How Many Rounds of Corrective Action Can You Submit Before Failing?

CertBetter

Team CertBetter

12 min read
How Many Rounds of Corrective Action Can You Submit Before Failing?

The Question Every Business Asks After an Audit

You have just come out of your ISO certification audit and the auditor has raised nonconformances. You submit your corrective action response, and then another one, and maybe a third. At some point, a very reasonable question starts forming in your mind: how many times can I actually do this before the certification body just says no?

It is one of the most common questions I hear from businesses going through their first or second audit cycle. And the honest answer is that there is no single universal number written in any ISO standard. But that does not mean there are no limits. There absolutely are, and understanding how this process actually works can be the difference between getting certified and having to restart your audit entirely.

This article walks you through how corrective action submission rounds work in practice, what certification bodies are really looking for, and how to avoid burning through your chances before you have even addressed the root cause.

What Happens When an Auditor Raises a Nonconformance?

Before we get into the number of rounds, it helps to understand what a nonconformance actually triggers. When an auditor identifies a nonconformance during a Stage 2 certification audit or a surveillance audit, they are documenting that your management system has failed to meet a specific requirement of the standard. That finding gets recorded in the audit report and you are given a defined period to respond.

Your response is not just about fixing the immediate problem. A proper corrective action response under ISO standards requires three things: containment of the immediate issue, a root cause analysis that explains why it happened, and evidence that you have implemented a systemic fix to prevent recurrence. If your response only addresses the surface problem without touching the root cause, the auditor will likely reject it.

This is where most businesses run into trouble. They treat corrective action like a checkbox exercise rather than a genuine investigation. They fix the symptom, submit a response, and then wonder why the auditor keeps sending it back.

For a clear explanation of what separates an observation from a formal nonconformance, see our article on what it means when an auditor raises an observation versus a nonconformance.

So How Many Rounds Do You Actually Get?

The short answer is that most certification bodies allow two to three rounds of corrective action submission before escalating the situation. But the practical reality is more nuanced than that.

The Typical Timeline and Round Structure

After a Stage 2 audit, you will usually have a set period, commonly 30 to 90 days depending on the certification body and the severity of the finding, to submit your corrective action response. The auditor reviews it and either accepts it, requests clarification, or rejects it and asks you to resubmit.

In practice, most certification bodies will give you two formal rounds. If your first submission is rejected, you get a second attempt. If that second attempt is also inadequate, the situation becomes serious. Some bodies will allow a third round, but at that point the auditor is typically escalating the matter internally and the outcome may no longer be a simple acceptance or rejection.

What happens after repeated failed submissions depends on the certification body's own procedures and the nature of the nonconformance. Common outcomes include:

  • The certification body closes the nonconformance as unresolved and withholds certification
  • The audit cycle is terminated and a new Stage 2 audit is required
  • The finding is escalated to a major nonconformance if it was originally classified as minor
  • A special audit or follow-up visit is scheduled at your cost

Major vs Minor Nonconformances: The Stakes Are Different

The number of rounds you effectively get also depends heavily on whether the nonconformance is classified as major or minor. This distinction matters enormously and is something businesses often underestimate.

A minor nonconformance is a single isolated failure or gap in your system. It is serious enough to require corrective action, but it does not indicate a systemic breakdown. You generally have more flexibility in how you respond and the timeframe is usually more generous.

A major nonconformance is a different situation entirely. It indicates either a complete absence of a required element, a systemic failure across multiple areas, or a situation that raises serious doubt about whether your management system can achieve its intended outcomes. For major nonconformances, certification bodies are far less patient. Some will not issue a certificate at all until the major is fully closed, and the review process is typically much stricter.

If you have a major nonconformance and your first corrective action response misses the mark, you may only get one more attempt before the certification body requires a re-audit. That is an expensive outcome that could have been avoided with a better first response.

Why Corrective Action Responses Get Rejected

Understanding why responses get rejected is just as important as knowing how many rounds you have. In my experience reviewing corrective actions, the same mistakes come up repeatedly.

Addressing the Symptom, Not the Root Cause

This is the most common failure. A business finds that a procedure was not followed, so they retrain the staff member involved and submit that as their corrective action. The auditor rejects it because the response does not explain why the procedure was not followed in the first place. Was the procedure unclear? Was it not accessible at the point of use? Was there a supervision gap? Was the procedure itself outdated?

