We glibly talk about auditing as if it were one single tool or discipline: “We need to get our internal audit programme back on schedule” or “I’m off to audit a supplier” or “Our ISO9001 audit is due next week” – different tasks that need different approaches. I expect most people will be able to recognise there might be a difference when we define them as:
- First party audit (FPA),
- Second party audit (SPA), or
- Third party audit (TPA),
but will they fully understand it? Some people will use the above to define three types of audit, but I prefer to say it defines three distinct audit relationships. I’ll keep “Audit Types” as a heading for another slice of cabbage. For now, let’s consider the above three relationships:
First Party Audit
This is where there is a close relationship between the auditor and auditee. It’s likely that both will be employed by the same organisation, although with distinct lines of communication to senior management to maximise independence. However, there cannot be complete independence as both parties will (should) share the common goal of maximising the organisation’s performance. That is not to say the auditor will take ownership of any corrective action (that is something to be avoided whenever possible), but the auditor has an interest in identifying areas of improvement as well as seeking evidence of compliance.
Second Party Audit
The relationship here, again, is working to a common goal but not as colleagues. There is a contractual relationship in place (or there will be if the auditor reports favourably) and we have what is sometimes defined as a “master:slave” situation. Some may consider that the auditor holds the power and can dictate to the auditee – that may still be the case when the latter is keen to accommodate in order to win work – but it is rarely efficient in the longer term. Better to recognise that each party wants what is best for his or her own organisation and to employ the skill (on both sides) to find common ground that leads to the best mutual arrangement.
Third Party Audit
This is usually where we start to consider compliance as the primary audit objective, but that’s for another post. The relationship here is that of independence. There might be a contract between the auditor and auditee (especially if it is for certification – ISO9001, et al.) but it is not a contract regarding the auditee’s performance; the auditor has no investment in that. Furthermore, the auditor rarely has authority to require or even recommend anything outwith the auditing contract, which is usually limited by reference to a certification standard.
This is only a basic introduction and these are far from being the only relationship considerations; it is just a starter, and it’s part of the auditor’s responsibility to more fully understand the relationship in place for each audit.