What Is a Second Party Audit and When Should You Use One?

Dilawar Laghari

Lead Auditor and Trainer
Second party audits sit in a peculiar middle ground in the audit landscape. They are not internal audits, where your own team checks your own systems. They are not third party certification audits, where an independent body grants you a certificate. Instead, second party audits are conducted by customers, suppliers, or contractual partners looking into your organisation's compliance and capability. For many Australian manufacturing, service, and logistics organisations, second party audits are a regular reality, yet few people understand their purpose, scope, or how to prepare for them effectively.

This matters because a poorly handled second party audit can damage customer relationships, lead to contracts being withdrawn, or expose gaps in your management systems before a certification auditor discovers them. Conversely, a well prepared organisation that understands the expectations can use second party audits as an opportunity to strengthen relationships and demonstrate genuine capability.

Understanding Second Party Audits: Definition and Context

A second party audit is an audit conducted by an external organisation that has a direct business relationship with the auditee. The auditing party is typically a customer, supplier, or strategic partner. In the ISO audit framework, this distinguishes second party audits from first party (internal) and third party (independent certification) audits.

The term "second party" can be confusing. From your perspective as the auditee, the second party is the customer or partner doing the auditing. From their perspective, they are conducting a first party audit of their supplier network. The terminology depends entirely on who you are in the transaction.

Second party audits are driven by contractual obligation or commercial necessity. A large manufacturer might audit all suppliers of critical components. A logistics company might audit its subcontractors. A retailer might audit its distribution partners. The motivation is straightforward: these organisations have financial and reputational exposure to your performance, so they want to verify your systems directly rather than relying on third party certification alone.

Under ISO 9001, ISO 14001, and ISO 45001, customer audits are explicitly acknowledged as a form of external audit input. They inform your organisation's management review and contribute to your understanding of compliance and performance. They are legitimate audits performed to established standards, even though they lack the independence and impartiality of a certification auditor.

The Difference Between Second Party and Third Party Audits

Understanding the distinction between second party and third party audits is essential for planning your response. The differences are not merely procedural; they reflect fundamentally different purposes and constraints.

Scope and Objective

Third party certification audits verify conformity to a standard. An ISO 9001 certification auditor assesses whether your quality management system meets the requirements of the standard. Their scope is defined by the standard itself, and their conclusion results in a certificate valid across the industry.

Second party audits are customer audits. Their scope is defined by the customer's requirements, their risk profile, and their contractual terms. A customer may audit only the processes that affect their product or service. They may focus on specific risks they perceive. They may require compliance with their own standards or specifications on top of ISO requirements. Their scope is narrower but often more intense in certain areas.

Auditor Qualifications and Independence

Third party auditors must meet strict criteria under ISO 19011. They must have formal qualifications, relevant industry experience, and ongoing training. They must be independent of the organisation being audited. Certification bodies are accredited by recognised bodies like IRCA or Exemplar Global, which verify auditor competence.

Second party auditors are employed by the customer. They may be competent and well trained, but they are not necessarily independent auditors in the formal sense. Some customers have professional audit teams; others deploy quality engineers or operational managers with limited audit training. This variability is one reason why second party audits can feel less structured than certification audits.

Compliance Framework and Remediation

Certification audits conclude with a single determination: pass or fail. Non conformities must be resolved, but the framework and timeline are transparent. There is an appeal process if you disagree with findings.

Second party audits conclude with a customer report that may trigger various consequences. Some customers use a formal rating system. Others issue findings but lack a standardised process for closure. Some customers will work with you to resolve issues; others may immediately escalate to procurement or terminate the contract. The expectations and remediation pathways are less standardised.

Why Second Party Audits Matter in Supply Chain Management

Second party audits are a fact of life for most organisations in integrated supply chains. Understanding why they matter helps you position them correctly in your audit strategy.

From the customer's perspective, second party audits manage supply chain risk. If a critical supplier's system fails, the customer's product quality, delivery performance, or safety outcomes are at risk. A certification audit provides some assurance, but it does not verify that the supplier is actually delivering to the customer's specific requirements or that the supplier's staff understand the customer's expectations. Second party audits bridge that gap.

From a regulatory and contractual perspective, second party audits are often mandatory. Many customer contracts explicitly require the right to audit suppliers. In regulated industries such as pharmaceuticals, medical devices, aerospace, and defence, customer audits may be a compliance requirement. An organisation cannot simply refuse a second party audit if the customer has contractual rights to conduct one.

