Internal and external audits are a commonly discussed topic in the implementation of management systems. According to ISO 19011, auditing is a “systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.”
The internal audit, or first-party audit, is a requirement described in all Management System Standards, and it is usually performed by someone from the organization itself or a hired consultant. Internal audits are performed on behalf of the company rather than a certification body and are conducted on a set of processes to ensure they meet the organization’s internal requirements or standards.
The designated person performing the internal audit must be qualified and follow the standard requirements of management systems. This qualification implies specific training that covers the requirements of the Reference Standard to be audited (for example ISO 9001, ISO 14001, OHSAS 18001, etc.). To preserve impartiality, internal auditors cannot audit their own work.
An external audit, which we call a certification audit, takes place when a certification body outside the organization is hired to ensure the company complies with the Reference Standard. This process involves a greater level of detail and strictly follows international accreditation standards.
In addition to first- and third-party audits, there is also a second-party audit. This is a common practice where a professional is hired by a company to audit compliance with the requirements stated in a given contract. The customer may choose to audit all or part of the contract. It is important to note that a second-party audit does not grant certification to a company.
The audit processes are standardized and lend greater credibility to the management system, whether it is an internal audit to assess compliance with the requirements or an external audit for certification.