The final stage of your ISO 9001 certification journey is in sight: the external audit. After a significant investment of time, resources, and team effort, the prospect of facing a non-conformity can be a source of considerable anxiety. Many organisations feel uncertain about what auditors are truly looking for, leading to stress and a fear of failing after dedicating so much to building a compliant Quality Management System.
This guide is designed to replace that uncertainty with confidence. We will demystify the audit by detailing the most common non-conformities our certified lead auditors encounter in the field. You will receive expert, actionable advice to proactively address these potential pitfalls, ensuring your QMS is not just compliant, but genuinely effective. By understanding these frequent challenges, you can prepare your team, streamline your documentation, and face your audit ready to achieve certification on the first attempt.
Understanding Non-Conformities: What Auditors Are Really Looking For
An ISO 9001 audit can feel intimidating, but understanding its core purpose helps demystify the process. At its heart, an audit seeks to verify that your Quality Management System (QMS) meets all requirements. A ‘non-conformity’ is simply the official term for any instance where this is not the case: a gap between your documented processes and your actual practices, or a failure to meet a specific clause of the ISO 9001 standard. It is crucial to view this not as a penalty, but as a valuable, objective insight. The auditor’s role is not to find fault but to identify areas for strengthening your system, ensuring it delivers consistent quality and drives continual improvement.
Major vs. Minor Non-Conformities Explained
Auditors classify findings into two main categories, and understanding the distinction is key. The severity of a non-conformity directly impacts your certification journey.
- Major Non-Conformity: This indicates a significant breakdown or total absence of a required system or process. It poses a direct risk to the QMS’s integrity or its ability to deliver conforming products or services. For example, having no evidence that any management reviews have ever been conducted would be a major finding.
- Minor Non-Conformity: This is a single, isolated lapse or failure within an otherwise functional and compliant system. It does not represent a systemic failure. For instance, discovering one missing training record for a newly hired employee would typically be classified as a minor issue.
The Role of Objective Evidence
An auditor’s assessment is not based on opinion or assumption; it is built entirely on objective evidence. This includes any records, statements of fact, or other verifiable information relevant to the audit criteria. In the world of auditing, a core principle is: if it is not documented, it did not happen. These requirements are rooted in the fundamental principles of the ISO 9000 family of standards, which emphasize a factual approach to decision-making. Auditors will look for concrete proof of compliance, such as:
- Completed forms and checklists
- Meeting minutes
- Calibration records for equipment
- Internal audit reports
- Records of corrective actions
Beyond non-conformities, auditors may also issue an ‘Opportunity for Improvement’ (OFI). This is not a failure to meet a requirement but a positive, forward-looking observation. An OFI is a professional suggestion from the auditor on how a process could be enhanced, offering a direct path to making your QMS even more effective.
Category 1: Leadership and Context (Clauses 4 & 5)
Non-conformities related to Leadership (Clause 5) and Context of the Organization (Clause 4) are often the most critical an auditor can raise. Failures at this strategic level suggest that the Quality Management System (QMS) is not integrated into the business, but rather exists as a separate, superficial layer. These issues reveal a fundamental lack of commitment from the very top, which undermines the entire system’s integrity. When implemented correctly, the core principles of leadership and strategic alignment are precisely how ISO 9001 can transform your small business, making these non-conformities particularly damaging to both compliance and performance.
Non-Conformity: Lack of Management Commitment
An auditor will quickly identify when leadership treats the QMS as a box-ticking exercise. This is a major red flag, as genuine commitment is the engine that drives continual improvement. Without it, the system will inevitably fail.
- Symptom: Management review meetings are inconsistent, rushed, or poorly documented with no clear outcomes or assigned actions.
- Symptom: Necessary resources (including staff time, training, or essential tools) are not allocated to maintain and improve the QMS.
- Prevention: Schedule management reviews on a fixed, recurring basis. Ensure detailed minutes are taken, capturing decisions, action items, responsibilities, and deadlines.
