Key Takeaways
  • The most common ISO 9001 audit findings relate to Clause 8 (Operation) and Clause 9 (Performance Evaluation)
  • Calibration gaps, missing competence records, and incomplete management reviews are consistently top findings
  • Root cause analysis failures are a recurring finding - organizations fix symptoms rather than underlying causes
  • Many findings can be prevented by conducting thorough internal audits before the certification audit
  • Understanding the difference between major and minor nonconformities helps prioritize corrective actions

Overview: Understanding ISO 9001 Audit Findings

ISO 9001 is the most widely certified management system standard in the world, with over one million certificates issued globally. Despite this maturity, certain audit findings appear repeatedly across industries, geographies, and organization sizes. Understanding these common pitfalls can help you prepare more effectively for your certification or surveillance audit.

Before examining specific findings, it helps to understand how auditors classify them:

Finding types, their description, and their impact on certification:

  • Major Nonconformity
    Description: Absence or total breakdown of a system to meet a requirement, or a situation that raises significant doubt about the ability to deliver conforming products/services.
    Impact on certification: Certification cannot be granted or may be suspended until resolved.
  • Minor Nonconformity
    Description: Single observed lapse that does not indicate a systemic failure.
    Impact on certification: Certificate can be issued with an accepted corrective action plan; must be closed by the next surveillance audit.
  • Observation / OFI (Opportunity for Improvement)
    Description: Area that could be improved but is not a conformity failure.
    Impact on certification: No formal action required; recommended for consideration.

Auditor Perspective

Experienced auditors look for evidence of a functioning system, not perfection. They understand that every organization has areas for improvement. What matters is that your QMS is genuinely implemented, monitored, and improved - not that every detail is flawless. Most findings are preventable with proper preparation and ongoing system maintenance.

Context and Leadership Findings (Clauses 4-5)

Finding: QMS Scope Does Not Reflect Actual Activities

What auditors see: The documented scope is vague, overly broad, or does not accurately describe the products, services, locations, and processes actually covered by the QMS. In some cases, the scope excludes activities that clearly affect product or service quality.

Why it happens: Scope statements are often drafted hastily during initial implementation and never revisited, or organizations copy generic scope language from templates.

How to prevent it:

  • Write a scope statement that specifically describes your products, services, and key processes
  • Ensure the scope aligns with what customers actually receive from you
  • Review and update the scope when your business activities change
  • If any requirements are not applicable, document a clear justification

Finding: Interested Parties Not Properly Identified

What auditors see: No documented analysis of interested parties and their requirements, or a superficial list that misses key stakeholders (regulators, industry bodies, end users).

Why it happens: Organizations focus only on direct customers and overlook other parties whose requirements are relevant to the QMS.

How to prevent it:

  • Identify all parties with a legitimate interest in your quality performance
  • Document their specific requirements (contractual, regulatory, statutory)
  • Review this analysis at least annually or when circumstances change

Finding: Quality Policy Not Communicated or Understood

What auditors see: A quality policy exists on paper but staff cannot articulate its meaning or how it applies to their work. The policy may be posted on a wall but is treated as decoration rather than direction.

Why it happens: The policy is drafted by management without input from staff, communicated once during implementation, and never referenced again.

How to prevent it:

  • Write a quality policy in language that employees can understand and relate to
  • Communicate it through multiple channels (induction, meetings, displays, intranet)
  • Reference the policy when making quality-related decisions
  • Test awareness during internal audits by asking staff about the policy's meaning

Finding: Quality Objectives Not Measurable

What auditors see: Objectives like "improve quality" or "enhance customer satisfaction" with no defined metrics, targets, timelines, or assigned responsibilities.

Why it happens: Objectives are treated as aspirational statements rather than actionable targets.

How to prevent it:

  • Apply the SMART framework: Specific, Measurable, Achievable, Relevant, Time-bound
  • Assign each objective to a responsible owner
  • Define how and when progress will be measured
  • Report on objective achievement during management review

Planning Findings (Clause 6)

Finding: Risk-Based Thinking Not Evidenced

What auditors see: No evidence that the organization has considered risks and opportunities that could affect QMS outcomes. Processes operate without any documented consideration of what could go wrong or what opportunities exist for improvement.

