Failing an ISO audit is one of those scenarios that business owners dread but rarely get a straight answer about. The truth is, most businesses do not walk away from their first certification audit with a clean pass. Nonconformances are common, and in many cases they are expected. What matters is not whether you received a finding, but what you do with it. This article walks you through exactly what happens if you fail an ISO audit, what the different types of findings mean, how much time you have to fix things, and what the real consequences are if you ignore them.
On this page
First, Let’s Be Honest About What “Failing” Actually Means
ISO audits do not work like a school exam where you either pass or fail outright. There is a spectrum of outcomes, and most of them are recoverable. The word “fail” is not even used in formal ISO audit language. What auditors raise are findings, and those findings sit on a scale from minor to major.
Understanding where your finding sits on that scale determines everything: how quickly you need to respond, whether your certificate is at risk, and what evidence you need to provide. If you are new to this, it helps to first read about what an audit actually involves before diving into the consequences of a poor outcome.
The Three Types of Audit Findings You Need to Know
Minor Nonconformance
A minor nonconformance means you have a gap in your system, but it is isolated. It does not represent a complete breakdown of a process or a systemic failure. An example might be a single procedure that was not reviewed on schedule, or one staff member who could not demonstrate awareness of the quality policy during an interview.
Minor nonconformances do not automatically prevent certification. In most cases, your certification body will grant you a timeframe, typically 30 to 90 days, to close them out with documented corrective action evidence. Your certificate can still be issued or maintained while you work through the fix.
Major Nonconformance
A major nonconformance is more serious. It indicates that a key requirement of the standard has not been met at all, or that a minor issue has become systemic across your organisation. Examples include having no documented internal audit programme, no management review records, or a complete absence of corrective action processes.
A major nonconformance will prevent initial certification from being granted. For surveillance or recertification audits, it can result in suspension of your certificate. You will be required to complete a root cause analysis, implement corrective actions, and provide objective evidence before the certification body will close the finding. In some cases, a follow-up audit is required before the certificate is released or reinstated.
If you want to understand how to dispute a finding you believe is unfair, there is a clear process for that too. Read our guide on the formal process for disputing an ISO audit finding if you think the auditor has got it wrong.
Observations and Opportunities for Improvement
These are not nonconformances. An observation is a note from the auditor flagging something that could become a problem if left unaddressed. An opportunity for improvement is a suggestion, not a requirement. You are not obligated to act on either, but ignoring them repeatedly across multiple audit cycles is not a good look and can signal to your auditor that your system is not genuinely improving.
For a deeper breakdown of the difference between these two, see our article on what it means when an auditor raises an observation versus a nonconformance.
What Happens During a Stage 2 Audit If You Have Nonconformances
The Stage 2 audit is your main certification audit. It is where the auditor assesses whether your management system is fully implemented and effective. If nonconformances are raised at this point, here is the typical sequence of events.
The Auditor Documents the Findings
At the closing meeting, the auditor will present their findings verbally. Within a few days, you will receive a formal audit report detailing each nonconformance, the clause of the standard it relates to, and the objective evidence that led to the finding. The report will also specify whether each finding is minor or major.
You Submit a Corrective Action Plan
For minor nonconformances, you typically have 30 to 90 days to submit evidence of corrective action. This means identifying the root cause, implementing a fix, and providing documented proof. For major nonconformances, the timeframe is usually tighter, often 30 days, and the evidence requirements are more rigorous.
Your corrective action needs to address the root cause, not just the symptom. Auditors have seen every version of a superficial fix. If your procedure was not reviewed because nobody owned it, updating the procedure once is not enough. You need to demonstrate that ownership has been assigned and that a review schedule is now in place and being followed.
The Certification Body Reviews Your Evidence
Once you submit your corrective action evidence, the certification body reviews it. If they are satisfied, the finding is closed and your certificate is issued or maintained. If the evidence is insufficient, they will ask for more. For major nonconformances, many certification bodies will require a follow-up visit, either on-site or remote, before they close the finding.
This process takes time. If you are working to a contract deadline or a tender requirement, a major nonconformance at Stage 2 can push your certification date back by weeks or even months. That is a real commercial consequence, and it is one of the strongest reasons to prepare properly before your audit.
What Happens at a Surveillance Audit If Nonconformances Are Raised
Surveillance audits happen annually in most three-year certification cycles. They are smaller in scope than your initial certification audit, but they carry real weight. If a major nonconformance is raised at a surveillance audit, your certificate can be suspended.
Certificate Suspension
Suspension means your certificate is temporarily invalid. You cannot use it in tenders, contracts, or marketing materials during the suspension period. Most certification bodies will give you a defined window, typically 30 to 90 days, to resolve the nonconformance and lift the suspension.
Suspension is not the same as withdrawal. It is a temporary status, and it is recoverable. However, it creates real problems if clients or procurement teams discover your certificate is suspended. Some contracts require you to notify clients immediately if your certification status changes, so check your contractual obligations carefully.
