How to Write a Nonconformity Report That Actually Gets Fixed

Dilawar Laghari

Lead Auditor and Trainer · 13 min read
Most nonconformity reports never accomplish what they're supposed to. They sit in filing systems, trigger defensive responses from auditees, and result in corrective actions that address symptoms rather than root causes. The problem isn't the auditor's diligence in finding the nonconformity. The problem is how it gets documented and communicated. A nonconformity report is only as valuable as the action it generates, and that means everything hinges on how clearly you write it and how persuasively you demonstrate why the issue actually matters to the organisation.

Why Most Nonconformity Reports Fail

The typical nonconformity report reads like this: "Procedure XYZ was not followed. Evidence shows three instances where records were incomplete. ISO 9001 Clause 8.2.3 requires documented control of these processes." This is technically accurate. It identifies the problem. It cites the standard. And it accomplishes almost nothing because it gives the organisation no pathway to genuine improvement.

The failure happens because most auditors confuse reporting a nonconformity with writing a nonconformity report. Finding the gap is the audit work. Documenting it in a way that drives corrective action is entirely different. When you write a report that merely states what's wrong, you leave the recipient with a compliance checkbox exercise. When you write one that demonstrates the business impact and systemic nature of the problem, you shift the conversation toward real change.

Consider two versions of the same finding. First version: "Records of supplier evaluations were not maintained in accordance with procedure QP 4.2. Audit identified two instances where no evaluation documentation existed for suppliers added in the current financial year." Second version: "Supplier evaluation records are not being created at the point of supplier selection. Audit reviewed all 12 suppliers added in the past 18 months and found no documented evaluation criteria or assessment for eight of them. This creates risk in three areas: unqualified suppliers may enter the supply chain without verification of capability; the organisation cannot demonstrate due diligence to customers; and the quality management system requirement for supplier control is not being met." The second version tells a story. It explains consequences. It makes the case for action.

The Anatomy of a Nonconformity That Gets Fixed

A nonconformity report that actually drives corrective action has five essential elements, and they need to work together as a coherent narrative rather than as separate technical sections.

Clear Statement of What Was Not Done

Start with the observable fact. Not interpretation, not analysis, not extrapolation. The actual thing that wasn't happening. This needs to be specific enough that if another auditor reviewed the same area, they would find the same evidence. Vague language like "processes were not adequately controlled" or "records were not properly maintained" forces the reader to guess what you actually saw. Instead write: "Maintenance records for the CNC machine in Department B show no calibration certification between March and September 2024. ISO 9001 Clause 8.6 requires calibration verification at specified intervals."

The key is observable evidence, not inferred problems. You saw records that were missing, or procedures that were not followed, or conversations that revealed no implementation. You did not see negligence or incompetence or organisational dysfunction. Stick to what you observed.

Evidence That Demonstrates Scope and Pattern

A single instance might be an anomaly. Two instances suggest an oversight. Three or more suggest a systemic issue. Your evidence section needs to show whether this is isolated or widespread because the corrective action required is entirely different in each case. If you found one incomplete form in a process that creates 50 forms per month, you're describing a sampling issue or a single operator error. If you found the issue across 40 percent of the sample, you're describing a failed process.

For each piece of evidence, document what you looked at and what you found. "Document number INV 4521 shows no approval signature. Document numbers INV 4518, 4519, 4520, 4522, and 4523 show the same issue. In a review of 15 invoices processed this month, 10 were unsigned at approval stage." Now the reader understands the scope. They can see that this isn't a training problem affecting one person. It's a system problem affecting the majority of transactions.

The evidence section is also where you need to be honest about limitations. If you sampled 20 items and found a problem in 15 percent of them, say that. If you observed the process on one day and cannot comment on other shifts, say that. Readers trust auditors who acknowledge the boundaries of their evidence. They become defensive when they feel like auditors are making sweeping judgments based on limited observation.

Explicit Link to Standard Requirements

This is not the place to be clever or assume shared understanding. State the specific requirement that is not being met. "ISO 9001 Clause 8.2.1 requires organisations to determine what communication with customers is needed, including information relating to products and services. This organisation's quality policy does not specify the responsibility for customer communication, and no procedure exists that defines what information is provided at each stage of engagement."