Why it happens: Organizations interpret "risk-based thinking" as requiring a formal risk register (which is not mandated) and, finding it too complex, do nothing at all.

How to prevent it:

  • Integrate risk consideration into your existing processes - it does not require a separate framework
  • Document risks and opportunities in process documentation, meeting minutes, or a simple risk register
  • Show evidence that identified risks have been addressed through actions or controls
  • Review risks when planning changes or when external/internal issues evolve

Finding: No Evidence of Planned Change Management

What auditors see: Changes to the QMS, processes, or organizational structure have occurred without planning, impact assessment, or consideration of consequences.

Why it happens: Changes are implemented reactively in response to immediate needs without following a structured approach.

How to prevent it:

  • Establish a change management process (it can be simple)
  • Before making QMS changes, document the purpose, potential impact, resource needs, and responsibilities
  • Maintain records of changes made and their outcomes

Support Findings (Clause 7)

Finding: Calibration Gaps for Monitoring and Measuring Equipment

What auditors see: Measuring equipment used to verify product conformity is out of calibration, has no calibration schedule, or calibration records are incomplete. In some cases, equipment is not traceable to national or international measurement standards.

Why it happens: Calibration schedules lapse, new equipment is introduced without being added to the programme, or organizations are unaware of which equipment requires calibration.

How to prevent it:

  • Maintain a register of all monitoring and measuring equipment
  • Define calibration intervals based on manufacturer recommendations, usage frequency, and criticality
  • Track calibration due dates and set reminders
  • Retain calibration certificates with traceability information
  • When equipment is found out of calibration, assess the validity of previous measurement results

Finding: Competence Records Missing or Incomplete

What auditors see: No evidence that persons performing work affecting quality performance are competent, or competence criteria for key roles are not defined.

Why it happens: Competence is assumed based on job title or tenure. Training records are kept by HR but not linked to QMS competence requirements.

How to prevent it:

  • Define competence requirements for each role that affects quality
  • Maintain records of education, training, qualifications, and experience
  • Conduct periodic competence assessments
  • When training is provided, evaluate its effectiveness - not just attendance

Finding: Training Effectiveness Not Evaluated

What auditors see: Training is delivered but there is no evaluation of whether the training achieved its intended outcome. The only evidence is attendance records.

Why it happens: Organizations equate "training provided" with "competence achieved" without verifying the link.

How to prevent it:

  • Evaluate training effectiveness through practical assessments, observation, tests, or performance review
  • Document the evaluation method and results
  • If training is not effective, take additional actions (retraining, mentoring, job aids)

Operation Findings (Clause 8)

Finding: Customer Requirements Not Adequately Reviewed

What auditors see: Orders or contracts accepted without formal review of requirements, or reviews that do not verify the organization's ability to meet the specified requirements. Differences between contract/order and previously communicated requirements are not resolved before acceptance.

Why it happens: In fast-moving environments, contract review is seen as a bottleneck. Verbal orders are accepted without documented confirmation.

How to prevent it:

  • Implement a contract/order review process appropriate to your business
  • Ensure requirements are clearly defined and agreed before work begins
  • Retain records of reviews, including any changes to requirements
  • For repeat orders, establish a process for confirming unchanged requirements

Finding: Design and Development Outputs Incomplete

What auditors see: Design outputs do not adequately address input requirements, lack acceptance criteria, or do not specify characteristics essential for safe and proper use.

Why it happens: Design processes are informal, with outputs reviewed casually rather than against documented input requirements.

How to prevent it:

  • Ensure design outputs are traceable back to inputs
  • Include acceptance criteria and essential product/service characteristics in outputs
  • Conduct formal design reviews, verification, and validation at appropriate stages
  • Retain records of all design activities and decisions

Finding: Supplier Evaluation Gaps

What auditors see: Suppliers providing critical materials or services have not been evaluated, or evaluations are outdated. Supplier performance is not monitored, and there are no defined criteria for selection or ongoing assessment.

