Why the Distinction Between an Observation and a Nonconformance Actually Matters
If you have ever sat through an ISO audit closing meeting and heard the auditor rattle off a list of findings, you may have walked away unsure what any of it actually means for your certification. One of the most common points of confusion is the difference between an observation and a nonconformance. These two terms sound like they might be interchangeable, but they are not. Confusing them can lead you to either panic unnecessarily or, worse, ignore something that genuinely puts your certificate at risk.
This article breaks down what each finding type means, how auditors decide which one to raise, what you are expected to do in response, and how the two fit into the broader audit process. Whether you are heading into your first certification audit or managing an ongoing surveillance cycle, understanding this distinction will make you a far more effective participant in the process.
What Is a Nonconformance in an ISO Audit?
A nonconformance, sometimes written as nonconformity or NC, is a finding that your management system or a specific activity does not meet a requirement. That requirement could come from the ISO standard itself, from your own documented procedures, or from a regulatory obligation you have committed to within your system.
There are two levels of nonconformance, and understanding the difference between them is just as important as understanding the difference between observations and NCs.
Major Nonconformance
A major nonconformance is a serious finding. It means either a complete absence of a required element, a systemic failure across multiple areas, or a breakdown that is likely to result in the delivery of a nonconforming product or service. If your auditor raises a major NC, your certification is at risk. You will not receive your certificate, or your existing certificate may be suspended, until you have resolved it and provided acceptable evidence of correction.
An example of a major NC would be a manufacturing business with no documented process for controlling nonconforming outputs under ISO 9001, despite this being a clear clause requirement. Another example would be a company that claims to conduct internal audits but has no records showing any have ever been completed.
Minor Nonconformance
A minor nonconformance is a single, isolated failure to meet a requirement. It is still a real finding that must be addressed, but it does not represent a systemic breakdown. Your certificate is not immediately at risk, but you are required to investigate the root cause, implement a corrective action, and provide evidence to the auditor within an agreed timeframe, usually 30 to 90 days depending on the certification body.
An example of a minor NC would be finding one piece of equipment in your calibration register that has passed its due date for recalibration. The process exists, it is mostly working, but there is an isolated gap.
For a deeper look at how auditors assess your system against standard requirements, it helps to understand the different types of audits and how they work.
What Is an Observation in an ISO Audit?
An observation is a finding that sits below the threshold of a nonconformance. It does not represent a breach of a specific requirement. Instead, it signals that something is not quite right, that a process is heading in a concerning direction, or that there is a risk of a future nonconformance if nothing changes.
Some certification bodies and auditors use the terms observation and opportunity for improvement almost interchangeably, though there is a subtle distinction worth noting. An observation tends to be more specific, often tied to a particular process or piece of evidence the auditor reviewed. An opportunity for improvement is often more general, a suggestion rather than a flag.
You can read more about the specific nature of opportunities for improvement in our article on what an opportunity for improvement means in an ISO audit.
Critically, observations do not require a formal corrective action response. You are not obligated to submit evidence of resolution to the auditor. However, a smart business treats observations seriously, because they often become nonconformances at the next audit if left unaddressed.
Examples of Audit Observations
Here are some real-world scenarios where an auditor might raise an observation rather than a nonconformance:
- Your risk register exists and is being maintained, but it has not been reviewed in 11 months. The standard requires periodic review but does not specify a frequency. The auditor notes that the gap is getting long and flags it as an observation.
- Several staff members interviewed during the audit were unclear about the organisation's quality policy objectives. There is no specific clause breach, but the auditor is concerned about the level of awareness across the team.
- Your supplier evaluation process is documented and followed, but the auditor notices that you have not reassessed one of your critical suppliers in over two years. There is no defined timeframe in your procedure, so it is not technically a breach, but the auditor flags it as a concern.
- Training records are maintained, but some records lack specific details about the content covered. The records exist, so it is not a nonconformance, but the quality of the records is borderline.
In each of these cases, the auditor is doing you a favour. They are pointing out something worth fixing before it becomes a real problem.
How Auditors Decide Which Finding to Raise
This is where a lot of businesses get frustrated, because the line between an observation and a minor nonconformance can feel subjective. To some extent, it is. Different auditors will interpret the same evidence differently, and different certification bodies have different internal guidance on how to classify findings.
That said, there are some consistent principles that most competent auditors apply.
Is There a Specific Requirement Being Breached?
The first question an auditor asks is whether there is a clear, specific requirement in the standard or in the organisation's own documented system that is not being met. If the answer is yes, the finding is a nonconformance. If the answer is no but there is still a concern, the finding is typically an observation.
Is the Gap Isolated or Systemic?
A single instance of a problem is more likely to attract a minor NC or an observation. A pattern of the same problem across multiple areas, multiple people, or multiple records is more likely to attract a major NC. Auditors look for evidence of whether the issue is a one-off or whether it reflects how the business actually operates.
What Is the Potential Impact?
Auditors also consider the potential consequence of the gap. If a finding could directly lead to a safety incident, a regulatory breach, or a significant quality failure, it is more likely to be elevated to a nonconformance even if it might otherwise be borderline. If the potential impact is low, an observation is more appropriate.
