There are three types of Internal Organization for Standardization (ISO) audits first-party audits, second-party audits, and third-party audits. However, only the third-party audit results in an ISO certification.
First-party audits, or internal audits, are typically performed inside a company to measure the strengths and weaknesses relative to its internal business objectives. This ISO audit is basically a conformity assessment to check for compliance gaps and prepare an organization for an external ISO certification audit, i.e., a third-party audit.
Typically, the auditors performing the first-party audit will be employees of the enterprise; however, they shouldn’t have a vested interest in the results of the audit.
A second-party audit, or external audit, is usually performed at the request of a customer (or a company contracted to act on the customer’s behalf) on a supplier of products or services.
The second-party audit ensures that the supplier is doing what it says it’s doing based on the contractual agreements in place. In this case, qualified staff members or employees of an outside consulting firm can perform a second-party audit.
A company will likely want to combine a second-party audit with a first-party audit so it will know if it’s ready for an ISO certification.
The third-party audit is a certification audit. An organization typically undertakes a third-party audit when it wants to achieve an ISO certification. During the certification audit, a certification body auditor assesses whether an enterprise complies with the appropriate ISO standard. If so, the certification body auditor will award the certification.
The American Society for Quality identifies three types of audit: a process audit, a product audit, and a system audit.
A process audit verifies that a company’s processes meet the requirements for the particular standard for which the organization is seeking certification.
As part of this audit process, the auditor may:
- Assess the company’s adherence to the standard’s requirements. These could include (but are not limited to) time, temperature, responsiveness, and component mixture.
- Look closely at the resources, methods, and environment the company uses to transform inputs into outputs, as well as the criteria used to determine performance.
- Examine the process controls to make sure that they are both efficient and effective. The auditor may also take a closer look at daily operations and training procedures to ensure that the expectations for the standard have been met.
A product audit scrutinizes a particular product or service, such as hardware, processed material, or software, to evaluate whether it conforms to the relevant standard.
A system audit examines a management system. These audits are designed to assess a system objectively in order to verify that the system itself is effective and its development has been in line with standard requirements and documented appropriately.
Since most ISO standards that are eligible for certification govern systems, e.g., quality management systems, information security management systems, food safety management systems, environmental management systems, ISO certification audits are generally system audits.
There are over 23,000 ISO standards, including the ISO 9000 family of standards that govern quality management systems. ISO 9001 is the only standard in this group eligible for certification. ISO 14001 offers direction on how to develop an effective environmental management system. And ISO 27001/27002 is an information security standard.
What Happens if Your Company Fails an ISO Audit
If an organization fails an ISO audit, it must take corrective action to remedy the problems. There are certain things a company can do to fix the issues and achieve the ISO certification, including:
- Analyze the situation: The auditor’s non-conformance report will describe whether there was a “minor non-conformance” or a “major non-conformance.”
- A minor non-conformance means the auditor has found minor gaps in the enterprise’s ISO compliance. For example, maybe the company didn’t follow one ISO requirement or an individual didn’t have the necessary documentation to demonstrate compliance.
- A major non-conformance indicates that the management system under examination has a fatal flaw and is missing something critical that’s necessary to achieve organizational goals or protect customers. For example, maybe the company didn’t implement a critical procedure or requirement or the organization hasn’t taken the necessary preventive or corrective action to ensure compliance.
- Take corrective action: A minor non-conformance won’t prevent an organization from achieving an ISO certification as long as it immediately takes the necessary corrective action to rectify the problems outlined in the report. However, a major non-conformance will preclude certification. To achieve certification, the enterprise will have to schedule another audit.