For your organisation, second party audits provide direct feedback from customers about the effectiveness of your systems and your understanding of their needs. They are an input to supplier performance evaluation, but in reverse. Your performance in a second party audit directly influences whether the customer renews contracts, places larger orders, or moves business to competitors.

Common Triggers for Second Party Audits

Second party audits are not random. They are typically triggered by specific circumstances that raise the customer's concern or trigger a routine audit schedule.

Quality issues are the most common trigger. If you have shipped defective product, missed critical specifications, or had customer complaints traced back to your process, expect an audit. A customer audit after a quality failure is part inspection, part investigation, and part corrective action verification. The customer wants to understand what went wrong and whether your system has been fixed.

Delivery or schedule failures can trigger audits, particularly in just in time environments. If you have missed critical deadlines or been unable to scale production, the customer may audit your capacity planning, resource management, and production scheduling to understand whether the failure is systemic or isolated.

Regulatory or safety issues immediately trigger customer audits. If you have had a safety incident, a product recall, or a regulatory notice, your customers will want to verify that you understand the issue and have addressed it. These audits are often high stakes.

Routine supplier audits on a predetermined schedule are common with large customers. Many organisations audit all suppliers of critical materials or services on a two to three year cycle, regardless of recent performance. This is a risk management practice; the customer wants current evidence that your systems are operating as expected.

Changes in your organisation, such as ownership changes, facility relocations, significant process changes, or key staff departures, can trigger audits. Customers want to verify that organisational continuity is maintained and that changes have not degraded your capability.

Expansion of your business with the customer can trigger pre qualification audits. If you want to supply a new product line or enter a new market segment for the customer, they may audit you before expanding the contract.

How Second Party Audits Differ in Practice

The reality of managing a second party audit is quite different from managing a certification audit. These practical differences shape how you should prepare.

Planning and Notification

Third party certification audits are scheduled months in advance. You have time to prepare, address known weaknesses, and ensure key staff are available. Your certification body provides audit plans, timelines, and typically follows a predictable schedule.

Second party audits may arrive with little notice. Some customers provide two weeks' notice; others provide two days. The timing may not suit your production schedule. The auditor may expect access during peak production, when your staff are busiest and least available for interviews. You have limited ability to reschedule.

Scope Definition

Certification audits are scoped against the standard. You know what clauses will be audited and can align your systems accordingly.

Second party audits are scoped against the customer's requirements, which may be documented in a contract, a quality agreement, a supplier manual, or a combination of all three. The customer may expect compliance with their internal standards in addition to ISO requirements. The scope can be broad and loosely defined, or very specific and narrowly focused. You must clarify scope before the audit begins, but the customer may not have thought through exactly what they want to audit.

Auditor Interaction and Communication

Certification auditors are trained communicators who explain findings clearly and allow for auditee response. There are formal protocols for opening and closing meetings, and a clear process for nonconformity identification and remediation.

Second party auditors are customers first and auditors second. They may be direct and informal. They may ask loaded questions or make assumptions. They may communicate findings verbally during the audit rather than in a formal report. Some customers have professional audit teams; others deploy operational staff with little audit training. You must adapt to their style and expectations.

Findings and Remediation

Certification audits produce a clear report with clearly categorised findings. You have a defined timeframe (typically 28 to 30 days) to provide corrective action plans for non conformities.

Second party audits may produce a formal report, an email summary, or a verbal debrief. The customer may escalate findings immediately to procurement or management without giving you advance notice. Some customers specify remediation timelines; others expect immediate action. Some customers will accept your proposed corrective action; others want to see evidence of completion before they accept closure.

When to Conduct Your Own Audit Before a Second Party Audit

If you know a second party audit is coming, a proactive internal or pre audit assessment is often wise. This is not the same as an ISO internal audit required by your management system.

A pre audit assessment is a focused review of the specific areas the customer has indicated they will audit. The goal is to identify any obvious non conformities or gaps before the customer finds them. This gives you time to correct issues and demonstrates to the customer that you take their concerns seriously.

The timing is critical. Conducting a pre audit one week before the customer audit is too late; you will not have time to correct findings. Conducting a pre audit three to four weeks beforehand gives you time to address identified gaps. After corrections are made, you can document the changes to show the customer during the audit.

For a pre audit, you should engage someone with audit experience but preferably someone not directly involved in the processes being assessed. An ISO internal auditor with experience in supplier audits is ideal. The pre auditor should use the customer's specific requirements as the audit criteria, not just the ISO standard.

