Audit practice · 7 min read · by Lars Zimmermann

Consulting, Internal Audit, Third-Party Audit: Who Checks What?

Three audit roles, three different mandates. When does a company need consulting, an internal audit, or a third-party audit, and why is mixing them risky?

In short

Consulting, internal audit, and third-party audit differ in mandate and independence. The consultant helps build your management system, the internal audit is the organization's mandatory self-assessment, and only an accredited certification body may issue an accredited certificate in a third-party audit. Whoever builds or advises on a system must not also certify it (ISO/IEC 17021).


“Consultant, auditor, certifier, isn’t that all the same thing?” I hear this question from companies almost every week. And every time, it makes me wince a little. Because behind it sits not just a confusion of terms, but a trap that can cost real money: anyone who throws consulting, internal audit, and accredited third-party audit into one pot buys the wrong service at the wrong price, and later wonders why the certificate doesn’t hold up or why the regulator starts asking questions.

Let’s be honest: these three audit roles do not differ by a nuance. They differ in mandate, in responsibility, in independence, and in what is ultimately legally defensible. I’ll explain it here the way I’d explain it to a managing director at the kitchen table who has just been handed a quote for an “AI audit” and doesn’t know whether to buy.

Three mandates, three responsibilities

Before we talk about prices or providers, we need to sort the mandate cleanly. Each of the three roles has its own goal. Confuse them, and you buy the most expensive service for the least benefit.

1. Consulting (Implementer)

The consultant helps build. They help you stand up the management system to ISO/IEC 42001 or ISO/IEC 27001, write policies with you, define roles, train staff, run risk assessments, and close gaps. They are partial, on your side. That is not meant negatively, quite the opposite: a good consultant has one goal, that you become ready for certification. Full stop.

What consulting is not: an independent judgment. Whoever builds their own system cannot assess it objectively. That is not a question of morality but of human logic: nobody reliably finds their own blind spots. Exactly for that reason, consulting is separated from certification.

A consultant is like an architect. They build you a good house. But they are not the building inspector who signs off on it at the end.

2. Internal audit (first-party audit)

The internal audit examines your own management system, carried out by you, on behalf of top management. It is mandatory: ISO/IEC 42001 requires it just as ISO/IEC 27001 and ISO 9001 do. No internal audit, no certificate, because the standard explicitly demands a demonstrable self-assessment.

An internal audit can be performed by:

  • Your own staff with auditor qualifications and sufficient independence from the area under review (never audit your own area).
  • External auditors brought in as service providers when in-house know-how is missing; this is legitimate and very common among smaller and mid-sized companies.

What an internal audit is not: an accredited certificate. It is a mandatory step in the PDCA cycle of your management system, not external market evidence. But: whoever audits honestly here walks calmly into the certification body’s Stage 2 audit. Whoever cuts corners here builds the risk straight into the process.

3. Third-party audit (accredited certification audit)

The third-party audit is carried out by an accredited certification body, in Germany supervised by the national accreditation body (DAkkS). Only this body may issue an accredited certificate. This is the form that customers, authorities, and regulators accept as evidence.

This body is independent, bound by ISO/IEC 17021, and audits according to a clearly documented procedure in two stages (Stage 1: document review; Stage 2: on-site audit). The certification body’s auditor must not have advised you, nor built your system, nor be economically dependent on you.

I myself work as a Senior Lead Auditor ISO/IEC 42001 and Lead Auditor ISO/IEC 27001 (PECB), also on behalf of certification bodies, when they engage me as an external auditor. More than 1,200 documented audit hours across five European countries, the Netherlands, Scotland, Croatia, Serbia, Türkiye, and in five different sectors from aviation to precision engineering. But: consulting and an accredited certification audit are something I may not do for the same client. Never.

A quick aside: where does second-party fit in?

Sometimes the term second-party audit comes up. That is the supplier audit: you assess a supplier on your own behalf, not accredited, but as a customer toward the provider. Important: this is not a substitute for ISO certification. But it is a form I often work in, when a company engages me to audit one of its AI service providers or subcontractors.

When do I need what?

Here is the decision logic from my practice. It is not academic, it grew out of real engagements.

