A first-party audit is an internal audit . In ISO management system auditing terminology, first-party audits are performed by, or on behalf of, the organization itself to evaluate its own management system. Therefore, E. Internal audit is directly correct.
A first-party audit can also be carried out as a process audit when the organization audits one of its own processes to determine whether it is planned, implemented, maintained, and effective. Since internal audits under ISO 45001 are planned and conducted over processes, functions, and areas within the OH and S management system, D. Process audit also applies.
Why the other options are not correct:
A. Certification audit is a third-party audit , carried out by a certification body, not a first-party audit.
B. Surveillance audit is also a third-party certification body activity conducted after certification.
C. Regulatory audit is performed by a regulator or authority, not by the organization on itself.
F. External audit does not describe a first-party audit, because first-party audits are internal by definition.
Therefore, the two phrases that apply to a first-party audit are:
D, E
