3rd Party Audits and Clause 8.2.2



I am a Government contractor currently registered to 9001:1994. I am preparing to renew my certificate and advance to the 9001:2000 standard. In revieweing clause 8.2.2 on Internal Auditing I am thinking about the following: Use the audit report and data obtained from my 3rd party surveillance audits as objective evidence to make fact based decisions and to cover certain ISO requirements. These surveillance audits certainly are:
* conducted at planned intervals, and;
* the auditors are independant of the functions being audited (i.e. they are not auditing their own work)

If surveillance audits are examining certain components of my QMS why do I need to repeat this myself? (i.e. plan audits based on importance and status). How is my regisistar any different from any other third party vendor I would hire to subcontract out this work? I should be able to use the audit data from my registrar to document requirements like: Is my QMS effectivly implemented? Does my QMS conform to ISO requirements?

My rational: If I conduct audits in areas other than those covered by my registrar then I would fulfill the requirement to "conduct internal audits". I would also fulfill the requirement to base my audits on what's important to me (i.e. between myself and my registrar I cover all areas important to me). In addition, I plan audits on previous results (the registrar always checks my progress on previous audit findings from the last surveillance audit).

This is not an attempt to create a "paper QMS" that gets me a certificate on the wall. I'm just wondering why do I have to pay someone to audit me and then seemingly can't use the information provided to satisfy some of the requirements. Am I on Pluto ... or did I miss something when reading the standard?
Elsmar Forum Sponsor


Trusted Information Resource
age old question

Hello MrPhish,

Although I agree with your thinking and your rationale, your auditor will not. I beleive somewhere in their guildlines prevents them from allowing this. I too feel that a registrar is a vendor, and subontracting to assure the system meets the standards, and doing your own internal audits is a repeat of this process and adds no value (others will disagree with me on this).

Use the search function for more thoughts on this subject.

Welcome to the Cove!





I did think that I saw this type of guidance (i.e. auditor won't allow this to happen) somewhere. Maybe it was in my contract, but this guideance is not in the standard and that's what I should get graded on by my registrar. This is why I came here ... for feedback. thanks.

After three years of doing EXACTLY what the auditors tell me ... without any questions or challenges ... I'm ready to come out of my shell (because I've learned more than the sum of what I was taught) and start to question the auditors more. If my auditor is going to continue to inject THEIR suggestions into my QMS as policy ... maybe its time to get a new registrar.

Jim Biz

There is a big - long thread here discussing Audits- Audit types - wht type of audit is done when /why / by whom - When I get time later on this evening - I'll look it up & post a link toit

Al Dyer


Be a bulldog and don't accept everything an auditor or registrar says is gospel. Always remember that they work for you and can be replaced.;)


From one phish to another,

Unless the registrar's auditor has you over a barrel on a particular issue, always fight. The auditor will tell you how to fix the problem when they explain their side of the story.

So far as using the 3rd party auditor for your requirements of the quality system, they will never allow it. That's why they call them "internal"


In the words of WC Fields, "DRATS!

You mean I am foiled by one word "internal"? But wait a minute ... let's re-evaluate.

Quote form 8.2.2: "an audit program shall be planned, taking into concideration the status and importance of the procesess and areas to be audited, as well as the results of previous audits".

So when my 3rd party auditor (my registrar) conducted audits the data from these audits became = "results of previous audits" (no type of audit mentioned in standard, i.e. internal or surveillance).

Therefore, when I evaluate which areas I NEED to perform an "internal" audit on I should be able to use the "results of previous audits" (regardless of the source) to justify why I did not audit my compliance to ISO requirements ... because my "results of previous audits" (i.e. the registrar) has all ready done that for me. This should leave me free to conduct my "internal" audits on other important subjects like contract compliance.

Final look: I get a check mark for conducting "internal" audits. I get a check mark for conducting "internal" audits on the areas that I can prove are more important to my business. I don't have to conduct "internal" audits to review my ISO compliance because "the results of previous audits" have already confirmed I am in complaince. I get a check mark for maintaining an ISO compliant QMS ... I got the registrar's audit reports.

What do the lawyers think??

E Wall

Just Me!
Trusted Information Resource
If Phish's were lawyers...YOWZER What a SCARY Thought!!!! hehehehehe

Let get back to the basics (IMHO):

3rd Party audit - (Higher Level Sampling) Primary concern is compliance to the STANDARD and YOUR company QM, which trickles down to other level documents as pursued by the auditor.
* Achieve quality system registration
* Gain recognition
* Reduce need for 2nd party audits
* Increase competitiveness

1st Party audit (a.k.a. Internal Audit) - (Detailed Sampling) Audit your own processes which most direct much greater detail on the specifics found in lower level documents (specs, work instructions, records...)
* Satisfy quality system requirements
* Detect and correct problems prior to external audits
* Ensure effective quality system implementation
* Identify improvement opportunities

Internal audits are highly effective, proactive tools for ensuring that a quality system is in place and working effectively

FYI - For anyone interested:
2nd Party Audit -
* Can help customers select, grade and approve suppliers
* Can help suppliers improve their systems
* Develop a mutual understanding of quality


Let us know how your registrar reacts to your interpretation. I'm thinking you'll see some eyes rolling around in their sockets.

But what's the worst thing, another corrective action to complete............