- Prevention: Leadership must actively participate in, and champion, the QMS. They should lead discussions, review performance data, and allocate the budget and resources required for success.
Non-Conformity: Poorly Defined QMS Scope
The scope statement defines the boundaries of your QMS. If it is vague, inaccurate, or does not reflect the reality of your operations, any audit findings can become systemic. A poorly defined scope is a foundational crack that compromises the entire structure of your ISO 9001 certification.
- Symptom: The documented scope is ambiguous (e.g., “provides services”) or fails to include all relevant products, services, and locations.
- Symptom: Justifications for excluding certain clauses of the standard are weak, illogical, or non-existent.
- Prevention: Clearly and precisely define the physical and operational boundaries of your QMS. Document what your organization does, the products and services it provides, and which sites are covered.
- Prevention: If you exclude any part of the standard, provide a robust and logical written justification explaining why it is not applicable to your operations.
Non-Conformity: The Quality Policy is Just a Poster
The quality policy should be the guiding star for all quality-related activities. If it is merely a framed document on the wall that employees cannot explain, it fails to meet the requirements of the standard. It must be a living document that influences daily work and strategic direction.
- Symptom: When asked, employees are unable to explain the quality policy or how it applies to their specific role and responsibilities.
- Symptom: The policy is never referenced in strategic planning, management reviews, or when setting quality objectives.
- Prevention: Conduct regular training to ensure all staff understand the quality policy and its practical meaning for their roles. Use real-world examples.
- Prevention: Make the policy a central point of discussion in management meetings. Use it as a benchmark when making decisions and setting new objectives.
Category 2: Documentation and Records (Clause 7.5)
Documentation and records, covered under Clause 7.5, represent one of the most common areas for minor non-conformities during an ISO 9001 audit. While often dismissed as mere “paperwork,” the control of this documented information is foundational to a credible Quality Management System (QMS). When an auditor finds poor document control, it immediately casts doubt on whether approved procedures are actually being followed across the organization.
This is not about creating unnecessary bureaucracy. It is about ensuring consistency, control, and the overall integrity of your quality processes. Without reliable documentation and records, a QMS lacks the objective evidence needed to prove its effectiveness.
Non-Conformity: Inadequate Document Control
This issue arises when the processes for creating, approving, and distributing documents are weak or non-existent. An auditor may find different teams using different versions of the same form, leading to inconsistent outputs. Without a formal system, it is impossible to ensure that everyone is working from the most current, approved information.
- Common Symptoms: Employees are found using outdated procedures or forms; there is no clear process for approving or issuing new documents.
- Effective Prevention: Implement a simple but effective version control system on all documents (e.g., Version 1.1, Rev. Date 2023-10-26). Establish a master document list that tracks the current version of every controlled document and define a clear workflow for review and approval.
Non-Conformity: Missing or Incomplete Records
While document control manages the “how,” records provide the “proof.” They are the objective evidence that your QMS is functioning as intended. Extensive ISO 9001 research highlights that the value of certification is tied to the verifiable implementation of these processes. If records of crucial activities like equipment calibration, employee training, or internal audits are missing, illegible, or cannot be found, an auditor has no choice but to issue a non-conformity.
- Common Symptoms: Records required by the standard are not kept (e.g., management reviews, supplier evaluations); existing records are illegible, hard to find, or stored insecurely.
- Effective Prevention: Identify and list all records your QMS requires you to maintain, including defined retention periods. Ensure all records are stored in a logical, secure, and accessible manner, whether physically or electronically, so they can be retrieved easily for an audit.

Category 3: Operational Failures (Clause 8)
Clause 8 of the ISO 9001 standard covers the operational processes of your business: the core activities that create your product or deliver your service. Non-conformities in this category are particularly serious because they directly impact quality and customer satisfaction. They often reveal a critical disconnect between the documented procedures in your Quality Management System (QMS) and what actually happens on a daily basis.
