Auditing is an on-site verification activity, such as inspection and/or examination of a process or quality system, to ensure compliance with defined requirements. Those requirements are derived from a standard, a regulation or both. An audit's scope can cover an entire organization or be limited to a process, department, function or production step.
There are mainly two types of audits, based on who is auditing the organization: internal audits and external audits. Both are described below.
First-Party Audits: also called internal audits
A first-party audit is an internal audit conducted by auditors who are employed by the organization being audited but who have no vested interest in the audit results of the area being audited. The auditors can be employees or outsourced personnel. The audit is performed to measure the strengths and weaknesses of an organization against its own procedures or methods and/or against external standards it has adopted voluntarily, or against acts or regulations applicable to the organization's business domain, for example the HIPAA Act or PCI DSS. These audits help the organization find gaps and fix them to raise its own assurance level. First-party audits do not lead to any certification, but internal audits are a mandatory requirement for almost all certifications.
Second-Party Audits: External Audit
A second-party audit is a type of external audit performed on a supplier by a customer or by a contracted organization on behalf of a customer. The scope of a second-party audit is subject to the terms of the contract and may be limited to a specific process, product or location of the supplier, depending on the requirements of the customer. Second-party audits tend to be more rigorous and formal than first-party audits because audit results could influence the customer's purchasing decisions. Again, second-party audits are process or product specific and do not result in any kind of certification. They are generally more stringent in nature.
Third-Party Audits: External Audit
A third-party audit is performed by an audit organization that is independent of the customer-supplier relationship and free of any conflict of interest. Independence of the audit organization is a key component of a third-party audit. Third-party audits may result in certification, registration, recognition, an award, license approval, a citation, a fine, or a penalty issued by the third-party organization or an interested party. Third-party audits are generally conducted against well-established criteria such as an ISO standard or SOC requirements.
Important Information: First- and second-party auditors follow the ISO 19011:2011 standard, while third-party certification bodies stick to the ISO/IEC 17021:2015 standard. Both of these standards outline the requirements of auditing. If you are planning to move into the auditing field, I recommend reading these standards as soon as possible, even before you take the lead auditor course.