How to Write Nonconformities That Hold Up: A Practical Guide for ISO Auditors

Team @ Audit Workshop

Why Most Nonconformities Fall Apart

Writing a nonconformity report sounds straightforward until you watch one get challenged, reinterpreted, or quietly closed without any real corrective action. It happens constantly. An auditor identifies a genuine gap, writes it up in a way that feels clear enough in the moment, and then three weeks later the organisation submits a response that completely misses the point. The corrective action addresses the symptom, not the cause. The finding gets closed. Nothing changes.

The problem is almost never the audit itself. The problem is how the nonconformity was written. A finding that holds up under scrutiny, drives meaningful corrective action, and survives a dispute with a defensive auditee is not an accident. It is the result of disciplined writing built on solid evidence, a clear reference to the requirement, and language that leaves no room for misinterpretation.

This article walks through exactly how to write nonconformities that hold up, whether you are an internal auditor closing out your programme or a lead auditor presenting findings at a certification audit closing meeting.

The Four Elements Every Nonconformity Must Have

Before you write a single sentence, understand that every defensible nonconformity contains four components. Miss any one of them and the finding becomes vulnerable.

1. The Requirement

State the specific clause and requirement that has not been met. This is not optional. A nonconformity without a referenced requirement is just an opinion. The requirement can come from the ISO standard itself, a documented procedure, a contractual obligation, or a legal requirement. Whatever the source, name it precisely.

For example, do not write "the organisation does not control its documents properly." Write "ISO 9001:2015 Clause 7.5.3(b) requires that documented information of external origin be identified and controlled. The organisation has not established a method for identifying or controlling externally sourced technical specifications used in production."

2. The Objective Evidence

This is the most critical element and the one most often handled poorly. Objective evidence is specific, verifiable, and factual. It is not a general impression, not a summary of what someone told you, and not a conclusion dressed up as evidence.

Good objective evidence includes document references with version numbers, record identifiers, names of personnel interviewed and what they said, physical observations with location and date, and system screenshots or data outputs. The test is simple: could another auditor walk in with your notes and verify the same finding independently? If yes, your evidence is solid. If no, keep digging.

3. The Statement of Nonconformity

This is the finding itself, written as a clear declarative statement. It should describe what was found, not what should have been found. Avoid prescriptive language that tells the organisation what to do. Your job is to identify the gap, not design the solution.

Compare these two versions.

Weak: "The organisation needs to improve its training records."

Strong: "Training records for three of five warehouse operators (Employee IDs W03, W07, W12) do not include evidence of competency assessment for forklift operation, contrary to the organisation's own Procedure WH-04 Revision 2, which requires documented evidence of competency assessment prior to unsupervised operation."

The second version is specific, referenced, and defensible. The first version is a recommendation dressed up as a finding.

4. The Classification

Classify the finding as major or minor. A major nonconformity indicates a systematic failure or a complete absence of a required element that puts the management system or its intended outcomes at significant risk. A minor nonconformity is an isolated or partial failure that does not undermine the system as a whole. Getting this classification right matters because it determines the corrective action timeline and, in a certification context, whether the certificate can be recommended.

If you want to go deeper on this distinction, the article "Grading Nonconformities: Major, Minor and the Grey Zone" covers the decision criteria in detail.

Writing the Objective Evidence Section

Most weak nonconformities fail at the evidence stage. Here is a practical approach to building evidence that stands up.

Be Specific About What You Sampled

Always record what you looked at, not just what you found. If you reviewed ten calibration records and three were non-compliant, say so. If you interviewed four people and two could not describe the emergency procedure, name the roles and the specific question you asked. Sampling context matters because it establishes the scope of the finding and protects you if the auditee later claims the sample was unrepresentative.

For example: "A sample of ten calibration records was reviewed for the period January to June 2025. Records for Instruments INS-004 and INS-009 contained no evidence of calibration having been performed within the required 12 month interval. The last recorded calibration date for INS-004 was March 2023."

That is a finding you can defend. It is dated, referenced, and specific.

Record What You Observed, Not What You Concluded

There is a critical difference between observation and conclusion. "The procedure was not followed" is a conclusion. "The work order for Job 4471 dated 14 May 2025 does not contain the supervisor sign-off required by Procedure MN-07 Step 4" is an observation. Write observations. Let the evidence lead to the conclusion naturally.

Avoid Hearsay as Primary Evidence

What someone told you during an interview can support a finding, but it should rarely be the only evidence. If a process owner tells you that calibration records are not being kept, follow that up with a direct review of the records. Verbal statements are useful for direction but they are weak as standalone evidence, particularly when the auditee later disputes what was said.

Common Writing Mistakes That Undermine Findings

Vague Language

Words like "sometimes", "occasionally", "appears to", "may not", and "it seems that" all weaken a finding. If you are not certain enough to write it as a definitive statement, you need more evidence. Qualified language invites the auditee to argue that the exception you found was just that, an exception, rather than a systemic issue.

Combining Multiple Issues into One Finding

This is a common trap. You find three related problems and bundle them into one nonconformity because they all seem to relate to document control. The result is a finding that is hard to close, hard to assign root cause to, and easy to partially address. Separate findings are cleaner, more actionable, and easier to verify at follow up.

Writing Conclusions Instead of Findings

A nonconformity is not a verdict. It is a documented gap between a requirement and what was observed. Avoid language like "the organisation has failed to implement an adequate system" or "management has clearly not prioritised this area". These are judgements. Stick to what you found, where you found it, and what requirement it does not meet.

