I received an email from a QAQC Manager interalia stating, “I want to know what is surveillance audit, periodic audit and any other audit type you know.” Although I replied the email giving some clarification, however I think it would be better if I write a write-up on the subject matter.
First, we should understand what an audit is. International Standard ISO 9000:2005 defines an audit as “systematic, independent and documented process (set of interrelated or interacting activities which transform inputs into outputs) for obtaining audit evidence (records, statements of fact or other information which are relevant to the audit criteria and verifiable) and evaluating it objectively to determine the extent to which audit criteria (set of policies, procedures or requirements relating to audit) are fulfilled.”
Accordingly, an audit is a systematic, independent and systematic process. The purpose of an audit is to obtain audit evidence and evaluating it objectively against the audit criteria.
An audit can be categorized as one of the three audit types, which are as under:
- First party audit
- Second party audit
- Third party audit
First party audit is conducted by the organization itself (or conducted on behalf of the organization) for internal verification, review and other purpose. First party audit is also known as ‘internal audit’ and it is an internal management tool, by which an organization check the health of its management system. Organizations implementing management systems (such as ISO 9001:2008 QMS, ISO 14001:2004 EMS) are required to conduct internal audit at planned intervals.
Second party audit is conducted on a supplier or an organization (excepting a customer) by or on behalf of a party (such as a customer) having an interest in the organization. Second party audit is also known as supplier audit and it is a vendor assessment tool.
Third party audit is conducted for certification purpose and this type of audit is also known as certification audit. This type of audit is conducted by an external, independent audit organization (generally known as certification body or certification body). An organization that seeks certification to a management system is required to undergo certification audit. Certification body carries out three kinds of audit for certification purpose – (i) Adequacy audit – An audit of documentation, (ii) Onsite certification audit – Onsite verification of the management system, and (iii) Surveillance audit – Surveillance audit is a periodic audit (conducted from time to time) to ensure that organization still meets the requirements of the management system standard. Periodic audit is an audit for an intermediate period (e.g., one year) or an audit carried out at specified intervals – usually every one year.
Audit in ISO 9001:2008 QMS
ISO 9001:2008 QMS Standard, Clause 8.2.2, requires organization to conduct internal audit at planned intervals. Accordingly, conducting internal audit at planned intervals is must for an organization implementing ISO 9001:2008 QMS Standard. The Standard does not mention any requirement with regard to second party (supplier) audit or third party (certification) audit. Certification is not a requirement of the Standard. An organization may implement ISO 9001:2008 QMS Standard without obtaining its certification.
With best wishes,
Keshav Ram Singhal