One of the most persistent sources of confusion in ISO audit practice is distinguishing between an audit finding, an observation, and a nonconformity. Auditors, auditees, and quality managers routinely conflate these three categories, leading to inconsistent audit reporting, unclear corrective action priorities, and wasted management effort on low value issues. The distinction matters because it determines how the organisation responds, what evidence must be gathered, and ultimately whether the audit delivers genuine value. Understanding these three categories precisely is fundamental to conducting effective audits and managing system improvement properly.
On this page
Defining the Core Distinction
The three terms occupy different positions on a spectrum of audit findings. A finding is the broadest category: it is any factual observation an auditor identifies during an audit. An observation is a specific type of finding that identifies an area where the management system could be strengthened, but where no breach of the standard or documented procedures has occurred. A nonconformity is a finding that demonstrates failure to meet an explicit requirement of the ISO standard or the organisation's own documented procedures.
The distinction is not semantic. It shapes the audit report, the urgency of corrective action, the involvement of management, and whether certification bodies will consider the organisation compliant. Getting this classification wrong undermines the entire audit process. An auditor who reports minor system improvements as nonconformities creates alarm and diverts resources from genuine compliance gaps. Conversely, an auditor who downgrades a true nonconformity to an observation masks a serious control failure and compromises system integrity.
Understanding Observations
An observation documents something the auditor noticed during the audit that points to an opportunity for system improvement, but which does not constitute non compliance with the standard or procedures. Observations are constructive feedback that the organisation could choose to act on, but they are not mandatory corrections for compliance.
Consider a practical example. An ISO 9001 organisation has a documented procedure requiring all production non conformances to be recorded on a template within four hours of discovery. During an internal audit, the auditor reviews 30 production records over the past month. Twenty eight conform to the requirement. Two cases were recorded within eight hours. The procedure was not followed precisely, but the organisation's own data shows the non conformances were identified and addressed the same working day, before customer delivery, and the root cause analysis was completed within the required timeframe. This is a weak control, but not a failure to comply with the documented procedure if the procedure has no enforcement mechanism or if minor deviations within one working day are de facto acceptable in practice.
The auditor might observe: "Production non conformances are generally recorded promptly, but the timing of two records in the past month exceeded the four hour requirement. The organisation could strengthen this control by implementing a system alert or reminder for supervisors." This is an observation. The organisation is not required to take corrective action, but management can decide whether the recommendation adds value.
Observations are also used to flag positive findings or good practices the auditor has identified. These are sometimes called positive observations or opportunities for excellence. For example: "The supplier quality assessment programme now includes on site verification visits. This enhancement strengthens supplier oversight significantly and is a practice worth documenting in the procedure." This type of observation acknowledges strengths and encourages the organisation to maintain or build on them.
The key characteristic of an observation is that it does not demand corrective action for compliance purposes. Management can prioritise observations alongside other business initiatives and decide whether the investment in corrective action is justified. However, a pattern of observations in the same area, or an observation that points to systemic weakness, should alert management that a more serious nonconformity may emerge if the trend continues.
Understanding Nonconformities
A nonconformity is a failure to meet a requirement. It can be either a failure to meet the ISO standard itself, or a failure to meet the organisation's own documented procedures, which must comply with the standard. Nonconformities are mandatory to correct. They indicate a control failure that compromises system effectiveness and must be addressed through corrective action.
Nonconformities are further classified as major or minor. A major nonconformity is a failure that has the potential to result in non compliance with the standard or the organisation's ability to achieve its stated objectives. A minor nonconformity is an isolated or less significant failure that does not directly affect the organisation's ability to meet the standard. Certification bodies distinguish between major and minor nonconformities because the remediation pathway differs. A major nonconformity found during a certification audit may prevent certification or require re audit. A minor nonconformity can typically be corrected and verified through documentation review.