Referencing the Wrong Clause

This happens more than you would expect, particularly with internal auditors who are still building their knowledge of the standard. A nonconformity referenced against the wrong clause will be challenged, and rightly so. If the evidence points to a training gap, that is a Clause 7.2 issue, not a Clause 7.5 issue. Take the time to verify the clause reference before you finalise the finding.

The article "What Is an Audit Finding vs Observation vs Nonconformity?" is a useful reference if you are still working through these distinctions.

A Practical Template for Writing Nonconformities

Use this structure as your default format. It forces you to be specific and ensures all four elements are present.

  • Requirement: State the clause and the specific obligation. For example, ISO 45001:2018 Clause 6.1.2.1 requires the organisation to have a process for ongoing hazard identification.
  • Objective Evidence: Describe what you reviewed and what you found. Include document references, record identifiers, dates, and personnel roles where relevant.
  • Statement of Nonconformity: Write a single clear sentence that names the gap. Start with what was found, not what was missing.
  • Classification: State whether this is a major or minor nonconformity and provide a brief rationale if the classification is not obvious.

Here is a worked example for an ISO 45001 audit.

Requirement: ISO 45001:2018 Clause 6.1.2.1 requires the organisation to implement a proactive process for ongoing hazard identification that includes routine and non-routine activities.

Objective Evidence: The hazard register (Document OHS-REG-01, Revision 4, dated March 2024) was reviewed. The register contains 22 hazards identified during the initial system implementation. Interview with the WHS Manager (conducted 10 June 2025) confirmed that no hazard identification activities have been conducted since the register was created. Review of meeting minutes for the period January to June 2025 found no evidence of hazard identification being conducted or reviewed during toolbox talks, pre-start meetings, or management reviews.

Statement of Nonconformity: The organisation has not implemented an ongoing hazard identification process. The hazard register has not been updated since March 2024 and there is no evidence of hazard identification activities having occurred in the 15 months since that date.

Classification: Major. The absence of ongoing hazard identification represents a systemic failure of a core OH&S planning requirement, not an isolated lapse.

Presenting and Defending Your Findings

Even a well-written nonconformity can be challenged during a closing meeting. The best defence is preparation. Before you present, make sure your evidence notes are organised and you can locate the specific records you referenced. If an auditee disputes a finding, do not argue. Return to the evidence. Ask them to show you the record that demonstrates conformity. If they can, withdraw the finding gracefully. If they cannot, the finding stands.

Avoid the temptation to soften findings under social pressure. A lead auditor who rewrites a major as a minor because the auditee is upset is not doing anyone a favour. The organisation needs accurate findings to drive real improvement. Your credibility as an auditor depends on your findings being consistent and evidence based, regardless of the reaction they generate.

One practical tip: read your nonconformity statement aloud before you present it. If it sounds accusatory, imprecise, or unclear when spoken, revise it. The closing meeting is not the time to discover that your language is ambiguous.

Writing Nonconformities for Internal Versus External Audits

The standard of evidence required is the same whether you are conducting an internal audit or a third party certification audit. The difference is in the consequences and the audience.

For internal audits, your audience is management and the process owners responsible for corrective action. Write with enough detail that someone unfamiliar with the audit can understand exactly what was found and where. Internal nonconformities that are vague tend to generate vague corrective actions. The more precise your finding, the more targeted the response.

For external audits, your findings may be reviewed by the certification body's technical reviewer, the accreditation body, or the auditee's legal team in a dispute. The standard of precision needs to be high enough to withstand that level of scrutiny. Reference every document by its identifier and version. Record every interview with the role title and date. Leave no room for the finding to be reinterpreted.

If you are building your skills in this area, the article "Writing Nonconformance Reports That Actually Drive Change" covers the corrective action side of the equation in detail.

When Evidence Is Incomplete

Sometimes you identify a strong indicator of a problem but cannot gather enough evidence during the audit to write a clean nonconformity. In this situation, you have two options.

First, widen your sample. If two records look problematic, review five more before you close the session. Often the additional evidence either confirms the finding or reveals that it was an isolated exception rather than a systemic issue.

Second, if time does not allow for additional sampling, raise the issue as an observation or opportunity for improvement rather than a nonconformity. This is the honest approach. A nonconformity without sufficient evidence is not a nonconformity. It is a suspicion, and writing it up as a finding is a professional integrity issue. Document what you observed, note the limitation of your sample, and recommend that the area be included in the next audit cycle.

Building This Skill Through Practice

Writing nonconformities well is a skill, and like all audit skills it improves with deliberate practice and feedback. The most effective way to develop it is to write a draft finding immediately after each audit session, then review it against the four elements before you finalise it. Over time, the structure becomes automatic.

Peer review is also valuable. If you are working as part of an audit team, exchange draft findings with your colleagues before the closing meeting. A second set of eyes will catch vague language, missing references, and classification errors that you may have missed.

If you want structured training on this skill, the Lead Auditor courses at Audit Workshop include practical exercises in writing and defending nonconformities, with feedback from an experienced auditor who has raised findings across hundreds of real certification audits. The internal auditor courses cover the same writing principles at a level appropriate for those conducting internal programmes. Both are available as live virtual or self-paced options, so you can fit the training around your work schedule.

Frequently Asked Questions

A major nonconformity indicates a systematic failure, a complete absence of a required element, or a situation that puts the management system's intended outcomes at significant risk. A minor nonconformity is an isolated or partial failure that does not undermine the overall system. In a certification audit context, a major nonconformity typically prevents the certificate from being recommended until it is closed, while a minor nonconformity can usually be closed through documented corrective action within an agreed timeframe.