Why Closing Out Audit Findings Matters More Than You Think
Audit findings are not the end of the world. In fact, most businesses going through ISO certification for the first time will receive at least a handful of findings during their Stage 1 or Stage 2 audit. The real problem is not getting the findings. It is not knowing how to close them out properly, which is what actually delays or derails certification.
If you have recently been through a Stage 1 or Stage 2 audit and received nonconformances or observations, this guide will walk you through exactly what to do next. We will cover the different types of findings, how to structure your corrective action responses, what evidence auditors actually want to see, and the common mistakes that cause closures to get rejected. This is practical, step-by-step advice based on what happens in real audits, not textbook theory.
Understanding the Types of Audit Findings
Before you can close a finding, you need to understand what type of finding you are dealing with. Auditors raise different categories of findings, and each one carries a different level of urgency and a different closure process.
Major Nonconformances
A major nonconformance is a significant failure to meet a requirement of the standard. This could mean an entire clause is not addressed, a critical process has no controls in place, or there is a systemic breakdown in your management system. Major nonconformances must be closed before a certification body can issue your certificate. They are not optional. You cannot receive certification with an open major.
Examples of major nonconformances include having no internal audit programme in place, no management review being conducted, or no documented procedure for corrective action. These are foundational requirements that the standard demands, and their absence signals that your system is not genuinely operational.
Minor Nonconformances
A minor nonconformance is a single isolated failure or a gap in implementation that does not represent a systemic breakdown. The requirement exists in your system, but something has slipped. A certification body will typically allow you to receive certification with open minors, provided you submit an acceptable corrective action plan and close the finding within an agreed timeframe, often within 90 days of certification.
Do not treat minors as unimportant. A cluster of minors in the same area can signal a systemic problem, and auditors will be watching at your first surveillance audit to see whether you followed through.
Observations and Opportunities for Improvement
These are not formal nonconformances. An auditor might note that something is working but could be done better, or flag a risk they noticed that has not yet become a problem. You are not required to formally close these out, but addressing them demonstrates good faith and strengthens your system. If you want to understand the distinction more clearly, read our article on what it means when an auditor raises an observation versus a nonconformance.
The Corrective Action Process: Step by Step
Closing an audit finding is not simply about fixing the problem and sending a photo as evidence. Certification bodies want to see that you have understood the root cause, addressed it properly, and put controls in place to stop it happening again. This is the corrective action process, and it follows a structured approach that auditors are trained to evaluate.
Step 1: Acknowledge and Document the Finding
Start by making sure you fully understand what the auditor has written. Read the nonconformance statement carefully. What specific clause does it relate to? What evidence did the auditor observe or fail to observe? If anything is unclear, contact the auditor or certification body and ask for clarification before you start working on your response. Responding to the wrong problem is a common and costly mistake.
Open a corrective action record in your system. This could be a simple form or a dedicated corrective action register. Document the finding reference number, the clause affected, the date raised, and the person responsible for closing it out.
Step 2: Contain the Immediate Problem
For major nonconformances especially, you need to take immediate containment action to prevent the issue from causing further harm while you work on the root cause. This is sometimes called a containment action or immediate correction.
For example, if the finding is that a batch of products was released without completing the required inspection checks, the immediate containment action might be to quarantine the batch, conduct a retrospective inspection, and notify affected customers if necessary. This step shows the auditor that you took the finding seriously from day one.
Step 3: Conduct a Root Cause Analysis
This is the step most businesses get wrong. They fix the surface problem and think that is enough. Auditors are specifically trained to check whether your root cause analysis is genuine and whether your corrective action actually addresses that root cause.
Root cause analysis does not need to be complex. For most findings, a simple Five Whys analysis is sufficient. Ask why the problem occurred, then ask why again, and keep going until you reach the underlying cause. Common root causes include inadequate training, unclear procedures, poor communication between teams, or a process that was designed but never properly implemented.
Write your root cause analysis down. Auditors will want to see it. A verbal explanation is not enough.
Step 4: Develop and Implement the Corrective Action
Once you know the root cause, you can design a corrective action that actually addresses it. The corrective action should be proportionate to the severity of the finding. A major nonconformance will require more robust corrective action than a minor one.
Be specific. Do not write generic statements like “staff will be trained” or “procedures will be updated.” Write exactly what training will be conducted, who will receive it, by when, and how you will verify that it has been completed. Auditors are looking for specificity, accountability, and a realistic timeline.
Step 5: Gather and Submit Evidence
This is where many businesses stumble. They do the work but fail to document it properly, and then cannot demonstrate to the auditor that the corrective action has been completed.
Think about what evidence would prove to an independent observer that the action was taken. Common forms of evidence include updated procedures or work instructions, training records or attendance sheets, completed checklists or inspection records, meeting minutes, photographs of physical changes, and updated registers or logs. The evidence needs to be dated and traceable. If you updated a procedure, the revised version should carry a new version number and a revision date.
Submit your evidence to the certification body through whatever channel they have specified, usually an online portal or email. Include a clear cover note that maps each piece of evidence back to the specific finding it addresses.
Step 6: Verify Effectiveness
Closing a finding is not just about submitting evidence of the action taken. For major nonconformances in particular, auditors will want to see evidence that the corrective action has actually worked. This is called effectiveness verification.
