Why NC Management Matters More Than You Think
Nonconformity management is not a side process in ISO certification. It is central to the integrity of the entire certification system. When an auditor identifies a nonconformity, a chain of actions must follow: the finding must be documented, communicated to the client, responded to with a root cause analysis and corrective action plan, verified through evidence, and formally closed before the certification decision can be made.
Every step in this chain is a potential failure point. And when NC management fails, the consequences are severe: invalid certifications, accreditation nonconformities, and damage to the CB's credibility.
Types of Nonconformities in ISO Certification
Understanding the different types of nonconformities and how they interact with the certification process is essential for effective management:
Major Nonconformities: A major nonconformity is the absence or total breakdown of a system to meet a requirement of the applicable standard, or a situation that raises significant doubt about the ability of the management system to achieve its intended outcomes. Major NCs from a Stage 2 audit must be resolved before a positive certification decision can be made.
Minor Nonconformities: A minor nonconformity is a single observed lapse or a situation where the evidence does not indicate a systemic problem. Minor NCs typically require a corrective action plan to be accepted and evidence of implementation to be provided within a defined timeframe, which may extend beyond the audit itself.
Opportunities for Improvement: While not technically nonconformities, OFIs are observations that suggest areas where the management system could be enhanced. They do not require formal corrective action but should be communicated to the client.
The NC Lifecycle
A nonconformity has a defined lifecycle that must be managed from identification through closure:
1. Identification and Documentation: The auditor identifies the nonconformity during the audit and documents it with:
- •A clear statement of the requirement that was not met
- •Objective evidence of the nonconformity
- •Classification (major or minor)
- •The relevant clause of the applicable standard
2. Communication to the Client: The NC must be formally communicated to the client. ISO/IEC 17021-1:2015 Clause 9.4.5 requires that audit findings be reported to the client. The client must understand what was found, why it is a nonconformity, and what is expected of them.
3. Client Response: The client must provide:
- •An analysis of the root cause
- •A description of the correction (immediate action to address the specific instance)
- •A corrective action plan (systemic action to prevent recurrence)
- •A timeline for implementation
4. Auditor Review of the Response: The auditor reviews the client's response to determine whether:
- •The root cause analysis is adequate
- •The correction addresses the specific finding
- •The corrective action plan is likely to prevent recurrence
- •The timeline is reasonable
If the response is inadequate, the auditor communicates what additional information or action is needed.
5. Evidence of Implementation: The client provides evidence that the corrective action has been implemented. This may include revised documents, training records, process outputs, or other objective evidence.
6. Auditor Verification: The auditor reviews the evidence and determines whether the corrective action has been effectively implemented. For major NCs, this verification may require a follow-up visit.
7. Closure: Once the auditor is satisfied that the corrective action is effective, the NC is formally closed. The closure record includes the auditor's assessment and the date of closure.
Where NC Management Typically Goes Wrong
In certification bodies without dedicated software, NC management fails in predictable ways:
Lost Track of Open NCs: When NCs are tracked in spreadsheets or email, it is easy to lose track of which NCs are still open, which are awaiting client response, and which are awaiting auditor verification. A busy auditor with dozens of open NCs across multiple clients may overlook one that is approaching its deadline.
Incomplete Documentation: The NC was identified and communicated, but the client's response was received via email and never formally linked to the NC record. Or the auditor reviewed the evidence verbally but did not document their verification. These gaps are problematic during accreditation assessments.
Missed Deadlines: Clients are given deadlines to respond to NCs and provide evidence of corrective action. Without systematic tracking, these deadlines pass without follow-up. The NC remains open, and the certification process stalls.
No Closure Gates: In manual systems, there is no mechanism to prevent a certification decision from being made while NCs are still open. A busy planner might advance the file to committee review without verifying that all NCs have been properly closed.
Inconsistent Classification: Different auditors classify similar findings differently. Without guidance and consistency checks, what one auditor considers a minor NC, another might classify as major. This inconsistency creates confusion and accreditation risk.
How Certiva Manages the NC Workflow
Certiva implements NC management as a structured workflow with enforced gates at every stage:
Structured NC Creation: Auditors create NCs within the system using a structured form that captures all required information: the requirement, the evidence, the classification, and the relevant clause. The system ensures completeness before the NC can be submitted.
Automatic Client Notification: When an NC is created, the client is automatically notified through their portal. The notification includes all NC details and clear instructions for providing a response.
Portal-Based Client Response: Clients respond to NCs through their portal, providing root cause analysis, corrective action plans, and evidence uploads. All responses are timestamped and linked to the specific NC.
Auditor Review Workflow: The auditor receives the client's response within the system and can review it alongside the original NC. They can accept the response, request additional information, or request modifications.
Evidence Management: Clients upload evidence of corrective action implementation through the portal. The evidence is linked to the NC and available for auditor review within the same interface.
Closure Gates: An NC cannot be closed without the auditor formally recording their verification assessment. The system blocks closure until all required steps are completed.
Certification Decision Blocking: The system prevents the file from advancing to committee review while major NCs remain open. This hard block ensures that certification decisions are only made when all major findings have been adequately addressed.
Deadline Tracking and Alerts: The system tracks NC response and evidence deadlines and generates alerts when deadlines are approaching or have passed.
The Accreditation Perspective
During accreditation assessments, NC management is one of the most closely examined areas. Assessors typically:
- •Select a sample of certification files and examine every NC from identification through closure.
- •Verify that NCs were properly classified, documented, and communicated.
- •Check that client responses were reviewed and accepted before closure.
- •Confirm that major NCs were resolved before the certification decision.
- •Look for evidence of systematic NC management across all files, not just the sampled ones.
Certiva provides all of this evidence in a structured, easily accessible format. Every NC has a complete lifecycle record that can be reviewed in seconds during an assessment.
Best Practices for NC Management
Beyond the software capabilities, effective NC management requires:
- •Clear Writing: NCs must be written clearly enough that the client understands the finding and can take appropriate action. The statement of the requirement and the objective evidence must be specific and unambiguous.
- •Timely Communication: NCs should be communicated to the client promptly after the audit, not weeks later when details have faded from memory.
- •Reasonable Deadlines: Response and evidence deadlines should be realistic, giving clients adequate time to investigate and implement corrective action.
- •Thorough Verification: Auditors should verify corrective actions rigorously, not rubber-stamp client responses.
- •Consistent Classification: CBs should provide guidance to auditors on classification criteria to ensure consistency across the audit team.
Ready to eliminate NC management failures?
Book a demo at getcertiva.com and see how Certiva's structured NC workflow ensures every finding is tracked, responded to, verified, and properly closed.