Root cause analysis tools like the 5 Whys or an Ishikawa diagram are not just theoretical exercises. They are the mechanism by which you demonstrate to an auditor that you have genuinely understood the failure and addressed it at a systemic level.

Insufficient or Irrelevant Evidence

Auditors need to see objective evidence that your corrective action has been implemented, not just planned. Submitting a corrective action plan without any evidence of implementation is a very common reason for rejection, particularly if your submission deadline is close and you are rushing to get something in.

Evidence needs to be specific and traceable. Screenshots of updated procedures, training records with dates, revised process flowcharts, meeting minutes showing management review of the issue, updated risk registers. Vague statements like “staff have been informed” without supporting records will not satisfy an auditor.

For guidance on how long you need to retain that evidence, our article on how long corrective action evidence needs to be kept is worth reading before you start filing anything away.

Corrective Action That Does Not Match the Finding

Sometimes businesses submit a response that addresses a related but slightly different problem from what was actually raised. This often happens when the nonconformance description in the audit report is technical and the person preparing the response has not fully understood what clause was breached and why.

Always map your corrective action back to the specific clause cited in the finding. If the auditor raised a nonconformance against Clause 8.4 of ISO 9001 regarding control of externally provided processes, your corrective action needs to demonstrate that your supplier management process now meets that clause, not just that you have had a conversation with the supplier in question.

Timelines That Slip Without Communication

If you know your corrective action is going to take longer than the agreed deadline, communicate with your certification body early. Do not simply miss the deadline and then submit late without explanation. Most certification bodies will grant an extension if you ask in advance and provide a reasonable justification. If you miss the deadline without communication, some bodies treat that as a failure to respond, which can trigger escalation procedures.

What Certification Bodies Are Actually Evaluating

It helps to understand what is going through the auditor's mind when they review your corrective action submission. They are not looking for perfection in the writing. They are evaluating three things: whether you understood the finding, whether your root cause analysis is credible, and whether your evidence demonstrates that the fix is real and durable.

Auditors are also looking at the pattern across your entire audit. If you have five nonconformances and all five corrective action responses are superficial, that tells the auditor something about the maturity of your management system. Conversely, if you have five nonconformances and your responses are thorough, well-evidenced and demonstrate genuine learning, that creates a very different impression.

The ISO 19011 standard for auditing management systems provides the framework auditors use when evaluating evidence. Understanding that framework helps you present your corrective actions in a way that aligns with how auditors are trained to assess them.

It is also worth noting that certification bodies operate under their own accreditation requirements. In Australia, JAS-ANZ accredited bodies are required to follow ISO 17021-1, which sets out requirements for how certification bodies must manage nonconformances and corrective actions. This means the process is not arbitrary. There are rules governing how many opportunities a certification body can reasonably give you before they must make a decision.

Practical Steps to Get Your Corrective Action Right the First Time

Given that you have a limited number of attempts, getting your first response right is clearly the better strategy. Here is how to approach it properly.

Read the Finding Carefully Before You Do Anything

Print out the nonconformance description and read it at least twice. Identify the specific clause being cited, the objective evidence the auditor used to raise the finding, and the exact nature of the gap. If anything in the finding is unclear, contact the certification body and ask for clarification before you start preparing your response. This is completely acceptable and most auditors would rather you ask than submit a response that misses the point.

Conduct a Genuine Root Cause Analysis

Do not skip this step or treat it as a formality. Bring together the people who are closest to the process where the failure occurred. Use a structured tool. Document your analysis. The root cause you identify should be specific enough that it points directly to a corrective action. If your root cause is something vague like “lack of awareness,” you have not gone deep enough.

Implement Before You Submit

Wherever possible, implement your corrective action before you submit the response. Do not submit a plan and promise future action. Submit evidence of completed action. This is the single biggest thing you can do to improve your acceptance rate on the first submission.

Structure Your Response Clearly

Present your response in a clear format that maps directly to the three components the auditor is looking for: immediate containment, root cause analysis, and systemic corrective action with evidence. Some certification bodies provide a template. Use it. If they do not, create your own structure that clearly separates these three elements.

