A nonconformance report that sits in a filing cabinet or gathers digital dust serves no one. Yet many organisations find themselves in exactly this situation: they invest time and money in internal audits, auditors identify genuine gaps, but the resulting nonconformance reports trigger minimal action and even less sustained change. The disconnect between identifying problems and actually fixing them costs organisations dearly in wasted compliance effort, repeated audit findings, and deteriorating system effectiveness. The difference lies not in what you find during an audit, but in how you document it.
Writing a nonconformance report that drives real change requires a fundamentally different approach from writing one that simply fulfils procedural requirements. It means understanding that the report is not primarily for the auditor or even for compliance documentation. It is a communication tool designed to compel action from the people who control resources, make decisions, and execute corrective measures. When you write with this purpose in mind, your report structure, language, evidence presentation, and tone all shift.
Understanding Why Most Nonconformance Reports Fail
Before exploring what works, it is worth understanding why so many reports fail to drive change. The most common problem is a complete disconnect between finding and context. An auditor discovers that preventive maintenance records for critical equipment are incomplete, documents this as a nonconformity, and files the report. The equipment owner sees a compliance tick box. No one connects the finding to the actual business risk: unscheduled downtime, production delays, customer impact. Without that connection, the finding becomes someone else's problem to fix on their own time.
A second failure point occurs when the nonconformance report lacks sufficient specificity. Reporting that "procedures are not being followed" tells management nothing about which procedures, in what circumstances, how frequently, or what the actual impact is. When faced with this vagueness, people either ignore it or interpret it through their own lens. The corrective action that results typically addresses the symptoms rather than the root cause, which means the same nonconformity surfaces again at the next audit.
The third common failure involves presenting facts without interpretation. An auditor observes that three out of eight calibration certificates on file are expired. They document this as a nonconformity and move on. But they do not explain what this means: that measurements made using uncalibrated equipment may be invalid, that test reports based on those measurements cannot be trusted, and that the organisation has potentially released nonconforming product to customers. This contextual information is not a luxury. It is essential for generating the sense of urgency that motivates action.
Finally, many nonconformance reports fail because they do not actually prescribe a path forward. They identify what is wrong but assume that the auditee will figure out how to fix it. For complex systemic issues, this assumption is flawed. If the root cause involves inadequate resource allocation, unclear role definition, or systemic process weaknesses, the auditee needs guidance on where to start. The report that acknowledges this reality, even if it does not prescribe a solution, is more likely to trigger genuine remediation.
The Anatomy of an Effective Nonconformance Report
An effective nonconformance report serves multiple audiences simultaneously. It documents a finding for compliance purposes, but it also sells the urgency of the issue to decision makers, provides enough detail for the auditee to understand what needs to change, and offers a framework for developing corrective actions. This requires careful attention to structure and content.
The Audit Evidence Section
This section forms the foundation of credibility. It must be specific, factual, and directly observable. Rather than writing "maintenance procedures are not being followed," describe exactly what you found: "During the audit, I reviewed the equipment maintenance log for the CNC lathe from January through August 2024. The log showed scheduled maintenance on 22 January and 15 April, but no entries for the intervening six months. The equipment manufacturer's manual specifies quarterly maintenance. I interviewed the maintenance technician, who stated that time constraints had prevented the intermediate maintenance tasks from being completed." This level of specificity does three things: it removes ambiguity about what you actually found, it allows the auditee to understand the exact scope of the issue, and it provides sufficient detail that a corrective action team can build on it.
When gathering evidence, document source materials carefully. Rather than saying "interviews indicated that quality records were not being retained," record which interviews, with whom, on what date, and what specific statements support your conclusion. This documentation serves you if the auditee disputes the finding, but more importantly, it demonstrates to decision makers that this is a reasoned conclusion based on collected evidence, not an auditor's opinion.
For systematic issues, statistical evidence carries weight. If you observe that 12 out of 45 required training certificates are absent from employee files, say so. If design input records are incomplete for three out of eight recent projects, document this precisely. Numbers make the issue visible in a way that narrative descriptions sometimes do not.
The Requirement Section
This section states which standard, procedure, or requirement has not been met. The mistake most auditors make here is stopping too early. Writing "ISO 9001:2015 Clause 8.3 requires design input to be documented" is accurate but incomplete. It does not explain why this requirement exists or what organisational risk emerges from nonconformance.
A stronger approach integrates the requirement with its purpose: "ISO 9001:2015 Clause 8.3 requires that design input be documented, reviewed, and approved before proceeding to design output. This requirement exists because design decisions made without documented input create risk of misaligned customer expectations, rework, and release of nonconforming product. The organisation's design input procedure (DP 4.2) requires that all design input be recorded in the design input register, including source and approval date."