ISO 19011 is the guidance document for how audits of management systems should be conducted. Understanding this standard gives you real insight into how auditors are supposed to approach their work.
What You Are Required to Do After Each Finding Type
This is the practical part that most business owners care about. What actually happens after the audit closing meeting?
Responding to a Major Nonconformance
If you receive a major NC, you need to act quickly. You will typically be given a defined timeframe, often 30 days but sometimes less, to submit a corrective action plan and initial evidence of correction. The certification body will review your response before deciding whether to grant or maintain your certificate. In some cases, a follow-up audit visit may be required to verify the correction on-site.
Do not try to close a major NC with a quick paperwork fix. Auditors are experienced at spotting responses that address the symptom without dealing with the root cause. A genuine investigation, a real corrective action, and solid evidence are what you need.
Responding to a Minor Nonconformance
Minor NCs require a formal corrective action response, but you typically have more time. You need to identify the root cause, implement a correction and a corrective action to prevent recurrence, and submit evidence to the certification body. The auditor or a reviewer at the certification body will assess whether your response is adequate. If it is not, they will ask for more information.
Our article on how long corrective action evidence needs to be kept is worth reading before you close out any NC, because the record-keeping requirements extend well beyond the immediate response.
Responding to an Observation
There is no mandatory formal response required for an observation. However, the best practice is to treat it like a minor NC and address it anyway. Document what you found when you investigated, what you did about it, and when it was resolved. This gives you a strong position at the next audit and demonstrates that your management system is genuinely functioning rather than just compliant on paper.
Businesses that consistently ignore observations tend to accumulate nonconformances over time. The audit trail tells a story, and auditors read it.
Common Misconceptions About Audit Findings
Over years of conducting and reviewing audits, a handful of misunderstandings come up repeatedly. Here are the most important ones to clear up.
Misconception 1: Observations Are Not Real Findings
Some businesses breathe a sigh of relief when they hear the word observation and immediately move on. This is a mistake. Observations are real findings. They reflect something the auditor noticed that is worth your attention. Treat them as early warning signals, not compliments.
Misconception 2: More Findings Means a Worse Audit
Not necessarily. An auditor who raises a handful of observations and minor NCs is doing their job properly. A clean audit report with zero findings can actually be a red flag, particularly for a mature system. It might mean the auditor did not look hard enough, or that the system is so well-maintained that there is genuinely nothing to find. The former is more common than the latter.
If you are concerned about the quality of your audit, our article on what to do if you have a bad ISO certification auditor covers your options clearly.
Misconception 3: You Can Argue Your Way Out of a Nonconformance
You can dispute a finding if you believe it is genuinely incorrect, and there is a formal process for doing so. But trying to talk an auditor out of a legitimate NC during the closing meeting rarely works and can damage the relationship. If you believe a finding is wrong, the right approach is to raise a formal objection through the certification body's complaints process after the audit. For more on this, see our article on the formal process for disputing an ISO audit finding.
Misconception 4: Observations Cannot Become Nonconformances
They absolutely can. If an auditor raises an observation at one surveillance audit and finds the same issue unaddressed at the next visit, they are very likely to escalate it to a nonconformance. The fact that they flagged it previously and you did nothing is not a good look.
How to Use Audit Findings to Strengthen Your System
The businesses that get the most value from ISO certification are the ones that treat audit findings, including observations, as genuine business intelligence rather than bureaucratic hurdles. Every finding is a data point about where your system is working and where it is not.
After each audit, sit down with your management team and go through every finding. For nonconformances, assign ownership and set realistic deadlines for corrective action. For observations, discuss whether they reflect a real operational risk and decide whether to act on them formally or monitor them. Either way, record your decision.
Build your findings into your management review agenda. ISO standards require management review to consider audit results, and this is exactly what that clause is designed for. If you are running internal audits well, you should be catching most of these issues before the external auditor does. Our guide on how to run ISO internal audits that actually find problems is a practical resource for building that capability.
A Quick Reference Summary
To summarise the key distinctions clearly:
- Major Nonconformance: A serious breach of a requirement. Certificate at risk. Requires urgent corrective action and evidence before certification proceeds.
- Minor Nonconformance: An isolated breach of a requirement. Certificate not immediately at risk. Requires root cause analysis, corrective action, and evidence within an agreed timeframe.
- Observation: A concern or risk noted by the auditor that does not breach a specific requirement. No mandatory response required, but best practice is to address it and document your response.
- Opportunity for Improvement: A suggestion from the auditor for how you might enhance your system. No response required. Treat it as free consulting advice.
Getting the Right Support Before and After Your Audit
Understanding the language of ISO audits is one thing. Having the right people in your corner before, during, and after the process is another. If you are heading into a certification audit for the first time, or if you have received findings that you are not sure how to respond to, working with an experienced ISO consultant can make a significant difference to both your confidence and your outcome.
If you are looking for qualified consultants who understand the audit process from the inside, CertBetter can help. Submit one form and receive up to three competing quotes from vetted ISO consultants and certification bodies. The service is free for businesses, and all providers on the platform are independently verified. It is a straightforward way to find the right support without the usual guesswork.