Documentation is crucial. Create a small report of findings with corrective actions and evidence of completion. This becomes a powerful tool during the customer audit: when they find a potential issue, you can show them the documented evidence that you identified and fixed it before their audit. This demonstrates maturity and proactive management.

Preparing Your Organisation for a Second Party Audit

Preparation for a second party audit follows a similar structure to preparing for a certification audit, but with different emphasis and detail.

Review the Audit Brief and Customer Expectations

The customer will typically provide an audit plan or brief that outlines the scope, timing, and focus areas. Read this carefully and clarify any ambiguities. If the brief says they will audit "supplier management" but you do not manage suppliers (you only subcontract delivery logistics), clarify what they actually mean. If the brief references a customer standard you do not have, request a copy and study it.

Meet with the customer contact to confirm expectations. If they specify they will audit your ISO 9001 system against the standard, confirm that. If they say they will audit against their own quality manual, make sure you have the right version. Ask specifically what outcomes the customer expects from the audit: are they looking for a pass or fail, or are they gathering evidence of competence?

Conduct an Internal Review

Have your quality manager or an experienced internal auditor conduct a focused review of the processes the customer has indicated they will audit. Look for obvious gaps or areas where your actual practice does not match your documented procedures. If documentation is out of date, update it. If staff are not following procedures, address it before the audit.

Pay particular attention to the customer's specific requirements. If you are an ISO 9001 certified organisation audited by a customer, you are expected to be fully compliant with ISO 9001. You are also expected to meet any specific requirements in the customer contract or quality agreement. Review these customer specific requirements carefully; they are often areas where organisations slip.

Ensure Documentation is Current and Available

Have your quality manual, documented procedures, and relevant records organised and accessible. Do not hide documents or make auditors hunt for them. If your procedures are documented in electronic systems, ensure the auditor has access or arrange for staff to retrieve relevant records quickly.

Ensure records are complete. If you are required to maintain calibration certificates for measuring equipment, calibration records should be in order and easily located. If you track supplier performance, have that data readily available. The customer auditor will ask to see records, and delays in finding them waste time and frustrate the auditor.

Assign a Liaison and Prepare Staff

Assign a single point of contact who will coordinate the audit, manage logistics, and facilitate access to processes and staff. This person should have authority to make decisions and should not be the technical expert in every area; their role is to facilitate, not to defend.

Brief relevant staff that an audit is occurring and explain why. You do not need to coach staff to say specific things, but staff should understand the general purpose and should be available and cooperative. If staff know an audit is coming, they are less likely to be defensive or dismissive when the auditor asks questions.

Ensure staff know what records they are expected to maintain and where those records are kept. If a process operator cannot locate the last five production records or cannot explain how they verify product specifications, that gap is likely to be identified in the audit.

Conducting a Second Party Audit: What to Expect

Second party audits follow a general structure similar to any other audit, but the atmosphere and depth of inquiry can vary considerably.

The opening meeting typically involves the customer auditor, your audit liaison, and any relevant process owners. The auditor will outline their scope, their timeline, and how they will conduct the audit. Use this meeting to clarify anything unclear in the audit brief. Confirm which areas they will visit and which records they want to review. Discuss any time constraints or facility access issues upfront.

The auditor will then typically conduct document reviews, process observations, and staff interviews. They may ask staff directly about their understanding of procedures and their compliance with requirements. They will observe work being performed and compare observation to documented procedures. They will request records to verify that work is being done as documented.

The depth and thoroughness depend partly on the auditor's competence and partly on the customer's risk perception. A customer auditor investigating a quality failure will dig deeply. A routine compliance audit may be more superficial.

The closing meeting is where the auditor summarises their findings. In a certification audit, the auditor is careful not to indicate pass or fail before the report is issued. In a second party audit, the customer auditor may be more direct. They may tell you they found non conformities or that they are satisfied with your performance. This verbal feedback is valuable; listen carefully and take notes.

Managing Second Party Audit Findings

How you manage findings after a second party audit significantly influences the customer relationship and your ability to retain or grow the business.

First, clarify the finding. If the customer report is vague or if you did not get clear verbal feedback at the closing meeting, contact the customer immediately to understand exactly what they found. Do not assume you understand the issue. Ask for specific examples and clarification of the expectation you did not meet.