Why it happens: Supplier relationships are managed by procurement without quality involvement, or historical suppliers are "grandfathered" without evaluation.

How to prevent it:

  • Define clear criteria for evaluating and selecting suppliers based on their impact on your product/service quality
  • Evaluate all suppliers (including legacy ones) against these criteria
  • Monitor supplier performance using metrics like delivery timeliness, defect rates, and responsiveness
  • Re-evaluate suppliers at planned intervals
  • Retain evaluation and monitoring records

Finding: Nonconforming Outputs Not Properly Controlled

What auditors see: Nonconforming products or services are not identified, segregated, or documented. In some cases, nonconforming product has been shipped to customers without proper disposition.

Why it happens: Informal processes for handling nonconformities, pressure to meet delivery deadlines, or unclear authority for disposition decisions.

How to prevent it:

  • Establish a clear process for identifying and controlling nonconforming outputs
  • Define who has authority to make disposition decisions (rework, accept on concession, scrap, return)
  • Physically or logically segregate nonconforming items to prevent unintended use
  • Retain records of all nonconformities, actions taken, and concessions obtained

Performance Evaluation Findings (Clause 9)

Finding: Internal Audit Programme Not Covering All QMS Processes

What auditors see: The internal audit programme only covers operational processes and neglects management system processes like management review, document control, competence management, or corrective action. Some processes have never been audited.

Why it happens: Internal audit programmes are developed based on departmental structure rather than QMS process coverage, or audit resources are limited and focused on perceived high-risk areas only.

How to prevent it:

  • Map your audit programme to cover all QMS processes and all ISO 9001 clauses over the audit cycle
  • Consider risk and previous audit results when determining frequency, but ensure full coverage
  • Include "system" processes (document control, management review, corrective action) in your programme
  • Track coverage to ensure no gaps over the three-year certification cycle

Finding: Management Review Inputs Incomplete

What auditors see: Management reviews that do not address all required inputs specified in Clause 9.3.2. Common omissions include the status of actions from previous reviews, external provider performance, adequacy of resources, and effectiveness of actions to address risks and opportunities.

Why it happens: Management review is treated as a brief update meeting rather than a comprehensive assessment of QMS performance. Agendas do not reference the standard's requirements.

How to prevent it:

  • Use a management review agenda template that maps directly to Clause 9.3.2 requirements
  • Prepare data and reports for each required input in advance
  • Document discussions, decisions, and assigned actions with owners and deadlines
  • Track action completion and report status at the next review

Common Management Review Omissions

The most frequently missing management review inputs are: (1) effectiveness of actions taken to address risks and opportunities, (2) external provider performance data, (3) adequacy of resources assessment, and (4) status of previous action items. Use ISO 9001 Clause 9.3.2 as a checklist when preparing your agenda.

Improvement Findings (Clause 10)

Finding: Corrective Actions Not Addressing Root Cause

What auditors see: Corrective actions that are actually corrections (fixing the immediate problem) rather than corrective actions (eliminating the root cause to prevent recurrence). For example, reworking a defective product is a correction; investigating why the defect occurred and changing the process to prevent it is corrective action.

Why it happens: Organizations conflate "fix the problem" with "prevent the problem from recurring." Root cause analysis is not performed, or the analysis is superficial (e.g., "human error" without investigating why the error was possible).

How to prevent it:

  • Train personnel on root cause analysis techniques (5 Whys, fishbone diagram, fault tree analysis)
  • Require root cause analysis for all significant nonconformities
  • Distinguish between correction (immediate fix) and corrective action (systemic prevention) in your records
  • Verify effectiveness of corrective actions after implementation
  • Consider whether similar nonconformities could occur elsewhere and extend actions accordingly

Finding: No Evidence of Continual Improvement

What auditors see: The QMS is maintained at a steady state with no evidence of proactive improvement activities beyond corrective actions. Processes, objectives, and performance metrics remain static year over year.

Why it happens: Organizations achieve certification and enter "maintenance mode," focusing only on closing audit findings rather than genuinely improving.

