done on-site by reviewing the processes or even off-site by reviewing documents submitted by the supplier. The customer can audit all or part of the contract – whatever they see a need to audit. It is important to understand that a second-party audit is between the customer and the supplier and has nothing to do with becoming certified.

Many people thought that second-party audits would not be necessary once a company is certified to ISO 9001 by a certification body, but this is not necessarily true. Even if you are certified by a third-party audit, any of your customers may still want to perform a second-party audit to look at elements of their contract, especially if these elements are not the same as the ISO 9001 requirements. This is not required by all customers, and is not required to be certified to ISO 9001 by a certification body, but it is specified in some contracts and there are some customers that choose to perform these audits.

First-Party Audits

First-party audits are often called internal audits. This is when someone from the organization itself will audit a process or set of processes in the quality management system to ensure it meets the procedure that the company has specified. This person can be an employee of the organization or someone hired by the organization to perform the internal audits, such as a consultant, but the important thing is that the person is acting on behalf of the company rather than a customer or certification body. This type of audit is focused not only on whether the company processes meet the requirements of a standard, but all rules the company has set for itself. The audit will look for problem areas, areas where processes do not align with each other, opportunities for improvement, and the effectiveness of the quality management system. By design, these audits can and should be much more in depth than the other audits, since this is one of the best ways for a company to find areas to improve upon.

For more information on how to structure internal audits, take a look at Five Main Steps in ISO 9001 Internal Audit.

Know the difference, and don’t get confused

Do you need to do second-party audits on your suppliers to better understand their capability to meet your needs? How can you gain more from your third-party audits? What needs to be done to improve your internal first-party audits to work toward improvement? By understanding the different types of audits and what they mean for you, you can more easily know how they can best be used in your organization to work toward improvement of the quality management system.

For a better understanding of the audit process, see this free online training: ISO 9001:2015 Internal Auditor Course.

18 responses to “First-, Second- & Third-Party Audits, what are the differences?”

  1. RB Gonzales says:

    Would like to ask your opinion on this.
    Our CB refuses to give us their logo to certify that we’ve passed their Good Distribution Practices (GDP) and Good Storage Practices (GSP) (both are guidelines under WHO) because they said the certification is under 2nd party audit.

    I thought something is not so right in classifying ours under a second party audit. Though the requirements on GDP and GSP, are normally applied for 2nd party audits, our company’s own initiative to get certified on these, clearly falls on the category of a 3rd party audit, similar to our intention to get certified with ISO.

    Appreciate your comments.

    • Strahinja Stojanovic says:

      Dear Gonzales,

      In order to be classified as second party audit, the CB would have to be hired by your client or some other company to perform the audit of your company. If you initiated the audit (and paid for it), then it is a third party audit.

      In this case they must provide you with the certificate but using of a CB logo is defined by their own policies and internal rules, so if they choose not to allow you to use their logo or certification mark they have that right. What you need to do is to take a look at the contract with the CB and see what are their obligations towards your company regarding the certification mark usage and think twice before hiring again next year.

      • RB Gonzales says:

        Dear Strahinja,

        Thanks your comments are very helpful. And yes we paid for it, and it’s clear in our contract with them. As for the CB logo, they just indicated the limitations on how to use it. In their email to us, they said that “there is no applicable logo that can be used for 2nd party audits”, when we asked for the logo.

        It’s even been 6 months of constant follow up since we got our first certification, before they were able to issue our certificate, which they said is due to some of their internal technical reasons, and now it’s 8 months already until they finally answer why their CB logo doesn’t appear on the certificate, nor can they issue a version for our corporate communication materials. Yup, will definitely think twice about rehiring them. Thanks again Sir.

        • RB Gonzales says:

          Oops, I mean certification logo/mark instead of CB logo is what we’re asking. The one where the CB logo and the certification standard appears, like the ones they issued to other companies that they’ve audited for the same GDP and GSP standards.

          • Strahinja Stojanovic says:

            In that case you should be persistent and demand the certification mark but again, if they do not want to issue it to you, there’s nothing you can do.

          • RB Gonzales says:

            I see. At least now I know that, at the end it’s pointless. So don’t need to try that hard. Guess it’s enough to express to them, that we know something, and that they can’t just fool us around. Super thanks for your time! I’m so happy, knowing where you stand on things set people free, hahah. Have a very happy day too.

  2. Strahinja Stojanovic says:

    Sorry to hear that, it didn’t even cross my mind as a reason. Unfortunately you’ve paid a high price for this lesson.

    But it doesn’t have to be a tragedy, if your clients or the government doesn’t require accredited certificate, you will be fine.

  3. Riyaz Ahmed says:

    During a 3rd party audit, the auditor’s guide argues with the auditee over what the guide believes is a nonconformity with company processes. The guide turns to the auditor for support.
    1. How should a 3rd party auditor respond to the guide?
    2. What actions could the 3rd party auditor take?

    • Strahinja Stojanovic says:

      It depends on what is the role of the guide, is he a person from inside of the company that guides the auditor across the organization or is he a technical expert brought by the auditor to help him with the audit.

      In first case, the auditor should ignore comments of the guide (regardless of whether the comments are positive or negative for the company) and if the guide is too annoying, the auditor can require other guide to be provided by the company.

      In the second case, the auditor should consider comments received from the guide but the auditor is the one who makes a decision whether something is nonconformity or not.

  4. wong says:

    what is the benefit of internal and external audit

    • Strahinja Stojanovic says:

      The aim of both kinds of audits is to check whether the system is compliant with requirements of the standard.

      Internal audit will be more in depth and detailed one and the external audit will provide you with different set of eyes so the external auditor will probably be able to see something for what internal auditors and employees in general have a blind spot.

  5. Shabbir Shahid says:

    Would you like to clear the concept of Man Hour in different Audits.

    • Strahinja Stojanovic says:

      Men hours are not defined for the audit, but audit days. In case of QMS (Quality Management System) or EMS (Environmental Management System) the audit days are calculated according to IAF MD 5 standard and depend on the number of employees, locations, shifts, number of standards being audited, etc.

  6. Leslie Rillon says:

    Hi! Would like to request for your view on this.

    Our company hired a CB to perform audits of our different sites to ascertain their compliance to our internal Quality Management System. At the end of each audit a site is issued a certificate with the CB’s logo. Is this considered a first party audit or a third party audit?

    • Strahinja Stojanovic says:

      Hi Leslie,

      The certification audit is considered as third party audit. Second party audit is when your customers audit your organization and the first party audit is when the company audits itself.

      Best regards,


  7. Utkarsh Kumar says:

    What is the High Level Structure?

    • Strahinja Stojanovic says:

      Dear Utkarsh,

      High Level Structure is defined by the Annex SL, a document published by the ISO organization, and it basically represents the structure of the standard with 10 clauses and the arrangement of requirements in a way that the common requirements in different standards are located in the same clauses.

      Best regards,


  8. Samanzaar Layalli says:

    Good explanation to types of audit.
    Musharraf, CA, IRCA Lead auditor.
