Third-Party Audit Compliance for Quality Systems

Third-party audit compliance refers to the structured process by which an independent external body evaluates an organization's quality management system against a defined standard, regulatory requirement, or contractual specification. This page covers the definition and scope of third-party audits, the mechanics of how they are conducted, the contexts in which they arise, and the criteria used to determine audit type and appropriate response. For organizations operating under ISO 9001, FDA quality system regulations, or sector-specific frameworks, understanding third-party audit requirements is essential to maintaining certification status and regulatory standing.


Definition and scope

A third-party audit is conducted by an entity with no financial or operational stake in either the audited organization or its customers. This independence distinguishes it from first-party audits (internal self-assessments) and second-party audits (an organization auditing its suppliers, or a customer auditing the organization). Third-party audits typically result in a formal determination — certification, registration, regulatory clearance, or a finding of noncompliance — that carries legal or commercial weight.

The scope of third-party audit compliance spans three primary domains:

  1. Certification audits — conducted against voluntary management system standards such as ISO 9001:2015, AS9100 Rev D, or IATF 16949:2016, resulting in certification issued by an accredited certification body (CB).
  2. Regulatory inspections — conducted by government agencies such as the U.S. Food and Drug Administration (FDA) or the Occupational Safety and Health Administration (OSHA), resulting in observations, warning letters, or enforcement actions.
  3. Accreditation assessments — conducted by bodies such as the American Association for Laboratory Accreditation (A2LA) or ANAB, evaluating laboratories against ISO/IEC 17025 and management system certification bodies against ISO/IEC 17021-1. (ISO/IEC 17011 is the standard the accreditation bodies themselves must meet, not the standard they assess against.)

The International Accreditation Forum (IAF) and its regional equivalents coordinate the accreditation of certification bodies through multilateral recognition arrangements (MLAs) that make an accredited certificate recognized across borders. Competence requirements for auditors employed by accredited certification bodies are set by ISO/IEC 17021-1; ISO 19011:2018 provides the general guidelines for auditing management systems on which those programs draw.


How it works

Third-party audits follow a defined lifecycle regardless of the issuing body. The phases below follow the structure described in ISO 19011:2018. FDA inspections against 21 CFR Part 820 (ecfr.gov) follow a broadly similar sequence, although the inspection procedure itself is defined in FDA's compliance programs rather than in Part 820, which states the quality system requirements.

  1. Application and audit program planning — The organization formally engages a certification body or receives notice of a regulatory inspection. The CB or agency defines the audit scope, applicable clauses or regulations, and the audit team composition.
  2. Document review (Stage 1 for certification audits) — The auditor reviews the quality manual, documented procedures, and records such as internal audit and management review results to assess readiness for the Stage 2 visit.
  3. On-site audit (Stage 2 / inspection) — Auditors collect objective evidence through interviews, observation of processes, and review of records. In certification audits, findings are classified as major nonconformances, minor nonconformances, or observations (opportunities for improvement). In FDA inspections, the investigator lists inspectional observations on Form FDA 483 at the close of the inspection; a Warning Letter is a separate post-inspection enforcement action, not a finding issued on site.
  4. Audit report issuance — A formal written report documents each finding with the specific clause or regulatory citation against which it was raised.
  5. Corrective action and closure — The organization submits corrections and corrective actions (a CAPA plan, in FDA terminology) with root cause analysis and implementation evidence. Closure timelines are set by the certification body's own rules; most require evidence of effective corrective action for major findings within a fixed window, commonly 30 to 90 days, before granting or maintaining certification.
  6. Surveillance and recertification — Certification bodies conduct surveillance audits at least annually during the three-year certificate cycle and a recertification audit before the certificate expires. FDA may conduct follow-up inspections depending on the inspection classification: No Action Indicated (NAI), Voluntary Action Indicated (VAI), or Official Action Indicated (OAI).


Common scenarios

Third-party audit compliance obligations arise in several distinct operational contexts:

Initial certification — An organization seeking ISO 9001:2015 certification for the first time undergoes a two-stage audit (document review followed by on-site assessment). Certification is granted only when all major nonconformances have been corrected and verified to the CB's satisfaction and an acceptable corrective action plan is in place for any minor nonconformances.

Supplier qualification audits — Original equipment manufacturers in aerospace and automotive sectors require sub-tier suppliers to hold AS9100 or IATF 16949 certification as a contractual condition. The supplier quality compliance function within the prime contractor monitors certificate validity through databases such as OASIS (Online Aerospace Supplier Information System) maintained by the International Aerospace Quality Group (IAQG).

FDA pre-approval inspections (PAI) — Before approving a new drug application (NDA) or biologics license application (BLA), the FDA may inspect the manufacturing site against the drug current good manufacturing practice requirements in 21 CFR Parts 210–211 to verify that production systems match the submitted specifications. The device analogue is the premarket approval (PMA) inspection against 21 CFR Part 820; Part 820 does not apply to drug or biologic manufacturing.

Notified body assessments (EU MDR) — Medical device manufacturers targeting the European market under EU Regulation 2017/745 must engage an EU-designated Notified Body for conformity assessment. Although this is a non-US regulatory pathway, U.S.-based manufacturers with global distribution commonly integrate Notified Body audit cycles with their FDA Quality System Regulation compliance programs.


Decision boundaries

Determining the correct audit type and preparation strategy depends on three primary variables: the applicable standard or regulation, the accreditation status of the auditing body, and the classification of audit findings.

Certification audit vs. regulatory inspection — Certification audits produce a certificate with defined validity (typically 3 years under ISO programs). Regulatory inspections produce enforcement records that become part of the public docket (FDA Establishment Inspection Reports are accessible via FOIA). Failing a certification audit delays or suspends a certificate; failing an FDA inspection can trigger import alerts, consent decrees, or criminal referrals.

Major vs. minor nonconformance — A major nonconformance under ISO 9001 indicates either the complete absence of a required element or a systematic breakdown that calls the integrity of the quality management system into question. A minor nonconformance reflects an isolated lapse. The distinction determines response timelines and whether certification is withheld pending correction.

Accredited vs. non-accredited third parties — Only certificates issued by certification bodies accredited under an IAF MLA signatory accreditation body carry internationally recognized standing. Audits by non-accredited bodies may satisfy contractual due diligence requirements, but they do not produce accredited ISO certification and should not be represented as equivalent.

Organizations that maintain a risk-based compliance approach typically prioritize audit preparation resources according to finding severity, regulatory agency jurisdiction, and customer contractual requirements rather than treating all third-party audits as equivalent in consequence.

