Nonconformity – not the end of the world?

I recently had a conversation with a top management company client that I had just audited for certification and it reminded me of a common frustration. The conversation went something like this:

Me: Here are your audit findings – there are two nonconformances [NCs] and two opportunities for improvement [OFIs].

Management: Wow! That sounds bad. Can you reduce the NCs to OFIs?

Me: Excuse me?

Management: Well, the NC you’ve raised makes my company look bad, it makes my workers look bad and worst of all it makes me look bad.

Me: With all due respect, do you know what audit findings actually are?

Management: Of course I do! A good company like mine does not have NCs.

Me: Would it be a good idea to request another audit from the certification body? They could explain what an audit is all about.

And so on…

Agree to disagree?

I have been through conversations like this many times in my short career as an auditor – both internal and external – and the conversation nearly always ends with "Let’s agree to disagree" and I let those higher up the management chain decide on how to move forward. (Maybe this is why the number of contracted audit assignments has started to slow down recently!)

Let’s take a moment to remind ourselves what an audit finding actually is. ISO 19011:2018 Guidelines for auditing management systems tells us they are "the results of the evaluation of the collected audit evidence against audit criteria". They indicate conformity or nonconformity and can lead to the identification of risks, opportunities for improvement and the recording of good practices.

Audit evidence is defined as: the records, statements-of-fact and other pieces of information that are relevant to the audit criteria – and which are verifiable. Audit criteria are a set of requirements used as a reference against which objective evidence is compared. We define a nonconformity as an unfulfilled requirement.

When it comes to opportunities for improvement, there is no definition in ISO 19011 or ISO/IEC 17021-1:2015 Conformity assessment – Requirements for bodies providing audit and certification of management systems, so I will use one that most certification bodies agree on: a suggestion that can help your management system improve, or that can prevent a possible nonconformance in the future. It is not a kind of 'mild nonconformance', since the criteria of the standard have been met.

Key difference

It’s this key difference between an NC and an OFI that makes it impossible to 'downgrade' one into the other. It would be like turning an apple into an orange. They are simply different things.

Furthermore – and returning to my above conversation with senior management – where does it say that a noncompliant audit finding necessarily makes a company look bad? The definition just says "the non-fulfillment of a requirement [of the standard]"

A week after the above conversation took place, I audited another company and encountered a similar situation: a manager requested I downgrade an NC to an OFI.

I said I could not because this is a nonfulfillment of the requirement (a requirement set by the company itself, relating to managing purchases from suppliers). The manager explained that he needed the certificate in order to tender for a very important contract and he was afraid that the NC would not allow his company to be certified.

I explained that an NC does not mean the certification body will refuse the company’s certification. Rather it means that the certificate will be issued once an effective course of action for improvement has been agreed (the so-called 'corrective action') resulting in the NC being closed.

This was music to the manager’s ears, who was much relieved and quickly organised a team of staff to brainstorm ways to correct and prevent the NC from happening again.

This is the way a quality audit should work, and a much better result for the company than simply having the NC finding changed.

I urge my fellow auditors to keep this experience in mind when talking with their own clients, and to resist calls to downgrade NCs.