Chapter – 9 : Nonconformity Reporting and Corrective Action

Nonconformity reporting and corrective action(s) are the last step for the onsite audit by the Lead
Auditor.
This chapter covers the following two sections of ISO 19011:2018 for performing audit activity.
I. Completing the audit
II. Conducting audit follow up
1.0 Audit Completion
The audit is completed when all planned audit activities have been carried out, or as otherwise
agreed with the audit client (e.g. there might be an unexpected situation that prevents the audit
being completed according to the audit plan).
Documented information pertaining to the audit should be retained or disposed of by
agreement between the participating parties and in accordance with audit program and
applicable requirements.
Unless required by law, the audit team and the individual(s) managing the audit program
should not disclose any information obtained during the audit, or the audit report, to any other
party without the explicit approval of the audit client and, where appropriate, the approval of the
auditee. If disclosure of the contents of an audit document is required, the audit client and
auditee should be informed as soon as possible.
Lessons learned from the audit can identify risks and opportunities for the audit program and
the auditee.
2.0 Audit Reporting
2.1 Objective evidence
For generating nonconformity report, objective evidence needs to be clearly reported.
The auditor collects objective evidence to ensure system is either matured or does not exist.
He must collect evidence where:
 The facility is not adequate or out of order; ( to check implementation)
 Any requirement has not been addressed
 Practice differs from what has been documented in system (to check implementation)
 The practice is not effective (to check effectiveness).
2.2 Nonconformity Reporting
Nonconformity reporting is done to report non-conforming audit findings. Nonconformity
reporting must be:
 Factual
 Understandable and traceable.
It is a means to raise formal notification of any issues at the time of finding.
The auditee is required to understand and give acceptance of the nonconformity.
2.3 Non–conformity Report (NCR)
The NCR covers following three points; and hence, it is three dimensional:
1. NC Statement (An element of the system which went wrong): What is the Problem?
Describe clearly, concisely and factually.
2. The Evidence (what, where or when actually was found): Where did it occur or When did it
occur? I.e., which department or activity or when?
3. Why it is Nonconformity? i.e., Against which requirement? The requirement (what was
supposed to be)

Copyright 2018 @ Punyam Academy | devang@punyamacademy.com | +91-9825031523 Page 1 of 9

 Chapter – 9 : Nonconformity Reporting and Corrective Action
Wording of NCRs
 It is important to take care when preparing NCRs and ensure it is justified.
 Failure to achieve clear factual information will invite challenge on the findings at the
closing meeting.
 This will be particularly important in areas where the emphasis is placed on the following:
 Management Commitment
 Competence
 Communication
 Continual Improvement.
Care to be taken by auditor while creating NCR
 Don’t bias with any person or area;
 When in doubt, investigate! Go in depth;
 Remember that auditor is fact finder;
 Ensure selection of proper sample and also that sample is not given by audited but chosen
by Auditor;
 Do not generate NCR without collecting objective evidence;
 Identify the leads for further investigation.
2.4 Categorizing Nonconformities
Definition of Nonconformity
ISO Definition of Nonconformity: “The non-fulfillment of a requirement.”
ISO do not define major and minor nonconformities but they can be defined as follows –
2.4.1 Major
Major nonconformity is the absence or total breakdown of a control system to meet a
requirement of the standard. A number of minor nonconformities against one requirement can
represent a total breakdown of the system and thus be considered as a major nonconformity.
Nonconformity is said to be Major when there is:
 A single major system, product or service nonconformity; a lack of documented information
needed to satisfy an agreed requirement.
 Non-implementation of documented information and arrangements.
2.4.2 Minor
A minor nonconformity may be either a failure in some part of the organization’s management
system relative to the standard or a single observed lapse in following one item of a company’s
own system. In case of minor nonconformity, there are minor discrepancies or lapses in
discipline, or such mistakes are found only in one area.
2.4.3 Observations (Opportunities for improvement)
Certification audit and surveillance reports may contain “Observations” which relate to existing
conditions which, in the Auditor’s judgment, warrants clarification or investigation so as to
improve the overall status and effectiveness of the system.
2.5 Agreement on NCRs
 NCRs are usually agreed with the management’s authorized person following the Auditors
Team Meeting and before the Closing Meeting.
 Points raised in NCR can be clarified and checked.
 If a genuine error or misunderstanding has been made withdraw the NCR.
 Lead Auditor must get agreement of NCRs.
 Auditee must sign to say they agree with the NCRs.
 The auditee must nominate root cause corrective action.