Assess whether the finding is a genuine non conformity (you are not meeting a requirement), an observation (you met the requirement but could improve), or a misunderstanding (you are actually compliant but the auditor did not understand your system). Be honest in this assessment. Some organisations defensively claim findings are misunderstandings when they are actually genuine gaps. This erodes customer trust.

If the finding is genuine, develop a corrective action plan that addresses the root cause, not just the symptom. The customer will expect you to prevent recurrence, not just fix the immediate issue. If you shipped defective product because inspectors were not checking a critical dimension, the corrective action is not "the inspector will now check that dimension." The corrective action is "we have reviewed our inspection procedures, trained all inspectors on the critical dimension, implemented a verification step in the control plan, and established a monthly audit of the inspection process."

Provide evidence of completion. Do not just tell the customer you have fixed the issue. Provide documented evidence: updated procedures, training records, updated inspection records from the period after correction, photographs of process changes. This evidence demonstrates seriousness and gives the customer confidence in the correction.

Keep the customer informed. If they expect corrective action within 30 days, provide an update at day 15. If you encounter unexpected obstacles, notify the customer early rather than missing the deadline. Customers respect transparent communication.

Using Second Party Audit Results to Improve Your Management System

Second party audit findings should feed into your internal audit programme and your management review. They are data about how your systems are performing from a customer perspective, and they should inform your risk management and resource allocation.

If a customer audit identifies a gap in supplier management, that finding should be considered in your next internal audit of supplier processes. If a customer audit reveals that staff do not understand a critical procedure, that finding should trigger a training need analysis and updates to your training programme.

Document second party audit results in your management review. They are an input to the effectiveness assessment of your management system and should be considered alongside internal audit results, customer complaints, and regulatory compliance data. Some organisations find that customer audit findings conflict with their own assessment of system effectiveness, which is valuable information about where your self assessment may be optimistic or where customer expectations differ from your understanding.

Build a culture where second party audits are not feared but embraced as an opportunity to understand customer needs more deeply. Some leading organisations use second party audits proactively to verify that their systems are genuinely delivering customer value, not just meeting standard requirements.

The Relationship Between Second Party and Third Party Audits

Second party audits and third party certification audits serve different purposes but complement each other in a comprehensive audit strategy.

A certification audit provides independent verification that your management system meets the standard. It is comprehensive and impartial, but it does not address customer specific requirements. Many organisations have certification but do not meet specific customer expectations, which is why customers conduct their own audits.

A second party audit verifies that you are meeting that specific customer's requirements and expectations. The customer's scope may be narrower than a certification audit, but it is typically more intense in the areas that matter to the customer's business.

Ideally, your organisation should be confident that you would pass a certification audit and that you would satisfy a second party audit from your major customers. This requires alignment between your management system (which is structured to meet the standard) and your customer specific processes (which are structured to meet customer requirements). In many organisations, this alignment is imperfect; procedures are documented to meet ISO requirements, but staff actually follow customer processes that are not fully reflected in documented procedures. This misalignment often becomes visible during an audit.

One approach is to use internal audit planning to cover both standard requirements and customer specific requirements systematically. Rather than having one internal audit process for ISO compliance and a separate process for customer compliance, integrate them. When you audit supplier management, audit against both the ISO 9001 requirement and your major customer's specific expectations for supplier audits.

Building a Second Party Audit Capability in Your Team

If your organisation receives regular second party audits and you want to reduce the risk of findings that damage customer relationships, consider developing audit capability within your team.

This does not necessarily mean certification as an ISO lead auditor. However, having staff who understand audit methodologies, can ask effective questions, and can gather evidence objectively is valuable. An internal auditor trained in supplier audit techniques can conduct a pre audit assessment before a customer audit and can identify gaps that customers are likely to find.

If you regularly conduct audits of your own suppliers, you should ensure your audit teams are competent. This requires training, experience, and feedback. Some organisations invest in formal ISO auditor training for their supplier audit teams; others develop capability through mentoring and experience. The investment in competent auditors is worthwhile if audits are a regular part of your business.

Audit Workshop offers accredited ISO Internal Auditor training that includes comprehensive coverage of supplier and second party audit techniques. Our courses are Exemplar Global recognised and built around real audit scenarios.

Frequently Asked Questions

Legally and contractually, you can refuse if you are willing to accept the consequences. However, if your customer contract grants them the right to audit you, refusal typically violates the contract and gives them grounds to terminate the relationship or withhold payment. In practice, refusing a customer audit is commercial suicide for most organisations. The better approach is to cooperate with the audit and manage any findings professionally.
