Quality Assurance: Third-Party Audit Standards

Third-party audit standards govern the independent assessment of an organization's quality management system by an external body that holds no commercial or organizational interest in the outcome. These standards establish the criteria, competencies, and procedural requirements that auditors and certification bodies must satisfy to produce credible, legally defensible findings. In regulated industries — including aerospace, medical devices, food safety, and pharmaceuticals — third-party audit certification is a market access requirement, not a discretionary practice.

Definition and scope

A third-party audit is a conformity assessment conducted by an independent organization, distinct from the audited entity (first party) and its customers (second party). The term "third party" specifically denotes independence from the commercial relationship between supplier and buyer, a boundary defined in ISO/IEC 17021-1:2015, which sets competence and impartiality requirements for bodies providing audit and certification of management systems.

The scope of third-party audit standards covers:

  1. Certification body accreditation — The requirements an audit organization must meet to be recognized as competent, typically granted by a national accreditation body such as ANAB (ANSI National Accreditation Board) or A2LA (American Association for Laboratory Accreditation).
  2. Auditor qualification — Education, sector-specific experience hours, and demonstrated competency as specified in ISO 19011:2018, the guidelines for auditing management systems.
  3. Audit program structure — Planning, execution, reporting, and follow-up phases with defined documentation requirements.
  4. Impartiality obligations — Prohibitions on certifying bodies providing consultancy to the organizations they audit, as specified under ISO/IEC 17021-1, Clause 5.

The quality-assurance-regulatory-framework page addresses the broader statutory environment in which these standards operate across U.S. industries.

How it works

A standard third-party audit cycle under ISO 9001 or equivalent frameworks proceeds through 4 discrete phases:

  1. Application and contract review — The certification body evaluates the applicant's scope of certification, industry classification, and any impartiality risks. Conflict-of-interest screening is mandatory at this stage under ISO/IEC 17021-1, Clause 5.2.
  2. Stage 1 audit (documentation review) — Auditors assess the organization's quality manual, documented procedures, and readiness for Stage 2. This phase is typically conducted off-site or with limited on-site presence and produces a written readiness report.
  3. Stage 2 audit (on-site conformity assessment) — Auditors verify implementation and operational effectiveness across the management system. Findings are classified as major nonconformities, minor nonconformities, or observations. A single major nonconformity blocks certification until closed.
  4. Certification decision and surveillance — An independent certification decision-maker (separate from the audit team) grants or withholds certification. Certificates under ISO 9001 are valid for 3 years, with mandatory surveillance audits at 12-month intervals and a recertification audit in year 3 (ISO 9001:2015).

Findings that trigger corrective action feed directly into the organization's quality-assurance-nonconformance-reporting processes, with documented evidence of closure required before certification is issued or maintained.

Common scenarios

Third-party audit standards apply across distinct regulatory and commercial contexts, each governed by sector-specific overlays on the base ISO framework:

Decision boundaries

Not all external assessments qualify as third-party audits under accredited standards. The critical distinctions are:

  Assessment type       | Conducted by                             | Independence level     | Produces accredited certificate?
  ----------------------|------------------------------------------|------------------------|---------------------------------------------------
  Internal audit        | Employees of the audited organization    | None                   | No
  Second-party audit    | Customer or customer-appointed auditor   | Partial                | No
  Third-party audit     | Accredited certification body            | Full (ISO/IEC 17021-1) | Yes
  Regulatory inspection | Government agency (FDA, FAA, USDA)       | Full                   | No — produces inspection record, not certification

The distinction between third-party certification and regulatory inspection is operationally significant. A third-party ISO 9001 certificate signals voluntary conformity to a management system standard. An FDA inspection under 21 CFR Part 820 is a statutory enforcement activity with authority to issue Warning Letters, consent decrees, or import alerts — outcomes that no voluntary certification body can impose.

Organizations selecting a certification body should verify ANAB or A2LA accreditation scope, confirm the body is listed in the relevant industry database (OASIS for AS9100, IATF portal for IATF 16949), and review the body's surveillance audit frequency commitments. The quality-assurance-independence reference page covers impartiality requirements in greater structural detail.
