Common ISO 9001 Nonconformities and How to Avoid Them

Team @ Audit Workshop

Why the Same Nonconformities Keep Appearing

After conducting hundreds of ISO 9001 certification and surveillance audits across Australia and internationally, one thing becomes clear very quickly. The same nonconformities appear again and again. Different industries, different company sizes, different management teams, yet the same gaps show up in audit after audit.

This is not because organisations are careless. Most quality managers work hard to maintain their systems. The problem is usually that certain requirements are misunderstood, underestimated, or treated as box-ticking exercises rather than genuine system elements. This article walks through the most common ISO 9001 nonconformities that auditors raise, explains why they happen, and gives you practical advice on how to prevent them before your next audit.

Whether you are preparing for a certification audit, a surveillance visit, or running your own internal audit programme, understanding where organisations typically fall short will sharpen your focus and help you build a more robust quality management system.

Context of the Organisation: Clause 4

Shallow Context Analysis

Clause 4.1 requires organisations to understand their internal and external context and how it affects their ability to achieve intended outcomes. What auditors frequently find is a context analysis that was completed once during implementation and never revisited. The document exists, but it reads like a generic template with no real connection to the organisation.

Auditors look for evidence that the context analysis is current, meaningful, and linked to risk and planning decisions. If the last review was three years ago and the business has changed significantly since then, that is a nonconformity waiting to happen.

How to avoid it: Treat your context analysis as a living document. Review it at least annually, ideally as part of your management review. Tie specific internal and external issues directly to your risk register and quality objectives so there is a visible connection between context and planning.

Interested Parties Not Properly Identified

Clause 4.2 requires the organisation to identify interested parties and understand their relevant needs and expectations. A common finding is that the interested parties register lists only customers and ignores regulators, subcontractors, employees, or industry bodies. Another common issue is that the register lists interested parties without identifying which of their requirements are relevant to the QMS.

How to avoid it: Go beyond the obvious. Think about who has a stake in what you do and what they expect from you. Document specific requirements against each interested party and review the register when circumstances change.

Leadership and Planning: Clauses 5 and 6

Top Management Cannot Demonstrate Commitment

This is one of the most significant nonconformities auditors raise, and it often comes as a surprise to quality managers. ISO 9001 Clause 5.1 requires top management to demonstrate leadership and commitment through specific behaviours, not just by signing a quality policy.

When auditors interview senior leaders, they ask about quality objectives, customer satisfaction results, and how the management system supports strategic direction. If top management cannot answer these questions, or if they deflect everything to the quality manager, that is a problem. The standard is explicit that top management must be accountable for the effectiveness of the QMS, not just aware that one exists.

For more on what auditors look for when they sit down with senior leaders, see our article on how to audit leadership and commitment in ISO 9001.

How to avoid it: Brief your senior leaders before every audit. Make sure they understand the quality objectives, know the current customer satisfaction data, and can speak to how quality considerations influence business decisions. This is not coaching people to perform. It is making sure leadership genuinely engages with the system.

Quality Objectives That Do Not Meet Clause 6.2

Clause 6.2 requires quality objectives to be measurable, monitored, communicated, and updated as appropriate. Auditors routinely find objectives that are vague, have no targets, or have never been reviewed since the system was set up. Statements like “maintain customer satisfaction” or “improve quality” are not objectives. They are aspirations.

A related issue is that organisations set objectives but have no documented plan for how they will be achieved, who is responsible, what resources are needed, and how progress will be evaluated. Clause 6.2.2 requires all of this.

How to avoid it: Set objectives that are specific and measurable. Define a target, a timeframe, and a responsible person. Review progress at management review meetings and update objectives when they are achieved or when circumstances change. Our article on example quality objectives that pass an audit provides practical examples you can adapt.

Risk-Based Thinking Treated as a Separate Document

Many organisations create a risk register to satisfy Clause 6.1 and then never connect it to anything else in the system. The risk register sits in a folder, gets reviewed once a year in isolation, and has no visible influence on objectives, operational controls, or improvement activities.

Auditors look for evidence that risk-based thinking is embedded in how the organisation plans and operates, not just documented in a standalone register. If risks are identified but there are no corresponding controls, actions, or monitoring arrangements, the requirement has not been met in substance.

How to avoid it: Connect your risk register to your quality objectives, your operational controls, and your corrective action process. When a new risk is identified, ask what the organisation is doing about it and where that is reflected in the system.

Support: Clause 7

Competence Records Are Incomplete or Missing

Clause 7.2 requires organisations to determine the competence required for roles that affect quality, ensure people are competent, and retain documented information as evidence. This is one of the most consistently raised nonconformities across all industries.

Common issues include training records that exist but do not demonstrate that training was effective, competence matrices that were built at system implementation and never updated, and no evidence that competence was evaluated after training was completed. Attending a training course is not the same as being competent. The standard requires evidence of both.

How to avoid it: Build a competence framework that defines what is required for each role, how competence is assessed, and what the evidence looks like. Keep records up to date. When someone changes roles or when processes change, reassess competence requirements. For a detailed look at this, see our article on common ISO 9001 Clause 7 nonconformities auditors keep finding.

Document Control Gaps

Clause 7.5 covers documented information, and it generates a significant number of nonconformities. The most frequent issues include documents that are not version controlled, obsolete documents still in use, no approval process for new or revised documents, and records that cannot be retrieved when needed.

A particularly common finding is that procedures or work instructions on the shop floor or at workstations are outdated versions. The master copies in the system have been updated, but nobody checked whether the physical copies at the point of use were replaced.