An auditor will look for evidence that your operations are controlled, consistent, and capable of meeting requirements. Failures here indicate that the QMS is not fully integrated into the organization’s work, a common challenge on the journey to ISO 9001 certification.
Non-Conformity: Lack of Process Control
This occurs when work is performed inconsistently or without following established guidelines. An auditor may observe an employee using a different method than the one documented, or find that critical process outputs are not being measured.
- Symptom: Work is not performed according to defined procedures, work instructions, or drawings.
- Symptom: Monitoring and measurement criteria for processes (e.g., temperature, pressure, time) are not defined or followed.
- Prevention: Ensure procedures are practical, clear, and readily accessible to all relevant staff.
- Prevention: Define and monitor key metrics that confirm your processes are effective and under control.
Non-Conformity: Ineffective Supplier Management
Your final product quality is heavily dependent on the quality of the raw materials and services you procure. A non-conformity is often raised when there is no objective evidence to show how external providers are selected, monitored, and re-evaluated.
- Symptom: There are no clear, documented criteria for selecting or evaluating suppliers.
- Symptom: Poor supplier performance (e.g., late deliveries, defective materials) is not addressed or documented.
- Prevention: Establish and consistently apply clear criteria for supplier selection, evaluation, and re-evaluation.
- Prevention: Maintain records of supplier performance reviews and any corrective actions taken.
Non-Conformity: Poor Control of Nonconforming Outputs
When a product or service fails to meet specifications, it must be controlled to prevent its unintended use or delivery. Auditors will look for a robust system to identify, segregate, and decide on the disposition of these nonconforming outputs.
- Symptom: Defective products are not properly identified, segregated, or controlled.
- Symptom: There is no clear, documented process for what to do when a nonconforming product or service is found.
- Prevention: Implement a clear, simple procedure for identifying and quarantining nonconforming outputs, such as using distinct facility signage from Vorix Signs to clearly mark designated quarantine zones.
- Prevention: Keep detailed records of all nonconformities, including their nature, the actions taken, and the final disposition.
Category 4: Improvement and Review (Clauses 9 & 10)
The final categories of non-conformity relate to Clauses 9 (Performance Evaluation) and 10 (Improvement). These clauses represent the ‘Check’ and ‘Act’ stages of the Plan-Do-Check-Act cycle. This is where the true, lasting value of a Quality Management System (QMS) is realized. A non-conformity here often reveals that a QMS is merely a static set of documents rather than a living system designed for continual improvement. An effective system must learn from its mistakes and evolve.
Non-Conformity: Weak Corrective Action Process
Auditors frequently find that when a problem occurs, the resulting corrective action only addresses the immediate symptom. The root cause is often overlooked, meaning the issue is likely to reappear. For example, simply retraining an employee for a mistake without investigating why the process allowed the error to happen is an insufficient response.
Prevention Strategies:
- Train your team in simple but effective root cause analysis techniques, such as the ‘5 Whys’, to dig deeper into systemic issues.
- Always implement a verification step to confirm that the corrective action was effective and has prevented recurrence of the problem.
Non-Conformity: Ineffective Internal Audits
Internal audits are a critical tool for self-assessment, but they are often treated as a low-priority task. Common findings include infrequent audits that fail to cover all processes over time, or auditors who lack independence from the area they are assessing. An internal audit should be a rigorous health check for your QMS, not a formality.
Prevention Strategies:
- Develop a formal internal audit schedule that ensures all aspects of your QMS are reviewed within a defined cycle (e.g., over one to three years).
- Ensure internal auditors are properly trained and, crucially, are impartial and objective.
Non-Conformity: Management Review as a Tick-Box Exercise
The management review is the cornerstone of QMS governance. However, it can easily become a perfunctory meeting where a checklist is completed without meaningful analysis or strategic decision-making. If the meeting produces no clear actions or resource commitments, it fails to meet the intent of the ISO 9001 standard.