Looking forward to your response


I think if you rely on your 3rd party to give you an accurate assessment of the effectiveness of your QMS you will be sadly misguided. It is not the purpose of internal audit to merely check for compliance to the standard, you must also check against the requirements of the companies QMS, and check effectiveness. It sounds to me like you are trying to do the bear minimum to keep an ISO cert, clearly your customer focus, top management commitment, and commitment to continual improvement are almost zero.
Thread starter Similar threads Forum Replies Date
W Internal Auditing carried out by a 3rd party - Review of previous audits AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 3
V TS 16949 3rd Party (Certification Body) Audits of Remote Sites IATF 16949 - Automotive Quality Systems Standard 11
CarolX Definition 1st, 2nd and 3rd Party Audits - Definition Definitions, Acronyms, Abbreviations and Interpretations Listed Alphabetically 29
ScottK Is using a 3rd party auditor for supplier audits a big trend? Supplier Quality Assurance and other Supplier Issues 14
Leaf Fan When do 3rd Party audits turn to 2nd party audits? Customer and Company Specific Requirements 1
L Evaluation of Readiness of Organization for 3rd Party Audit ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 14
L 3rd party audit issues - No audit agenda received a week before the audit Registrars and Notified Bodies 7
A " I, as a 3rd party auditor, retain the obligation to determine whether or not the process is "effective"... Discuss. Registrars and Notified Bodies 5
L Acquiring software from 3rd party company IEC 62304 - Medical Device Software Life Cycle Processes 8
K 3rd party auditor for ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 4
H Starting my own 3rd party inspection company Service Industry Specific Topics 6
Mikey324 External calibration - Finding in our 3rd party audit General Measurement Device and Calibration Topics 58
A Becoming an ISO27001 3rd Party Auditor Career and Occupation Discussions 4
A Non-Conformances Found After 3rd Party Sorting Supplier Quality Assurance and other Supplier Issues 12
G Do HIPAA Rules Apply to a 3rd Party Logistics Shipper? Other US Medical Device Regulations 2
J Extent of 2017/745: providing 3rd party mass produced devices to NHS patients EU Medical Device Regulations 0
S AIAG CQI Auditor Qualification and 3rd Party Certification Requirements General Auditing Discussions 2
M 3rd Party Sorting and Inspection Company Certification Service Industry Specific Topics 4
D Auditing Our Outsourced 2nd-3rd Party Internal Audit Company ISO 13485:2016 - Medical Device Quality Management Systems 6
M CE self-certify, or needs testing by 3rd party? CE Marking (Conformité Européene) / CB Scheme 12
A CAR from 3rd party AS9100D auditor - Root cause dilemma AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 45
S ISO 9001:2015 Gap Analysis - In-House or 3rd Party? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
O IATF 16949 3rd party auditor training sources IATF 16949 - Automotive Quality Systems Standard 1
M IATF 16949 - Multiple Locations - 3rd party audit scope IATF 16949 - Automotive Quality Systems Standard 1
J 3rd Party Certification and QMS Revisions Registrars and Notified Bodies 4
Sidney Vianna Proposed Change to 3rd Party Audit Process - Limiting Scope of Audit Registrars and Notified Bodies 19
armani How to 3rd Party Audit ISO 9001 Clause 7.1.6 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
armani How to approach ISO 9001:2015 Clause 7.1.6 when 3rd Party Auditing ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
Stijloor Calculating (3rd Party) Audit Days for Company with Seasonal Employees General Auditing Discussions 3
L Release of Audit Results Report to 3rd Party ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
C 60601-1 13.1.2 - Passive Device Energized by 3rd Party Device IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
C Looking for 3rd party audit firm for unique contract, have RFP General Auditing Discussions 1
Manix Should a 3rd Party Auditor Audit against IATF rules and not just the ISO standard? General Auditing Discussions 4
S AAMI EC57 for ECG Medical Device - Seeking 3rd Party Test Laboratory US Food and Drug Administration (FDA) 5
V Is the CQI-9 Heat Treat Assessment performed by a 3rd Party Auditor APQP and PPAP 1
D AS 9104/1 has New Requirements for 3rd Party Auditors AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 6
A 3rd Party Audit Finding Not Clear - 4.1 Outsourced Processes AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 36
R 3rd Party Audit Comment - Identify ISO Clauses/Sub Clauses to each Process Quality Management System (QMS) Manuals 45
J Contents of DMR (Device Master Record) when manufacturing is by 3rd party 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 3
C Measuring Equipment on Injection Machine should be Calibrated by 3rd party? General Measurement Device and Calibration Topics 21
C Policy for 3rd Party Auditing of Sequencing Facilities IATF 16949 - Automotive Quality Systems Standard 6
D Using IMDS database with 3rd party Intermediate Trade Company RoHS, REACH, ELV, IMDS and Restricted Substances 2
S ANVISA Audit by 3rd Party? Other Medical Device Regulations World-Wide 4
W Do 3rd party testing labs need NRTL certification to perform testing for FDA conforma ISO 13485:2016 - Medical Device Quality Management Systems 3
Howard Atkins ISO/TS 16949 3rd Party Automotive Auditors Group on LinkedIn ASQ, ANAB, UKAS, IAF, IRCA, Exemplar Global and Related Organizations 1
S Customer Requesting 3rd Party Audit Report (AIB) - Help! Quality Manager and Management Related Issues 17
QMMike Telephone Billing - Cramming Scheme 3rd party billing company Coffee Break and Water Cooler Discussions 5
Howard Atkins Right to Appeal 3rd Party (Registrar aka CB) Findings General Auditing Discussions 23
V 18001 2nd stage 3rd party Top Management Questions (Training Assignment) General Auditing Discussions 8
E Should FDA implement 3rd party (PMAs) reviews? What are the pros and cons of doing so Other US Medical Device Regulations 2

Similar threads

Top Bottom