ISO Audit Results and Nonconformities

by Miriam Boudreaux, published July 17, 2009

There are some misconceptions about what ISO audit findings are. In this article, I attempt to explain clearly what audit findings are, what types of findings may be generated in an audit, and the guidelines that are widely used to categorize audit findings.

What are the results of audits?


Depending on the audit style adopted by the organization or the audit procedures for the
company, the audit report for internal audits may list all 4 different types of findings as
explained below, or only some. The organization may decide that only nonconformances (NCNs) will be reported on the internal audit report. The ISO 9001:2008
standard requires organizations to have a documented procedure for how audits will be
carried out; however, it does not specify exactly how audit findings should be reported. So
it is up to the company to decide what and how audit findings are handled.

External audits are handled somewhat differently. While each registrar has their own
procedure as to how audits are conducted and how reports are issued, most registrars
will issue various types of findings, such as noteworthy efforts, observations,
opportunities for improvement and non-conformances. It is important to note that
registrars, based on accreditation body guidelines, would not require action or response
on any finding type except for non-conformances.

What are Findings?


ISO Audits do not result in a grade, percentage or score. The results of ISO audits are
findings. Findings can be good or bad. A few types of findings are:

Praises or noteworthy efforts


These are areas that were observed during the audit and that are seen as
excellent examples of implementation of the requirements of the standard.
Noteworthy efforts are also given when the practices are seen as best in
class. They could also be issued when the company has shown significant
improvement in certain areas from prior audits. Noteworthy efforts do not
require any action. When provided in the audit report, they are included for
reporting purposes only and to show the organization areas it can feel
proud of.

Observations

Observations are simply pointed out by the auditor as areas that are in
compliance but very close to becoming a nonconformance, or that, given
additional evidence, could turn into a nonconformance. Observations
can be looked at as accidents waiting to happen. We at Mireaux advise our
clients to treat observations very seriously and in fact incorporate them into
the organization as preventive actions and handle them as such. This helps
tremendously with the balancing of corrective and preventive action; most
organizations have a really hard time issuing preventive actions. It also makes
effective use of audit reports by taking into account the auditor's efforts and
experience.

Non-conformances

Non-conformances or NCNs are areas where the organization's quality
management system does not comply with one of the requirements of the
standard or where the organization failed to show evidence of compliance.
Non-conformances have a clear requirement that was not met and there is
clear evidence of what was seen or not seen. Non-conformances have 3
elements:

o Requirement
o Non-conformance
o Evidence

Nonconformities are, in essence, just another type of finding; however, it is the
one that everyone concentrates on and that the organization worries about
most.

Opportunities for Improvement


Opportunities for improvement are areas that are not necessarily wrong or
not meeting the requirements of the standard. Unlike observations,
opportunities for improvement are not accidents waiting to happen; rather,
they are practices that have been implemented poorly and either do not add
value or consist of several non-value-added steps. Auditors usually point out
opportunities for improvement when they believe, based on their expertise
and expanded view of quality management systems, that those practices
could be enhanced or done more efficiently.

Grading or classifying Nonconformities


Some registrars classify their non-conformances into major and minor, as in major
non-conformance and minor non-conformance. Other registrars classify non-conformances as Category 1 and Category 2. Those terms are basically
interchangeable:

o Major non-conformances or Category 1

Major non-conformances are those findings where an element of the ISO standard has not
been met or where there is a significant breakdown in the quality
management system. A group of minor NCNs in the same
specific area of the standard may also be elevated to Category 1.
Minor NCNs that have not been properly addressed after a whole
audit cycle may also be elevated to Category 1.

o Minor non-conformances or Category 2

Minor nonconformities are those where there is a minor lapse in the quality
management system and where it is basically evident that the system or requirement has
been established and for the most part is implemented correctly.
ISO Non-conformances generated from internal audits are typically not even classified as
major or minor and are simply reported as non-conformances in the audit report.
Before defining the difference between minor and major, we need to understand that a
nonconformity is the nonfulfillment of a requirement. In other words, a specified requirement is
not being met.
A Minor Nonconformity would be the failure to conform to a requirement that in the auditor's
judgment and experience is not likely to result in a failure of the quality management system. It
may be a single observed lapse or isolated incident where there is minimal risk of nonconforming
product being released to the customer.
Examples of minor nonconformities would be a document with an unauthorized change, a
missing training record, a purchase order released without approval, or an instrument past its
calibration date.
A Major Nonconformity would be the total breakdown of the quality management system or one
of its processes, or the failure to address a key ISO 9001 requirement. It would be a
nonconformity that in the auditor's judgment and experience would likely result in the system
failure or materially reduce its ability to assure controlled processes and products.
It would also be a major nonconformity if the failure would result in the probable shipment of
nonconforming or uninspected product, or materially reduce the usability of the product for its
intended purpose. Minor nonconformities against the same ISO 9001 clause may be the trivial
many that are grouped into a major nonconformity.
Examples of major nonconformities would be the absence of a required documented procedure,
critical purchases made from unapproved suppliers, document changes routinely made in an
unauthorized way, or product being shipped without completion of required tests.
Some organizations have dropped minor and major designations due to the difficulty in classifying
them and the resulting debate with the audited areas. However, some organizations use the
minor and major designations to match the approach of their certification body and to require a
more rapid response for serious nonconformities. Regardless of the severity level, the
nonconformities must be addressed with corrective action.

If you want to classify a nonconformity as minor or major, one approach is to look at the
frequency, detection, and impact of the nonconformity.
Frequency: How often is the problem likely to be repeated?
Detection: Would the system likely detect it before release?
Impact: What would be the impact if it remains uncorrected?
If a problem rarely happens, is easily detected, and has no direct impact on the customer, it
would be recorded as a minor nonconformity. If a problem frequently happens, is difficult to
detect, and will impact the customer if not corrected, it would be identified as a major
nonconformity.
What about a minor nonconformity that continues to be found after corrective action has
been completed? You should write up the nonconformity again and write a separate nonconformity
against the corrective action process. If the minor nonconformity continues to repeat, then a
major nonconformity should be written against the ineffective corrective action process.
In some cases, a process may be found conforming, but still an area of concern. These
observations may be written as Opportunities for Improvement. Since they are potential problem
areas, the organization can consider taking preventive actions for these observations. Corrective
actions are taken for the reported nonconformities.
Many nonconformity reports are poorly written. Follow these 6 Cs for improved statements:

1. Complete (contains all the related facts)
   why: unmet requirement
   what: objective evidence
   where: which work area
   when: the date and shift
   who: by title, if relevant
2. Correct (accurately conveys the facts)
3. Concise (fully explained in brief terms)
4. Clear (understood for prompt action)
5. Categorized (minor or major, if used)
6. Confirmable (traceable and verifiable)

An audit is only successful if it is the catalyst for prompt and effective corrective action for
nonconformities and possible preventive action for opportunities for improvement. A complete and
correct nonconformity report is essential. It must be clearly and concisely expressed to initiate the
right action.