Common ISO 14001 Nonconformities and How to Avoid Them

Team @ Audit Workshop


Why ISO 14001 Nonconformities Keep Appearing

ISO 14001 has been around since 1996, and the 2015 edition has been in use for nearly a decade. Yet certain nonconformities appear on audit reports with remarkable consistency. Certification bodies raise them. Internal auditors find them. And organisations fix them, only for the same issues to resurface at the next surveillance audit.

That pattern tells you something important. These are not obscure clauses that catch people by surprise. They are the core requirements of the standard, and the reason they keep generating findings is that organisations implement the letter of the requirement without building the underlying discipline to sustain it.

This article walks through the most common ISO 14001 nonconformities, explains why they occur, and gives you practical guidance on what to look for whether you are conducting an internal audit, preparing for a certification audit, or trying to strengthen your environmental management system before an auditor arrives. Note that the 2026 revision of ISO 14001 is now published, so some of the requirements discussed here have been updated. Where relevant, those changes are noted.

Aspects and Impacts: The Foundation That Often Cracks

The environmental aspects and impacts register is the engine room of an ISO 14001 EMS. Get it wrong and everything downstream suffers. It is consistently one of the most common sources of nonconformities, and the problems tend to fall into a few predictable categories.

Incomplete identification of aspects

Clause 6.1.2 requires organisations to identify environmental aspects associated with their activities, products, and services within the defined scope, taking a lifecycle perspective. The lifecycle perspective is where most registers fall short. Organisations document what happens on site during normal operations but fail to consider upstream activities like raw material sourcing, or downstream activities like product disposal and end of life.

A typical finding might read:

The aspects and impacts register does not consider the lifecycle of products or services as required by Clause 6.1.2. No aspects have been identified for the procurement of materials or for the end of life disposal of the organisation’s outputs.

Another common gap is the failure to consider abnormal operating conditions and reasonably foreseeable emergency situations alongside normal operations. Many registers only capture routine activities.

Significance criteria that are not applied consistently

Most organisations have a method for determining significance, typically a scoring matrix based on factors like frequency, severity, and regulatory sensitivity. The nonconformity arises when the criteria exist on paper but the scoring in the register does not reflect them. Auditors will pull three or four aspects and work through the scoring with the person responsible. If the numbers do not add up, or if the same type of aspect is scored differently in different parts of the register without explanation, you have a problem.

Registers that are never updated

Aspects and impacts registers are living documents. When a new process is introduced, a chemical is substituted, or a new site is added to scope, the register must be reviewed. Finding a register that was last updated two years ago, despite significant operational changes in that period, is a straightforward major nonconformity against Clause 6.1.2 and often also against Clause 6.3, which addresses planning of changes. The 2026 edition has strengthened requirements around change management, making this even more important going forward.

For a detailed walkthrough of what auditors check in this area, see our article on ISO 14001 aspects and impacts: what auditors check and why.

Compliance Obligations: Legal Registers That Do Not Do Their Job

The compliance obligations requirement under Clause 6.1.3 generates a steady stream of nonconformities. Organisations often confuse having a legal register with actually managing compliance obligations.

The register exists but is not current

This is the single most common compliance obligation finding. The register was built during the initial implementation, perhaps with help from a consultant, and has not been reviewed since. Legislation changes. New regulations come into force. Licences are renewed with updated conditions. If the register does not reflect these changes, it cannot serve its purpose.

Auditors will ask: when was this register last reviewed? Who is responsible for monitoring legislative changes? What process exists to identify new or amended obligations? If the answers are vague or the review date is years old, expect a finding.

Obligations identified but not evaluated for compliance

Clause 9.1.2 requires organisations to evaluate their compliance with applicable legal requirements and other compliance obligations. A common pattern is that the register lists the relevant legislation but there is no evidence that the organisation has actually checked whether it is complying with each requirement. The register and the compliance evaluation are two separate activities, and both must be done.

Conditions of licences and permits not captured

Many organisations capture the relevant Acts and Regulations but miss the specific conditions attached to their environmental licences, development approvals, or discharge permits. Those conditions are compliance obligations too, and they are often the most operationally specific and the most likely to be breached.

Environmental Objectives: Vague, Unmeasured, and Disconnected

Clause 6.2 requires environmental objectives to be measurable, consistent with the environmental policy, and supported by a plan that identifies what will be done, who is responsible, when it will be completed, and how results will be evaluated. Nonconformities in this area are almost always about substance rather than existence. The objectives exist, but they do not meet the standard’s requirements.