Prevention Strategies:
- Use a standard agenda for every management review that is directly based on the required inputs and outputs listed in Clause 9.3.
- Ensure all decisions are documented as clear, assigned action items with deadlines to drive accountability and progress.
Mastering the principles of review and improvement transforms your ISO 9001 system from a compliance burden into a powerful engine for business excellence. Navigating this journey with confidence requires expert guidance. To learn more about building a robust QMS, visit alignquality.com.
Navigate Your ISO 9001 Audit with Confidence
Preparing for your ISO 9001 audit is not merely about avoiding penalties; it is a vital opportunity to reinforce your commitment to quality. The most common non-conformities often stem from foundational gaps in leadership engagement, inconsistent documentation, and lapses in operational control. By proactively addressing these areas, you transform your Quality Management System from a set of rules into a powerful framework for continual improvement and enhanced customer satisfaction.
The certification journey can seem complex, but you do not have to navigate it alone. At Align Quality, our experts are here to provide clear, methodical guidance. With support from Certified ISO 9001 Lead Auditors, our proven 5-Stage Certification Process, and extensive multi-industry experience, we ensure your system is robust, compliant, and ready for scrutiny. Let us help you turn audit preparation into a strategic advantage.
Frequently Asked Questions
What is the difference between a minor and a major non-conformity?
A major non-conformity represents a systemic failure, such as the complete absence of a required process. A minor non-conformity is an isolated lapse or a single deviation from a procedure. For example, failing to have a documented management review process is major, whereas one missing signature on a completed form would likely be considered minor. Both require formal corrective action to resolve effectively and maintain compliance.
How long do we have to fix a non-conformity after an audit?
The timeline for addressing a non-conformity is determined by your certification body. Typically, organizations are given 30 to 90 days to submit a corrective action plan and evidence of its implementation. Major non-conformities may require a follow-up audit to verify the fix, while minor issues can often be closed remotely once sufficient evidence has been provided to the auditor, ensuring a streamlined resolution.
Is it possible to fail an ISO 9001 certification audit completely?
Yes, it is possible to fail an ISO 9001 certification audit. This typically occurs if an organization has multiple major non-conformities or demonstrates a systemic breakdown of its quality management system. However, auditors prefer to see companies succeed. Failure is usually a last resort when there is a clear lack of commitment to meeting the standard’s requirements, rather than an outcome for minor, correctable issues.
What happens if we receive a non-conformity during our surveillance audit?
Receiving a non-conformity during a surveillance audit follows the same corrective action process as an initial audit. You must identify the root cause, implement a solution, and provide evidence to the auditor within a specified timeframe. Failing to resolve the finding can jeopardize your certification status, potentially leading to suspension. This underscores the importance of maintaining your QMS between audits to ensure ongoing compliance.
How can a thorough internal audit program prevent external audit failures?
A thorough internal audit program is your best defense against external audit failures. It functions as a dress rehearsal, allowing you to identify and correct non-conformities before the certification auditor arrives. This proactive process not only resolves issues internally but also demonstrates a robust commitment to continuous improvement. A well-managed internal audit system is a cornerstone of a successful quality management system and a key indicator of audit readiness.
Does one minor non-conformity mean we lose our certification?
No, a single minor non-conformity will not result in the loss of your certification. It is viewed as an opportunity for improvement within your quality management system. Your organization will be required to implement a corrective action and demonstrate its effectiveness to the auditor. Certification is only at risk if non-conformities are systemic, numerous, or if corrective actions are consistently ignored or ineffective over time.
What is the best way to respond to an auditor’s finding?
The best way to respond to an auditor’s finding is with professionalism and a cooperative attitude. Listen carefully to understand the issue and ask for clarification if necessary. Acknowledge the finding without becoming defensive. Thank the auditor for identifying an area for improvement and confirm your commitment to implementing a robust corrective action. This approach demonstrates control over your processes and respect for the audit journey.