Exemplar Global certified courses from USD 99. Save while it lasts. Enrol today.
Internal Audits

What Happens When an Internal Audit Finds a Major Nonconformity?

AW

Team @ Audit Workshop

Internal Audits13 min read
What Happens When an Internal Audit Finds a Major Nonconformity?

Discovering a major nonconformity during an internal audit is one of those moments that separates competent auditors from those who fumble the response. The finding is already made. The evidence is documented. Now comes the harder part: managing the fallout, triggering the right corrective actions, and ensuring the organisation actually fixes the root cause rather than just papering over the symptom. This article walks through what happens next, what your organisation must do, and how to handle the situation in ways that strengthen rather than damage your management system.

Understanding What Constitutes a Major Nonconformity

Before discussing what happens after discovery, you need clarity on what qualifies as major. ISO standards themselves do not define "major" and "minor" nonconformities. That distinction belongs to your organisation and your auditors. However, the consensus in auditing circles is consistent: a major nonconformity represents a significant failure or absence of a requirement from the ISO standard that either directly impacts the management system's ability to function or poses a credible risk to the organisation's objectives.

Practical examples help here. An ISO 9001 organisation that has no evidence whatsoever of management review occurring for six months has a major nonconformity because management review is a foundational requirement. A manufacturing facility with no documented procedure for handling customer complaints in an ISO 9001 system is major. An ISO 14001 organisation that cannot demonstrate it has identified any environmental aspects in a particular operational area is major because that identification is a mandatory step in the system. By contrast, a procedure that exists but lacks one required signature line, or training records that are missing dates but otherwise complete, would typically be minor.

The distinction matters because your response will differ significantly. A major nonconformity demands escalation, rigorous investigation, and systematic correction. A minor nonconformity requires attention but allows more flexibility in the response timeframe and corrective action approach.

Become a certified ISO auditor
Globally recognised auditor training — Foundation, Internal Auditor and Lead Auditor — self-paced online with a shareable certificate.
Explore Courses
Exemplar Global Recognised Training ProviderRecognised Training ProviderRTP No. 310970

Immediate Reporting and Communication

Once a major nonconformity is identified, the auditor must report it formally before or at the closing meeting of the audit. Suppressing it, downgrading it, or sitting on the finding until after the audit is complete is a breach of auditing integrity. The auditee (the organisation being audited) has a right to know immediately what has been found.

For internal audits, this typically happens in a closing meeting or closing discussion. The auditor should present the nonconformity clearly, explaining the requirement that has not been met, the evidence observed, and why it qualifies as major. This is not the moment for ambiguous language or hedging. Use direct statements: "There is no documented procedure for [requirement]. This is a breach of [clause number]." Avoid softening language like "possibly" or "it appears." The evidence either supports the finding or it does not.

The internal auditor should expect questions and clarification requests. The auditee's management may dispute the classification. They may argue that the requirement is being met in an undocumented way or that circumstances mitigate the finding. Listen to these arguments, but do not change your classification simply because the auditee objects. If you are confident in your evidence and your interpretation of the standard, stand firm. If the auditee raises a legitimate point that you had not considered, take note and discuss with your audit manager or quality manager. However, do not downgrade a major nonconformity to minor simply to avoid friction.

Immediately after the closing meeting or within the next working day, provide a written summary of the nonconformity. This summary should include the audit date, the standard clause involved, a clear description of what is missing or non compliant, the evidence gathered, and the assessment of major status. This document becomes part of the audit trail and will inform the corrective action process.

Escalation and Management Review

A major nonconformity triggers formal escalation within the organisation. In most ISO managed companies, the quality manager, operations manager, or equivalent receives immediate notification. The finding is not treated as a routine audit item to be logged and forgotten. It goes into the management system's issues register or corrective action system with high priority.

In many organisations, a major nonconformity also triggers discussion at the next management review meeting. ISO 9001 clause 9.3 specifically requires that the results of internal audits are considered as input to management review. This does not mean every finding goes to management review, but major nonconformities absolutely do. The leadership team needs to understand what has failed and what the implications are.

This is also the point at which the organisation's management decides whether the major nonconformity is so serious that it threatens certification status or the integrity of the management system. A certified organisation with a major nonconformity that has existed undetected for months may face questions about whether certification should be suspended. An organisation pursuing certification that has a major nonconformity will not be certified until that nonconformity is closed and verified.

Escalation does not mean panic. It means the finding receives attention from the right people with the authority to investigate, allocate resources, and approve corrective actions. Managing corrective actions after an ISO audit requires a structured approach, and that process begins here with proper escalation.

