What Happens If You Fail an ISO Audit?

CertBetter

Team CertBetter

12 min read
What Happens If You Fail an ISO Audit?

Failing an ISO audit is one of those scenarios that business owners dread but rarely get a straight answer about. The truth is, most businesses do not walk away from their first certification audit with a clean pass. Nonconformances are common, and in many cases they are expected. What matters is not whether you received a finding, but what you do with it. This article walks you through exactly what happens if you fail an ISO audit, what the different types of findings mean, how much time you have to fix things, and what the real consequences are if you ignore them.

First, Let’s Be Honest About What “Failing” Actually Means

ISO audits do not work like a school exam where you either pass or fail outright. There is a spectrum of outcomes, and most of them are recoverable. The word “fail” is not even used in formal ISO audit language. What auditors raise are findings, and those findings sit on a scale from minor to major.

Understanding where your finding sits on that scale determines everything: how quickly you need to respond, whether your certificate is at risk, and what evidence you need to provide. If you are new to this, it helps to first read about what an audit actually involves before diving into the consequences of a poor outcome.

The Three Types of Audit Findings You Need to Know

Minor Nonconformance

A minor nonconformance means you have a gap in your system, but it is isolated. It does not represent a complete breakdown of a process or a systemic failure. An example might be a single procedure that was not reviewed on schedule, or one staff member who could not demonstrate awareness of the quality policy during an interview.

Minor nonconformances do not automatically prevent certification. In most cases, your certification body will grant you a timeframe, typically 30 to 90 days, to close them out with documented corrective action evidence. Your certificate can still be issued or maintained while you work through the fix.

Major Nonconformance

A major nonconformance is more serious. It indicates that a key requirement of the standard has not been met at all, or that a minor issue has become systemic across your organisation. Examples include having no documented internal audit programme, no management review records, or a complete absence of corrective action processes.

A major nonconformance will prevent initial certification from being granted. For surveillance or recertification audits, it can result in suspension of your certificate. You will be required to complete a root cause analysis, implement corrective actions, and provide objective evidence before the certification body will close the finding. In some cases, a follow-up audit is required before the certificate is released or reinstated.

If you want to understand how to dispute a finding you believe is unfair, there is a clear process for that too. Read our guide on the formal process for disputing an ISO audit finding if you think the auditor has got it wrong.

Observations and Opportunities for Improvement

These are not nonconformances. An observation is a note from the auditor flagging something that could become a problem if left unaddressed. An opportunity for improvement is a suggestion, not a requirement. You are not obligated to act on either, but ignoring them repeatedly across multiple audit cycles is not a good look and can signal to your auditor that your system is not genuinely improving.

For a deeper breakdown of the difference between these two, see our article on what it means when an auditor raises an observation versus a nonconformance.

What Happens During a Stage 2 Audit If You Have Nonconformances

The Stage 2 audit is your main certification audit. It is where the auditor assesses whether your management system is fully implemented and effective. If nonconformances are raised at this point, here is the typical sequence of events.

The Auditor Documents the Findings

At the closing meeting, the auditor will present their findings verbally. Within a few days, you will receive a formal audit report detailing each nonconformance, the clause of the standard it relates to, and the objective evidence that led to the finding. The report will also specify whether each finding is minor or major.

You Submit a Corrective Action Plan

For minor nonconformances, you typically have 30 to 90 days to submit evidence of corrective action. This means identifying the root cause, implementing a fix, and providing documented proof. For major nonconformances, the timeframe is usually tighter, often 30 days, and the evidence requirements are more rigorous.

Your corrective action needs to address the root cause, not just the symptom. Auditors have seen every version of a superficial fix. If your procedure was not reviewed because nobody owned it, updating the procedure once is not enough. You need to demonstrate that ownership has been assigned and that a review schedule is now in place and being followed.

The Certification Body Reviews Your Evidence

Once you submit your corrective action evidence, the certification body reviews it. If they are satisfied, the finding is closed and your certificate is issued or maintained. If the evidence is insufficient, they will ask for more. For major nonconformances, many certification bodies will require a follow-up visit, either on-site or remote, before they close the finding.

