Audit Types & Establishing an Audit Programme

Key Takeaways

  • Audits are classified by who conducts them: first-party (internal), second-party (an interested party such as a customer), or third-party (an independent certification body).
  • A combined audit covers two or more management-system disciplines at one site, while a joint audit means two or more auditing organizations cooperate on one visit.
  • An audit programme is the arrangements for a set of one or more audits planned for a specific time frame and directed toward a specific purpose, per ISO 19011:2018 Clause 5.
  • Establishing a programme follows a sequence: set objectives, determine and evaluate risks and opportunities, establish the programme's extent and resources, then establish supporting procedures.
  • Programme risks include mismatched auditor competence and poor scheduling; programme opportunities include combining nearby audits and aligning timing with data availability.
Last updated: July 2026

Audit Types & Establishing an Audit Programme

Quick answer: Audits are classified by who conducts them — first-party (internal), second-party (an interested party such as a customer), or third-party (an independent certification body) — and two or more can be combined at one site or run jointly by two auditing organizations. Above the level of a single audit sits the audit programme: the coordinated arrangements an organization makes to plan and run a set of audits over a defined time frame, built through a sequence of objectives, risk/opportunity evaluation, and resourcing decisions defined in ISO 19011:2018 Clause 5.

Classifying Audits by Who Conducts Them

Audit typeConducted byTypical purpose
First-party (internal)The organization itself, or someone acting on its behalfFeeding management review, supporting a self-declaration of conformity, driving continual improvement
Second-partyAn interested external party — most often a customer, or an auditor acting on a customer's behalfSupplier qualification and ongoing contractual assurance
Third-partyAn independent external certification or accreditation bodyCertification against ISO 9001, regulatory compliance, accreditation

Two variations combine audit visits without changing this basic classification:

  • A combined audit happens when two or more management systems of different disciplines — for example a quality management system and an environmental management system — are audited together at one auditee, typically to reduce disruption and cost.
  • A joint audit happens when two or more auditing organizations cooperate to audit a single auditee on the same visit, usually still issuing separate reports.

Don't confuse the two: combined describes how many management-system disciplines are covered in one visit (QMS plus EMS, audited by one team, against two sets of criteria); joint describes how many separate auditing organizations are cooperating on that visit (two certification bodies sharing a site visit, each against its own scope). A single visit can, in principle, be both combined and joint at once — for example, two certification bodies jointly auditing an organization's integrated QMS/EMS management system.

What an Audit Programme Is

ISO 19011:2018 defines an audit programme as the arrangements for a set of one or more audits planned for a specific time frame and directed toward a specific purpose. A programme might cover a single site's annual internal-audit schedule, or a certification body's full surveillance cycle across dozens of clients. Establishing a sound programme follows a repeatable sequence.

Step 1: Establishing Audit Programme Objectives

Programme objectives should be consistent with the organization's strategic direction and support its quality policy and QMS objectives. Typical objectives include verifying conformity to requirements, evaluating the organization's ability to meet applicable statutory, regulatory, and contractual requirements, evaluating the effectiveness of the management system in achieving its intended results, and identifying opportunities for improvement. These objectives directly drive how the programme is sized: a certification body whose objective includes closely monitoring a client with a history of major nonconformities will schedule more frequent or longer surveillance visits to that client than to a client with a clean track record.

Step 2: Determining and Evaluating Programme Risks and Opportunities

Before committing resources, the person managing the audit programme should identify what could threaten it and what could improve it.

  • Risks commonly include planning failures (poor scheduling, insufficient time on-site), inadequate audit-team competence for the technical complexity involved, ineffective communication of the programme, and inappropriate handling of confidential information.
  • Opportunities commonly include combining or scheduling audits close together to reduce travel, aligning audit timing with periods when performance data is naturally available, and better matching auditor competence to specific site or process needs.

Weighing risks against opportunities is what allows the audit programme manager to justify decisions about frequency, duration, and team assignment rather than applying a one-size-fits-all schedule.

Step 3: Establishing the Audit Programme

With objectives and risk/opportunity analysis in hand, establishing the programme itself involves several concrete decisions:

  • Roles and responsibilities — designating who manages the audit programme and confirming that person has the competence to do so, including knowledge of audit principles, methods, and the relevant management-system standard.
  • Extent of the programme — the number, duration, frequency, and types of audits (first-, second-, or third-party; combined or single-discipline) and the locations or functions to be covered.
  • Programme resources — financial resources for travel and time; audit methods to be used; the number and competence of individual auditors and audit teams needed; supporting technology; and, where relevant, training needs identified for the audit team.

For a lead auditor sitting the CQI/IRCA exam, the practical takeaway is that "resources" is broader than headcount: it includes the technology needed to support remote audit activities, the accommodation and travel budget for multi-day site visits, and the ongoing professional development that keeps auditors' competence current against revised standards.

Step 4: Establishing Procedures for the Programme

Finally, the organization documents procedures that address planning and scheduling audits, ensuring the competence and conduct of auditors, selecting appropriate audit teams and assigning their roles, conducting the audits themselves, and managing and retaining the resulting records. These procedures are what allow the programme to run consistently even as different people manage it over time, and they set up the implementation activities — selecting methods, assigning team leaders, and managing outcomes — covered in the next section.

A well-run audit programme is not simply "the collection of audits we happen to do." It is a deliberately designed system, driven by objectives tied to the organization's own quality policy, sized against real risks and opportunities, and resourced to deliver credible, evidence-based conclusions audit after audit.

Test Your Knowledge

A retailer sends its own quality engineer to evaluate a new component supplier's QMS before signing a purchase contract. Which audit type is this?

A
B
C
D
Test Your Knowledge

Which of the following is most accurately described as an audit-programme RISK rather than an audit-programme OPPORTUNITY?

A
B
C
D