Return to the production non conformance example, but with different facts. The ISO 9001 procedure requires all production non conformances to be recorded on the designated template within four hours of discovery. During the audit, the auditor identifies that five non conformances in the past two months were not recorded in any form until six to ten days after they occurred. The organisation has no documented exception process. When asked about the delays, the supervisor states that he was busy and forgot to document them immediately. One of these delayed non conformances involved a product that had already been delivered to a customer. This is a clear nonconformity. The documented procedure was not followed, no evidence of a control system to ensure compliance exists, and the failure resulted in a delivery that was not captured in the non conformance system.
Whether this is classified as major or minor depends on context. If the unrecorded non conformance could have resulted in customer harm or regulatory non compliance, it is major. If the product was later identified as acceptable and the non conformance was operational rather than quality critical, it may be classified as minor. But it is unquestionably a nonconformity requiring corrective action.
The key characteristics of a nonconformity are clear: there is a requirement (standard or procedure), the evidence shows it was not met, and the failure must be corrected through formal corrective action with documented evidence of implementation and verification.
The Role of Documented Procedures
An important principle: a nonconformity can arise from failure to follow the standard itself, or from failure to follow the organisation's own procedures. This is why organisations must ensure their documented procedures actually comply with the standard. If a procedure is itself non compliant with the ISO requirement, then following that procedure does not exempt the organisation from the standard requirement. Both the procedure and the evidence of compliance must align with the standard.
Conversely, if the procedure is compliant with the standard and an employee simply fails to follow it, that is a nonconformity against the organisation's own system. The auditor does not need to prove the failure also violates the standard directly; the breach of the documented procedure is sufficient.
This distinction is critical for writing effective nonconformity reports that drive actual corrective action. The auditor must be precise about whether the nonconformity is against the standard requirement or the documented procedure, because the corrective action pathway differs. If the nonconformity is against the procedure, the organisation can correct it by ensuring compliance with that procedure. If the nonconformity is against the standard requirement, the organisation must either change the procedure or demonstrate why the current approach actually meets the standard through a different control mechanism.
Finding as the Umbrella Category
The term "finding" encompasses both observations and nonconformities. When an auditor gathers evidence and identifies something noteworthy, that is a finding. The auditor then classifies it as either an observation or a nonconformity. Not every finding requires corrective action; only nonconformities do.
In practice, some organisations and auditors use "finding" interchangeably with "nonconformity," which creates confusion. To maintain clarity, use "finding" as the broad category. A finding can be negative (nonconformity), neutral to positive (observation), or informational. An auditor might find that the organisation has exceeded a requirement or identified innovative controls that go beyond the standard. These are positive findings or observations, not nonconformities.
When planning an internal audit programme, organisations should clarify in their audit procedure or audit plan how findings will be classified and reported. This ensures consistency across auditors and prevents the confusion that arises when one auditor's observation is another auditor's nonconformity for the same situation.
Evidence Standards for Each Category
The level of evidence required differs by category. An observation requires sufficient evidence to demonstrate it is factual and relevant, but the standard of proof is straightforward. The auditor observed the situation directly or reviewed documentation showing the state of the system. The observation does not demand remediation, so a lower evidentiary threshold is appropriate.
A nonconformity requires robust evidence that directly shows the requirement was not met. The auditor must be able to point to the requirement (in the standard or the documented procedure) and provide clear evidence that it was breached. The evidence must be sufficient to withstand scrutiny from management and, if it is an external audit, from the certification body.
For example, suppose an ISO 9001 procedure requires that all customer contracts be reviewed for feasibility before acceptance. An auditor reviews ten recent customer contracts. Eight have a documented review and feasibility sign off. Two do not. The auditor asks the sales team why these two contracts lack documented review. The response is: "We know the customer well and knew we could deliver it, so we didn't think it needed formal review." This is evidence of a nonconformity because the requirement was not met and the organisation had no exception process documented. The auditor must document which contracts were missing the review and the dates they were entered into the system.
By contrast, suppose the auditor also observes during interviews that the sales team spends less than five minutes on the documented feasibility review for routine orders. The procedure specifies a review is required but does not specify how detailed it must be or how long it should take. The auditor notes this as an observation that the control might be more effective if the procedure clarified what constitutes an adequate review for different contract types. This observation is supported by evidence (interviews, observation of the five minute timeframe), but does not constitute a nonconformity because the requirement itself was technically met.