This fuller statement accomplishes two things. First, it anchors the requirement in actual business consequence, not just compliance obligation. Second, it prevents the common excuse that "the standard requires it but our procedure is different." By linking standard, procedure, and purpose together, you close this loophole and make the finding more defensible.
The Finding Section
This is where you connect evidence to requirement. It is a simple statement of how the evidence shows that the requirement is not being met. The key here is brevity and clarity. Do not retell the entire evidence section. Instead, draw the line between what you found and what the requirement demands.
For the maintenance example: "The audit evidence shows that scheduled preventive maintenance has not been completed quarterly on the CNC lathe for the period reviewed. The maintenance manual and the organisation's maintenance procedure both require quarterly servicing. For six months of the eight-month audit period, no maintenance activities were recorded, which represents nonconformance to the requirement."
Notice the structure: this is what we found (no maintenance for six months), this is what is required (quarterly maintenance), therefore the requirement is not met. This format prevents ambiguity and makes it difficult for the auditee to misinterpret what you are saying.
The Business Impact Section
This is the section that drives change. It answers the question that matters most to decision makers: why should we care about this? What actually happens if we do not fix it? This is not opinion or speculation. It traces the logical consequence of nonconformance to a real business outcome.
Returning to the maintenance example: "Deferred preventive maintenance on critical production equipment increases the risk of unscheduled downtime. Over the audit period, the equipment logged one unplanned breakdown resulting in 14 hours of production loss. Maintenance records indicate that this breakdown was related to deterioration of a bearing assembly that would have been replaced during preventive maintenance. Based on production rate and current customer demand, this single failure cost approximately $4800 in lost throughput. Continued nonconformance to preventive maintenance requirements will increase the frequency and severity of failures, potentially impacting on-time delivery and customer satisfaction."
Notice that this section does not exaggerate or speculate wildly. It uses actual data where available (the observed breakdown) and draws logical connections (what would preventive maintenance have prevented). It translates risk into language that resonates with management: production loss, customer impact, cost. This is what motivates corrective action.
For issues where financial impact is difficult to quantify, frame the consequence in terms that matter: product safety, regulatory exposure, customer satisfaction, or operational efficiency. The point is to move beyond "this does not comply" to "this matters because."
The Systemic Nature Section
One question that almost always matters to management is: is this an isolated incident or a systemic problem? An operator who failed to follow a procedure on one occasion is a training opportunity. A process design that makes the procedure unworkable is a systemic problem requiring resource reallocation. These call for very different corrective actions.
Your nonconformance report should address this explicitly. "During the audit, I reviewed maintenance logs for six pieces of critical equipment. Four of the six showed similar patterns of deferred preventive maintenance, indicating a systemic issue rather than isolated nonconformance. Interviews with the maintenance technician and production supervisors identified insufficient staffing during the audit period as the root cause. This suggests that the issue affects multiple assets and requires remediation at the systemic level, not just on the equipment audited."
This statement tells decision makers that this is not a one-off fix but something that needs proper resource commitment. It shapes expectations about what an adequate corrective action will entail.
Distinguishing Nonconformity Severity and Classification
Organisations use different terminology for nonconformance severity. Some use major and minor, others use critical, major, and minor. The terminology matters less than clarity about what distinguishes each category and transparency about which category applies to your finding.
A major nonconformity typically indicates that a key requirement of the standard is not being met, that systemic failure has occurred, or that the issue has potential for significant adverse business impact. A minor nonconformity might involve isolated nonconformance to a requirement, limited scope of issue, or lower risk consequence.
Your report should state clearly which classification you have assigned and the reasoning. "This finding is classified as a major nonconformity because: (1) the requirement affects a critical process (product design), (2) multiple projects show similar nonconformance rather than isolated instances, and (3) the consequence is potential release of nonconforming product." This clarity prevents disputes and sets expectations about corrective action scope.
Presenting Root Cause Observations
As an internal auditor, you may or may not have responsibility for identifying root causes. That responsibility often rests with the corrective action team. However, observations about possible root causes add significant value to your report, provided you present them as observations, not conclusions.
The distinction between audit findings and root cause analysis is important. Your job is to document what you found and whether it conforms to requirements. The auditee's job is to work backward from the finding to understand why it occurred. However, if your audit reveals clues about root cause, sharing these clues accelerates the corrective action process significantly.
Frame these observations carefully: "During interviews, the maintenance technician mentioned that scheduling preventive maintenance is difficult because production priorities often take precedence, and no clear mechanism exists for prioritising maintenance against production. This suggests that procedural awareness may not be the core issue, but rather systemic barriers to execution. Root cause analysis should explore whether policy, resource allocation, or process design is preventing conformance."
This approach provides a starting point for investigation without claiming to have done the investigation yourself. It respects the auditee's responsibility while contributing your perspective based on audit observations.
