The International Organization for Standardization (ISO) recognizes three types of audits: first-party, second-party, and third-party. Only the third-party audit, performed by an accredited certification body rather than by ISO itself, can result in an ISO certification.

Audits are a crucial part of modern corporate governance and risk management, and ISO standards are a popular, well-known body of work to help organizations manage risk. In this article we’ll explore those three types of ISO audits so you know which ones make sense for you, and under what circumstances.

What Is Auditing?

An audit is a disciplined, rigorous effort to verify facts about a business. For example, an audit might examine a quality control system to assure that it’s operating according to specifications; or test cybersecurity controls to assess how well those controls do or don’t work. An audit could be performed by a company’s own internal audit function, or by an external auditor hired to audit a specific part of the company’s operations.

Three primary categories of audits exist:

Process Audit

A process audit assesses whether procedures are operating within predetermined parameters. It measures conformity to those parameters by comparing the process in question against specified instructions or criteria (for example, an ISO standard). A process audit could:

  • Verify compliance with specifications for timing, precision, temperature, pressure, composition, responsiveness, amperage, and component mix.
  • Examine the environment, the techniques (procedures, instructions) used, the measures gathered, and the resources (equipment, materials, people) used to convert the inputs into outputs to determine process performance.
  • Examine whether the process controls provided via procedures, work instructions, flowcharts, and training are adequate and effective.

Product Audit

In a product audit, a specific product or service (such as hardware, processed materials, or software) is examined to see whether it complies with specifications (such as performance standards or customer requirements).

System Audit

This is an audit of the management system for a business process. Essentially, a system audit examines whether the company has put effective controls in place to govern a business process over the long term – say, how a company designs and monitors its manufacturing process.

  • A quality management system audit assesses whether a current quality management program complies with corporate standards, contractual obligations, and legal requirements.
  • An environmental system audit looks at an environmental management system, and safety system audits look at a safety management system (similar to how a food safety system audit looks at a food safety management system).

See also

Automating GRC: The Next Frontier in Risk Management

First-Party Audits

First-party audits are the internal audits we mentioned earlier. Typically they are performed by a company’s own staff to measure how well the company is (or isn’t) achieving its business objectives. As an ISO audit, a first-party audit is a conformity assessment: it checks for compliance gaps and prepares the organization for an external ISO certification audit (that is, a third-party audit).

Usually first-party auditors will be enterprise employees, but they should be independent of the area being audited and should have no vested interest in the audit results.

Second-Party Audits

A second-party audit is an external audit usually performed at the request of a customer on a supplier of products or services. It may be carried out by the customer’s own qualified staff or by an audit firm contracted to act on the customer’s behalf.

The second-party audit assures the customer that the supplier is doing what it has promised to do under the contractual agreements. Because the customer sets the scope and criteria, the result is assurance for that customer rather than a certification.

A company will likely want to combine the results of a second-party audit with its own first-party audits, so the company will know when it’s ready for an ISO certification.

Third-Party Audits

The third-party audit is a certification audit. An organization typically undertakes a third-party audit when it wants to achieve an ISO certification. During the certification audit, an auditor from an accredited certification body (an organization authorized to certify against the ISO standard in question; ISO itself does not perform audits or issue certificates) assesses whether the enterprise conforms to the appropriate ISO standard. If so, the certification body will award the certification.

As part of this audit process, the auditor may:

  • Assess the company’s adherence to the ISO standard’s requirements. Depending on the standard, these could include (but are not limited to) process parameters such as time, temperature, responsiveness, and component mixture.
  • Look closely at the resources, methods, and environment the company uses to transform inputs into outputs and the criteria used to determine performance.
  • Examine the process controls to assure they are both efficient and effective. The auditor may also take a closer look at daily operations and training procedures to verify that the standard’s expectations have been met in practice, not just on paper.

Since most ISO standards that are eligible for certification govern systems (for example, quality management systems, information security management systems, food safety management systems, and environmental management systems), ISO certification audits are generally system audits.

There are more than 23,000 ISO standards – including the ISO 9000 family of standards, which govern quality management systems. ISO 9001 is the only standard in that family against which an organization can be certified. ISO 14001 specifies the requirements for an environmental management system and is likewise certifiable. In information security, ISO/IEC 27001 specifies the requirements for an information security management system (ISMS) and is the standard organizations certify against; ISO/IEC 27002 is companion guidance on implementing security controls and is not itself certifiable.

What Are the Benefits of a Third-Party Audit?

Investing in a third-party audit can demonstrate to potential customers that your information systems and business procedures conform to a recognized, independently assessed standard. Would-be customers can then feel more comfortable working with you, knowing that an independent certification body has verified that your management system meets the ISO standard’s requirements.

This becomes even more true when considering cybersecurity and data privacy. Attackers are a constant threat, and customers want to know before they hand over valuable information to a business (such as yours) that the business has taken serious steps for data protection. Achieving ISO certification gives them that assurance: not a guarantee that a breach can never happen, but independent evidence that the organization has a managed, regularly audited process for identifying and treating its security risks.

Is a Third-Party Audit External?

Yes. Third-party audits are conducted by independent auditors, for the benefit of parties other than the audited organization. An audit firm not connected to the supplier-customer relationship conducts a third-party audit, which avoids the conflicts of interest that a first- or second-party audit can carry.

What Happens if Your Company Fails an ISO Audit?

If an organization fails an ISO audit, it must take corrective action to fix the problems the auditor reported. There are certain steps a company can take to remedy its problems and achieve ISO certification, including:

  1. Analyze the situation. The auditor’s non-conformance report will describe whether there was a “minor non-conformance” or a “major non-conformance.”
    • A minor non-conformance means the auditor has found an isolated gap in the enterprise’s ISO compliance. For example, maybe the company didn’t follow one ISO requirement in a single instance, or an individual didn’t have the necessary documentation to demonstrate compliance.
    • A major non-conformance indicates that the management system has a serious flaw and is missing something essential to achieving organizational goals or protecting customers. For example, maybe the company didn’t implement an essential procedure or requirement, or the organization hasn’t taken the required preventive or corrective action to assure compliance.
  2. Take corrective action. A minor non-conformance won’t prevent an organization from achieving an ISO certification so long as the company promptly submits and carries out a corrective action plan for the problems outlined in the report; the certification body typically verifies the fix at a follow-up or surveillance audit. A major non-conformance, on the other hand, blocks certification until the root cause is addressed. To achieve certification, the enterprise will have to demonstrate the corrective action and schedule a further audit for the certification body to verify it.

Manage ISO Audits With ZenComply

The ZenComply compliance workflow management system is an easy, user-friendly tool that helps identify high-risk areas before they become audit findings.

ZenComply’s workflow management tools simplify compliance paperwork via a single dashboard that shows your control efficacy in real time. It supports your replies to auditor questions, so you build an audit trail while implementing the corrective actions necessary to pass the audit.

ZenComply’s single-source-of-information platform reduces the need for follow-up requests from external auditors by supplying the required documentation and facilitating stakeholder relationships with internal and external parties.

Schedule a demo to learn more about how ZenComply helps businesses manage compliance.
