First-, Second- & Third-Party Audits for medical device manufacturers & suppliers

In the quality management domain, there exists a number of names for various types of audits. In fact, there are so many audit names and types that it’s quite easy to become confused. Further complicating the issue is the fact that the same audit can have multiple titles in different contexts, meaning that for most of us, the whole concept of the audit is puzzling at best. So, let me try to clarify.

There are three basic audit categories in quality management: first-party audits, second-party audits, and third-party audits. The category that a particular audit fits into depends on the relationship that exists between the auditor and the auditee. Let’s take a closer look at these three categories, and common audit names that would fit into each.

Third-Party Audits

A third-party audit is applicable in situations where an organization implements its own Quality Management System (QMS) according to a standard set of requirements (like ISO 13485). Once they have created and operated this system for some time, the organization must hire a certification body, or registrar, who then sends its own auditor to determine whether the company’s QMS conforms to the requirements of the standard (the certification audit). If so, they will grant certification to the company, and then perform audits at regular intervals to verify that the organization continues to conform to the requirements during the length of certification (maintenance / surveillance audits). At the end of the certification term, it will be time for the re-certification audit.


Second-Party Audits

During a second-party audit, a customer conducts an audit of their supplier to verify that they meet the requirements laid out in the contract. Such requirements often involve traceability (tracking the parts used in particular products), additional controls over specialized processes (like milling or forging), special requirements on certain documents, advanced standards of cleanliness, or other requirements to meet the unique needs of the customer. During the audit process, the customer may review all or parts of the contract, examine processes on site, evaluate documents the supplier has submitted (off site), and anything else they decide to audit.

People often believe that second-party audits will no longer be needed once a supplier is certified against ISO 13485 by a registrar, but these audits really have nothing to do with the certification. Second-party audits take place between a customer and their supplier, and the customer is entitled to verify that their requirements are being met as specified in the contract, regardless of whether they align with ISO 13485 requirements.

First-Party Audits

First-party audits, or internal audits, occur when someone from inside the organization audits a process (or a set of processes) in the QMS to verify that it conforms to the specified procedure for that process. In this situation, the auditor may be either an employee of that organization, or a consultant hired by the organization, but the point is that the auditor is working on the organization’s behalf, and not that of a registrar or customer.

The internal audit not only looks at whether or not the organization’s processes comply with the ISO 13485 standard, but also whether the processes follow the company’s own rules. During the audit, the auditor will examine the overall effectiveness of the QMS, and look for opportunities for improvement, problems (or potential problems), and any areas where processes are out of alignment with each other. Organizations should make sure that their internal audits are thorough and complete, because they provide one of the best sources of improvement opportunities.

Know the difference, and don’t get confused

Should you conduct a second-party audit on one (or all) of your suppliers to be sure they are capable of meeting your requirements? How can you best prepare for, and learn from, third-party audits? What upgrades can you make to your first-party audits to help with continual improvement of your processes? Make sure you fully understand each of these types of audits, and what they can do for you – in this way, you will have a better idea of how to best use audits in your company to improve your QMS.

Why not find out more about the changes in ISO 13485 with this Infographic: What’s new in the 2016 revision of ISO 13485.