After more than 200 certifications across manufacturing, life sciences, services, and construction, I can tell you with some confidence: audit nonconformities are not random. The same issues show up year after year, and almost all of them were preventable.
This isn't a criticism of the organizations that get cited. Running a quality management system while also running a business is genuinely hard, and the spots where systems crack tend to be the same spots where daily operational pressure competes with compliance maintenance. Once you know where the fault lines are, you can address them before an auditor does.
According to ISO's most recent annual survey, ISO 9001 remains the world's most widely adopted management system standard, with approximately 1.1 million certificates issued across 172 countries. With that scale, certification bodies have accumulated substantial data on where QMS implementations fall short. Major CBs including BSI, DNV, and Bureau Veritas publish periodic findings, and the pattern is remarkably consistent: a small cluster of clauses accounts for the majority of nonconformities raised globally.
Here's what those clauses are, why they keep generating findings, and what you can actually do about each one.
What Counts as a Nonconformity
Auditors distinguish between minor nonconformities — an isolated lapse like a single record missing or one instance of a procedure not followed — and major nonconformities, which reflect a systemic breakdown: a whole category of records absent, a required process entirely unaddressed, or a clause requirement that simply doesn't exist in the QMS.
A major nonconformity can delay or prevent certification. Minors require a corrective action plan but don't typically block the certificate, provided the response is credible and timely. Most of the findings I describe below can be either — depending on how pervasive the gap is when the auditor encounters it.
The 8 Most Common ISO 9001 Nonconformities
1. Document and Record Control (Clause 7.5)
Document and record control failures under ISO 9001 clause 7.5 are the most consistently cited nonconformity category across major certification bodies globally. It's been that way under both the 2008 and 2015 versions of the standard, and I don't expect it to change.
What auditors find: obsolete procedures still in use on the production floor, documents missing version controls or approval signatures, required records that simply don't exist, and electronic documents stored in ways that permit unauthorized modification.
Why it keeps happening: most organizations build their document control system once, get certified, and let it drift. New procedures get created informally. Old procedures never get retired. The document register becomes a historical artifact rather than a live control.
What to do: Schedule a document control sweep at least quarterly — separate from your internal QMS audit. Assign a document controller who owns the register actively, not just nominally. When a process changes, the procedure update should be a required step before the change goes live, not an afterthought. And pay particular attention to obsolete documents — pulling them from circulation is as important as keeping current documents accurate.
2. Internal Audit Program (Clause 9.2)
Internal audits are the standard's built-in self-monitoring mechanism. They are also among the most consistently mismanaged elements of any QMS, and one of the most common sources of nonconformities.
What auditors find: internal audits not completed on schedule, auditors evaluating their own work (a direct violation of the objectivity requirement at 9.2.2), vague audit criteria that produce superficial findings, no follow-up on prior findings, or an audit program that exists on paper but shows no evidence of execution.
Why it keeps happening: internal audits feel like overhead, especially in smaller organizations where the quality function is part-time. They get pushed when operations are busy — which is exactly when the QMS most needs scrutiny.
What to do: Build your internal audit schedule into your quality plan at the start of each year. Treat a missed audit as a nonconformity in its own right, because the standard does: clause 9.2.2 requires audits at planned intervals, so a skipped audit is a finding against the program itself. Train your internal auditors properly — not just on the checklist, but on interviewing technique and evidence evaluation. Our ISO 9001 Internal Audit Guide covers the planning and competency requirements in detail. The purpose of an internal audit is to find problems before an external auditor does. An audit that finds nothing is either a sign of a very mature system or a sign that the auditor wasn't looking hard enough.
3. Corrective Action (Clause 10.2)
Corrective action is where organizations address problems they've identified. It's also where a lot of QMS programs produce paperwork instead of solutions.
What auditors find: corrections recorded without root cause analysis, root cause listed as something generic like "human error" or "oversight" that explains nothing about what actually drove the problem, no evidence the corrective action was implemented, and no effectiveness check to verify the problem didn't recur.
Why it keeps happening: real root cause analysis requires slowing down when something goes wrong. Under operational pressure, the temptation is to fix the immediate problem and move on. The structured investigation process feels bureaucratic when you're already behind on delivery.
What to do: The most important discipline here is distinguishing between a correction — fixing the immediate problem — and a corrective action, which eliminates the root cause. Clause 10.2.1 requires the correction, a determination of the cause (including whether similar nonconformities exist elsewhere), and a review of the effectiveness of whatever corrective action is taken. Use a structured root cause tool: 5 Whys, fishbone diagram, or fault tree analysis. Document the method and the conclusion, not just the outcome. Set a specific target date for the effectiveness check, and record the result when you close the action. See our ISO 9001 Corrective Action guide for a template that covers all clause 10.2 requirements.
