A second-party audit is typically performed by an organization (often a customer) on an external provider (supplier) to evaluate their capability and performance—i.e., to determine whether they can consistently meet requirements.

ISO 9001:2015 supports this purpose through its requirements for control of externally provided processes, products and services, where the organization must evaluate and monitor external providers:

ISO 9001 requires the organization to “determine and apply criteria for the evaluation, selection, monitoring of performance and re-evaluation of external providers based on their ability to provide processes or products and services in accordance with requirements.” ➜ This aligns directly with Option B (evaluate an external provider’s management system), because evaluating a provider’s system/process controls is a primary way to confirm their ability to meet requirements.

ISO 9001 also requires analysis/evaluation of data including “the performance of external providers.” ➜ This reinforces that ISO 9001 expects organizations to evaluate suppliers, which is the practical purpose of a second-party audit.

Why the other options are not correct under ISO 9001 context:

A (certify) is not the purpose of a second-party audit; certification is done by an independent third-party certification body, not by a customer/supplier relationship.

C (inspect products) can be one control activity, but ISO 9001’s requirement is broader—evaluate/monitor/re-evaluate the provider’s capability and performance, not only inspect output.

D (approve processes) may occur as a result of evaluation, but ISO 9001 explicitly emphasizes evaluation and monitoring, making B the best definition.