In the world of quality management, there are three main categories of audits, which depend on the relationship between the auditor and the person being audited. These are called third-party audits, second-party audits, and first-party audits. These categories are described below, with an explanation of what falls under each one of them.
A third-party audit occurs when a company has decided that they want to create a quality management system (QMS) that conforms to a standard set of requirements, such as ISO 9001, and hires an independent auditing company to perform an audit to verify that the company has succeeded in meeting these standards. These independent companies are normally known as certification bodies, and they are in the business of conducting audits to compare and verify that the QMS meets all the requirements of the chosen standard, and continues to meet the requirements on an ongoing basis. They then provide certification to companies that they assess as having achieved the standard. This can be used to give customers of the certified company confidence that the QMS meets the requirements of the chosen standard.
There are three types of audits used in this process, called certification audits, maintenance or surveillance audits, and re-certification audits.
A second-party audit is when a company performs an audit of a supplier to ensure that they are meeting the requirements specified in the contract. These requirements may include special control over certain processes, requirements on traceability of some parts of the service, requirements for specific documentation or records, or any of a host of other items of special interest to that customer. These audits can be done on-site by reviewing the processes or even off-site by reviewing documents submitted by the supplier. The customer can audit all or part of the contract. It is important to understand that a second-party audit is between the customer and the supplier and has nothing to do with becoming certified.
Many people think that second-party audits would not be necessary once a certification body certifies a company, but this is not necessarily true. Even if a third-party audit certifies you, any of your customers may still want to perform a second-party audit to look at elements of their contract, especially if these elements are not the same as, or not sufficiently covered by, the requirements set out in the standards the company has certified to.
First-party audits are better known as internal audits. This is when someone from the organization itself will audit a process or set of processes in the quality management system to ensure it meets the procedure that the company has specified. This person can be an employee of the organization or someone hired by the organization to perform the internal audits, such as a consultant, but the important thing is that the person is acting on behalf of the company rather than a customer or certification body. This type of audit is focused not only on whether the company processes meet the requirements of a standard, but also on all rules the company has set for itself. The audit will look for problem areas, areas where processes do not align with each other, opportunities for improvement, and the effectiveness of the quality management system. By design, these audits can and should be much more in depth than the other audits, since this is one of the best ways for a company to find areas to improve upon.