What are first-party, second-party & third-party audits?

If you are starting out in environmental auditing, you may hear the terms first-party, second-party and third-party auditing. What do these terms mean and what are the differences?

This article will look at what is meant by the terms first-party, second-party and third-party auditing.

In the world of environmental management, there are many different names for the different types of audits – so many, in fact, that the categories can become confusing. Add to this the fact that several titles for audits can mean the same thing, and you have a recipe for misunderstanding that can cause uncertainty for many people.

Here is some explanation that can help.

In environmental management, there are three main categories of audits, which depend on the relationship between the Auditor (carrying out the audit) and the Auditee (the person being audited).

These are called first-party, second-party or third-party audits.

So, let's look at each one of these types of audits in turn.

First-Party Audit
First-party audits are often called internal audits. This is an audit where someone from within the organization itself will audit a process or set of processes in the environmental management system to ensure it meets the procedure that the company has specified.

In terms of the Note 1 to the definition of an “audit” in ISO 19011:2018, “Internal audits, sometimes called first party audits, are conducted by, or on behalf of, the organization itself”.

A first-party audit can be carried out by a person who is an employee of the organization or someone contracted by the organization to carry out the internal audit, such as a consultant. The important issue to note is that the person is acting on behalf of the company rather than a customer or certification body.

This type of audit is focused not only on whether the company processes meet the requirements of a standard, such as ISO 14001:2015, but all the procedures that the company has set for itself. The audit will look for problem areas, areas where processes do not align with each other, opportunities for improvement, and the effectiveness of the quality management system. By design, these audits can and should be much more in depth than the other audits, since this is one of the best ways for an organisation to identify areas for improvement.

Typical names of first-party audits are:

You can find further useful information about first-party audits in ISO 19011:2018.

Second-Party Audits
A second-party audit is when an organisation with a pre-existing relationship, such as a customer, performs an audit of a supplier to ensure that they are meeting the requirements, such as those specified in their contract.

In terms of the Note 2 to the definition of an “audit” in ISO 19011:2018, “External audits include those generally called second-party audits”, where “Second party audits are conducted by parties having an interest in the organization, such as customers, or by other individuals on their behalf”.

These requirements may include special control over certain processes, requirements for pollution prevention or compliance evaluation, requirements for specific documentation, or any other requirements that are of special interest to that customer.

These audits can be done on-site by reviewing the processes or even off-site by reviewing documents submitted by the supplier. The customer can audit all or parts of the contract depending on the needs of the customer. It is important to understand that a second-party audit is between the customer and the supplier and has nothing to do with becoming ISO 14001 certified.

It was thought that second-party audits would not be necessary once a company is certified to ISO 14001 by a certification body, but this is not necessarily true.

Even if you are certified by a third-party audit, your customers may still want to perform a second-party audit to look at elements of their contract, especially if these elements are not the same as the ISO 14001 requirements. This is not required by all customers and is not required to be certified to ISO 14001 by a certification body, but it is specified in some contracts and there are some customers that choose to perform these audits.

Typical names of second-party audits are:

You can find further useful information about second-party audits in ISO 19011:2018.

Third-Party Audits
A third-party audit is when an external organisation (the third party) undertakes an audit of an organisation, where the external organisation does not have a direct relationship to the Auditee organisation (the organisation being audited).

In terms of the Note 2 to the definition of an “audit” in ISO 19011:2018, “Third party audits are conducted by independent auditing organizations, such as those providing certification / registration of conformity or governmental agencies”.

The most recognised third-party audit is where an organisation has decided that they want to create an Environmental Management System (EMS) that conforms to a standard set of requirements, such as ISO 14001, and contracts with an independent Certification Body to perform an audit to confirm that the company meets these requirements.

Typical names of third-party audits are:

You can find further useful information about third-party audits in ISO 19011:2018 & for certification body audits, take a look at ISO/IEC 17021-1:2016.

As a useful reference, I have compared the first-party, second-party or third-party audits from the organisational perspective.

As we can see, the organisation has control over all aspects of a first-party audit. It chooses the Auditor, it is itself the Auditee, it can choose the standards to be used for the audit & the Audit Report and outcome are not released outside of the organisation.

Compare this with a second-party audit, where the Auditor is an external organisation that has a relationship with the Auditee & will use its own standards, whether that is a contract or other standard & the Audit Report and outcome will be known between these two organisations.

For third-party audits, there is no formal relationship with the Auditor other than they are being paid to conduct the audit, the standards are external & the Audit Report and outcome are known by the third-party.

I hope that this article has given you an insight into the three different types of audit based on the relationship between the Auditor and Auditee & opened the opportunities for you to consider how you could apply these types of audits within your organisation.

If you have any questions on the different types of audits: First-party, Second-party and Third-party audits, please leave a comment below.