Root Cause Analysis and Investigation

The organisation must now conduct a root cause analysis. This is mandatory under ISO 9001 clause 8.5.2 and similar requirements in ISO 14001 and ISO 45001. The purpose is not to explain away the nonconformity but to understand why it occurred in the first place. If you simply implement a surface level fix without addressing the root cause, the nonconformity will likely recur.

A proper root cause analysis typically involves asking "why" multiple times. For example, if a procedure is missing, why does it not exist? Was it never written? Was it written but lost? Did someone assume it was not needed? Were there resource constraints? Was there a miscommunication about responsibility? Each answer might reveal a deeper issue. Perhaps the responsibility matrix is unclear and nobody believed they owned the procedure. Perhaps there was a gap in the induction process for new staff who should have known to create the procedure. Perhaps there is a cultural issue where procedures are written but not maintained as the business evolves.

Root cause analysis should involve the people closest to the work, not just management directives from above. If the nonconformity relates to a production process, speak with the people running that process. They often know exactly why the requirement is not being met. The investigation should also consider whether the issue is isolated to one area or whether it indicates a systemic problem across the organisation.

Document the root cause analysis formally. Record the investigative steps taken, who was interviewed, what was reviewed, and what was concluded about the root cause or causes. This documentation becomes evidence that a genuine investigation occurred and is essential when the auditor comes back to verify that the corrective action has been effective.

Developing and Approving Corrective Actions

Once the root cause is understood, the organisation develops corrective actions designed to eliminate that root cause and prevent recurrence. This is different from a quick fix. A quick fix might mean creating a missing procedure within a week. A corrective action might involve creating the procedure, training all relevant staff, revising the responsibility matrix, updating the induction program, and implementing a quarterly procedure review cycle to ensure procedures remain current.

Corrective actions should be documented in detail. A good corrective action record includes the nonconformity reference, the root cause, the corrective action (what will be done), who is responsible for implementation, the deadline, and what evidence will demonstrate that the action has been completed. Some organisations also require a statement of how the action addresses the root cause, ensuring that the corrective action is not a tangent.

For a major nonconformity, corrective actions are approved by senior management or the quality management committee, not just delegated to an administrator. The approval step confirms that management understands the issue and commits resources to fixing it. Without this approval step, corrective actions can stall when competing priorities emerge.

The timeline for corrective action implementation should be realistic but urgent. A major nonconformity that relates to a missing procedure might be closed within two to three weeks. A nonconformity that requires process redesign or system changes might require eight to twelve weeks. However, the organisation should not use extended timelines as an excuse for slow progress. The corrective action plan should outline interim milestones, not just an end date.

Implementation and Evidence Gathering

Once approved, the corrective action must be implemented. This is where theory meets reality. The responsible individuals must actually do the work. For a missing procedure, this means writing the procedure, having it reviewed for clarity and accuracy, obtaining necessary approvals, and communicating it to all staff who need to follow it. For a process issue, it means making the operational changes, ensuring staff understand the new approach, and monitoring compliance initially.

The organisation should gather evidence during implementation, not just after. If the corrective action involves training, maintain training records showing who was trained, what was covered, and when. If it involves implementing a new procedure, keep the draft versions, approval emails, communication records, and evidence of staff acknowledgment. If it involves monitoring or measurement, collect the actual monitoring data. This evidence will be reviewed during the verification audit.

Implementation should be visible. If the corrective action is being delayed or stalled, the responsible individual should alert management immediately rather than waiting until the verification audit and having to admit the action is not complete. Many organisations benefit from a simple tracking system or dashboard that shows the status of all corrective actions, making delays visible to leadership.

Verification and Auditor Sign Off

The organisation cannot simply declare that the corrective action is complete and move on. The nonconformity must be verified closed by the auditor or someone in an independent audit role. This verification step is critical because it introduces objectivity. The person who implemented the corrective action is not the best judge of whether it worked.

Writing nonconformance reports that actually drive change requires clear acceptance criteria at the outset, and those criteria should be established in the original nonconformity report or in the corrective action plan. The verification should check that those criteria have been met.

For a missing procedure, verification means confirming that the procedure exists, has been approved, is accessible to relevant staff, and is actually being followed in practice. It is not enough to check the document exists on the server. The auditor should observe work, interview staff, and confirm that the procedure is genuinely embedded in operations. If the procedure exists but nobody is using it, the corrective action has failed.