Practical Classification Scenarios
Consider three real audit scenarios to crystallise the distinction:
Scenario 1: The Missing Training Record
ISO 9001 requires documented evidence of competence for employees in quality critical roles. An internal audit of the production department identifies that one recent hire completed the required induction training but no record of the training date, trainer name, or competency sign off exists. The training occurred, based on witness interviews, but was not documented. This is a nonconformity because the documented evidence requirement was not met, even though the training itself occurred. The organisation must generate the missing record or conduct re training with documented evidence. If multiple employees lack training records, this becomes a major nonconformity indicating a systemic control failure.
Scenario 2: The Procedural Deviation That Causes No Harm
ISO 14001 requires that environmental incidents and non conformances be recorded and investigated. The procedure specifies incidents must be reported to the environmental manager within 24 hours. An incident occurred 48 hours before it was reported because the employee involved did not notice the incident until later. When discovered, it was immediately reported and investigated. The requirement was not met (the 24 hour deadline was breached), but the organisation detected and managed the non conformance through its other controls. This is a minor nonconformity because the procedure was not followed, but the organisation should still correct it by reinforcing the reporting requirement or adjusting the deadline if 24 hours is unrealistic. However, it is still a nonconformity, not an observation, because the documented procedure was not met.
Scenario 3: The Strengthening Opportunity
An ISO 45001 audit identifies that incident investigation records are being completed but contain minimal detail about the underlying causes. The procedure requires investigation of "root causes," and the records do show some causal analysis. However, the investigations are often limited to the immediate cause (e.g., "worker did not see the hazard") rather than systemic causes (e.g., "hazard signage is unclear in high glare conditions; communication process during shift change did not ensure all workers were briefed on the temporary hazard"). The requirement is technically being met (investigation is occurring), but the investigation quality is poor and may miss systemic hazards that could affect other workers. This is an observation that the organisation should enhance investigation depth, not a nonconformity, because the requirement for investigation is being satisfied. Management can decide whether deeper investigation is justified by the potential risk reduction.
How External Auditors Classify Findings
Certification auditors follow similar logic but must also consider the implications for certification status. During a certification audit or surveillance audit, an external auditor will classify findings as nonconformities (major or minor) or observations. Major nonconformities typically prevent certification or require re audit. Minor nonconformities can be addressed post audit and verified through documentation. Observations are noted but do not affect certification eligibility.
External auditors are more conservative than internal auditors in classification. If there is ambiguity about whether something is a nonconformity, external auditors tend to classify it as such because their role is to verify compliance against the standard. Internal auditors can be more flexible because they understand the organisation's context and can discuss with management whether something represents a genuine control failure or a minor deviation from procedure that the organisation consciously accepts.
When preparing for an external audit, organisations should understand that external auditors will apply stricter evidentiary standards and stricter classification thresholds. An issue that an internal auditor might accept as an observation could be classified as a nonconformity by an external auditor. This is another reason why internal audit must be rigorous: it identifies issues before the certification body does.
The Importance of Audit Evidence
Accurate classification hinges entirely on quality audit evidence. An auditor cannot classify something as a nonconformity without documented evidence that the requirement was not met. Likewise, an auditor cannot classify something as an observation without clear evidence that something noteworthy exists. Gathering audit evidence that stands up to scrutiny requires understanding what evidence is relevant, sufficient, and reliable for each classification decision.
Relevant evidence directly addresses the requirement or the observation being made. Sufficient evidence is enough to support the conclusion without ambiguity. Reliable evidence is verifiable, documented, and free from bias. An auditor who gathers evidence poorly will misclassify findings. For example, if an auditor asks a single employee whether a procedure is being followed and bases a nonconformity on that one opinion, the evidence is not sufficient. The auditor must verify the claim through multiple sources: documentation, observations, and interviews with different people in different roles.
