The Finding That Confuses Most Businesses
You have just come out of your ISO audit and the auditor hands you a report. There are no nonconformities, which is great. But there are several items listed as “Opportunities for Improvement.” You are not sure whether to be relieved or concerned. Does this mean something is wrong? Will it affect your certification? Do you have to fix these things before you get your certificate?
This is one of the most common points of confusion in an ISO audit, and it is completely understandable. The term “opportunity for improvement” sounds vague, and auditors do not always explain it well. This article breaks down exactly what it means, how it differs from a nonconformity, what you are actually required to do about it, and how to use these findings to get real value from your certification rather than just ticking a box.
What Is an Opportunity for Improvement?
In ISO auditing, an opportunity for improvement (often abbreviated as OFI) is a finding where the auditor has observed something that is not technically a breach of the standard but could be done better. The system is working, the requirement is being met, but the auditor can see a way the organisation could strengthen its processes, reduce risk, or get better outcomes.
Think of it this way. A nonconformity means you are not meeting a requirement. An opportunity for improvement means you are meeting the requirement, but there is a smarter or more effective way to do it.
Under ISO 19011, the international guidelines for auditing management systems, audit findings can include conformities, nonconformities, and opportunities for improvement. OFIs are a legitimate and recognised part of the audit process, not a grey area or an unofficial observation.
It is worth noting that OFIs carry no obligation. You are not required to act on them to receive or maintain your certification. However, dismissing them entirely is a missed opportunity, and in some cases a costly one.
How OFIs Differ From Nonconformities
To understand OFIs properly, you need to understand where they sit in relation to other audit findings. The management system standards themselves do not grade nonconformities; the two-level split below comes from certification-body practice under ISO/IEC 17021-1, with OFIs as a separate category entirely.
Major Nonconformity
A major nonconformity is a serious failure. It means a requirement of the standard is either completely absent or has broken down to the point where the management system cannot achieve its intended outcomes. A major nonconformity will prevent certification or require immediate corrective action before the certificate can be issued or maintained.
Minor Nonconformity
A minor nonconformity means a requirement is partially met or there is an isolated lapse. The system is broadly functioning but there is a specific gap. You will need to provide a corrective action plan and evidence of resolution, usually within a defined timeframe agreed with your certification body.
Opportunity for Improvement
An OFI sits outside the nonconformity categories entirely. The auditor is saying: “Your system meets the requirement, but here is something worth considering.” There is no corrective action required, no timeframe imposed, and no impact on your certification status. It is advice, not a finding against you.
If you want a broader understanding of how these findings fit into the overall audit process, the article on how to run ISO internal audits that actually find problems is worth reading alongside this one.
Real Examples of Opportunities for Improvement
Abstract definitions only go so far. Here are some practical examples of what an auditor might flag as an OFI across different standards.
ISO 9001 Quality Management
An auditor reviews your customer feedback process and finds you are collecting feedback consistently, which meets the requirement. However, the data is sitting in a spreadsheet and nobody is analysing trends or presenting findings to management. The auditor notes this as an OFI: the process exists, but the organisation is not extracting useful information from it. You are compliant, but you are not getting the value you could from the data you already collect.
ISO 45001 Occupational Health and Safety
Your hazard identification process is documented and operational. The auditor notices that workers on the floor are rarely involved in identifying hazards, with most inputs coming from supervisors. This is not a breach of the standard, but worker participation is a theme ISO 45001 strongly encourages. The OFI suggests broadening who contributes to hazard identification to improve the quality and completeness of your risk picture.
ISO 27001 Information Security
Your access control procedures are in place and working. The auditor observes that user access reviews happen annually, at the interval your own access control policy sets, but nothing triggers an immediate review when an employee changes roles or moves to a different department. The standard requires access rights to be reviewed but leaves the interval to your policy, so this is not a nonconformity. It is, however, a genuine gap in your security posture: someone who moves from support to finance keeps their old entitlements on top of the new ones until the next annual review, and that quiet accumulation of access is exactly what the review exists to catch.
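The gap described above is easy to check mechanically if you can get a role-change feed from HR and a log of completed access reviews. The Python script below is an added example, not code from the article or from any ISO document; the record layout, the constructed sample data and the 14-day review window are all assumptions, and the window in particular should be whatever your own access control policy states.

```python
"""Flag role changes that were not followed by an access review.

Added example, not from the article. The HR feed and review log below
are constructed sample data; the field names and the 14-day window are
assumptions standing in for whatever your access control policy says.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: a role change must be followed by an access review
# within this many days (inclusive). Not an ISO-prescribed value.
REVIEW_WINDOW_DAYS = 14


@dataclass(frozen=True)
class RoleChange:
    user: str
    old_role: str
    new_role: str
    changed_on: date


@dataclass(frozen=True)
class AccessReview:
    user: str
    reviewed_on: date
    trigger: str  # "annual" or "role_change"; informational only


# Constructed sample data: three role changes and three reviews.
ROLE_CHANGES = [
    RoleChange("alice", "support", "finance", date(2024, 3, 4)),
    RoleChange("bob", "developer", "sre", date(2024, 5, 20)),
    RoleChange("carol", "hr", "hr-manager", date(2024, 6, 1)),
]
ACCESS_REVIEWS = [
    AccessReview("alice", date(2024, 1, 15), "annual"),        # before her move: does not count
    AccessReview("bob", date(2024, 5, 27), "role_change"),     # 7 days after the change: counts
    AccessReview("carol", date(2024, 7, 30), "annual"),        # 59 days after the change: too late
]


def find_unreviewed_role_changes(changes, reviews, window_days=REVIEW_WINDOW_DAYS):
    """Return the role changes with no review dated within
    [changed_on, changed_on + window_days]. A review before the change
    is ignored, because it reviewed the old role, not the new one."""
    reviews_by_user = {}
    for r in reviews:
        reviews_by_user.setdefault(r.user, []).append(r.reviewed_on)

    gaps = []
    for change in changes:
        deadline = change.changed_on + timedelta(days=window_days)
        reviewed_in_window = any(
            change.changed_on <= reviewed <= deadline
            for reviewed in reviews_by_user.get(change.user, [])
        )
        if not reviewed_in_window:
            gaps.append(change)
    return gaps


def gap_report(changes, reviews, window_days=REVIEW_WINDOW_DAYS):
    """Human-readable lines for the OFI register or the next management review."""
    return [
        f"{c.user}: {c.old_role} -> {c.new_role} on {c.changed_on.isoformat()}, "
        f"no access review within {window_days} days"
        for c in find_unreviewed_role_changes(changes, reviews, window_days)
    ]


if __name__ == "__main__":
    for line in gap_report(ROLE_CHANGES, ACCESS_REVIEWS):
        print(line)
```

Run against the sample data it reports alice and carol; bob's review fell inside the window. Widening the window to 60 days would make carol's late annual review count, which is the point: the check is only as strict as the policy interval you feed it, so agree that interval first and then wire the script to the real HR feed.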
ISO 14001 Environmental Management
Your environmental aspects register is current and your monitoring is happening. The auditor notes that your environmental objectives have remained unchanged for three years despite significant changes in your operations and supply chain. The objectives are still technically valid, so there is no nonconformity. But the OFI flags that your targets may no longer reflect your actual environmental impact or ambition.
Why Auditors Raise OFIs
A good auditor is not just checking boxes. They are spending time inside your organisation, reviewing processes, talking to your people, and building a picture of how your management system actually operates day to day. When they spot something that is not a breach but is clearly suboptimal, raising it as an OFI is the professional thing to do.
OFIs reflect the auditor's experience across many organisations and industries. When an auditor says “I have seen this approach cause problems down the track,” that is genuinely useful information. It is worth treating it as such rather than filing the report away the moment certification is confirmed.
That said, the quality of OFIs varies significantly between auditors. A thorough, experienced auditor will raise OFIs that are specific, actionable, and grounded in real observations. A less engaged auditor might raise generic OFIs that could apply to any organisation in any industry. If you are consistently receiving vague OFIs that do not feel relevant to your business, that is worth noting when you next review your certification body. The article on what businesses can actually do about a bad ISO certification auditor covers your options in that situation.
Are You Required to Act on OFIs?
No. There is no obligation under any major ISO standard to implement an OFI. Your certification will not be withheld, suspended, or withdrawn because you chose not to act on an opportunity for improvement. This is a hard rule, not a grey area.
However, there is a practical consideration. At your next surveillance or recertification audit, the auditor may revisit previous OFIs. If the same issues keep appearing across multiple audit cycles and nothing has changed, that is a signal that your organisation is not engaging with continual improvement, which is a core requirement of every ISO management system standard.
If an auditor sees the same OFI raised in three consecutive audits with no action and no documented consideration of why action was not taken, it could start to look like a pattern of inaction rather than a deliberate business decision. That pattern can eventually influence how the auditor views your commitment to the standard.
The safest approach is to document your response to every OFI, even if that response is a reasoned decision not to act. Record that you considered the finding, assessed the effort and benefit, and made a conscious choice. That is evidence of a functioning management system, not a gap in one.
How to Get Real Value From OFIs
Most businesses treat OFIs as a formality. They read them, nod, and move on. The organisations that get the most from their ISO certification are the ones that treat OFIs as a free consulting input from someone who has just spent time inside their system.
Prioritise by Risk and Effort
Not every OFI deserves equal attention. When you receive your audit report, go through each OFI and ask two questions. First, what is the potential impact if this issue is not addressed? Second, how much effort would it take to fix? OFIs that are low effort and high impact should go straight onto your improvement register. OFIs that are high effort and low impact can be noted and reviewed at your next management review.
Bring Them Into Your Management Review
Every ISO management system standard lists audit results as a required input to management review, and OFIs are part of those results. Do not just list them and move on. Discuss them. Assign ownership. Make a decision and record it. This is exactly the kind of input that management reviews are designed to process.
Use Them to Build Your Continual Improvement Register
If your management system includes a continual improvement register or log, OFIs from external audits belong in it. They sit alongside inputs from internal audits, customer feedback, incident investigations, and staff suggestions. Treating all of these inputs consistently is what a mature management system looks like in practice.
If you are not sure whether your management system is actually working or just looking good on paper, the article on how to check if your ISO management system is actually working covers the practical signs to look for.
Ask the Auditor to Elaborate
During the closing meeting, if an OFI is unclear, ask the auditor to explain it further. Ask what they have seen work well in similar organisations. Ask what the risk looks like if the issue is left unaddressed. Most auditors are happy to discuss this, and the conversation often yields more useful information than the written finding itself.
OFIs in Internal Audits vs External Audits
OFIs are not exclusive to external certification audits. A well-run internal audit programme should be raising them regularly too. In fact, if your internal audits are only ever finding nonconformities and never raising OFIs, that is a sign your internal auditors may be focused too narrowly on compliance checking rather than genuine system evaluation.
The purpose of an internal audit is to give your organisation a clear picture of how the management system is performing. OFIs from internal audits are often more detailed and operationally specific than those from external audits because your internal auditors know the business context better. They should be treated with the same seriousness as OFIs from a certification body.
One common mistake is for internal auditors to avoid raising OFIs because they do not want to create extra work or appear critical of colleagues. This defeats the purpose of the internal audit entirely. A culture where OFIs are welcomed as useful inputs rather than treated as criticism is a sign of a genuinely mature management system.
What Happens to OFIs Between Audit Cycles
Between your surveillance audits, OFIs should not just sit in a report folder. They need to be tracked. This does not have to be complicated. A simple register that records each OFI, the date it was raised, the decision made, any actions taken, and the outcome is sufficient.
When your next audit comes around, having this register available demonstrates that your organisation takes continual improvement seriously. It also gives the auditor confidence that the management system is being actively maintained rather than dusted off before each audit visit.
If you are preparing for an upcoming audit and want a checklist of what to have ready, the article on 10 things to do before an ISO Stage 2 certification audit is a practical starting point.
A Note on Auditor Consistency
One thing businesses sometimes notice is that different auditors raise very different OFIs for the same system. One auditor might flag five OFIs across a two-day audit, while another raises two. This is partly a reflection of auditor experience and style, and partly a reflection of how much time the auditor spent looking at each area.
This inconsistency is not a flaw in the ISO system so much as a reality of human judgement in auditing. What it means for you is that OFIs should not be treated as the definitive word on every improvement your business needs. They are one input among many. Your internal audit findings, customer complaints, operational data, and staff feedback are equally valid sources of improvement ideas.
The goal is not to satisfy the auditor. The goal is to build a management system that actually helps your business perform better. OFIs, when treated seriously, are one useful tool toward that goal.
Finding the Right Certification Partner
The quality of the OFIs you receive depends significantly on the quality of your auditor and certification body. An auditor who knows your industry, understands your operational context, and takes time to observe how your system actually works in practice will raise OFIs that are genuinely useful. An auditor who is rushing through a checklist will raise OFIs that are generic at best.
Choosing the right certification body matters more than most businesses realise when they are first going through the process. If you are at the stage of comparing providers, CertBetter makes it straightforward. You submit one form describing your business and certification needs, and you receive up to three competing quotes from verified, accredited certification bodies. The service is completely free, and it saves you the time of hunting down providers and chasing responses individually. It is a practical way to find a certification partner whose auditors will give you findings worth acting on.