4. Competence and Training Records (Clause 7.2)
Clause 7.2 requires you to determine the competence required for roles affecting quality, ensure people have it, and retain documented evidence. The evidence part is where most organizations fall short.
What auditors find: training was conducted but not recorded, records exist but show only attendance rather than competence, new employees performing quality-critical tasks without documented qualification, and on-the-job training with no formalized structure or sign-off.
Why it keeps happening: HR owns training records, quality owns the competence requirements, and the two systems rarely talk to each other. Informal OJT is efficient but invisible to an auditor without deliberate documentation.
What to do: Create a competency matrix for every role that touches product or service quality. Map each competency to a training or qualification activity, and document completion with evidence of effectiveness — not just attendance. For OJT, a supervisor sign-off form is sufficient if it's specific and dated. Conduct a gap analysis against your matrix at least annually.
5. Risk-Based Thinking (Clause 6.1)
ISO 9001:2015 replaced the prescriptive preventive action requirement with a broader requirement for risk-based thinking. That turned out to be harder for many organizations, not easier. As of 2026, nearly eight years after the September 2018 transition deadline, risk-based thinking nonconformities remain in the top five most common findings in surveillance and recertification audits, which tells you how many organizations treated it as a checkbox rather than a genuine planning tool.
What auditors find: a risk register that lists generic risks without any real analysis, risks identified once at certification and never reviewed, no visible connection between the risk register and actual QMS planning decisions.
Why it keeps happening: "risk-based thinking" is abstract, and the standard doesn't prescribe a specific methodology. That left a lot of room for superficial compliance.
What to do: Your risk register needs to be a living document with clear ownership, probability and impact ratings (even simple ones work), and documented mitigation actions. Review it at every management review. When something goes wrong — a nonconformity, a customer complaint, a supplier failure — ask whether that risk was on the register, and if not, add it. The register should look like it informed real decisions, because it should have.
6. Quality Objectives (Clause 6.2)
The standard requires quality objectives that are measurable, monitored, and communicated to relevant personnel. "Improve customer satisfaction" is not a quality objective under clause 6.2. It's an aspiration.
What auditors find: objectives stated as intentions rather than targets, no measurement process defined, no records showing objectives were actually monitored during the period, and objectives unchanged from the previous certification cycle with no evidence of review.
Why it keeps happening: setting measurable objectives means committing to a number, and numbers create accountability. Organizations often resist that, especially when they're not confident they can hit the target.
What to do: For each quality objective, document the specific metric, the baseline, the target, the measurement frequency, and the responsible owner. Connecting objectives to the outputs of your risk analysis and management review makes the QMS coherent rather than a collection of separate compliance exercises.
7. External Provider Controls (Clause 8.4)
If your product or service depends on suppliers, contractors, or outsourced processes, clause 8.4 requires you to control them in proportion to their impact on quality. Most organizations have more supplier risk than their QMS acknowledges.
What auditors find: no approved supplier list, or a list that hasn't been updated in years, no documented criteria for evaluating or re-evaluating suppliers, critical processes outsourced with no oversight mechanism, and no records of supplier performance monitoring.
Why it keeps happening: supplier management tends to live in procurement, and procurement tends to be cost-focused rather than quality-focused. When the QMS was built, supplier controls got documented minimally, and they've stayed that way.
What to do: Start with a risk-tiered approach. Not every supplier needs a full audit — but every supplier delivering something that directly affects product or service quality needs documented evaluation criteria, initial qualification records, and periodic performance tracking. Define what acceptable supplier performance looks like, and have a documented process for handling suppliers who don't meet it.
8. Management Review (Clause 9.3)
Management review is the leadership accountability mechanism built into ISO 9001. Clause 9.3 specifies exactly what it must cover and requires documented outputs. It is also frequently treated as a rubber-stamp exercise.
What auditors find: management reviews conducted with no records; reviews missing required inputs such as audit results, customer feedback, nonconformity trends, or QMS performance data; and annual reviews that consist of a one-page summary circulated by email with no documented decisions or action items.
Why it keeps happening: management reviews get treated as a compliance event rather than a genuine leadership tool. Once organizations realize the review has to cover specific topics and produce documented outputs, it often gets done in the most minimal way possible.
What to do: Use the standard's list of required inputs at clause 9.3.2 as your standing agenda. Require documented action items with owners and due dates as the output. Keep the meeting records — notes, attendance, decisions. An auditor reading your management review records should be able to see that leadership actually engaged with QMS performance, not just signed off on a form.
