What Does it Mean to get a Nonconformance During an Audit?
For companies that are new to management system certification the prospect of getting a nonconformance can be unnerving and may lead to feelings of unease. These trepidations are truly unwarranted as the nonconformance process is a natural and often beneficial part of the certification experience.
To begin with – it is expected that the audit process at large will contribute to the improvement of the auditee’s management system. This ideal is expressed in ISO 19011:2018 clause 5.5.2d under the concept of “Audit Objectives” where it states that “Identification of opportunities for potential improvement of the management system” is an intended objective for any audit (whether performed by a certification body or not.)
Improvement itself is a concept that has been promoted by the ISO going back over 20 years to the publication of ISO 9001:2000 where the concept of “Continuous Improvement” was first introduced and positioned as a concept tied in with all established processes. The idea was that the organization should also be seeking improvement (both for itself and for customers.) In the 2015 version of ISO 9001 this idea remains and has been furthered by its pairing with the concept of Risk Based Thinking.
Bearing all of this in mind, certification body auditors are trained to write nonconformances whenever they find them. At this juncture, it’s important to remember that just because an auditor has written a nonconformance does not mean that the audited organization is “stuck with it.” All certification bodies train their auditors to be open to further discussion and review of additional evidence from the auditee if a nonconformance is of questionable merit. If these discussions result in the nonconformance still being written, the auditee is allowed to request what the industry calls an “appeal.” The appeals process varies from one certification body to the next but all accredited certification bodies are required to provide one.
Assuming that all parties concerned are in agreement on the nonconformances, the next step is to resolve the nonconformances in a documented fashion. The industry requires that this response take the following three-part form:
- Correction
- Root Cause Analysis
- Corrective Action
Correction is a defined term in ISO 9000: “Action to eliminate a detected nonconformity.” Correction is best understood as the actions needed to resolve the immediate issue cited by the auditor. It is the act of “putting out the fire” as the popular euphemism goes. For example, if the nonconformance was written for a missing training record, the Correction would simply be to create the training record in question.
It is also expected that the audited organization will ensure that no other similar instances of the cited issue exist. In our prior example this would mean that the audited organization has confirmed that there are no other missing training records. This furtherance of the Correction is sometimes referred to as “read across”, “horizontal deployment”, or “extent analysis.” Some certification bodies will even provide a designated space for this step to be captured.
Root Cause Analysis intends to identify the systemic cause of the cited issue. It is common for newer organizations to presume human error as the underlying cause, but this is incorrect thinking. Organizations must look at the complete situation and all related aspects in identifying the true root cause. This means that the organization needs to consider what controls have been established to ensure consistency and effectiveness of a process – and why those controls failed and led to an audit nonconformance. Many organizations may find it useful to use a root cause analysis tool such as fishbone or 5 why. Such organizations would also do well to recognize that in some cases it is possible that there may be more than one contributing cause.
If an organization has done an effective job of determining the Root Cause, the Corrective Action should come very easily. I often have to remind organizations and people that are new to ISO 9001 that Root Cause statements and Corrective Action statements should be “mirror images” of each other. For example – if the root cause analysis has concluded that a process failed because the established work instruction wasn’t specific enough about a particular step, the corrective action would be to add details to the work instruction. Corrective Actions must be systemic in order to be effective. They must extend beyond people remembering to perform an action or complete a step. They must include new or improved process controls that will ensure the steps are completed.
Once you have formulated your Correction, Root Cause Analysis, and Corrective Action statements you will be expected to document these on the certification body’s provided format and send it to your auditor. Most of the time the auditor will provide a review and approval within a very short period of time. It is of course always possible that this review may lead to auditor rejections and a need for revision, but most of the time if you’ve done an effective job these remedial steps won’t be necessary.
By virtue of the steps your organization has completed in formulating your response to the nonconformance your management system will have achieved the ideal of improvement. Each successive audit will help you refine your system even further as your auditor develops a deeper understanding of who you are and how you operate.
PJC believes that nonconformances are beneficial to the certification experience. We offer industry experts with decades of experience in responding to nonconformances in an effective manner that helps your company achieve improvement. Contact us today to see what we can do for you!