Verification may be conducted during a follow up audit, a surveillance audit (for certified organisations), or a formal verification meeting. The method depends on your organisation's practices and the nature of the corrective action. Complex actions might warrant a dedicated verification audit. Simple actions might be verified during the next scheduled internal audit or through a desk review supported by interview.

Once verified, the auditor signs off on the nonconformity closure. This means formally documenting that the nonconformity has been addressed and that there is reasonable confidence it will not recur. The organisation then updates its nonconformity register, archives the corrective action file, and incorporates any lessons learned into the broader management system.

Communicating the Finding and Response to Interested Parties

Depending on the nature of the nonconformity, the organisation may need to communicate the finding to external parties. For certified organisations, if a major nonconformity exists at the time of a surveillance audit, it will be documented by the certification body and may be communicated to customers or stakeholders depending on contractual obligations or industry practice.

Some industries require notification of regulatory bodies if certain types of nonconformities occur. For example, a medical device manufacturer with a major nonconformity in process validation might be obliged to notify the regulator. A food manufacturer with a major food safety nonconformity might face regulatory reporting requirements. Organisations should understand their specific regulatory obligations.

Internally, transparency matters. Staff should understand what the nonconformity was, why it mattered, and what corrective action was taken. This reinforces the importance of the management system and shows that nonconformities are treated seriously. Many organisations include major nonconformities and their closure in internal newsletters, team briefings, or management review presentations.

Preventing Future Major Nonconformities

The final step is using the experience to prevent similar nonconformities in the future. How to plan an internal audit programme involves identifying risk areas where major nonconformities are most likely to occur, and a major finding reveals one such area.

Consider whether the root cause indicates a systemic weakness in your management system. If the issue was a missing procedure, does your organisation have a process for identifying when procedures are needed? If the issue was failure to follow a procedure, does your training and induction program adequately cover that procedure? If the issue was ineffective management review, does your management review meeting structure allow for adequate scrutiny of system performance?

Use the nonconformity as input to management review and as a basis for preventive actions. A preventive action differs from a corrective action in that it addresses something that has not yet failed. For example, if one procedure was missing and a corrective action was developed to create it, a preventive action might be to conduct a comprehensive audit of all required procedures across the organisation to identify others that might be missing before they are found in an audit.

Review your internal audit schedule and scope. If the major nonconformity existed for an extended period before being found, perhaps the audit frequency or depth in that area was insufficient. Adjust the audit plan accordingly. If the nonconformity relates to a high risk process, ensure that process is audited annually or more frequently going forward.

Audit Workshop offers accredited ISO Internal Auditor training that covers internal audit planning, execution, and reporting in depth. Our courses are recognised by Exemplar Global and designed for working professionals who need practical skills they can apply immediately.

Frequently Asked Questions

There is no universal standard timeframe. ISO standards require that corrective actions be effective and timely, but do not specify "days" or "weeks". For a certified organisation, if a major nonconformity is found during a surveillance audit, the certification body will specify a timeframe for closure, typically 30 to 90 days depending on the severity and the body's policies. For internal audits, the organisation sets the timeline based on the complexity of the corrective action. A procedure that needs to be written might be closable in two to four weeks. A process redesign might require two to three months. The key is that the timeline is realistic, documented, and met. Extensions should be rare and require management approval.
Start Learning

Ready to Build Real Audit Skills?

Join practitioners training with ISO auditors who've conducted 500+ external certification audits.

ISO 9001:2015 Lead Auditor Training Course
  • Lead Auditor
  • Self-Paced Online
  • Exemplar Global
  • USD 199USD 789
ISO 45001:2018 Lead Auditor Training Course
  • Lead Auditor
  • Self-Paced Online
  • Exemplar Global
  • USD 199USD 789
ISO 14001:2026 Lead Auditor Training Course
  • Lead Auditor
  • Self-Paced Online
  • Exemplar Global
  • USD 199USD 789
Exemplar Global Recognised Training Provider digital badge

Audit Workshop is an Exemplar Global Recognised Training Provider

Globally Recognised, Certified Training

Pass an Exemplar Global Certified course and you earn a Certificate of Attainment and an Exemplar Global digital badge. Audit Workshop graduates can apply for third-party Personnel Certification through Exemplar Global.

  • 12 months of Graduate certification
  • Access to Exemplar Global Community
  • Access to self-coaching assessment
  • Access to webinars, events, and online resources
Learn Anytime

No fixed schedule. Start, pause, and pick up exactly where you left off.

Instant Certificate

Download your digital certificate the moment you complete the course.

Practical Content

Every lesson is built from real-world ISO auditing experience.

Lifetime Access

Course materials are yours to keep and revisit long after you complete.