Top management requests auditors from the organisation’s compliance department to audit the production process in order to ensure the final product meets quality requirements = First-party audit
Auditors from the buyer’s organisation audit their raw material supplier to ensure the supply fulfils the order and contract = Second-party audit
Auditors from an independent certification body conduct an audit of the organisation to verify conformity with an ISO Standard for certification purposes = Third-party audit
The organisation has been audited against two management system standards in one audit = Combined audit
Explanation: According to the ISO/IEC 27001 standard, there are three main categories of audits: internal, external, and certification [1]. An internal audit, also known as a first-party audit, is an audit conducted by the organisation itself, or by an external party on its behalf, for management review and other internal purposes [1][2]. An external audit, also known as a second-party audit, is an audit conducted by a customer or other interested party on a supplier or contractor to verify compliance with contractual or other requirements [1][2]. A certification audit, also known as a third-party audit, is an audit conducted by an independent certification body to verify conformity with an ISO standard for certification purposes [1][2]. A combined audit is an audit where two or more management system standards are audited together [3].
References:
1: PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, page 19
2: ISO 27001 Audit Types and How They are Conducted
3: The Four ISO 27001 Audit Categories, Explained