Miriam Boudreaux

Standards

What Happens If You Fail Your Audit

It's not the end of the world. It's a chance to improve.

Published: Tuesday, August 18, 2009 - 05:30

Story update 8/21/2009: We corrected an error regarding the function of the accreditation body.

 

I’ve worked with several companies over the years and dealt with different individuals, different processes, and different levels of ISO 9001 understanding. However, when an organization is getting ready to apply for ISO 9001 certification, the question most often asked is: “Are we going to pass the audit?” Similar questions I've been asked are:

"How many of your clients have passed the audit?"

"How many of your clients failed the audit?"

And after I have conducted an internal audit, the usual question is, of course, “Did we pass?”

Those seem to be very simple questions, and a yes or no should suffice. However, the truth of the matter is that ISO 9001 audits don't have a grade: there is no pass or fail status.

Please visit our blog on the ISO Audit Results and Nonconformities for a detailed explanation of what constitutes an audit finding, or nonconformity.

Passing or failing an internal audit

Let’s look at the case of internal audits. Internal audits are usually run by people from the organization, or often by consultants who issue an internal audit report containing audit findings, specifically nonconformities. If your company gets one or two nonconformities, will it pass the internal audit? The answer is that audits aren't pass or fail exercises. Basically, you will have done great even with two or five audit findings, or perhaps even 10. In all cases, you should see the results as great, because you have found some shortcomings in your company and now you are in a position where you can fix them. 

So the internal audit isn't a passing or failing matter. The purpose of the audit is to assess the degree of conformance to the audit standard and report the results of the audit in the audit report. The audit report will not indicate that the company passed or failed, but rather whether the company has a high degree of conformance or needs some improvement, which can be accomplished by taking appropriate actions to address the nonconformities.

Passing or failing an external audit

In the case of external audits, the same principles apply. You don't have a pass or fail grade. However, there is a difference depending on whether it is an initial audit or a periodic audit, and whether major or minor nonconformities were issued.

Registrars have their own procedures, which establish how much time the organization has to respond to nonconformities. If the audit is a certification or initial audit, then there's a set time for responding to nonconformities. Failure to comply will result in the organization not being recommended for certification and ultimately not receiving their certificate. 

If the audit is a periodic audit, then again, there is a set time to respond to nonconformities. If the organization submits their response within that allotted time, then their certificate will continue in good standing. If the organization doesn't submit their responses in the allotted time, then they risk losing their certificate. In most cases, you have 30 days to submit your response to the registrar on how you will resolve the nonconformities.

Initial ISO 9001 audits without nonconformities

During the initial audit there are indeed worries about whether the organization is going to pass or fail the audit and get its certificate. Let us explain that the certificate isn't issued immediately upon completion of the audit. When the registrar completes the initial or certification audit of the organization, they submit their report to the technical committee, which will in turn review the report and issue the certificate. This process can happen immediately after the audit or it can be done a few weeks later. It all depends on how many nonconformities the organization got during the audit. So if the company didn't get any nonconformities, then the registrar will feel comfortable recommending the company immediately for certification. The auditors don't issue the certificate immediately; they recommend. So again, if there are no nonconformities to follow up, then the registrar will more than likely tell the organization during the closing meeting that they will be recommending them to be registered as an ISO 9001 organization, and then the registrar will issue the certificate a few weeks (or months) later.

Initial ISO 9001 audits with minor nonconformities issued

The picture changes when there are nonconformities. Here there is one question to ask: whether those nonconformities are major or minor.

If there are nonconformities, the registrar won't recommend the organization for certification. However, if all the nonconformities are minor, they will say during the closing meeting that they will recommend the company for certification upon receipt and approval of written corrective action for all the nonconformities issued. So if the company got, for example, two, five, or seven minor nonconformities, the organization should feel great because if appropriate corrective action is submitted for review to the registrar, they will be recommended for certification. So if the registrar conducted the audit this week, and they leave you with a report and findings and you spend one or two days to come up with a corrective action plan for all those findings, you may be on your way to success. Once you submit your response to the registrar and they review and accept all your answers, they will at that point recommend your organization for certification. So it may not even be a week after the audit before you are recommended for certification. It just depends on how long you take to come up with the answers and how long it takes the registrar to review the corrective actions. 

Again, the audit was not pass or fail, just a matter of assessing the degree of conformity.

Initial ISO audits with major nonconformities issued

There is a third case, which is when there are major nonconformities. If there are major nonconformities issued during the initial certification audit, then most likely the registrar won't recommend the company for certification during the closing meeting. Not only will you have to submit your responses by e-mail, but most registrars will require a follow-up audit, so they will need to come back to your organization and physically verify that the major findings have been taken care of.

So that is the main difference. On minor nonconformities the company submits their corrective actions via e-mail and no follow-up is required. On major nonconformities, the corrective action responses to the nonconformities are also submitted by e-mail, but in most cases the registrar is going to come back to verify the corrective action implementation. They will schedule a follow-up audit, which will probably take a day or so. If everything goes well and the responses to the nonconformities are verified, they should recommend the company for certification.

So once again, external audits aren't a case of pass or fail. Even if you get major nonconformities, you should address them, issue the corrective action plan, send it to the registrar, make sure they approve it, and if you do so in a very expeditious way, the registrar will be in a position to schedule a follow-up audit shortly. When they come, if they see that the nonconformities have been taken care of, they will validate the nonconformities, close them and subsequently recommend you for ISO 9001 certification.

Periodic ISO audits

Periodic audits conducted by the registrar differ slightly from initial audits. Besides the difference in audit time, the big difference is that the organization already has an ISO 9001 certificate. If the organization satisfactorily addresses all nonconformities issued, whether major or minor, the registrar will keep their ISO certificate in good standing. Failure to address minor nonconformities may result in the nonconformities being elevated to a major category. Failure to resolve major nonconformities may result in the company being put on probation, and could go so far as causing them to lose their ISO certificate.

Final words

In essence, once the organization puts into action their preventive and corrective procedures, as well as their continual improvement process to correct nonconformities generated through the internal or external audit, they will receive or continue their ISO 9001 certification. No pass or fail grades, no good or bad remarks: ISO 9001 audits are basically just a great opportunity to continually improve the organization and its quality management system.

 


About The Author


Miriam Boudreaux

Miriam Boudreaux is the CEO and founder of Mireaux Management Solutions, a technology and consulting firm headquartered in Houston, Texas. Mireaux’s products and services encompass international standards ISO and API consulting, training, auditing, document control and implementation of the Web QMS software platform. Mireaux’s 6,500 square foot headquarters, located in the northwest area of Houston, houses their main offices as well as their state-of-the-art training center. Mireaux itself is certified to ISO 9001:2015 and ISO 27001:2013. To get in touch with Miriam Boudreaux, please contact her at info@mireauxms.com.