Organisations have different interpretations of how standards apply. Some read clauses broadly, some narrowly. Your job is to show the direct connection between what the standard explicitly requires and what the organisation is not doing. If the standard says "shall," quote the "shall." If you're working across multiple standards, such as ISO 9001, ISO 14001 and ISO 45001, be precise about which standard applies and why. Never leave it ambiguous which requirement was breached.

Business Impact and Risk Consequence

This is the section that transforms a technical documentation issue into a management priority. What actually happens because this control is missing or failed? Who bears the consequence? What does it cost? What risk does it create?

For a nonconformity involving missing calibration records: "Without documented calibration verification, the organisation cannot confirm that measurements used in production are accurate. This affects the accuracy of quality control decisions and could result in out-of-specification products reaching customers. It also creates liability if a customer complaint arises and the organisation cannot demonstrate that measurements were verified at the time production occurred."

For a nonconformity involving missing supplier evaluation: "New suppliers have been added to the supply chain without documented assessment of their capability to meet requirements. This creates risk of supply chain failure, delivery delays, or quality issues from unqualified suppliers. It also means the organisation cannot demonstrate to customers that it has exercised due diligence in supplier selection."

Business impact makes the corrective action urgent. Technical violation alone makes it a checkbox. You want the recipient of the report reading this section and thinking, "We need to fix this," not "We need to document that we're thinking about fixing this."

Clarity on What Compliance Actually Looks Like

Many nonconformity reports tell you what's wrong but leave you guessing about what right looks like. Your report should show what the organisation should be doing, how often, and what the evidence of compliance would be. This is not prescription. You're not writing the corrective action. You're describing what the organisation needs to demonstrate.

"Compliance means the organisation maintains documented records showing that each supplier has been evaluated against defined criteria before being added to the approved supplier list. The evaluation should include assessment of quality capability, delivery reliability, pricing competitiveness, and financial stability. The evaluation should be documented on a standard form, signed and dated by the responsible approver, and maintained in the supplier file. Auditors should be able to select any supplier and find evidence that this evaluation occurred before the supplier was activated."

When you describe what compliance looks like in observable, measurable terms, you help the organisation design a corrective action that actually closes the gap rather than creating paperwork to document that a gap exists.

Structuring the Report for Maximum Clarity

The physical layout of your nonconformity report matters because poor structure forces readers to reassemble your thinking. A structure that works consistently is:

  • Nonconformity number and clause reference at the top
  • One sentence summary of what is not being done
  • Observable evidence with dates and specific items
  • Reference to the standard requirement with direct quotes where appropriate
  • Business impact and risk consequence
  • Description of what compliance looks like
  • Severity rating if your system uses one

Some organisations classify nonconformities as major (system failure or absence) or minor (isolated instance of non-compliance). Use these categories if they exist in your quality management system, but do not let the category dictate your writing. A minor nonconformity can still be written persuasively. A major nonconformity that is written poorly still generates weak corrective actions.

Common Mistakes That Undermine Your Report

Writing with assumptions is perhaps the most common error. You assume the reader knows what procedure you're referring to, knows what the process looks like, knows why the standard matters. They do not. Write as though the reader has no prior knowledge of this area. "Maintenance records for equipment" is vague. "The maintenance register for the Haas CNC machine located in Department B, serial number 4521, shows no entry for preventive maintenance between March 12 and September 4, 2024" is clear.

Another common mistake is mixing observation with interpretation. "The procedure was clearly not being followed" is interpretation. "The procedure requires sign off by the supervisor. Of 20 documents reviewed, 14 showed no supervisor signature" is observation. Let the evidence speak. Do not editorialise about what it means. Your evidence section should contain facts. Your impact section should contain meaning.

Blaming individuals is counterproductive and is not your role. Never write "The operator did not follow procedure" or "The manager was not enforcing requirements." Write "The procedure for equipment changeover requires documented inspection. Of three changeovers observed, none were documented." This focuses attention on the system failure rather than the person, which is where corrective action needs to be directed. When an internal audit finds a major nonconformity, the response needs to address systemic causes, not individual performance.

