Mark Hammar

How to write a good ISO 9001 audit nonconformity?

The internal audit process is an important part of the ISO 9001:2015 requirements for implementing a quality management system (QMS). In a previous article, Five main steps in ISO 9001 internal audit, we discussed the main steps needed to have a good internal audit program. However, even if you are following the audit process as planned, it is important to know how to write down any nonconformities that you find in order to easily investigate them.

What is a nonconformity?

In terms of an audit, a nonconformity exists whenever you find evidence that a process has not been performed as it was planned and in accordance with the requirements from the standard. The intent of the audit is to compare the planned arrangements of the process against what is actually happening and to verify that the practices being used conform to what is planned. In short, we expect compliance when we audit, but when we find evidence that this is not the case, we have identified a nonconformity.

This is when a nonconformity statement needs to be made in the audit report.

If you are looking to improve your audit process and include more information from the ISO standard for auditing, the article 13 steps for ISO 9001 internal audit using ISO 19011 gives more information.

What are the guidelines for a good nonconformity statement?

So, how do you ensure that your nonconformity statement is good? It is important to remember why we are writing a nonconformity statement in the first place. The reason you are writing the statement in the audit report is to allow the auditee to take action to correct the nonconformity and to eliminate the cause.

In order to do this, there are some guidelines that should be followed:

  1. Include the requirement. In order to demonstrate that there is a problem, you need to ensure that the person who will address the nonconformity understands what the requirement is.
  2. Include what was wrong. You are writing the nonconformity so that the auditee can investigate what was wrong, so state what problem you found. You need to state the actual audit conclusion that you came to from the data that you obtained.
  3. Include audit evidence. There should be enough information for the person to immediately start investigating the problem. This means that you should include reference to the audit evidence that you found. This gives the auditee a place to start their investigations into the root cause of the problem so that corrective action can be implemented more quickly. Evidence is often given by referring to the actual documented information.

In summary, the audit nonconformity statement should give the person who needs to investigate the problem all the information they need to conduct the investigation. You want to present the detail that you found so that investigation can happen, but you do not want to assign blame or give instructions on what needs to happen. The auditor presents the problem found, not the solution that needs to be implemented.

To find out more about what needs to be in an audit report, see this article: Writing a good QMS internal audit report.

The best practice for writing a good statement

While there is no mandatory way to write a nonconformity statement, there is a best practice that is used to help ensure that adequate information is presented to satisfy the guidelines presented above. This format is the “should be/as found” format. Using this format, it is easy to ensure that you document what is needed for the auditee.

Should be: This is a statement of what should have happened in the process. It is a statement from the ISO 9001:2015 standard, or the internal process details, which indicates what the planned arrangements are. This is important because if you cannot write a “should be” statement, then maybe you don’t really have a nonconformity. This helps to capture the intended process parameters, and not your own personal opinion of what should happen.

As found: This section really includes two parts. In the first part, you state your audit finding that does not meet the “should be” requirement. Then you record the objective evidence you found to support this finding.

To demonstrate this practice, consider the following statement for an audit nonconformity. In this case, the contract review procedure defined that all contracts over $25,000 would be approved by the company president. The auditor found evidence that this was not occurring:

Should be: The contract review procedure states that all contracts over $25,000 will be approved by the company president.

As found: When reviewing a sample of 5 contracts, it was found that 3 of these contracts were over the $25,000 value but were approved by the sales manager. Contract details are: Contract# 2017001 – $30,000, Contract# 2017120 – $45,000, Contract# 2017380 – $27,000.

As you can see, this format easily identifies what is supposed to happen, what is actually happening that is not per the plan, and what evidence was found to support this statement. It is presented without assigning blame or presenting solutions, and it gives the person who needs to investigate the information they need to start looking at the root cause of the problem.

For more information on what happens after an audit identifies a nonconformity, see this article: How to deal with nonconformities in an ISO 9001 certification audit.

Good nonconformity statements make audit findings valuable

The reason that we need to ensure good nonconformity statements is so that those who need to correct the process can get to the root cause and corrective action quickly without wasting time. By reporting nonconformities with adequate detail, we can ensure that the internal audit process provides the best benefit for the company and helps improve the QMS in the best way possible.

To learn even more about how internal audit works in the QMS, see this free online training: ISO 9001:2015 Internal Auditor Course.
