Audit Types by Purpose
There are various purposes for which an audit could be conducted. This post provides a brief overview of each audit type and its purpose.
Verification of Corrective Action Audits
It's used to verify that corrective actions have been implemented as planned. The purpose of this audit is to ensure that the organization has taken all necessary steps to correct any problems identified during previous audits.
ISO 9001:2015 introduced the term “risk-based thinking”. In a risk-based audit approach, you set priorities to audit the areas considered to be riskier to achieve the company’s goal.
For example, a risk audit is performed when there is reason to believe that the organization may not comply with applicable laws or regulations. Risk auditing can help organizations identify areas where they need to improve their policies and procedures to reduce the likelihood of noncompliance.
Organizations hire a Certification Body (CB) to get certified to ISO 9001 requirements. The Certification Body employed for ISO 9001 registration should be accredited. This accreditation is provided by a member of the International Accreditation Forum (IAF), based on an accreditation audit.
Many countries have formed accreditation bodies to authorize ("accredit") the certification bodies. These accreditation bodies perform independent audits of certification bodies to determine whether they meet specific criteria. Once approved, these accreditation bodies issue certificates attesting that the CB meets the standards.
Here is a shortlist of accreditation bodies by country:
- United States of America - ANAB ( ANSI National Accreditation Board )
- China - CNAS ( China National Accreditation Service for Conformity Assessment )
- Australia and New Zealand - JAS-ANZ ( Joint Accreditation System of Australia and New Zealand )
- India - NABCB ( National Accreditation Board for Certification Bodies )
- United Kingdom - UKAS ( United Kingdom Accreditation Service )
- Canada - SCC ( Standards Council of Canada )
A compliance audit is required if your organization is subject to specific regulatory requirements. Compliance audits are usually performed when an organization is suspected of violating a law or regulation. The focus of compliance audit is to check if it complies with the internal and external requirements and is not the performance improvement.
An example of such requirement is Sarbanes Oxley Act . SOX requires companies to conduct annual compliance audits. An auditor will review the financial statements, accounting records, and other documents related to the business operations. If the auditor finds any evidence of fraud, he/she must report the findings to the appropriate authorities.
For Cause Audits
A for-cause audit is usually performed when an organization suspects it might be violating some law or regulation. It could be used to investigate allegations of misconduct made by employees, customers, suppliers, partners, etc.
For example, a for-cause audit may be conducted if the organization believes it has violated anti-bribery laws.
Surveillance audits are conducted by ISO 9001 certification bodies (CB) to monitor conformity with the requirements, to assure continued validity of the certificate. Surveillance audits are also known as "on-site" audits, because they are performed at the site of the company's operation. Typically the Certification Body conducts a full audit of the organization every 3 years, and it conducts an annual or semi-annual surveillance audit.