Objectives that cannot be measured

Objectives like “improve our environmental performance” or “reduce our environmental impact” are not objectives under ISO 14001. They are aspirations. An objective must be measurable. That means a baseline, a target, and a unit of measure. Auditors will ask: how will you know when you have achieved this objective? If the answer is unclear, the objective does not conform.

No documented plan for achieving objectives

Many organisations document their objectives but do not document the plan. Clause 6.2.2 is explicit: the organisation shall maintain documented information on its environmental objectives and the plans to achieve them. Finding a list of objectives with no associated actions, owners, timelines, or resources is a straightforward nonconformity.

Objectives not linked to significant aspects

Environmental objectives should be driven by significant aspects, compliance obligations, and risks and opportunities. When objectives appear to have been chosen arbitrarily, with no visible connection to what the aspects and impacts register identifies as significant, auditors will question whether the planning process is functioning as intended.

Operational Controls: Where the System Meets Reality

Clause 8.1 requires organisations to establish, implement, control, and maintain processes needed to meet EMS requirements and to implement the actions identified in planning. This is where many systems fall apart, because the documents say one thing and the site does something different.

Controls not implemented for significant aspects

If an aspect has been identified as significant, there must be controls in place to manage it. Auditors will trace from the aspects register to the operational controls and then to the site. If a significant aspect has no corresponding procedure, work instruction, or operational control, that is a nonconformity. If the control exists on paper but is not being followed on the floor, that is also a nonconformity, and often a more serious one.

Contractors and suppliers not covered

Clause 8.1 extends to outsourced processes, contractors, and suppliers. Many organisations manage their own operations reasonably well but have no mechanism for communicating environmental requirements to contractors working on site or for verifying that those requirements are being met. Spill kits that contractors never use, hazardous materials brought on site without notification, and waste disposed of incorrectly by contractors are all audit trail items that lead back to this clause.

Emergency preparedness plans that are not tested

Clause 8.2 requires organisations to establish processes to prepare for and respond to potential emergency situations. The nonconformity is rarely that no plan exists. It is that the plan has never been tested through drills or exercises, or that the plan refers to equipment, contacts, or procedures that no longer reflect current site conditions.

Monitoring, Measurement, and Compliance Evaluation

Performance evaluation under Clause 9 is another consistent source of findings. The standard requires organisations to monitor, measure, analyse, and evaluate their environmental performance. It also requires a separate and deliberate evaluation of compliance with legal and other requirements.

Monitoring without documented results

Many organisations monitor environmental parameters such as energy consumption, water use, or waste volumes but do not retain the results in a way that allows trend analysis or comparison against objectives. Clause 9.1.1 requires documented information as evidence of the results. Spreadsheets that are overwritten each month, or monitoring data that exists only in the memory of the person who collected it, do not satisfy this requirement.

Compliance evaluation not conducted at defined intervals

Clause 9.1.2 requires the organisation to evaluate its compliance with legal requirements at planned intervals. Many organisations rely on the internal audit programme to cover compliance, but the internal audit and the compliance evaluation are separate requirements. If there is no documented compliance evaluation, separate from the audit programme, expect a finding.

Management review inputs incomplete

Clause 9.3 requires management review to consider a defined list of inputs, including the status of compliance obligations, the achievement of environmental objectives, and the results of monitoring and measurement. Finding that management review meetings occur but do not address all required inputs is a common nonconformity. This is particularly true for smaller organisations where management review is informal and undocumented.

Internal Audit: The Requirement That Audits Itself

Internal audit under Clause 9.2 generates findings at almost every certification audit. The requirements are clear, but implementation is often weak.

Audit programme not risk-based

The standard requires the internal audit programme to take into account the environmental importance of the processes concerned and the results of previous audits. Many programmes audit every clause every year regardless of risk or past performance. That approach is not wrong, but if the programme cannot demonstrate that higher-risk areas receive more attention, or that previous findings have influenced the programme, auditors will question whether the programme is genuinely risk-based.

Auditor competence not demonstrated

Internal auditors must be competent. Clause 7.2 applies to internal auditors as much as to anyone else with EMS responsibilities. Internal audits conducted by staff with no documented training in auditing, and auditors auditing their own area of responsibility, are both findings. The independence requirement is not optional.

Findings not followed through to closure

Internal audit findings must be reported to relevant management and corrective actions must be taken without undue delay. Finding a stack of open nonconformities from previous internal audits with no evidence of root cause analysis or corrective action is one of the most damaging patterns an external auditor can encounter. It suggests the internal audit programme is generating paperwork rather than driving improvement.

