ISO 9001 Lead Auditor Training

Module 3   ISO 9001 Quality Management System Audits

3.4.1 External Audits
These are audits done outside one's own organization and there are at least two distinct types of external audit   second and third party.

3.4.2 Second Party Audits
These audits, carried out by one company on another, originally came from the idea of an organization auditing its suppliers. There are a number of reasons why an organization may wish to audit its suppliers.

1. One method to satisfy clause 7.4.1 of the Standard
2. Input to selecting, grading, and approving suppliers
3. Help to improve supplier Quality Management Systems
4. Mutual understanding of quality requirements

ISO 9001 Lead Auditor Training - Many major organizations carry out second party audits to advise user departments of areas of weakness in suppliers so appropriate contract and/or surveillance mechanisms can be instigated if the supplier is to be given work. It can also highlight likely additional costs.

3.4.3 ISO 9001 Third Party Audits
As a result of the growth in interest in Quality Assurance during the 1960s and 1970s, more and more second party audits were being carried out. Some companies in certain fields had to employ people whose sole task was to accompany visiting auditors around the company! Clearly this state of affairs was helping nobody, particularly the supplier.

After considerable discussions at national levels, the ISO 9000 scheme was introduced to rationalize all the assessment schemes as a third party audit operated by an independent body that would certify companies as conforming with the Standard (or not, as the case may be). Various bodies became registration bodies (Registrars) and BSI, UL, SGS, DNV, and NQA are prominent examples.

It was also recognized there should be a body overseeing the activities, principles, and policies of the Registrars. In the USA, that body is the RABQSA. RABQSA International, Inc. was formed January 1st, 2005 from the merger of the Registrar Accreditation Board and The Quality Society of Australasia International. In Canada, it is the Standards Council of Canada.

The RAB/QSA has developed a National Accreditation Program (NAP) for accrediting Registrars. Any organization wishing to become a Registrar needs to satisfy the various requirements of initial and periodic assessments by the RAB/QSA.

There are different types of registration, but the main interest here is on the Registrar’s Quality Management System assessment and registration. On payment of an initial fee to the Registrar, they will assess your Quality Management System to ISO 9001 and, depending on the results of the assessment, the organization would become registered.

This is an indication that, at the time of assessment, the organization had the management systems in place to potentially supply product (within the scope of the assessment) in conformity with customer requirements. Thereafter, the organization pays an annual fee for the continuing assessment visits by the Registrar.

ISO 9000 Auditor Training - Accredited Registrars also publish a ‘Register of Certified Companies’ that includes all Registered Firms. This means that other organizations could use it and might not, in many cases, feel the need to audit those companies. This scheme has grown steadily and many organizations are beginning to take advantage of the benefits. 

For example, buying organizations may use the Registrar’s ‘Register of Certified Companies’ to provide some assurance about their suppliers, and selling organizations can use it as a marketing feature. Certainly it saves buying organizations the cost of carrying out audits, and selling organizations the cost and disturbance of undergoing audits.

3.4.4 First Party Audits
First party audits are carried out by an organization on itself to confirm to management that their documented quality management system is working effectively. An organization’s own defined and documented system forms the basis for this audit.
Reasons for a first party audit:

1. ISO 9001 clause 8.2.2 requires it
2. Control and feedback mechanism for management
3. Correction of nonconformities before external bodies find them
4. Systematic improvement of the organization

ISO 9000 Training - Some thought would, of course, generate further reasons. As in second party, if the audits are done only for reason (1) or (3) above, the value is going to be limited. By establishing an internal audit program, management is making available an extremely useful and powerful tool for improving business, and for assessing the effectiveness of the quality management system.

Of course, in considering (3) above, it means that if an organization is to find for itself the kinds of nonconformities that external bodies are likely to find, it should, if possible, carry out its audits in a similar way to the Registrars. It must be remembered that all audits are based on sampling; therefore, there is no guarantee that all nonconformities will be found during the internal audit process.

Related ISO Lead Auditor Training Resources:

"Understanding ISO 9001" provides a detailed explanation of each ISO 9001 clause (requirements).

ISO 9001 FAQ provides answers to commonly asked questions about the ISO 9000 family of quality management standards.