How to avoid it: Establish a clear document control process and make sure everyone who uses documents understands it. Conduct periodic checks to verify that documents in use match the current approved versions. Treat document control as an operational discipline, not an administrative task.

Awareness: More Than a Poster on the Wall

Clause 7.3 requires people to be aware of the quality policy, relevant quality objectives, their contribution to the effectiveness of the QMS, and the implications of not conforming to requirements. Auditors test this by talking to workers directly, not by reviewing induction records.

It is common for workers to know that their organisation is ISO certified but to have no idea what the quality policy says, what the current quality objectives are, or how their role connects to customer satisfaction. That gap is a nonconformity.

How to avoid it: Do not rely solely on induction training and a policy poster. Communicate quality objectives at team meetings. Make the connection between individual tasks and customer outcomes visible and real. Ask your own people these questions before an auditor does.

Operations: Clause 8

Inadequate Control of Externally Provided Processes

Clause 8.4 is one of the clauses under which nonconformities are most frequently raised in certification audits. It requires organisations to control externally provided processes, products, and services. The type and extent of control must be based on the potential impact on the organisation's ability to meet customer requirements.

What auditors commonly find is that supplier evaluation criteria are vague or inconsistently applied, approved supplier lists are out of date, and there is no evidence that suppliers are monitored on an ongoing basis. Organisations often have a supplier approval process on paper but cannot demonstrate it is being followed in practice.

A related issue is that when things go wrong with a supplier, the nonconformity is corrected but the root cause is not addressed and the supplier evaluation record is not updated to reflect the performance issue.

How to avoid it: Define clear criteria for supplier approval and ongoing evaluation. Keep your approved supplier list current. Document supplier performance monitoring and use it to inform purchasing decisions. When a supplier causes a quality problem, update their evaluation record and consider whether additional controls are needed.

Nonconforming Outputs Not Properly Controlled

Clause 8.7 requires organisations to identify and control outputs that do not conform to requirements, to prevent unintended use or delivery. Nonconformities under this clause typically involve a lack of segregation of nonconforming product, unclear disposition records, or no evidence that the root cause was investigated.

A common scenario is that nonconforming products are identified and tagged, but the disposition decision is not recorded, or the same type of nonconformity keeps appearing with no corrective action initiated because each occurrence is treated as an isolated event rather than a systemic issue.

How to avoid it: Make sure your nonconforming output process includes clear segregation, documented disposition, and a trigger for corrective action when the same type of nonconformity recurs. Review nonconforming output data at management review to identify trends.

Performance Evaluation: Clause 9

Internal Audit Programme Not Covering All Processes

Clause 9.2 requires organisations to conduct internal audits at planned intervals to provide information on whether the QMS conforms to requirements and is effectively implemented. A very common finding is that the audit programme covers some clauses and processes but consistently skips others, particularly areas like management review, customer satisfaction monitoring, or supplier control.

Another frequent issue is that internal audits are conducted but the audit programme has not been reviewed and updated based on previous audit results or changes in the organisation. The programme runs on autopilot rather than being risk-based.

How to avoid it: Build an audit programme that covers all processes and clauses across the certification cycle. Use risk and previous audit results to determine frequency. Review and update the programme at least annually. If you want to understand the full requirements, our article on ISO 9001 Clause 9.2 explained covers everything the standard requires.

Management Review Is Incomplete

Clause 9.3 specifies mandatory inputs that must be reviewed by top management. These include customer satisfaction data, quality objective performance, audit results, supplier performance, and the effectiveness of actions taken on risks and opportunities, among others.

What auditors commonly find is that management reviews are conducted but the minutes show only a subset of the required inputs were discussed. Customer satisfaction data might be covered but supplier performance is absent. Or the review happens but there is no evidence that outputs included decisions on improvement actions and resource needs.

How to avoid it: Use a structured agenda that maps directly to the required inputs in Clause 9.3.2. Document the outputs clearly, including decisions made and any actions assigned. Keep the minutes specific enough that an auditor can see what was discussed and what was decided.

Improvement: Clause 10

Corrective Actions Without Root Cause Analysis

Clause 10.2 requires organisations to react to nonconformities, determine their causes, and take action to prevent recurrence. The most common finding under this clause is that corrective actions address the symptom but not the cause. The problem is fixed in the short term, the form is completed, but the same issue reappears months later.

Another common issue is that corrective actions are raised but never verified for effectiveness. The action is marked as closed when the task is completed, not when there is evidence that the nonconformity has not recurred.

How to avoid it: Require root cause analysis for every corrective action. Use structured methods such as the 5 Whys or fishbone analysis. Set a review date after closure to verify effectiveness. Do not close a corrective action until you have evidence the root cause has been addressed, not just the immediate problem.

Putting It All Together

The nonconformities described in this article are not obscure or technical. They are gaps in the fundamentals: genuine leadership engagement, meaningful planning, competent people, controlled documents and processes, and a corrective action system that actually learns from problems.

The best defence against these findings is a well-run internal audit programme that tests the system honestly before the certification body does. Internal audits should not be rehearsals for external audits. They should be genuine assessments that find real gaps and drive real improvement.

If you want to develop the skills to identify these issues yourself and conduct audits that add genuine value, Audit Workshop offers practical ISO 9001 internal auditor and lead auditor training delivered by an experienced practitioner who has conducted over 500 external certification audits. The training is built around real audit scenarios, not theory, and is available in live and self-paced formats to suit working professionals.

Frequently Asked Questions

The most frequently raised nonconformities tend to cluster around Clause 7.2 competence records, Clause 8.4 control of external providers, and Clause 9.2 internal audit programme coverage. These areas are common because they require ongoing operational discipline rather than a one-time setup, and organisations often let them drift between surveillance audits.