If you are building or strengthening your internal audit capability for ISO 14001, our article on ISO 14001 internal auditor: what you need to know before you start covers the foundations in detail.

Documented Information: Too Much, Too Little, or Not Controlled

Documented information requirements under Clause 7.5 generate a consistent set of findings that are often minor individually but can signal deeper system weaknesses when they appear together.

Required documented information missing

ISO 14001 specifies certain items that must be maintained as documented information. These include the scope of the EMS, the environmental policy, the aspects and impacts register, compliance obligations, objectives and plans, and the results of monitoring and evaluation. Finding that any of these are absent or cannot be located is a straightforward nonconformity.

Documents not reviewed or approved

Clause 7.5.2 requires documented information to be created and updated in a manner that includes appropriate review and approval. Procedures that exist as drafts, documents without version numbers, or records that cannot be traced to an approved source all fall into this category.

Obsolete documents in use

Clause 7.5.3 requires the organisation to control documented information to ensure that obsolete versions are not inadvertently used. Finding printed procedures on the floor that differ from the current version in the document management system is a finding that appears in almost every industry sector.

Leadership and Top Management Commitment

Clause 5 requirements around leadership are harder to audit but generate significant findings when the evidence is absent. The standard requires top management to take accountability for the effectiveness of the EMS, not just to endorse it.

Environmental policy not communicated

The environmental policy must be communicated within the organisation and be available to interested parties. Auditors will ask workers at various levels whether they are aware of the policy and what it means for their work. If frontline staff have never seen the policy or cannot describe its relevance to their role, that is a finding against Clause 5.2 and often also against Clause 7.3, which covers awareness.

Top management not demonstrating active involvement

This is a softer finding but an important one. The standard requires top management to demonstrate leadership and commitment, not just to sign off on documents. Evidence of active involvement includes participation in management review, visible communication of environmental priorities, and resource allocation decisions that reflect genuine commitment. When management review minutes show that the CEO was not present and the EMS manager presented to an empty room, auditors will question the depth of leadership commitment.

The 2026 revision of ISO 14001 has introduced additional expectations around climate change consideration and the integration of sustainability thinking at the leadership level. Organisations transitioning to the new edition should review their leadership evidence against those updated requirements. Our ISO 14001:2026 transition guide covers what has changed and what you need to do before the April 2029 deadline.

Corrective Action: Fixing Symptoms Instead of Causes

Clause 10.2 requires organisations to react to nonconformities, determine their root cause, and implement corrective actions to prevent recurrence. The quality of corrective action responses is consistently poor across industries.

Corrections confused with corrective actions

A correction fixes the immediate problem. A corrective action addresses the root cause so the problem does not recur. Many organisations close nonconformities by documenting the correction without any root cause analysis. The same finding then appears at the next audit. Auditors will check whether root cause analysis was genuinely conducted and whether the corrective action addresses the cause rather than the symptom.

Effectiveness not verified

Clause 10.2 requires the organisation to review the effectiveness of any corrective action taken. This means going back after the action has been implemented and checking whether it worked. Many corrective action registers show actions as closed with no evidence that effectiveness was ever verified.

How to Use This Knowledge Before Your Next Audit

If you are preparing for a certification audit or a surveillance visit, use this list as a pre-audit self-assessment. Walk through each area with the person responsible. Ask the same questions an auditor would ask. Look for the same gaps.

If you are an internal auditor planning your programme, prioritise these areas. They are the most likely sources of findings, and finding them internally is far better than having an external auditor find them first.

If you are a quality or environmental manager who has just received a nonconformity report, look beyond the specific clause cited. Many of these findings are symptoms of the same underlying issue: a system that was implemented but never properly embedded into daily operations.

Building genuine auditor capability is the most reliable way to catch these issues before they become external findings. Audit Workshop offers ISO 14001 internal auditor and lead auditor training that is grounded in real audit practice, not just standard interpretation. If you want to develop the skills to find and fix these issues yourself, explore the ISO 14001 internal auditor training options available through Audit Workshop.

Frequently Asked Questions

The most consistently raised nonconformities relate to the aspects and impacts register under Clause 6.1.2. Typical issues include incomplete identification of aspects across the lifecycle, significance criteria that are not applied consistently, and registers that have not been updated to reflect operational changes. These findings are common because the aspects register underpins the entire EMS, and any weakness in it creates gaps throughout the system.