This process takes time. If you are working to a contract deadline or a tender requirement, a major nonconformance at Stage 2 can push your certification date back by weeks or even months. That is a real commercial consequence, and it is one of the strongest reasons to prepare properly before your audit.

What Happens at a Surveillance Audit If Nonconformances Are Raised

Surveillance audits happen annually in most three-year certification cycles. They are smaller in scope than your initial certification audit, but they carry real weight. If a major nonconformance is raised at a surveillance audit, your certificate can be suspended.

Certificate Suspension

Suspension means your certificate is temporarily invalid. You cannot use it in tenders, contracts, or marketing materials during the suspension period. Most certification bodies will give you a defined window, typically 30 to 90 days, to resolve the nonconformance and lift the suspension.

Suspension is not the same as withdrawal. It is a temporary status, and it is recoverable. However, it creates real problems if clients or procurement teams discover your certificate is suspended. Some contracts require you to notify clients immediately if your certification status changes, so check your contractual obligations carefully.

Certificate Withdrawal

If you fail to close out the nonconformance within the suspension period, the certification body can withdraw your certificate entirely. At that point, you are no longer certified, and you would need to go through the certification process again from the beginning. This is rare, but it does happen, usually in cases where a business has genuinely stopped maintaining its management system or has stopped engaging with the certification body altogether.

What Happens at a Recertification Audit If You Have Major Nonconformances

Recertification audits occur at the end of your three-year certification cycle. They are a full reassessment of your management system. If major nonconformances are raised here, the same rules apply as at Stage 2. Your certificate will not be renewed until the findings are closed, and your current certificate may lapse in the meantime if the resolution takes too long.

This is why it is worth understanding how often ISO certification audits are conducted and planning your internal audit programme around the full three-year cycle, not just the weeks before each external audit.

The Real Consequences of Ignoring Audit Findings

Some businesses treat nonconformances as paperwork to be filed and forgotten. That approach catches up with you. Here is what actually happens when findings are not properly addressed.

Accumulated Findings Become Systemic

If the same issue appears across multiple audit cycles, auditors will start treating it as a systemic failure rather than an isolated gap. What started as a minor nonconformance can be elevated to a major one at your next audit if you have not demonstrated genuine improvement. Auditors are trained to look for patterns, and a history of recurring findings is a red flag.

Your Certificate Loses Credibility

A certificate that has been suspended or that is held by an organisation with a poor audit history does not carry the same weight as one from a business that consistently maintains its system. Procurement teams and sophisticated clients do check certification status, and some will ask for your audit history or your corrective action records as part of due diligence.

Commercial and Contractual Consequences

If a contract requires you to hold a valid ISO certificate and your certificate is suspended or withdrawn, you may be in breach of that contract. Depending on the contract terms, that could expose you to financial penalties or loss of the contract entirely. Government procurement in particular often has strict requirements around certification status.

How to Recover Properly After a Failed Audit

Do Not Panic, Do Not Guess

The first thing to do after receiving nonconformances is read the audit report carefully. Understand exactly what the auditor found and which clause of the standard it relates to. Do not start implementing fixes before you understand the root cause. A rushed corrective action that misses the point will be rejected by the certification body, and you will have wasted time.

Conduct a Genuine Root Cause Analysis

Root cause analysis does not need to be complicated, but it does need to be honest. Ask why the gap existed. Was it a training issue? A process that was never properly documented? A responsibility that fell through the cracks during a restructure? The answer to that question drives your corrective action. If you fix the symptom without addressing the cause, the same finding will come back at your next audit.

Document Everything

Your corrective action evidence needs to be clear, specific, and traceable. Include the root cause analysis, the actions taken, the person responsible, the completion date, and evidence that the fix is working. A revised procedure on its own is rarely enough. Show that the procedure has been communicated to relevant staff, that training has been completed if required, and that you have checked the fix is being followed in practice.