Nonconformity Quick Reference
| Nonconformity | Clause | Frequency Rank | Typical Finding | Primary Prevention |
|---|---|---|---|---|
| Document & record control | 7.5 | 1 | Obsolete docs in use; missing records | Active document register; quarterly doc sweep |
| Internal audit program | 9.2 | 2 | Audits skipped; auditors not independent | Annual schedule; independence enforced |
| Corrective action | 10.2 | 3 | No root cause; no effectiveness check | Structured RCA tool; documented close-out |
| Competence & training records | 7.2 | 4 | Attendance recorded, not competence | Competency matrix; OJT sign-off forms |
| Risk-based thinking | 6.1 | 5 | Static risk register; no QMS integration | Living register reviewed at MR |
| Quality objectives | 6.2 | 6 | Unmeasurable; unmonitored | Metric + target + owner + frequency |
| External provider controls | 8.4 | 7 | No supplier evaluation criteria | Risk-tiered qualification program |
| Management review | 9.3 | 8 | Missing inputs; no action items recorded | Clause 9.3.2 as standing agenda |
The Underlying Pattern
If you look at that list, you'll notice something: almost every nonconformity on it traces back to the same root cause. The system was built for certification and not maintained for operation.
Document control drifts when people update processes informally. Internal audits get skipped when operations are busy. Corrective actions close on paper without real root cause work. The QMS gradually becomes a compliance artifact — and a compliance artifact is exactly what an auditor finds.
Organizations that consistently pass their surveillance and recertification audits are not necessarily the ones with the most sophisticated systems. They're the ones where the QMS is integrated into how work actually gets done — where the document controller knows about process changes before they go live, where internal audits surface real problems, where management reviews produce actual decisions.
In my experience, the difference between a client who sails through an audit and one who receives a stack of findings often comes down to one thing: whether someone in the organization owns the QMS actively, or owns it only nominally. Active ownership means the system is alive. Nominal ownership means it's a filing cabinet.
Before Your Next Audit: A Practical Self-Check
Documentation sweep (two weeks out). Pull a random sample of your controlled documents and verify they're at the current revision. Check your document register for anything that should have been updated in the last six months. Look for obsolete copies in work areas — production floors and shared drives both.
Internal audit records. Confirm that all scheduled internal audits for the current certification cycle have been completed, findings documented, and prior corrective actions closed. If anything is outstanding, address it now rather than hoping the auditor doesn't ask.
Corrective action log. Review every open CAPA. For any that have been open more than 90 days, investigate why — auditors will. Document the delay rationale if there's a legitimate one.
Training records. Spot-check five employees in quality-critical roles. Verify that their records are current and demonstrate competence, not just attendance.
Management review. Confirm your most recent review covered all required inputs under clause 9.3.2 and produced documented action items with owner names and status updates.
Running through this list two weeks before an audit gives you time to address gaps rather than explain them.
Frequently Asked Questions
What is the most common ISO 9001 nonconformity?
Document and record control failures under ISO 9001 clause 7.5 are consistently the most frequently cited nonconformity category in third-party audits. This includes obsolete documents still in use, missing version controls, approval signatures absent, and required records that simply don't exist. Major certification bodies including BSI, DNV, and Bureau Veritas have identified document control as a top finding across multiple annual reporting cycles.
What is the difference between a minor and major nonconformity in ISO 9001?
A minor nonconformity is an isolated lapse — one missing record, one instance of a procedure not followed. A major nonconformity reflects a systemic failure: a whole category of documentation absent, a required process entirely unaddressed, or a clause requirement not implemented at all. Major nonconformities can delay or prevent certification; minors require a corrective action plan but don't typically block the certificate, provided the response is credible.
How long does an organization have to address nonconformities after an audit?
Most certification bodies allow 30 to 90 days to submit corrective action evidence, depending on severity. For major nonconformities blocking initial certification, the timeline is typically 30 to 60 days and may require a follow-up visit to verify evidence. Timeframes should be confirmed with your specific certification body, as policies vary.
Can you receive a nonconformity because of your internal audit results?
Yes — though not because the audits found problems. Finding problems is the point. You can receive a nonconformity if your internal audit program wasn't completed on schedule, if auditors lacked sufficient independence (auditing their own work), or if findings from prior internal audits weren't closed out. A robust internal audit program that surfaces real findings is actually one of the strongest positive signals an external auditor can see.
Why does risk-based thinking still generate nonconformities after all these years?
ISO 9001:2015 clause 6.1 requires organizations to identify risks and opportunities that could affect the QMS and address them in planning. It continues generating nonconformities because many organizations created a risk register at initial certification and never updated it. A risk register that shows no changes over multiple years — in a business environment that obviously changed — is a compliance artifact, not a genuine risk management tool. Auditors have seen enough of them to know the difference immediately.
Last updated: 2026-06-09
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.