Certificate Withdrawal
If you fail to close out the nonconformance within the suspension period, the certification body can withdraw your certificate entirely. At that point, you are no longer certified, and you would need to go through the certification process again from the beginning. This is rare, but it does happen, usually in cases where a business has genuinely stopped maintaining its management system or has stopped engaging with the certification body altogether.
What Happens at a Recertification Audit If You Have Major Nonconformances
Recertification audits occur at the end of your three-year certification cycle. They are a full reassessment of your management system. If major nonconformances are raised here, the same rules apply as at Stage 2. Your certificate will not be renewed until the findings are closed, and your current certificate may lapse in the meantime if the resolution takes too long.
This is why it is worth understanding how often ISO certification audits are conducted and planning your internal audit programme around the full three-year cycle, not just the weeks before each external audit.
The Real Consequences of Ignoring Audit Findings
Some businesses treat nonconformances as paperwork to be filed and forgotten. That approach catches up with you. Here is what actually happens when findings are not properly addressed.
Accumulated Findings Become Systemic
If the same issue appears across multiple audit cycles, auditors will start treating it as a systemic failure rather than an isolated gap. What started as a minor nonconformance can be elevated to a major one at your next audit if you have not demonstrated genuine improvement. Auditors are trained to look for patterns, and a history of recurring findings is a red flag.
Your Certificate Loses Credibility
A certificate that has been suspended or that is held by an organisation with a poor audit history does not carry the same weight as one from a business that consistently maintains its system. Procurement teams and sophisticated clients do check certification status, and some will ask for your audit history or your corrective action records as part of due diligence.
Commercial and Contractual Consequences
If a contract requires you to hold a valid ISO certificate and your certificate is suspended or withdrawn, you may be in breach of that contract. Depending on the contract terms, that could expose you to financial penalties or loss of the contract entirely. Government procurement in particular often has strict requirements around certification status.
How to Recover Properly After a Failed Audit
Do Not Panic, Do Not Guess
The first thing to do after receiving nonconformances is read the audit report carefully. Understand exactly what the auditor found and which clause of the standard it relates to. Do not start implementing fixes before you understand the root cause. A rushed corrective action that misses the point will be rejected by the certification body, and you will have wasted time.
Conduct a Genuine Root Cause Analysis
Root cause analysis does not need to be complicated, but it does need to be honest. Ask why the gap existed. Was it a training issue? A process that was never properly documented? A responsibility that fell through the cracks during a restructure? The answer to that question drives your corrective action. If you fix the symptom without addressing the cause, the same finding will come back at your next audit.
Document Everything
Your corrective action evidence needs to be clear, specific, and traceable. Include the root cause analysis, the actions taken, the person responsible, the completion date, and evidence that the fix is working. A revised procedure on its own is rarely enough. Show that the procedure has been communicated to relevant staff, that training has been completed if required, and that you have checked the fix is being followed in practice.
Consider Getting External Help
If you received major nonconformances and you are not confident in your ability to close them out properly, bring in an experienced ISO consultant. Not someone who will write a document for you and call it done, but someone who will help you understand the root cause and build a corrective action that will actually satisfy the certification body. The cost of a consultant for a few days is far less than the commercial cost of a delayed or withdrawn certificate.
If you are not sure how to find the right person, our guide on how to select the best ISO consultant for certification is a good starting point.
How to Avoid Audit Failures in the First Place
Prevention is always better than recovery. The businesses that consistently pass audits with minimal findings are not the ones with the most resources. They are the ones that run their management systems as genuine business tools rather than compliance exercises.
Run internal audits regularly and take them seriously. An internal audit programme that actually finds problems before your external auditor does is one of the most valuable things you can invest in. If your internal audits are consistently finding nothing, that is not a good sign. It usually means the audits are not being conducted with enough rigour.
Conduct management reviews that are substantive, not just a box-ticking exercise. Review your objectives, your performance data, your nonconformance trends, and your audit results. Make decisions and record them. This is the evidence your auditor wants to see when they assess whether top management is genuinely engaged with the system.
Keep your documentation current. Procedures that have not been reviewed in three years, records that are incomplete, and competency evidence that is out of date are among the most common sources of nonconformances. Assign ownership for each document and build review dates into your calendar.
If you want a practical framework for assessing whether your system is genuinely working, read our article on how to check if your ISO management system is actually working.
Working With CertBetter
If you have just received nonconformances and need help finding a qualified consultant to assist with your corrective actions, or if you are preparing for an upcoming audit and want to make sure you are ready, CertBetter can connect you with verified ISO consultants and accredited certification bodies. You submit one form, receive up to three competing quotes from vetted providers, and the service costs you nothing. It is a straightforward way to find the right support without spending hours searching and vetting on your own.