Have Someone Independent Review It First

Before you submit, have someone who was not involved in preparing the response read it and ask whether it makes sense. Can they clearly see what the root cause was? Can they see the evidence that the fix has been implemented? If they cannot, the auditor probably cannot either.

What Happens If You Run Out of Rounds?

If your corrective action responses are rejected repeatedly and the certification body determines that the nonconformance cannot be closed, the consequences depend on where you are in the audit cycle.

For initial certification, the most common outcome is that the audit cycle is terminated. You do not receive your certificate. Depending on the certification body's procedures, you may be required to undergo a full Stage 2 audit again rather than just resubmitting. This means additional audit fees on top of the time you have already invested.

For surveillance or recertification audits, an unresolved major nonconformance can result in suspension of your certificate. If the certificate is suspended and you do not resolve the nonconformance within the suspension period, which is typically 6 months, the certificate can be withdrawn entirely.

Certificate suspension and withdrawal are serious outcomes. They can affect your ability to bid on contracts, maintain supplier relationships, and meet regulatory requirements. If you are approaching this situation, it is worth getting external help rather than continuing to submit responses that are not working.

Our article on the formal process for disputing an ISO audit finding is also relevant here. If you genuinely believe a finding has been raised incorrectly, you have the right to dispute it through the certification body's formal complaints process.

When to Get Help

If you have already had one corrective action response rejected and you are not confident about your second attempt, that is the moment to bring in an experienced ISO consultant. Not after the second rejection. Not after your certificate has been suspended. After the first rejection.

An experienced consultant can review the original finding, assess whether your root cause analysis is credible, identify the gaps in your evidence, and help you structure a response that addresses what the auditor is actually looking for. That investment is almost always less expensive than the cost of a re-audit or the commercial consequences of a delayed or suspended certificate.

If you are not sure where to find a consultant you can trust, our guide on how to spot a bad ISO consultant will help you avoid wasting time and money on the wrong person.

CertBetter connects businesses with verified ISO consultants who have real auditing and implementation experience. If you are in the middle of a corrective action process and need expert help fast, you can submit one form on CertBetter and receive up to three competing quotes from vetted consultants. The service is free for businesses and there is no obligation to proceed.

Get 3 ISO Quotes. 24 Hours Response

Tell us what you need and compare vetted ISO consultants or certification bodies within 24 hours. Free, no obligation.

Trusted by 400+ businesses like yours

Frequently Asked Questions

No ISO standard specifies a maximum number of corrective action submission rounds. The number of rounds allowed is determined by the certification body's own procedures, which must comply with ISO 17021-1. In practice, most certification bodies allow two to three rounds before escalating the situation, but this varies by body and by the severity of the nonconformance.

A corrective action plan describes what you intend to do to fix a nonconformance. A corrective action response includes the completed actions along with objective evidence that those actions have been implemented. Auditors generally want to see a completed response with evidence, not just a plan for future action. Submitting only a plan without evidence of implementation is one of the most common reasons for rejection.

Yes, this can happen. If a minor nonconformance remains unresolved across multiple submission rounds or persists into the next audit cycle, the certification body may reclassify it as a major nonconformance. This is particularly likely if the failure to close the finding suggests a systemic problem rather than an isolated gap. It is one of the reasons why taking minor nonconformances seriously from the first response is so important.

If you arrive at a surveillance audit with an open nonconformance from a previous audit that has not been closed, the auditor will review the status of that finding as part of the current audit. If it remains unresolved and the auditor determines it now represents a major failure, your certificate may be suspended. Certification bodies are required under ISO 17021-1 to take action when open nonconformances are not addressed within the agreed timeframe.

Yes, and you should do so proactively if you know you need more time. Contact your certification body before the deadline, explain why you need an extension, and provide a revised timeline. Most certification bodies will grant a reasonable extension if you ask in advance. What they will not look favourably on is a missed deadline with no communication, which can be treated as a failure to respond and trigger escalation procedures.

A credible root cause analysis identifies the underlying systemic reason for the failure, not just the immediate trigger. A useful test is to ask whether the corrective action you are proposing would prevent the same type of failure from occurring in a different part of your organisation or in a different situation. If the answer is yes, your root cause is probably deep enough. If your corrective action only prevents this exact incident from happening again, you likely have not gone far enough into the root cause.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.