6/25/2018

Ask Our VP of Compliance: June 2018

"How Do Audit Findings Work?"

Many companies preparing for a certification audit spend countless hours worrying that their auditor will find something wrong. Will they just leave in the middle of the audit? Will they refuse to grant you certification? Will they never come back? Do they have to find something wrong? These questions run through the heads of many implementers as they await the certification audit, but it is not as bad as you fear!

Today, we answer a few questions about how audit findings work, what nonconformities mean, and what you need to do about them:

How do audit findings work?

During your audit, the auditor takes a set of audit criteria (the requirements of the standard), along with your policies and procedures, and gathers evidence to verify whether the criteria are being met. This evidence may be records, statements of fact, or other information that is relevant to the audit criteria.

Once the audit evidence is gathered, the auditors will compare the evidence to the criteria and determine whether the criteria were met. The hope is that this comparison will show that the process conforms to the criteria, but it can also show that it is non-conforming. When the audit finding is that the process is non-conforming, an audit nonconformity is recorded in the audit report. This is not the end of the world!

What are audit nonconformities, and what do they mean?

During a registration audit, nonconformities are generally divided into two different types by certification bodies: major and minor. Both need to be addressed, but each can mean a different thing when it comes to your company certification being granted.

Major nonconformities are typically seen as a breakdown of a requirement needed to satisfy overall compliance for the certifying body. For instance, the ISO 9001 requirements state that you need to prevent the unintended use of obsolete documents, and to address this you may state in your procedure that employees are not to print out copies of documents to keep at their desk and must use the electronic version. If the auditors found many different people across your company using printed versions of older procedures for their work, this could be seen as a major nonconformity.

A minor nonconformity is a problem that is more limited in scope across your company. If the evidence above for the printed versions of obsolete documents occurred only with one or two individuals in one department, then the problem would be labeled as a minor nonconformity.

What do you need to do if a nonconformity is found?

It does not matter whether an audit nonconformity is major or minor: you should address it in the same way, by correcting it through your corrective action process. The only real difference between a corrective action raised internally in your company and one raised due to a certification audit nonconformity is who reviews your plan's adequacy and performs the follow-up. For a certification audit nonconformity, this is done with your certification body auditor, who will record your response to the nonconformity in the audit report and follow up on the completion of the corrective action at the next audit.

What I have seen is that any minor nonconformities found in an audit will need to be addressed within a certain timeline, but the certification can be granted when the corrective action plan is received, and typically the audit team will follow up at the next maintenance audit by the certification body. Major nonconformities might mean that your certification will not be granted until the corrective action is in place and the certification body auditors come and verify that it is effective.

Audit nonconformities are not the end of the world.

Nonconformities should be viewed as one way to identify needed improvements in your organization or business. When an outside expert looks at your processes, they can often see things that are not easily seen by an observer internal to your company. Use these findings to improve, and you will be getting the most for your money from your certification audit.

Danielle Johnsen
VP of Compliance

Danielle V. Johnsen joined the Digital Edge team in 2015 as the VP of Compliance. With a passion for information security and organizational compliance, Danielle's vision is to enable collaboration between 'The Business' and Information Technology, thus creating common objectives and outcomes that benefit the organization, while staying in compliance with all regulatory bodies and companywide policies. Specializing in security frameworks and policies such as ISO 9001, ISO 27001, NYS DFS 500, NIST, HIPAA, GDPR, PCI, OSPAR, and more!