Mark Hammar Many companies going for an ISO 9001 certification audit wonder what will happen if the auditors find something wrong in the audit. Will they just leave in the middle of the audit? Will they refuse to grant you certification to ISO 9001? Will they never come back? These questions run through the heads of many ISO 9001 implementers as they await the certification audit, but it is not as bad as you fear. Here is a bit about how audit findings work, what nonconformities mean, and what you need to do about them.
How do audit findings work?
What happens in an audit is the auditor takes a set of criteria, such as the ISO 9001 requirements, along with your policies and procedures, and gathers evidence to verify if the criteria are being met. This evidence may be records, statements of fact, or other information that is relevant to the audit criteria. For example, the ISO 9001 requirements for control of records demand that you have controls to identify, store, protect, retrieve, and retain records. During the audit, the auditors will check the records you have to make sure that they meet all of these criteria.
Once the audit evidence is gathered, the auditors will compare the evidence to the criteria and determine if the criteria were met. The hope is that this comparison will show that the process is conforming to the criteria, but it can also show that it is non-conforming. When the audit finding is that the process is non-conforming, then an audit nonconformity is recorded in the audit report. This is not the end of the world.
What are audit nonconformities, and what do they mean?
During a registration audit, nonconformities are generally divided into two different types by certification bodies: major and minor. Both need to be addressed, but each can mean a different thing when it comes to your company certification being granted.
Major nonconformities are typically seen as a breakdown of a requirement of the Quality Management System (QMS). For instance, the ISO 9001 requirements state that you need to prevent the unintended use of obsolete documents, and to address this you may state in your procedure that employees are not to print out copies of documents to keep at their desk and must use the version available on your intranet. If the auditors found many different people across your company using printed versions of older procedures for their work, this could be seen as a major nonconformity.
A minor nonconformity is when there is a problem found that is more limited in scope throughout your company. If the evidence above for the printed versions of obsolete documents occurred only with one or two individuals in one department, then the problem would labeled as a minor nonconformity.
To answer the earlier question of the auditors leaving in the middle of an audit, this is an extremely rare occurrence and I have only heard of it once. This was when an audit was taking place and several major nonconformities were identified early in the audit, which indicated that the company was actually not ready because the QMS was not fully implemented. The termination of the audit was an agreement between the auditors and the company management, as it was seen as an unnecessary waste of resources to continue.
What do you need to do if a nonconformity is found?
It does not matter if an audit nonconformity is major or minor – you should address them in the same way, by correcting them using your corrective action process. The only real difference in this process between a corrective action raised internally in your company, and one raised due to a certification audit nonconformity, is who should review your plan’s adequacy and perform the follow up. With a certification audit nonconformity, this should be done with your certification body auditor, as they will record your response to the nonconformity in their audit report and follow up on the completion of the corrective action at their next audit.
What I have seen is that any minor nonconformities found in an audit will need to be addressed within a certain timeline, but the certification can be granted when the corrective action plan is received, and the audit team will follow up at the next maintenance audit by the certification body. Major nonconformities might mean that your certification will not be granted until the corrective action is in place and the certification body auditors come and verify that it is effective.
For more on the corrective action process, see this helpful article on Seven Steps for Corrective and Preventive Actions to support Continual Improvement.
Audit nonconformities are not the end of the world.
Because the overall goal of the Quality Management System is to make improvements in the system processes, any nonconformity should be viewed as one way to identify these needed improvements. Sometimes when you have an outside expert look at your processes they can see things that are not easily seen by an observer internal to your company. Use these findings to improve, and you will be getting the most for your money from your certification audit.
Download this free white paper: What to expect at the ISO certification audit: What the auditor can and cannot do to learn more about dealing with nonconformities.