Being too brief is also a trap. One- or two-sentence nonconformity reports seem efficient but often generate corrective actions that miss the point. "Records were not maintained per procedure QP 3.1" tells you that something is missing. It does not tell you whether three records or three hundred records are missing. It does not tell you whether this is a brand new process no one understands or a mature process that people are deliberately ignoring. It does not tell you what the business consequence is. Length serves a purpose when it adds clarity.

Finally, avoid language that sounds judgmental or confrontational. "Completely inadequate controls over supplier management" will trigger a defensive response. "The current process for supplier approval does not include a documented evaluation step" is factual and invites discussion rather than conflict. Your role is to report, not to condemn.

Tailoring Your Report for Different Audiences

The nonconformity gets written once but read by multiple people: the process owner responsible for correction, the quality manager who oversees corrective action, senior management who reviews compliance performance, and external auditors who assess whether the correction was effective. Each reader has different concerns and different contexts.

The process owner needs clarity on what specifically was not done and what the corrective action needs to address. The quality manager needs to understand scope and severity to prioritise corrective actions across the whole system. Senior management needs to understand business impact to justify the investment in correction. External auditors need to see clear, objective evidence that is verifiable.

This does not mean writing different reports. It means writing one report that serves all these purposes by being comprehensive and clear. Include specific evidence so the process owner can act. Include scope and pattern so the quality manager can prioritise. Include business impact so management understands importance. Include clear compliance criteria so external auditors can verify correction.

Using Nonconformity Reports as a Tool for Organisational Learning

A well-written nonconformity report does something that poorly written ones never achieve: it teaches the organisation something about itself. It shows where systems are breaking down. It reveals assumptions that were not shared. It exposes gaps between documented procedure and actual practice. These insights are valuable if the organisation can extract them from the nonconformity report.

This happens when your report is specific enough that the organisation can see patterns. Three nonconformities in different departments but all related to missing approval signatures might indicate a training gap. Three nonconformities related to missing records might indicate a system design issue where the process was not documented before implementation. Three nonconformities related to incomplete decisions might indicate time pressure or resource constraints.

When you write your nonconformity report, think about what pattern it might reveal when combined with other nonconformities. Write it in a way that helps the organisation see those patterns. A report that says "procedure not followed" is isolated. A report that says "the approval step requires supervisor sign-off on the form. This was observed as incomplete in 35 percent of transactions across all three shifts and all five operators" helps the organisation see this is a system problem, not an operator problem.

This is why becoming an ISO internal auditor requires development beyond technical audit skills. You need to understand how organisations learn from audit findings and how to write in a way that enables that learning. You need to see the connection between clear reporting and actual improvement.

Follow-Up and Verification

Your nonconformity report is only complete when you have confirmed that the corrective action actually closed the gap. This is not about signing off paperwork. It is about verifying that the system change has been implemented and is being sustained.

The follow-up conversation should return to the elements you established in your report. Did the organisation implement a process that ensures the compliance criteria you described? Can they demonstrate it? Can you observe it working? If the nonconformity was about missing supplier evaluations, your follow-up should confirm that evaluations are now being completed for all new suppliers, that they are documented on the standard form, and that they are occurring before suppliers are activated. You verify against your compliance description, not against some other standard.

Document your verification. "Follow-up audit 6 January 2025 confirmed that 12 new suppliers added since correction date have documented evaluation forms in their files, signed by the approver, completed before supplier activation." This closes the loop and provides evidence that the nonconformity was actually resolved.

Frequently Asked Questions

A nonconformity is a failure to meet a specific requirement in the ISO standard or the organisation's documented procedures. An observation is a comment about current practice that may indicate a potential issue but does not constitute a breach of a requirement. For example, if a procedure requires weekly maintenance checks and you find maintenance was not done for three weeks, that is a nonconformity. If you observe that the maintenance log is kept in a format that is difficult to read and suggest a better format, that is an observation. Both are valuable, but they have different implications for corrective action and compliance.
