How many types of Audits are there? Understand the different Audits for ISO Management System Standards

Published on: January 16, 2023

Learn what Internal and External Audits are, and what’s involved in becoming qualified to conduct ISO Management Systems Audits.

In business, there are several different types of audits you may come across. You may already be familiar with performance audits, operational audits, and payroll audits, but when it comes to the Certification process, did you know that audits are a major component?

The ISO Management System Standards are documents which provide businesses with requirements, specifications and guidelines that can be used consistently to ensure that their products, services and processes are fit for their purpose. In order to achieve Certification to these ISO Standards, businesses will need to develop and implement a Management System in line with these requirements. To achieve Certification, the business Management System must go through a series of auditing processes.

Continue reading to find out more about the different types of ISO audits, and how you can get qualified to perform them yourself.

What is an audit, and why do we do them?

Essentially, an audit is a systematic process where objective evidence is obtained and evaluated to determine if a business has fulfilled a set of criteria or requirements. Audits of a businesses Management System are conducted to check if a business is meeting the requirements of their chosen ISO Standard(s).

The International Organisation for Standardisation (ISO) has reiterated the importance of audits throughout the Certification process by publishing an ISO Standard with recommendations on how to perform them.

The ISO 19011:2018 Guidelines for auditing management systems Standard provides guidance on preparing audit programs, management of an audit program, planning and conducting management system audits, as well as guidance on the competence and evaluation of an auditor. If you want to learn more about the standard, you can read more here.

Types of ISO Audits

Types of ISO Audits

In a nutshell, within the ISO scope there are two audit categories:

  1. Internal Audits – An internal review of a businesses management system required by the ISO Management System Standards, prior to the external audits.
  2. External Audits – The auditing process conducted by Certification Bodies (CAB – Conformity Assessment Bodies) that should result in Certification for a business.

Let’s dive deeper into each type:

1. Internal Audits

Internal audits, sometimes called first-party audits, are performed by an organisation on its own systems and processes. They will assess the effectiveness of the business processes, including internal controls, risk management, and governance.

Internal Audits are a requirement of the ISO Management System Standards and need to be conducted before and after Certification is achieved. An Internal Audit consists of a full review of a businesses management system to ensure that it has met all of the ISO Standard requirements, as well as the organisation’s own requirements, before going for Certification.

Besides assuring that the organisation’s processes are meeting their chosen ISO Management Systems Standard(s) requirements, the internal audit is an excellent opportunity for the business to improve its systems and the effectiveness of its management system.

Internal Audits need to be scheduled at regular intervals, taking a risk-based approach, which means that higher-risk processes, or processes with more frequent issues, should be audited more often than others. All processes should be audited at least once every three years; however, it is recommended that for the first couple of years, all processes are audited annually.


Internal Audits do not result in Certification for the business. To put it simply, it is an internal review of processes required by the ISO Management System Standards, before a business can go for their external audits, which is when a business can achieve their Certification.

– How can you become qualified to conduct Internal Audits?

An Internal Auditor can be someone from within the organisation, although sometimes a business may choose to engage an external consultant to conduct their Internal Audits.

As defined in the ISO 19011:2018 standard, Internal Auditors must be trained and deemed competent to conduct internal audits. There also needs to be objectivity and impartiality throughout the audit process, which means that the auditors should not audit their own work or processes.

Our Management Systems Internal Auditor Training is an online course that covers all the principles of becoming an Internal Auditor, offering three levels of internationally recognised certificates, including the one for competency, which is required when the business goes for Certification of their Management System.

Delivered in a series of short videos that can be watched at a time that best suits you, this practical online course will provide you with the knowledge and qualification you need to become an ISO Management Systems Internal Auditor for the main ISO Management System Standards: ISO 9001:2015, ISO 45001:2018, ISO 14001:2015 and ISO 27001:2022.

It’s important to note that once a business achieves Certification, it will have to continue performing internal audits in order to keep meeting the standards’ requirements, and in preparation for the yearly Surveillance Audits, and the Recertification Audit in three years. Therefore, businesses can benefit long term by qualifying their team to ensure their internal audits are being performed on an ongoing basis and in conformance with the requirements.

External Audits
2. External Audits

External Audits are conducted by a party that isn’t directly associated with the business under audit. They are divided into two categories:

  • Second Party Audits are usually conducted on a supplier by someone who’s interested in the organisation under contracted conditions. These audits assure that the supplier is doing what it has promised to do, based on the contractual agreements.

    They should be performed by competent auditors, but not necessarily a Certification Body, as the outcome is not the issuing of a Certification.

    It’s also important to note that Second Party Audits often don’t follow a regular schedule, as they are only performed when requested by someone interested in the organisation to ensure they’re meeting contractual obligations.
  • Third Party Audits are the same as “Certification Audits”. These are performed when a business engages a Certification Body (formally called a Conformity Assessment Body – CAB) to ensure their Management System meets all the requirements of their chosen ISO Management System Standard(s). The successful outcome of these audits results in the issue of one or more ISO Certifications.

    The Third Party Audit, or Certification Audit, will happen according to the Certification cycle. This means that following the initial Certification Audit (year “zero”), the CAB will return to conduct yearly Surveillance Audits to ensure the business is still meeting the requirements, and are able to keep their Certification. Once issued, a Certification lasts for three years. Therefore, in the third year, the organisation will undergo a Recertification Audit to verify that its management system continues to fully operate according to all Standard requirements and a new Certificate is issued.
– How can you become qualified to conduct External Audits?

This is only applicable if you are interested in pursuing a career to work as an auditor on behalf of Certification Bodies. If this is the case, you will need to complete a Lead Auditor training course, and then start acquiring hours of auditing experience (both internal and/or external) to apply for a professional certificate.

Courses like PECB’s ISO/IEC 27001 Lead Auditor eLearning training will give you the necessary skills, knowledge and qualification to plan and perform external audits according to the requirements of a specific ISO Standard – in this case, the ISO/IEC 27001:2022 Information Security Management Systems Standard.

In a highly competitive job market, and as professionals increasingly look to explore independent career paths, becoming an auditor may bring numerous benefits. Our Management Systems Internal Auditor Training is a great way to become familiar with the ISO world, and explore new career opportunities. It will teach you how to conduct effective Internal Audits in accordance with the main ISO Management System Standards.

Click here to learn more about our Internationally Certified online course that combines theory and practical, with real-life examples and templates.
General Manager at <a href="" style="color: inherit">ICExperts Academy</a> and <a href="" style="color: inherit">ISO Certification Experts</a>

Andressa (alias Andy) is the General Manager of ISO Certification Experts and ICExperts Academy, heading our Marketing department and coordinating the internal improvement initiatives and projects. With an MBA in Project Management, and over 10 years of experience in customer service and project management across many industries, she brings valuable knowledge to the business and our operations. Alongside her professional expertise, Andressa holds a genuine passion for sustainability and the environment.

All information on this blog site is for informational purposes only. As this information is based on our professional experience, opinion, and knowledge, we make no representations as to the suitability of this information for your individual business circumstances. Especiality Pty Ltd trading as ICExperts Academy and all related businesses and brands will not be liable for any errors, omissions, legal disputes or any damage arising from its display or use. All information is provided as is, with no warranties and confers no rights.

We will not be responsible for any material that is found at the end of links that we may post on this blog site. The advice, ideas, and strategies should never be used without first assessing your own personal business situation or seeking professional and/or legal advice. Information may also change from time to time to suit industry and business needs, requirements and trends.