Copyright 2018 @ Punyam Academy | devang@punyamacademy.com | +91-9825031523 Page 2 of 9

Chapter – 9 : Nonconformity Reporting and Corrective Action
 The auditor can reject actions that do not address the root cause.
 Once agreement is found all NCRs must be closed out within the agreed time frame.
3.0 Corrective Action
Auditors should not accept “quick fix” corrective actions, such as: we will calibrate that
instrument or we will get him a copy of the document. Problems or deficiencies in the system
need to be analyzed to identify the root cause of the nonconformity. Root causes of un-
calibrated instruments usually lie in the system rather than with an individual. If the Auditor has
found non-calibrated measuring instruments, the auditees need to find out why they were not
calibrated, why someone not picked up that instruments were not calibrated and whether
people were able to use them whilst they were not calibrated. The Lead Auditor would then
describe the follow-up procedure and what happens next will depend on the client or
certification body and the audit objectives. Copies of the NCRs and the report are left with the
auditees or the Lead Auditor sends a full report at a later date depending on the procedure.
The auditees would then consider the nonconformities found and the corrective actions
needed. They would then plan and schedule the actions and implement and record them. They
would then check or re-audit the activity themselves to ensure the effectiveness of the
corrective actions taken before notifying the Lead Auditor who would then visit the site to check
the satisfactory closing of the nonconformities.
Closing out nonconformities is done by checking the evidence that the root cause of the
problem has been eliminated. This can be done by checking the process, checking procedures
and methods, equipment and materials, interviews, witnessing the test and/or calibration,
checking records and observing the process, and the output results of the process to identify
that the actions have been effective.
Typical examples of evidence the Auditor would expect to see for the closing of an NCR would
be evidence of a review of the cause or causes; e.g. how the problem arose, why it was not
detected by their own system, an analysis of the root cause using 5 W principle Charts or
Process Maps., This would be part of their corrective action system, a plan for making and
communicating any changes to the system and records of implementation action and checking
to see that the corrective action has been effective.
Examples would include records of the review of the NCR, record of the processes to decide
on the corrective action to be implemented, memos or other such documents communicating
to persons who will be affected by the change exactly what is to change, when, who will be
affected and who will be responsible? This would be particularly necessary to process changes
where we look at the planning to conduct and control the changes and inform all those who will
be affected by these changes. These can be checked by looking at procedures, asking the
people who are doing the task, checking controls, the monitoring records of the process and
outputs.
Corrective actions may require inputs from the highest levels of management, particularly if
associated with the policy or business objectives. Failure to make clear or communicate
policies or objectives would need corrective actions and auditors would have to check the
changes or clarifications made and the plan or means of communication, and they would have
to go and talk to those affected to ensure that the changes were understood and being
implemented. The organization may incorporate the corrective actions to be taken into their
improvement projects or plans to meet their objectives that could be part of their continual
improvement system.
 After the closing meeting the auditee organization must complete any agreed corrective
action.
 They need to analyze the problem to identify the root cause; plan, implement and record
the actions taken; and check or re-audit the corrective action to ensure it has been
effective. Record the items checked.
 They would then inform the Lead Auditor for follow-up

Copyright 2018 @ Punyam Academy | devang@punyamacademy.com | +91-9825031523 Page 3 of 9

