3rd Party Audits and Clause 8.2.2



I am a Government contractor currently registered to 9001:1994. I am preparing to renew my certificate and advance to the 9001:2000 standard. In reviewing clause 8.2.2 on Internal Auditing I am thinking about the following: Use the audit report and data obtained from my 3rd party surveillance audits as objective evidence to make fact based decisions and to cover certain ISO requirements. These surveillance audits certainly are:
* conducted at planned intervals, and;
* the auditors are independent of the functions being audited (i.e. they are not auditing their own work)

If surveillance audits are examining certain components of my QMS why do I need to repeat this myself? (i.e. plan audits based on importance and status). How is my registrar any different from any other third party vendor I would hire to subcontract out this work? I should be able to use the audit data from my registrar to document requirements like: Is my QMS effectively implemented? Does my QMS conform to ISO requirements?

My rationale: If I conduct audits in areas other than those covered by my registrar then I would fulfill the requirement to "conduct internal audits". I would also fulfill the requirement to base my audits on what's important to me (i.e. between myself and my registrar I cover all areas important to me). In addition, I plan audits on previous results (the registrar always checks my progress on previous audit findings from the last surveillance audit).

This is not an attempt to create a "paper QMS" that gets me a certificate on the wall. I'm just wondering why do I have to pay someone to audit me and then seemingly can't use the information provided to satisfy some of the requirements. Am I on Pluto ... or did I miss something when reading the standard?


Trusted Information Resource
age old question

Hello MrPhish,

Although I agree with your thinking and your rationale, your auditor will not. I believe something in their guidelines prevents them from allowing this. I too feel that a registrar is a vendor, and subcontracting to assure the system meets the standards, and doing your own internal audits is a repeat of this process and adds no value (others will disagree with me on this).

Use the search function for more thoughts on this subject.

Welcome to the Cove!





I did think that I saw this type of guidance (i.e. auditor won't allow this to happen) somewhere. Maybe it was in my contract, but this guidance is not in the standard and that's what I should get graded on by my registrar. This is why I came here ... for feedback. Thanks.

After three years of doing EXACTLY what the auditors tell me ... without any questions or challenges ... I'm ready to come out of my shell (because I've learned more than the sum of what I was taught) and start to question the auditors more. If my auditor is going to continue to inject THEIR suggestions into my QMS as policy ... maybe it's time to get a new registrar.

Jim Biz

There is a big - long thread here discussing Audits - Audit types - what type of audit is done when / why / by whom - When I get time later on this evening - I'll look it up & post a link to it

Al Dyer


Be a bulldog and don't accept everything an auditor or registrar says is gospel. Always remember that they work for you and can be replaced. ;)


From one phish to another,

Unless the registrar's auditor has you over a barrel on a particular issue, always fight. The auditor will tell you how to fix the problem when they explain their side of the story.

So far as using the 3rd party auditor for your requirements of the quality system, they will never allow it. That's why they call them "internal".


In the words of WC Fields, "DRATS!"

You mean I am foiled by one word "internal"? But wait a minute ... let's re-evaluate.

Quote from 8.2.2: "an audit program shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits".

So when my 3rd party auditor (my registrar) conducted audits the data from these audits became = "results of previous audits" (no type of audit mentioned in standard, i.e. internal or surveillance).

Therefore, when I evaluate which areas I NEED to perform an "internal" audit on I should be able to use the "results of previous audits" (regardless of the source) to justify why I did not audit my compliance to ISO requirements ... because my "results of previous audits" (i.e. the registrar) has already done that for me. This should leave me free to conduct my "internal" audits on other important subjects like contract compliance.

Final look: I get a check mark for conducting "internal" audits. I get a check mark for conducting "internal" audits on the areas that I can prove are more important to my business. I don't have to conduct "internal" audits to review my ISO compliance because "the results of previous audits" have already confirmed I am in compliance. I get a check mark for maintaining an ISO compliant QMS ... I got the registrar's audit reports.

What do the lawyers think??

E Wall

Just Me!
Trusted Information Resource
If Phish's were lawyers...YOWZER What a SCARY Thought!!!! hehehehehe

Let's get back to the basics (IMHO):

3rd Party audit - (Higher Level Sampling) Primary concern is compliance to the STANDARD and YOUR company QM, which trickles down to other level documents as pursued by the auditor.
* Achieve quality system registration
* Gain recognition
* Reduce need for 2nd party audits
* Increase competitiveness

1st Party audit (a.k.a. Internal Audit) - (Detailed Sampling) Audit your own processes which most direct much greater detail on the specifics found in lower level documents (specs, work instructions, records...)
* Satisfy quality system requirements
* Detect and correct problems prior to external audits
* Ensure effective quality system implementation
* Identify improvement opportunities

Internal audits are highly effective, proactive tools for ensuring that a quality system is in place and working effectively.

FYI - For anyone interested:
2nd Party Audit -
* Can help customers select, grade and approve suppliers
* Can help suppliers improve their systems
* Develop a mutual understanding of quality


Let us know how your registrar reacts to your interpretation. I'm thinking you'll see some eyes rolling around in their sockets.

But what's the worst thing, another corrective action to complete............

Looking forward to your response


I think if you rely on your 3rd party to give you an accurate assessment of the effectiveness of your QMS you will be sadly misguided. It is not the purpose of internal audit to merely check for compliance to the standard; you must also check against the requirements of the company's QMS, and check effectiveness. It sounds to me like you are trying to do the bare minimum to keep an ISO cert; clearly your customer focus, top management commitment, and commitment to continual improvement are almost zero.