  • You want to build ISO/IEC 42001 but don’t yet have a management system? → Consulting / gap analysis / implementation support. Build the system first, then audit it.
  • You have built the system and want to know, before the certification audit, where it still falls short? → Internal audit by an external auditor (someone not involved in the build). A reality check before Stage 2.
  • You want the accredited certificate? → Third-party audit via an accredited certification body. Full stop. No consultant may issue it.
  • You want to assess an AI supplier you work with? → Second-party audit. Pairs well with a confidentiality agreement.
  • You are already certified and need the annual surveillance? → Surveillance audit, again by the same certification body (re-certification every three years).

The mixing trap: why it burns when roles cross

In the market there are providers who offer everything from a single source: consulting plus audit plus “certificate.” That sounds convenient. But it is legally and substantively problematic. Reasons:

  • Independence under ISO/IEC 17021: an accredited certification body may neither consult nor implement, otherwise it loses its accreditation.
  • Credibility in the market: customers and supervisory authorities recognize very well whether a certificate comes from an accredited body or from a consultant who cobbled together their own logo.
  • Liability in a dispute: if something goes wrong (a data protection breach, an AI bias incident, a regulatory proceeding), the authority examines who performed which audit for which purpose. Mixed roles weaken your defensive position.

My test when a client puts a provider’s “AI audit package” on the table: I ask who issues the certificate. If the answer is “we do”, hands off. If the answer is “through an accredited body such as TÜV, DEKRA, DQS or similar”, then I can take a closer look.

What I deliberately don’t do, and why that’s a mark of quality

A clear statement from my side: I am an auditor and a consultant. I can run internal audits, gap analyses, implementation support, supplier audits. I can also work as an external auditor for accredited certification bodies, as a subcontractor under their mandate.

What I do not do: issue my “own certificate.” That would be worthless, would destroy my brand, and would be misleading in marketing toward authorities and clients. “The AI Auditor” is a brand of FERNAU Präzisionstechnik GmbH, not a certification body. This separation is deliberate. It is my mark of quality.

Anyone who tells you they are consultant, auditor, and certifier in one has not understood the system. Or they are hoping that you don’t.

The two rules every managing director should know

If you remember only two things:

  • Rule 1: Whoever builds you must not certify you. Consulting and accredited certification are separate, by standard, by accreditation rule, by common sense.
  • Rule 2: Only accredited certification bodies issue accredited certificates. Anything else is a confirmation, but not market evidence in the sense of the standard.

With these two rules in your pocket, you can assess any audit offer in 30 seconds. And you save yourself expensive bad purchases, not only in euros, but in trust toward customers and regulators.


Frequently asked questions

Can my consultant also certify me?

No, at least not on an accredited basis. Consulting and accredited certification must be separated for independence reasons (ISO/IEC 17021). Whoever builds your system may not also issue the certificate. If someone offers this, the certificate is not accredited, and therefore worth considerably less in the market.

Do I even need a third-party audit for ISO/IEC 42001?

It depends on what you need it for. If you need the certificate as market evidence toward customers or supervisory authorities, yes. If it is purely about internal governance, an external gap analysis plus an internal audit may suffice. The question is always: who will accept this evidence afterward?

Can an internal auditor issue the certificate?

No. The internal audit is a mandatory part of the management system and a prerequisite for accredited certification. But the certificate itself is issued only by the accredited certification body. The internal auditor provides the self-assessment, the external body then assesses objectively.

When is a gap analysis better than an internal audit?

A gap analysis fits when you are not yet ready for certification and first want to know where you stand. It is a sample check against the standard, not a full audit. The internal audit is the formal, mandatory self-assessment after the system has been built. In practice the gap analysis comes first (before building the system), then the internal audit (before the certification audit).

What does a third-party audit for ISO/IEC 42001 cost?

Prices vary widely by organization size, scope of the management system, number of sites, and audit time (man-days). It pays to compare offers from several accredited certification bodies (TÜV, DEKRA, DQS, or PECB partner certification bodies). Invented price ranges won’t help you; request quotes directly from two or three bodies with your specific scope.

Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & ISO/IEC 27001 Lead Auditor (PECB)

Last updated: 01 June 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.