 Chapter – 9 : Nonconformity Reporting and Corrective Action
4.0 Audit Report
4.1 Introduction
This section describes the audit team’s activities of collecting information and analyzing the
information gathered during the audit, compiling the report, and reporting the findings at the
closing meeting. It describes the production of value adding reports, writing of Non-conformity
Reports and the system of follow-up and closing out of the nonconformities.
4.2 Reporting the Audit Findings
At the completion of the Audit Plan an Audit Team Meeting is scheduled and held to enable the
Lead Auditor to collect together all the findings of the team and to reach conclusions regarding
the findings and the compliance of the auditee organization with the audit criteria. The auditors
would identify the strengths and weaknesses of the organization and complete Non-conformity
Reports (NCRs) for deficiencies found.
The Lead Auditor should consider opportunities for improvement provided by the audit
evidence and identification of benefits. The auditor should give examples where good practice
used in one area of an organization can be used effectively to improve another area. The
provision of consultancy and advice on how to correct deficiencies will depend on the audit
objectives; however, Auditors should try to add value to their reports by explaining why there is
a problem or deficiency and the benefits to the organization in correcting the situation. He
should note any such opportunities in the report. The Lead Auditor should chair and control the
closing meeting, the length of which is dependent on the size and complexity of the
organization, the likely compliance with the audit criteria and the number of Auditors.
The Lead Auditor normally goes round each Auditor in turn to collect, confirm and collate Non-
conformity Reports (NCRs).
The Lead Auditor must ensure that the Auditors have obtained sufficient information and
evidence with which to draw a conclusion of nonconformity. The rule is “if in doubt leave it out”.
The Lead Auditor should then complete the Audit Team Report Form and / or follow the agreed
procedure on reporting as described in the opening meeting.
The normal procedure would then be to invite the QMS coordinator into the meeting and go
through and agree on the NCRs with him / her prior to the Closing Meeting to resolve any
disagreements. The Auditors should have sufficient evidence to be able to prove their
conclusions of nonconformity.
4.3 Recommendations of the audit
If the audit is an initial or registration assessment, the Lead Auditor would make
recommendations to the certification body as to whether certification should be granted or not.
Lead Auditors would report to the certification body both on the compliance of the auditees and
the performance of the team.
In the case of a third party assessment, the audit report may be a summary report presented to
the management before leaving,, or it may be written and sent at a later date. The report
distribution is agreed between the parties and is subject to strict confidentiality as audit reports
contain information which may be damaging to the organization’s reputation. The report should
reflect the findings and tone of the audit, being a clear and concise account of the events.
The certified organizations are confirmed as still meeting the requirements of the standard by
the certification body conducting periodic surveillance audits. The general requirements for the
competence of organization are checked for being updated and current and effectively
implemented.

Copyright 2018 @ Punyam Academy | devang@punyamacademy.com | +91-9825031523 Page 4 of 9

 Chapter – 9 : Nonconformity Reporting and Corrective Action
5.0 Audit Follow–up Activities
5.1 Conducting audit follow-up
The outcome of the audit can, depending on the audit objectives, indicate the need for
corrections or for corrective actions, or opportunities for improvement. Such actions are usually
decided and undertaken by the auditee within an agreed time frame. As appropriate, the
auditee should keep the individual(s) managing the audit program and/or the audit team
informed of the status of these actions.
The completion and effectiveness of these actions should be verified. This verification may be
part of a subsequent audit. Outcomes should be reported to the individual managing the audit
program and reported to the audit client for management review.
 It may be necessary to perform a follow-up audit to verify the effectiveness of any
corrective action carried out. Corrective action and subsequent follow-up audits should be
completed within a time period agreed to by the auditee, in consultation with the Auditor. In
majority of the cases the documentary evidences are submitted for closure of
nonconformity.
 Agreed corrective actions are followed-up by verifying the documentary evidence
submitted.
6.0 Closing Meeting
The Lead Auditor completes the audit report and calls the closing meeting.
The closing meeting with the auditee organization is then held to formally report the findings of
the audit to the top management and to formally close the audit. The Lead Auditor chairs this
closing meeting and would normally have an agenda which may be either formal or informal.
He would normally re-state the audit objectives and how they were met. The Lead Auditor
should comment on the performance and cooperation of the organization audited and
highlights any difficulties found if the audit did not go according to plan and any areas not
covered.
An overview of the organization’s compliance is normally presented indicating both strengths
and weaknesses and appreciating the efforts that the auditees have put into the system’s
development and improvement.
A summary of the findings is presented to top management giving details if asked. The
findings would include the recommendations for certification if this was a certification audit or
approval or not for a supplier audit. Certification Auditors do not make recommendations to
clients regarding the means of corrective actions. Consultancy Audits often recommend what
actions should be taken to correct deficiencies.
Depending on procedures, the Lead Auditor may ask the auditees to nominate corrective
actions to rectify any deficiencies found or he may leave copies of the NCRs with the
organization and give them time to review the problems and decide on the best way of
rectifying them.
The auditees would complete the sections for nominating corrective actions and send them to
the Lead Auditor for checking and approval. If in the opinion of the Lead Auditor the actions
would not cure the problem he would return the forms asking for better corrective actions.
The correctives action process should allow organization to identify the causes of
nonconformity by completing a root cause analysis. By analyzing the root cause of the problem
the organization can be assured that the corrective action will eliminate the nonconformity and
stop its re-occurrence.

