There are three categories of audits: certification audits, surveillance audits and re-certification audits; and three types of audits: first party, second party and third party audits.
Certification audits, or third party audits, are conducted by an external third party to determine the conformance of the organization's management system to the international or national standard. Because the ISO certificate is awarded for a period of three years, the certification body (the third party) conducts a yearly surveillance audit to determine whether the new system is being implemented correctly.
During the first, or initial, certification audit the external auditor checks whether all the main elements of the management system are in place: the SOPs, work instructions, the manual, job descriptions and forms. The auditor then checks whether the processes are working as described in that documentation. This check is necessarily limited in scope, since only a few weeks or months may have passed since the new system was put in place.
On the other hand, the ISO certificate is issued for three years. For example, a certificate awarded after an audit in August 2015 would be valid until August 2018. In that case the only way for the certification body to confirm that the system is still being run according to the standard is to audit the organization yearly, for example in August 2016. This audit is known as the surveillance audit and is conducted once or twice a year. If it is conducted once a year, the next one would take place in August 2017. In August 2018 the certificate would expire and the company would have to go for a re-certification audit.
The main purpose of the surveillance audit is to check whether the system really works in everyday operations. It focuses on things the certification audit was not able to check: for example, whether all incidents are recorded, whether all measurements are recorded, whether all corrective actions are recorded and implemented, and whether top management supports the new system.
A surveillance audit or visit will also focus on areas that were found weak in a previous surveillance or certification audit. These minor nonconformities, along with any other areas where the auditor made observations, are followed up and checked for improvement.
First party audits are called internal audits. An internal audit happens when a person audits a process or set of processes to ensure that it follows the procedure the company has documented. The person can be an employee of the organization or someone hired for the purpose, such as an ISO consultant. These audits go deeper than the other types because they look for problems in the processes, areas where the processes are not aligned, and the effectiveness of the management system as a whole. They are one of the best ways for an organization to improve itself.
A second party audit occurs when a company audits a supplier to make sure it is meeting the contract requirements. These requirements can include traceability of parts (documenting which parts are used in which products), special control of certain processes such as welding, requirements for specific documentation, requirements for special cleanliness, or any other requirement of interest to the customer. The audit can be done on-site, or off-site by reviewing the documents submitted by the supplier. The customer can audit a part of the contract or the whole contract wherever it sees a need. It should be clarified that a second party audit is between the supplier and the customer and is not linked to becoming ISO certified.
There was an opinion that second party audits would no longer be required once a company became ISO certified, but that did not prove to be the case. Even if you are certified by a third party, your customers may still want to carry out their own audit of the elements of their contract, especially where those contract elements differ from ISO 27001.
A third party audit occurs when a company decides to create a management system that conforms to an international standard such as ISO 27001 Quality Management System, ISO 14001 Environmental Management System, an Occupational Health & Safety Management System or a Social Accountability Management System. In such a case the company has to hire an external certification body to perform an audit and verify that the company has met the standard. These independent third parties are called certification bodies or registrars. They are in the business of conducting audits to verify that the management system meets all the requirements of the particular standard, and continues to meet them over time.