As defined in ISO 19011:2011—Guidelines for auditing management systems, an audit is a “systematic, independent and documented process for obtaining audit evidence [records, statements of fact or other information which are relevant and verifiable] and evaluating it objectively to determine the extent to which the audit criteria [set of policies, procedures or requirements] are fulfilled.” Several audit methods may be employed to achieve the audit purpose.
There are three discrete types of audits: product (which includes services), process, and system. However, other methods, such as a desk or document review audit, may be employed independently or in support of the three general types of audits.
Some audits are named according to their purpose or scope. The scope of a department or function audit is a particular department or function. The purpose of a management audit relates to management interests such as assessment of area performance or efficiency.
An audit may also be classified as internal or external, depending on the interrelationships among participants. Internal audits are performed by employees of your organization. External audits are performed by an outside agent. Internal audits are often referred to as first-party audits, while external audits can be either second-party or third-party.
3 Types of audits
Internal & external audits: first-, second-, and third-party audits
Purposes of audits
An auditor may specialize in types of audits based on the audit purpose, such as to verify compliance, conformance, or performance. Some audits have special administrative purposes such as auditing documents, risk, or performance or following up on completed corrective actions.
Companies in certain high-risk categories—such as toys, pressure vessels, elevators, gas appliances, and electrical and medical devices—wanting to do business in Europe must comply with Conformité Européenne Mark (CE Mark) requirements. One way for organizations to comply is to have their management system certified by a third-party audit organization to management system requirement criteria (such as ISO 9001).
Customers may suggest or require that their suppliers conform to ISO 9001, ISO 14001, or safety criteria, and federal regulations and requirements may also apply. A third-party audit normally results in the issuance of a certificate stating that the auditee organization's management system complies with the requirements of a pertinent standard or regulation.
Third-party audits for system certification should be performed by organizations that have been evaluated and accredited by an established accreditation board, such as the ANSI-ASQ National Accreditation Board (ANAB).
Performance versus compliance/conformance audits
Various authors use the following terms to describe an audit purpose beyond compliance and conformance: value-added assessments, management audits, added value auditing, and continual improvement assessment. The purpose of these audits goes beyond traditional compliance and conformance audits. The audit purpose relates to organization performance. Audits that determine compliance and conformance are not focused on good or poor performance. Yet performance is an important concern for most organizations.
A key difference between compliance/conformance audits and audits designed to promote improvement is the collection of audit evidence related to organization performance versus evidence to verify conformance or compliance to a standard or procedure. An organization may conform to its procedures for taking orders, but if every order is subsequently changed two or three times, management may have cause for concern and want to rectify the inefficiency.
A product, process, or system audit may have findings that require correction and corrective action. Since most corrective actions cannot be performed at the time of the audit, the audit program manager may require a follow-up audit to verify that corrections were made and corrective actions were taken. Due to the high cost of a single-purpose follow-up audit, it is normally combined with the next scheduled audit of the area. However, this decision should be based on the importance and risk of the finding.
An organization may also conduct follow-up audits to verify that preventive actions were taken as a result of performance issues that may be reported as opportunities for improvement. At other times, organizations may forward identified performance issues to management for follow-up.
4 Phases of an audit
Note: Requests for correcting nonconformities or findings are very common. Corrective action is action taken to eliminate the causes of an existing nonconformity, defect, or other undesirable situation in order to prevent recurrence (reactive). Corrective action is about eliminating the causes of problems and not just following a series of problem-solving steps. Preventive action is action taken to eliminate the causes of a potential nonconformity, defect, or other undesirable situation in order to prevent occurrence (proactive).
Excerpted from The ASQ Auditing Handbook, J.P. Russell, editor, ASQ Quality Press, 2013.