Published: 4 Dec 2019

Joseph Krolikowski, QMS Technical Director and Auditor at Perry Johnson Registrars, explains why writing non-conformity statements is an essential part of the auditing process.

Nonconformities are not usually something that most people are terribly happy to receive during an audit. However, if the nonconformity statement isn’t adequately written, it can create a myriad of problems for all parties involved.

Required content for nonconformities written by certification bodies is officially established in ISO 17021-1:2015 Conformity assessment — Requirements for bodies providing audit and certification of management systems (clause 9.4.5.3) where it states:

“A finding of nonconformity shall be recorded against a specific requirement, and shall contain a clear statement of the nonconformity, identifying in detail the objective evidence on which the nonconformity is based.”

ISO 19011:2018 – Guidelines for auditing management systems echoes similar sentiments in section A.18.3, where the following items are recommended for a written nonconformity – “description of or reference to audit criteria, audit evidence, and declaration of nonconformity”.

Both of these requirements essentially say the same thing, namely that nonconformities are intended to be written in three parts:

  1. Statement of nonconformity;
  2. Evidence of nonconformity;
  3. Requirement(s) substantiating the nonconformity.

Requirements are fairly simple things to understand, but the distinction between “statement” and “evidence” of nonconformity is a more advanced concept.

Correction and corrective action are two entirely different concepts

In the early days of certification for standards such as ISO 9001:1987 – Quality systems and ISO 14001:1996 – Environmental management systems, most nonconformities were written as evidentiary statements. That is to say, they only presented what the auditor found during the audit. An example of a nonconformity written in this era might have read as follows: “Two gauges found in the press area that aren’t currently calibrated. These were gauges DG-014 and DM-006”.

You might read such a statement and wonder what is wrong with that. The auditor has provided some relevant details (department affected, gauge numbers, etc.). However, the weakness in an evidentiary nonconformity is in the typical response it receives from the auditee.

Imagine you are the department manager that receives this nonconformity. What is your natural inclination at such a statement? You might have said that your primary response would be to immediately calibrate the two gauges cited by the auditor. Once that was finished, what motivation did you have to do anything further? The auditor cited two uncalibrated gauges, and you’ve now calibrated those two gauges. Case closed, right?

Anybody with experience in management systems already knows what’s missing here. In calibrating the two gauges, the auditee has provided a correction, but not a corrective action. Correction and corrective action are both required as outlined in clause 9.4.10 of ISO 17021-1:2015 (ISO 19011:2018 again echoes similar sentiment in section 6.7).

Correction and corrective action are two entirely different concepts, with correction defined in ISO 9000:2015 as “action to eliminate a detected nonconformity” and corrective action defined as “action to eliminate the cause of a nonconformity and to prevent recurrence”. In our scenario, the calibration of the two gauges is certainly a correction, but it does nothing to prevent recurrence of similar situations, so it cannot be viewed as a corrective action.

This problem was what drove the industry to demand that nonconformities capture not just the evidence of the nonconformity, but also the statement of nonconformity.

Prompt for action 

A statement of nonconformity is intended to highlight that one (or potentially several) systemic weaknesses allowed the nonconformity to occur. If properly written, the statement of nonconformity should drive the organisation to take a fresh look at all the relevant controls they have in place for the process that was cited in the nonconformity. They need to consider procedures, work instructions, training methods, signage, oversight controls, audit methods, and any other part of their management system that might contribute to a systemic fix for the cited issue.

In my experience, the best written statements of nonconformity are those that contain at least one of the following words: processes, controls, systems, or protocols. Presumably there are other words to get the point across. Let’s revisit our scenario above and apply a strong statement of nonconformity: “Processes established to ensure that gauges are in a known state of calibration/verification are ineffective at this time. Two gauges found in the press area that aren’t currently calibrated. These were gauges DG-014 and DM-006”.

By this simple act of providing a second bit of writing, the auditee is now tasked with not only addressing the immediate issue (via correction) but must also address the systemic weakness (via corrective action).

Including all the relevant details under evidence of nonconformity is as important as providing the statement of nonconformity. It is critical to capture the who, what, when, and how of what was observed. Item numbers, department names, shift information, and any other relevant details must be provided to ensure the auditee can clearly understand the nonconformity and respond to it.

Failing to provide the details in a written nonconformity can dilute the effectiveness of your audit and leave systemic weaknesses unfixed in a management system. The prudent auditor will always ensure that the relevant details are captured and provided to the auditee.