An audit is a process performed to gather evidence that supports an organization’s compliance with specific requirements. Audits can be internal (first party audits) or external (second and third party audits). The differences between the two types of external audits cause some confusion, which we will clarify in this article.
The main differences lie in the interests between the organization performing the audit and the one being audited, and in the purpose of the audit.
- Second party audits are external audits that occur when one organization audits another with which it either has, or is going to have, a contract or agreement for the supply of goods or services. They can also be done by regulators or any other external party that has a formal interest in an organization. These are usually done to verify operating conditions of a supplier to ensure it meets applicable requirements.
- Third party audits are also external audits, but they are done independently of the organization being audited. They are performed by independent organizations such as registrars (certification bodies) or regulators, usually for certification, registration or verification purposes.
The reasons why these audits are performed also serve to set them apart.
Second party audits are carried out to:
- Help customers ensure that suppliers have proper capabilities and controls in place.
- Improve communication between both organizations.
- Promote a clear understanding of the customer’s expectations.
- Provide a path for the transfer of knowledge and good practices between both organizations.
- Build customer confidence that the supplier will comply with legal and other applicable requirements.
- Create good and mutually beneficial working relationships.
Third party audits are performed to:
- Verify compliance with a specific standard or regulation.
- Demonstrate compliance with all the requirements of a standard such as ISO 9001, ISO 14001 or OHSAS 18001 to customers and other stakeholders.
- Give confidence to customers that the best business practices are being implemented regarding quality, environmental or other management systems.
As mentioned before, a second party audit usually takes place between a customer and a supplier that wish to establish a business relationship and, in some cases, the audit is one of the requirements necessary to seal the deal.
On the other hand, third party audits can be mandatory (depending on the standard/regulation and the industry sector) or they can be voluntary. In both cases, the organization wishing to be audited will have to contract the services of a qualified organization to perform an independent and objective audit.
Both types of audits are done prior to executing a contract (second party) or obtaining a certification/registration (third party), and they both require periodic surveillance audits for verification purposes.