Nonconformity Handling in Certification Audits

Nonconformity handling is one of the most operationally consequential phases of any certification audit, determining whether an organization retains, suspends, or loses its certified status. This page covers how certification bodies classify nonconformities, the procedural steps auditors and auditees must follow, the most common scenarios that trigger findings, and the decision boundaries that govern outcomes. The governing framework is anchored primarily in ISO/IEC 17021-1, the international standard that accreditation bodies such as ANAB and A2LA apply when recognizing management system certification bodies.


Definition and scope

A nonconformity, in the context of a certification audit, is a failure to fulfill a specified requirement — whether that requirement originates in a management system standard (such as ISO 9001 or ISO 45001), a regulatory mandate, or the certification scheme itself. ISO/IEC 17021-1:2015, Clause 9.4, defines the obligation of certification bodies to establish processes for identifying and following up on nonconformities detected during audits.

The scope of nonconformity handling extends across all audit types: initial certification audits, surveillance audits, recertification audits, and special audits triggered by complaints or significant organizational change. It applies equally to product-based and management system certification contexts, though the procedural specifics may differ between those two categories — a distinction covered in depth at product certification vs. management system certification.

Nonconformities are distinguished from observations and opportunities for improvement. Observations flag potential weaknesses that do not yet breach a requirement; nonconformities represent confirmed breaches. This distinction is not merely semantic — it dictates whether corrective action is mandatory before certification can proceed.


How it works

The nonconformity handling process in management system certification follows a defined sequence. Divergence from this sequence can itself constitute a procedural nonconformity for the certification body under IAF MD 2 (International Accreditation Forum Mandatory Document on Transfer of Accredited Certification).

Standard procedural sequence:

  1. Detection — The auditor identifies evidence of a requirement breach during document review, interviews, or on-site observation. The finding is documented with specific objective evidence, not general assertions.
  2. Classification — The auditor classifies the finding as either a major nonconformity or a minor nonconformity. The criteria for this classification are covered in the Decision boundaries section below.
  3. Issuance — A formal nonconformity report (NCR) is issued to the auditee during or immediately following the audit. The NCR must reference the specific clause of the applicable standard that has been breached.
  4. Root cause analysis — The auditee conducts root cause analysis and submits a corrective action plan, typically within a timeframe specified by the certification body (commonly 30 days for minor nonconformities, shorter for majors — though scheme-specific rules govern the precise deadlines).
  5. Verification — The certification body reviews submitted evidence of correction. For major nonconformities, this often requires a follow-up audit visit rather than documentary review alone, per ISO/IEC 17021-1 Clause 9.6.5.
  6. Disposition — The certification body makes a certification decision: proceed, suspend, or withdraw certification depending on the nature and resolution status of findings.

The auditor who raises the nonconformity is not the individual who makes the certification decision. This separation is a structural impartiality requirement under ISO/IEC 17021-1 Clause 6.


Common scenarios

Nonconformities arise across every sector and standard, but certain failure patterns recur across initial and surveillance audits.

Documented information gaps — ISO 9001:2015 Clause 7.5 requires organizations to maintain and retain specified documented information. Auditors frequently raise nonconformities when procedures exist in name but lack evidence of consistent use — for example, calibration records that are incomplete or version-controlled documents that have not been formally approved.

Internal audit program failures — ISO 45001:2018 Clause 9.2 mandates a planned internal audit program. A common major nonconformity is an internal audit schedule that was not executed: auditors find that significant processes went unaudited in the preceding 12-month period.

Management review deficiency — ISO 14001:2015 Clause 9.3 specifies required inputs to management review. When meeting records omit required inputs — such as the status of corrective actions or results from monitoring — auditors raise nonconformities against the clause.

Supplier control breakdowns — In food safety and medical device contexts, supplier approval processes governed by standards like FSSC 22000 or ISO 13485 generate nonconformities when approved supplier lists are outdated or supplier performance data is absent.

Legal and regulatory compliance — Failure to identify applicable legal requirements, or evidence that identified requirements are not being monitored, is a consistent finding area across ISO 14001 and ISO 45001 audits (U.S. EPA and OSHA requirements frequently appear in these audits for U.S.-based facilities).


Decision boundaries

The classification of a nonconformity as major or minor is the primary decision boundary governing audit outcomes, and the distinction carries significant consequences.

Major nonconformity: Indicates the absence of a required element, a systematic or critical failure, or a situation that raises serious doubt about whether the management system is achieving its intended outcomes. Under ISO/IEC 17021-1 Clause 9.1.10.3, a major nonconformity prevents the granting of certification until it is resolved and verified. If a major nonconformity is raised during a surveillance audit on an organization already holding certification, that certification may be suspended pending resolution — a process governed by certification suspension and withdrawal procedures.

Minor nonconformity: Represents an isolated lapse or a single instance of non-fulfillment that does not indicate systemic breakdown. The certification body may grant or continue certification while requiring verified corrective action within a defined period.

A cluster of minor nonconformities against the same clause or process can be re-classified as a major nonconformity at auditor discretion — a judgment call that must be supported by documented objective evidence and is subject to review in any subsequent complaints and appeals process.

The IAF and its member accreditation bodies, including the ANSI National Accreditation Board (ANAB) and A2LA, enforce these classification standards through oversight audits of certification bodies themselves, creating a two-tiered accountability structure in which the accreditor monitors the certifier's nonconformity handling practices.