Consider Getting External Help

If you received major nonconformances and you are not confident in your ability to close them out properly, bring in an experienced ISO consultant. Not someone who will write a document for you and call it done, but someone who will help you understand the root cause and build a corrective action that will actually satisfy the certification body. The cost of a consultant for a few days is far less than the commercial cost of a delayed or withdrawn certificate.

If you are not sure how to find the right person, our guide on how to select the best ISO consultant for certification is a good starting point.

How to Avoid Audit Failures in the First Place

Prevention is always better than recovery. The businesses that consistently pass audits with minimal findings are not the ones with the most resources. They are the ones that run their management systems as genuine business tools rather than compliance exercises.

Run internal audits regularly and take them seriously. An internal audit programme that actually finds problems before your external auditor does is one of the most valuable things you can invest in. If your internal audits are consistently finding nothing, that is not a good sign. It usually means the audits are not being conducted with enough rigour.

Conduct management reviews that are substantive, not just a box-ticking exercise. Review your objectives, your performance data, your nonconformance trends, and your audit results. Make decisions and record them. This is the evidence your auditor wants to see when they assess whether top management is genuinely engaged with the system.

Keep your documentation current. Procedures that have not been reviewed in three years, records that are incomplete, and competency evidence that is out of date are among the most common sources of nonconformances. Assign ownership for each document and build review dates into your calendar.

If you want a practical framework for assessing whether your system is genuinely working, read our article on how to check if your ISO management system is actually working.

Working With CertBetter

If you have just received nonconformances and need help finding a qualified consultant to assist with your corrective actions, or if you are preparing for an upcoming audit and want to make sure you are ready, CertBetter can connect you with verified ISO consultants and accredited certification bodies. You submit one form, receive up to three competing quotes from vetted providers, and the service costs you nothing. It is a straightforward way to find the right support without spending hours searching and vetting on your own.

Get 3 ISO Quotes. 24 Hours Response

Tell us what you need and compare vetted ISO consultants or certification bodies within 24 hours. Free, no obligation.

Trusted by 400+ businesses like yours

Frequently Asked Questions

Not necessarily. Receiving a minor nonconformance does not prevent certification. It means you have a gap that needs to be addressed within a set timeframe, usually 30 to 90 days. A major nonconformance is more serious and will delay certification or trigger a suspension, but it is still recoverable if you respond with a proper corrective action. The term “fail” is not used in formal ISO audit language, and most audits result in at least some findings.

Most certification bodies give you 30 days to submit corrective action evidence for a major nonconformance, though this can vary. For minor nonconformances, the window is typically 30 to 90 days. The timeframe starts from the date the audit report is issued. If you need more time due to genuine complexity, you can usually request an extension, but you need to communicate this proactively with your certification body rather than simply missing the deadline.

Yes. If a major nonconformance is raised at a surveillance or recertification audit and you do not close it out within the suspension period, your certification body can withdraw your certificate. Withdrawal means you are no longer certified and would need to restart the certification process. This is uncommon, but it does happen when businesses stop maintaining their management system or fail to engage with their certification body after a suspension is issued.

Suspension is a temporary status. Your certificate is placed on hold while you resolve the nonconformance. You cannot use it in tenders or marketing during this period. Withdrawal is permanent removal of the certificate. Once withdrawn, you are no longer certified and must go through the full certification process again. Most certification bodies will only withdraw a certificate after a suspension period has expired without resolution, so you typically have time to act before reaching that point.

It depends on the certification body and the nature of the finding. For some major nonconformances, submitting documentary evidence is sufficient for the finding to be closed. For others, particularly where the auditor needs to verify that a systemic issue has been genuinely resolved across the organisation, a follow-up audit visit, either on-site or remote, may be required. Your audit report and the certification body’s closing letter should specify what is needed to close each finding.

Technically yes, but it will not help you avoid dealing with the nonconformances. Any accredited certification body conducting a Stage 1 audit will identify the same gaps if they genuinely exist in your system. Switching certification bodies to escape findings is not a strategy that works, and some certification bodies will ask whether you have previously been audited and what the outcome was. The right approach is to address the root cause of the findings and close them out properly, regardless of which body you use.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.