What Are the Three Types of ISO Audits?

There are three types of International Organization for Standardization (ISO) audits: first-party audits, second-party audits, and third-party audits. However, only the third-party audit results in an ISO certification.

First-Party Audits

First-party audits, or internal audits, are typically performed inside a company to measure its strengths and weaknesses relative to its internal business objectives. This ISO audit is essentially a conformity assessment to check for compliance gaps and prepare an organization for an external ISO certification audit, i.e., a third-party audit.

Typically, the auditors performing a first-party audit will be employees of the enterprise; however, they shouldn’t have a vested interest in the results of the audit. 

Second-Party Audits

A second-party audit, or external audit, is usually performed at the request of a customer (or a company contracted to act on the customer’s behalf) on a supplier of products or services. 

The second-party audit ensures that the supplier is doing what it says it’s doing based on the contractual agreements in place. In this case, qualified staff members or employees of an outside consulting firm can perform a second-party audit.

A company will likely want to combine a second-party audit with a first-party audit so it will know if it’s ready for an ISO certification.

Third-Party Audits

The third-party audit is the certification audit. An organization typically undertakes a third-party audit when it wants to achieve an ISO certification. During the certification audit, a certification body auditor assesses whether an enterprise complies with the appropriate ISO standard. If so, the certification body auditor will award the certification.

The American Society for Quality identifies three types of audit: a process audit, a product audit, and a system audit.

A process audit verifies that a company’s processes meet the requirements for the particular standard for which the organization is seeking certification. 

As part of this audit process, the auditor may:

  • Check conformance to defined requirements, such as time, accuracy, temperature, pressure, composition, responsiveness, amperage, and component mixture.
  • Examine the resources (equipment, materials, people) applied to transform the inputs into outputs, the environment, the methods (procedures, instructions) followed, and the measures collected to determine process performance.
  • Check the adequacy and effectiveness of the process controls established by procedures, work instructions, flowcharts, as well as training and process specifications.

A product audit scrutinizes a particular product or service, such as hardware, processed material, or software, to evaluate whether it conforms to the relevant standard.

A system audit examines a management system. A system audit is a documented activity that verifies, by examination and evaluation of objective evidence, that applicable elements of the system are appropriate and effective and have been developed, documented, and implemented in accordance with specified requirements.

Since most ISO standards that are eligible for certification govern management systems (e.g., quality management systems, information security management systems, food safety management systems, environmental management systems), ISO certification audits are generally system audits.

There are over 23,000 ISO standards, including the ISO 9000 family of standards that govern quality management systems. ISO 9001 is the only standard in this group eligible for certification. ISO 14001 offers direction on how to develop an effective environmental management system. And ISO 27001/27002 is an information security standard.

What Happens if Your Company Fails an ISO Audit

If an organization fails an ISO audit, it must take corrective action to remedy the problems. There are certain things a company can do to fix the issues and achieve the ISO certification, including:

  1. Analyze the situation: The auditor’s non-conformance report will describe whether there was a “minor non-conformance” or a “major non-conformance.” 
    • A minor non-conformance means the auditor has found minor gaps in the enterprise’s ISO compliance. For example, maybe the company didn’t follow one ISO requirement or an individual didn’t have the necessary documentation to demonstrate compliance.
    • A major non-conformance indicates that the management system under examination has a fatal flaw and is missing something critical that’s necessary to achieve organizational goals or protect customers. For example, maybe the company didn’t implement a critical procedure or requirement or the organization hasn’t taken the necessary preventive or corrective action to ensure compliance.
  2. Take corrective action: A minor non-conformance won’t prevent an organization from achieving an ISO certification as long as it immediately takes the necessary corrective action to rectify the problems outlined in the report. However, a major non-conformance will preclude certification. To achieve certification, the enterprise will have to schedule another audit.