Copyright 2018 @ Punyam Academy | devang@punyamacademy.com | +91-9825031523 Page 5 of 9

 Chapter – 9 : Nonconformity Reporting and Corrective Action
6.1 Closing Meeting agenda
 Record presence of participants.
 Re-state the scope, including exclusions and objectives.
 Thank for cooperation.
 Return any company documents used by the audit team to the company representative.
 Summarize findings, including strengths and weaknesses.
 Explain nonconformities, defining major and minor if applicable.
 Give recommendations as to Certification or not, if applicable.
 Run through nonconformities. (Briefly). Ask for no interruptions.
 Invite questions on the findings.
 Give Disclaimer Statement.
 Explain the appeal procedure if relevant.
 Ask the Top Person to agree and sign the report.
 Explain the system for appeals, if any.
 Invite auditee to nominate corrective actions, including timescales.
 Explain reporting and follow-up procedures.
 Confidentiality.
 Thanks and closing.
7.0 Audit Reports
The audit report should contain –
 The date of the audit.
 The name(s) of the person(s) responsible for the report.
 Auditors and key auditees’ names and roles.
 The names and addresses of the site(s) audited.
 The assessed scope of certification and reference to the standard applied, including
exclusions.
 Attendees of the opening and closing meetings.
 Comments on the conformity of the organization’s General requirements for the
competence of organization with the certification requirements, with a clear statement of
nonconformity and where applicable, any useful comparison with the results of previous
assessments of the organization.
 The audit team’s judgment of the extent of the auditees’ compliance with the audit
standard.
 Comment on the system ability to achieve the defined management system objectives.
 Recommendations as appropriate.
 An explanation of any differences from the information presented to the body at the closing
meeting
 Description of any problems encountered that affected the audit and actions taken.
 The audit report distribution list.
 Statement of record retention, if appropriate, and confidentiality status.

Copyright 2018 @ Punyam Academy | devang@punyamacademy.com | +91-9825031523 Page 6 of 9

 Chapter – 9 : Nonconformity Reporting and Corrective Action
8.0 Audit Follow-up Activities
8.1 Conducting audit follow-up
The outcome of the audit can, depending on the audit objectives, indicate the need for
corrections or for corrective actions, or opportunities for improvement. Such actions are usually
decided and undertaken by the auditee within an agreed time frame. As appropriate, the
auditee should keep the individual(s) managing the audit program and/or the audit team
informed of the status of these actions.
The completion and effectiveness of these actions should be verified. This verification may be
part of a subsequent audit. Outcomes should be reported to the individual managing the audit
program and reported to the audit client for management review.
 It may be necessary to perform a follow-up audit to verify the effectiveness of any
corrective action carried out. Corrective action and subsequent follow-up audits should be
completed within a time period agreed to by the auditee, in consultation with the Auditor. In
majority of the cases, the documentary evidences are submitted for closure of
nonconformity.
 Agreed corrective actions are followed-up by verifying the documentary evidence
submitted.

Copyright 2018 @ Punyam Academy | devang@punyamacademy.com | +91-9825031523 Page 7 of 9

 Chapter – 9 : Nonconformity Reporting and Corrective Action

Annexure-1
Sample Non-conformity Report Form

Auditee Organization Name Date

Location Ref. No.
NCR No.
Auditor Name NCR Category
Auditee Name ISO 9001:2015
Auditee Dept.
Requirements
Write the requirements of ISO 9001:2015 clause or sub-clause requirements.
Observation/Finding
Description of Nonconformity
What is the mistake? Where or when it occurred? Why it is nonconformity against
requirements?

Auditor Sign: Auditee Sign: Date:

Root cause:

Correction:
Completion Date:
Auditee Sign: Lead Auditor Sign: Date:
Action Taken

Satisfactory Not Satisfactory – (State Reasons)

Verified –
Sign Date:

Copyright 2018 @ Punyam Academy | devang@punyamacademy.com | +91-9825031523 Page 8 of 9

 Chapter – 9 : Nonconformity Reporting and Corrective Action

Annexure-2
Corrective Action Process

Auditor raises nonconformity.

↓
Auditee reviews/agrees nonconformity.
↓
Auditee determines root cause.
↓
Auditee evaluates the need for action to prevent recurrence.
↓
Auditee decides whether action is needed – If no action, record decision.
↓
Auditee proposes corrective action.
↓
Auditor agrees proposal – Not mandatory
↓
Auditee implements corrective action.
↓
Auditee records results of action taken.
↓
Auditee reviews effectiveness of action taken, i.e. decides if results of action taken meet
requirements.
↓
Auditee decides if corrective action has been effective.
↓
Auditor verifies effective corrective action has been taken, by reviewing records and evidence
of root cause determination, and that the action taken has achieved the desired results.
↓
Auditor decides if corrective action requirements have been met.
↓
Auditor records results of the action taken and closes the audit.

Copyright 2018 @ Punyam Academy | devang@punyamacademy.com | +91-9825031523 Page 9 of 9