How to prevent it:

  • Use management review outputs, data analysis results, and internal audit findings to identify improvement opportunities
  • Implement improvement projects beyond corrective action (process optimization, technology upgrades, customer experience improvements)
  • Track and demonstrate improvement trends over time (reduced defects, improved delivery, higher customer satisfaction)
  • Encourage staff to propose improvement ideas and recognize contributions
  • Review and evolve quality objectives to drive continuous advancement

Prevention Strategies: Preparing for a Successful Audit

Before the Audit

Activities, their timing relative to the audit, and their purpose:

  • Thorough internal audit (6-8 weeks before): Identify and close nonconformities before the certification body finds them
  • Management review (4-6 weeks before): Demonstrate top management oversight and ensure all inputs are addressed
  • Document review (3-4 weeks before): Verify all documents are current, approved, and reflect actual practice
  • Evidence organization (2-3 weeks before): Ensure records are accessible, organized, and demonstrate consistent implementation
  • Staff briefing (1-2 weeks before): Prepare personnel who may be interviewed on what to expect and how to respond

During the Audit

  • Be transparent: Do not try to hide problems. Auditors are trained to detect evasion, and honesty builds trust
  • Answer what is asked: Respond to the auditor's question specifically. Do not volunteer additional information that opens new lines of inquiry
  • Show evidence: Auditors need documented evidence, not verbal assurances. Have records ready and organized
  • Ask for clarification: If you do not understand a question, ask the auditor to rephrase it
  • Designate a guide: Assign a knowledgeable person to accompany the auditor and facilitate access to evidence and personnel

Ongoing Best Practices

  • Live your QMS: Operate your QMS throughout the year, not just before audit time
  • Regular internal audits: Spread internal audits throughout the year rather than conducting them all at once
  • Process owner accountability: Ensure each process has an identified owner responsible for its performance and improvement
  • Data-driven decisions: Regularly analyze performance data and act on trends before they become nonconformities
  • Customer feedback loop: Actively seek, monitor, and act on customer feedback and complaints

The best audit preparation is a well-functioning QMS that operates every day - not a last-minute scramble before the auditor arrives. When quality management is genuinely part of how you run your business, audits become a validation exercise rather than a stressful event.

Frequently Asked Questions

What is the most common ISO 9001 audit finding?

The most common ISO 9001 audit finding is incomplete or missing calibration records for monitoring and measuring equipment (Clause 7.1.5). Calibration schedules frequently lapse, new equipment gets introduced without being added to the calibration programme, or records lack traceability to national or international measurement standards. Close behind are competence record gaps (Clause 7.2) and incomplete management review inputs (Clause 9.3).

What happens if you get a major nonconformity?

If a major nonconformity is raised during your audit, certification cannot be granted or maintained until the issue is resolved and verified by the auditor. A major NC indicates an absence or total breakdown of a system to meet a requirement, or raises significant doubt about the organization's ability to deliver conforming products and services. A follow-up verification audit is typically required, which adds cost and time to the certification process.

How many nonconformities are normal in an ISO 9001 audit?

For a first certification audit, 2-5 minor nonconformities is typical and not a cause for concern. Experienced auditors expect to find some areas for improvement in every organization. Zero findings may even raise questions about audit thoroughness. What matters is that findings are addressed with effective corrective actions that include genuine root cause analysis, not just quick fixes.

Can an auditor fail you for not having a quality manual?

No, an auditor cannot raise a nonconformity for the absence of a quality manual under ISO 9001:2015. The 2015 revision deliberately removed the mandatory quality manual requirement that existed in the 2008 version. However, you must still have all documented information explicitly required by the standard, including the QMS scope, quality policy, quality objectives, and various operational records.

How long do I have to close nonconformities?

Typically, minor nonconformities must be closed within 90 days, though the exact timeframe varies by certification body. You must submit a corrective action plan that includes root cause analysis and evidence of implementation. Major nonconformities often require a verification audit to confirm closure before certification can be granted or maintained. It is advisable to begin corrective action immediately after the audit closing meeting rather than waiting.