Recording and Reporting Findings
The audit report must clearly distinguish between observations and nonconformities. Many organisations use an audit report template or system that captures this classification explicitly. The report should include:
- The requirement (from the standard or the documented procedure)
- The evidence gathered (what the auditor found)
- The classification (observation or nonconformity)
- If a nonconformity: major or minor classification
- If a nonconformity: the specific clause or requirement breached
- A clear description of the finding that is factual and not accusatory
The report should avoid language that mixes classification categories. For example, do not write "This is a minor observation of a nonconformity." Either it is an observation or a nonconformity. Also avoid vague language like "needs improvement" without specifying whether the current state actually breaches a requirement. "Needs improvement" often masks a classification decision that the auditor has not made clearly.
Well written audit reports will benefit the auditor, the organisation, and any external reviewer. The organisation can act decisively on nonconformities and prioritise observations appropriately. Management knows exactly what must be fixed for compliance and what is discretionary. If the certification body reviews the audit report later, it can verify that the auditor has applied consistent classification logic.
Corrective Action Implications
Classification of findings directly determines corrective action requirements. A nonconformity requires a corrective action plan that includes: identification of the root cause, the corrective action to be taken, the person responsible, the target completion date, evidence of implementation, and verification that the nonconformity has been resolved. Many organisations require that nonconformities be tracked in a corrective action register and reviewed at management review.
An observation does not mandate corrective action, but the organisation should decide whether to treat it as a management improvement initiative. Some observations are genuinely valuable and warrant action. Others may be lower priority or require further analysis before action is justified. The key is that management makes an active decision rather than ignoring observations or treating them as informal feedback.
When an external audit identifies a nonconformity, the certification body will require evidence of corrective action before the organisation can be certified or recertified. When an internal audit identifies a nonconformity, the organisation must correct it to maintain system integrity and to be ready for external audit. This is why internal auditors should not downgrade genuine nonconformities to observations; doing so defers a necessary correction and increases the risk that the certification audit will identify the same issue.
Common Classification Errors
Auditors commonly misclassify findings in several ways. The most frequent error is upgrading an observation to a nonconformity without sufficient evidence. For example, an auditor might observe that a document revision process seems slow or that management review meetings lack detailed discussion of certain topics. Without evidence that the procedure itself is not being followed or that the ISO requirement is not being met, these observations should not be classified as nonconformities. The auditor is making an assumption that the current state is inadequate without evidence of non compliance.
The opposite error is downgrading a nonconformity to an observation to avoid seeming harsh or to appease the auditee. An auditor might find that a documented procedure is not being followed, but feels that the outcome is acceptable and does not report it as a nonconformity. This is inappropriate. If the procedure is not being followed and there is no documented exception process, it is a nonconformity regardless of whether the outcome happened to be acceptable.
A third error is confusing a nonconformity with the root cause or corrective action. For example, an auditor might find that a procedure is not being followed because staff were not trained. The finding is the nonconformity (procedure not followed). The root cause is lack of training. The corrective action is to provide training and verify compliance. The auditor should not classify the lack of training as the nonconformity itself; that would be speculating about the cause before the organisation has investigated.
Classification Across ISO Standards
The same classification principles apply across all ISO standards. ISO 9001, ISO 14001, ISO 45001, and other management system standards all require auditors to identify whether a finding is an observation or a nonconformity based on whether a requirement has been met. The specific requirements differ by standard, but the logic of classification remains identical.
For example, under ISO 9001, a nonconformity might involve failure to control customer data. Under ISO 14001, it might involve failure to manage environmental aspects. Under ISO 45001, it might involve failure to assess hazards. But in each case, the auditor is asking the same question: Does the evidence show that a documented requirement was not met?
Understanding this universal principle makes it easier to transition between standards. An auditor trained in ISO 9001 classification logic can apply the same reasoning to ISO 14001 or ISO 45001. The standards change, but the classification framework remains consistent.
Audit Workshop offers accredited ISO auditor training at Foundation, Internal Auditor, and Lead Auditor levels for ISO 9001, ISO 14001, and ISO 45001. Our courses are Exemplar Global recognised and include practical exercises, case studies, and assessment support.