Language and Tone Matter More Than You Might Think
The language you use in a nonconformance report significantly influences how the auditee receives it. Accusatory language triggers defensiveness. Vague language triggers confusion. Dismissive language reduces engagement. The goal is neutral, factual language that creates no barriers to comprehension.
Compare these two versions of the same finding. Version 1: "Management has failed to ensure that preventive maintenance is performed on critical equipment. This is a serious compliance failure that puts the company at risk." Version 2: "The audit found that preventive maintenance scheduled for critical equipment was not completed during the review period. This nonconformance to the maintenance procedure creates risk of unscheduled downtime and potential customer impact."
Both describe the same issue, but version 1 uses accusatory language ("has failed") and hyperbole ("serious compliance failure"), while version 2 presents facts and consequences. The second version is more likely to trigger problem solving and less likely to trigger defensiveness.
Avoid words that make subjective judgements: "inadequate," "inappropriate," "poor," "negligent." Instead, use specific observable facts. Rather than "supervision was inadequate," write "the supervisor was not present during the process." Rather than "the system is poor," write "the system is not meeting defined objectives." This shift from subjective to objective language makes your report stronger and less contestable.
Similarly, avoid hedging language that dilutes your finding. "It appears that," "it seems like," "possibly," "arguably" all weaken your report. Use them only when genuine uncertainty exists. If you have found something, say you have found it. If you are speculating, label it as such. "The audit found that maintenance was not completed" is stronger than "it appears maintenance may not have been completed."
Formatting for Usability
How your nonconformance report looks matters because form influences whether people actually read it. A dense paragraph of narrative text invites skimming. A well-structured report with clear sections invites engagement.
Most effective nonconformance reports use a standard template with distinct sections for evidence, requirement, finding, impact, and root cause observations. Within each section, short paragraphs and clear topic sentences help readers navigate quickly to the information they need. Some organisations supplement narrative sections with tables when presenting multiple instances of nonconformance or when comparison clarifies the issue.
Include enough white space that the document does not feel overwhelming. A two-page nonconformance report with clear sections and adequate spacing is more likely to be read than a densely packed single page or a rambling four-page narrative.
Handling Dispute and Auditee Response
Even the most carefully written nonconformance report will sometimes be disputed. The auditee may believe the finding is inaccurate, that the evidence is insufficient, or that the requirement is being misinterpreted. How you have written your report determines whether this dispute becomes productive dialogue or unresolvable conflict.
A well-structured report with detailed evidence makes dispute more difficult because the facts are on the record. A report that presents evidence separately from conclusions makes it easier to have a conversation about interpretation. A report that acknowledges what you cannot know creates space for the auditee to provide additional context.
Build in space for the auditee's response. Some organisations include a section in the nonconformance report specifically for the auditee to provide additional information, context, or evidence. This approach signals that you are interested in accuracy, not in having the last word. It also sometimes reveals information that nuances your finding or validates it more strongly.
Clarity in audit objectives and scope prevents disputes before they start. If the auditee understands from the beginning what you will be auditing and why, they are less likely to feel blindsided by findings.
The Follow Through: Monitoring Corrective Actions
Writing an effective nonconformance report is only half the job. The report must lead to effective corrective action, and monitoring that action completes the cycle. Your report should specify what evidence you will use to verify that corrective action is complete.
For the maintenance nonconformity, this might be: "Effective corrective action will be demonstrated by: (1) completion of overdue preventive maintenance on all critical equipment, (2) maintenance logs showing that all scheduled maintenance has been completed on schedule for a period of six months following corrective action implementation, (3) revision of the maintenance scheduling process to ensure a clear prioritisation mechanism exists, and (4) evidence that all relevant staff have been trained on revised procedures."
Being explicit about what evidence you will expect at follow-up allows the auditee to plan their corrective action with your expectation in mind. It also prevents disputes later about whether the corrective action adequately addresses the finding. When a major nonconformity is found, follow-up verification becomes critical and your original report should have laid the groundwork for that verification.
Integrating Nonconformance Documentation Into Continuous Improvement
The most effective organisations treat nonconformance reports not as compliance documents but as continuous improvement opportunities. Your report should be written with this in mind. This means providing enough detail that engineering teams can use findings to improve process design, that operations teams can use findings to identify resource constraints, and that management can use findings to prioritise strategic initiatives.
When you close a nonconformity after verifying corrective action, the learning should not stop. Collect the actual corrective actions taken, the results they produced, and the resources required. Over time, patterns emerge. Multiple nonconformities related to training might indicate that training delivery is inadequate. Multiple nonconformities related to resource constraints might indicate that capacity planning is failing. These patterns, visible in aggregate across multiple audit cycles, inform strategic decisions about system improvement.
Documenting audit observations in a structured way creates a foundation for continuous improvement. Your nonconformance reports are part of that documentation, and how you write them influences how effectively they can be used for improvement.