Audit Types

Some people might define first, second and third party as three types of audit but, as I’ve said elsewhere, I prefer to look on these as the three relationships that exist.

However, there are still three types but I’d define them as:

  • Compliance,
  • Appraisal, and
  • Investigative

Most audits fall across two of these types but I find it useful to look at each having a primary type that defines the auditor’s approach (or should define it).

Compliance

The primary purpose here is to verify compliance with an agreed reference, usually a standard such as ISO9001. The conclusion of such an audit is binary – compliance or noncompliance, yes or no.  Strictly speaking, any outstanding corrective actions mean noncompliance but, in practice, these may be treated as qualifications to a compliance conclusion, to be satisfactorily addressed within an agreed timescale.  It’s a practical response to the realisation that perfection is an ideal that is not truly achievable.

Certification audits fall cleanly into this type – the result is a certificate (or the lack of one).  Certification audits are commonly performed by third parties, auditors who have no interest in the outcome.

Many organisations set out with this type in mind for their internal (first party) audits – that’s a valid approach in some cases but rarely the best, in my view.

Appraisal

Appraisal audits look beyond compliance with a standard per se; instead, they look to assess the capability to perform or supply.  Strictly speaking, they’re still looking for compliance but with two notable differences:

  • The standard may be less clearly defined, it might involve subjective aspects, it might not even be fully documented and may be flexible or negotiable.
  • Not all nonconformances need be directed to the auditee.

The key here is that the conclusion will address degrees of compliance – it’s not a binary decision, pass or fail.  The aim is to assess capability and the compliance aspect may conclude in one of four ways:

  • An unqualified yes.
  • A qualified yes (i.e. yes if the following is addressed).
  • A qualified no (i.e. no but that could become yes if certain matters are addressed).
  • An unqualified no.

Appraisal audits are commonly done within a supply chain, a customer auditing a supplier.  Corrective or preventive actions can be addressed at either the organisation being audited or the organisation conducting the audit; for a purchaser audit of a supplier, these would equate to a qualified yes if they do this or a qualified yes if we do this.  Such audits will frequently have a second party relationship, though not always, as third parties may also be engaged to conduct them.

However, routine internal (first party) audits are often more effective for an organisation when considered as this type and, despite the desirability of auditor independence, the they and we approach above reduces to a we.  That is not to say the auditor takes ownership of efforts to address findings (something that should be avoided whenever possible), rather it is a recognition of the relationship.

Investigative

This type is where an audit is being used as part of an investigation into an event (usually an undesirable one).  The audit will be looking at systems, documentation and other evidence relating to the event, to try and determine a cause.  There will usually be one or more standards tabled, and these may be referenced in findings (bringing in a compliance aspect), but the prime objective of this type is to gather evidence.  Another difference from the other two types is the starting assumption: rather than starting from a neutral basis and assessing compliance, these audits often start from an assumption of noncompliance and try to determine how it arose.

Any of the three relationships (first, second or third party) can exist here.


This is a simplified overview and few audits fall cleanly into one type – most, if not all, include compliance considerations.  What matters is to recognise the differences that may exist, identify what is relevant and work (or adapt) accordingly.

(Posted as a blog on 1st September 2011)