For example, if your corrective action was to retrain staff on a procedure, effectiveness verification might involve checking records from the following month to confirm that the procedure is now being followed correctly. Build this step into your corrective action plan from the start. Set a date for effectiveness review and document the outcome.
Common Mistakes That Delay Closure
Having reviewed corrective action submissions from many different businesses, we see certain patterns come up repeatedly when closures get rejected or delayed. Here are the most common ones to avoid.
Addressing the Symptom Instead of the Root Cause
This is the number one reason corrective action submissions get rejected. If your finding relates to staff not following a procedure, and your corrective action is simply to remind staff of the procedure, you have addressed the symptom. The root cause might be that the procedure is not accessible at the point of work, or that staff were never properly trained on it in the first place. Fix the root cause, not just the visible problem.
Submitting Vague or Undated Evidence
Evidence that cannot be traced to a specific date, person, or process is almost useless. If you submit a training record with no date on it, the auditor cannot confirm that the training happened after the finding was raised. Always ensure your evidence is dated and clearly linked to the corrective action.
Not Closing All Parts of a Multi-Part Finding
Sometimes a nonconformance statement contains multiple elements. For example, a finding might note that procedures were not documented, staff were not trained, and records were not maintained. You need to address every element. Businesses sometimes fix one part and assume the finding is closed, only to have it rejected because two other elements remain open.
Leaving Minors Until the Last Minute
Minor nonconformances raised during a Stage 2 audit are often given a 90-day closure window. Many businesses put them aside and forget about them until the deadline approaches. Then they scramble to produce evidence and submit something rushed. Start working on minors immediately, even if you have more time. Your first surveillance audit will come around faster than you expect, and open minors will be reviewed.
Missing the Deadline
If you cannot meet a closure deadline, contact your certification body in advance and ask for an extension. Do not simply miss the deadline without communicating. Certification bodies generally have a process for granting extensions if you can show genuine progress and a reasonable explanation for the delay. Silence is never the right approach.
How to Prioritise When You Have Multiple Findings
If your audit resulted in several findings, you need a clear plan for prioritising them. Start with any majors, since these must be closed before certification can proceed. Within the majors, prioritise those that affect the most critical processes or present the greatest risk to your customers, workers, or the environment.
For minors, group them by theme. If you have three findings all related to document control, address them together with a single systemic corrective action rather than treating each one in isolation. This approach is more efficient and demonstrates to the auditor that you have understood the underlying pattern.
Assign a responsible person and a target date to each finding. Review progress weekly. If you are working with a consultant, make sure they are actively involved in reviewing your corrective action responses before you submit them. A good consultant will tell you if your root cause analysis is superficial or if your evidence is insufficient. If you are looking for guidance on choosing the right support, our article on how to select the best ISO consultant for certification is worth reading before you engage anyone.
What Happens After You Submit Your Corrective Actions
Once you have submitted your corrective action responses and evidence, the certification body will assign a reviewer, usually the lead auditor from your audit. They will assess each submission against the finding and decide whether to accept it, request additional information, or reject it.
If a submission is accepted, the finding is formally closed. If the reviewer requests additional information, you will typically have a short window to provide it. If a submission is rejected, you will receive feedback explaining why, and you will need to revise and resubmit.
For major nonconformances, some certification bodies require a follow-up visit before they will close the finding, particularly where the original audit evidence was limited or the corrective action involved significant changes to your system. This is normal and should not be alarming. It is simply the certification body doing its job properly. You can read more about the formal process for disputing an ISO audit finding if you believe a finding has been raised unfairly.
Once all majors are closed and your corrective action plans for any minors are accepted, the certification body can proceed to issue your certificate. The timeline from audit completion to certificate issue varies, but it typically takes between two and six weeks depending on how quickly findings are closed and how responsive both parties are.
Building a System That Prevents Repeat Findings
Closing findings before certification is one thing. Keeping them closed is another. The businesses that struggle most with surveillance audits are those that treated their initial certification as a one-time exercise rather than the beginning of an ongoing system.
Once you are certified, your internal audit programme becomes your primary tool for identifying and addressing issues before the external auditor does. A well-run internal audit programme will catch the same types of problems that certification auditors look for, giving you the opportunity to fix them proactively. Our guide on how to run ISO internal audits that actually find problems covers this in practical detail.
The ISO 19011 guidelines for auditing management systems also provide a solid framework for understanding how to conduct effective audits and manage audit programmes, which is useful reading for anyone responsible for maintaining certification.
Your corrective action process should also become a routine part of how your business operates. Every time something goes wrong, whether it was flagged by an auditor or noticed internally, the same structured approach applies: contain, analyse root cause, implement corrective action, verify effectiveness. Businesses that embed this discipline into their culture find that their systems genuinely improve over time, and their surveillance audits become progressively easier.
Getting Help When You Are Stuck
If you are struggling to close out findings on your own, particularly majors that involve significant system changes, it is worth getting professional help. An experienced ISO consultant can review your corrective action submissions before you send them, identify weaknesses in your root cause analysis, and help you build evidence packages that will satisfy the auditor.
The challenge is finding a consultant who actually knows what they are doing and who has experience with your specific standard and industry. If you are not sure where to start, CertBetter can help. Submit one form and receive up to three competing quotes from vetted ISO consultants and certification bodies. The service is completely free for businesses, and it saves you the time and risk of searching for providers on your own.




