Internal Audit Findings, Nonconformities and Reporting

Audit Findings in Brief

Findings should be factual, evidenced and traceable to the audit criteria. Nonconformity, observation and opportunity for improvement are the standard categories. Each finding identifies what was seen and which requirement it relates to.

Audit findings and reporting

An audit that ends with "everything looked fine" is rarely much use. The point of internal auditing is to surface things that need attention - and a usable audit report is one that names what was found, why it matters and what the evidence is. Without that, audit findings cannot be acted on consistently and trends cannot be tracked over time.

ISO 9001 Clause 9.2.2d and the equivalent clauses in the other ISO standards require the organisation to ensure that the results of the audits are reported to relevant management. The reporting itself is the requirement; the format and grading of findings are left to the organisation.

Types of audit finding

Most management systems use three or four categories for audit findings, with broadly the same meanings across organisations.

Major non-conformity. A significant failure of the management system - either a complete absence of a required element (no documented procedure for something the standard requires), or a systemic breakdown (the procedure exists but is widely ignored). Major non-conformities suggest the management system is not delivering its intended outcomes in this area. They are uncommon in routine internal audits and usually require management attention beyond the immediate corrective action.

Minor non-conformity. A localised or isolated failure to meet a defined requirement. The procedure exists and is generally followed, but a specific instance falls short - a record not signed, a check not done, a training requirement missed for one person. Minor non-conformities are by far the most common audit finding and are addressed through routine corrective action.

Observation. Something noted by the auditor that is not strictly a non-conformity but might develop into one if not addressed. A trend, a single instance of something that could become systemic, or an area where practice is approaching but not yet breaching a procedure.

Opportunity for improvement. Something working acceptably but where the auditor sees a way the organisation could improve. Not a finding against requirements, but a constructive suggestion. Some organisations record these as a separate category, others fold them into observations.

Some organisations also use positive findings for things working notably well - useful for management review reporting and for keeping audit reports balanced.

Writing up a finding

A well-written audit finding has four parts. Missing any of them weakens the finding and makes it harder to act on.

The requirement. What the auditee was supposed to be doing - the procedure reference, ISO clause or legal requirement that applies. Example: "PP-1-08 section 3.2 requires all controlled documents to carry an issue number."

The evidence. What the auditor saw. Specific, verifiable, with enough detail to support the finding if challenged. Example: "Three of the five sample documents reviewed (X, Y, Z) had no issue number visible."

The gap. The difference between requirement and evidence, stated explicitly. Example: "Three of five sample documents do not meet the issue numbering requirement in PP-1-08 section 3.2."

The grading. Major non-conformity, minor non-conformity, observation or opportunity for improvement.

Writing findings this way takes only a sentence or two longer than writing vague ones, but the result can be acted on without further investigation, defended in external audit, and trended over time. Findings that lack a requirement, evidence or grading are the most common reason for audit reports being challenged.

What audit findings are not

Three things sometimes appear as findings but should not.

The auditor's preferences. If a procedure works and meets the standard but the auditor would have done it differently, that is not a finding. Findings have to be against defined requirements, not against the auditor's view of best practice.

Things outside the audit scope. Issues observed in passing but outside the scope of the audit are noted (often as informal feedback) but not raised as findings against this audit. They should be raised as findings in the next audit that covers that area.

Personal performance issues. Audits look at the system, not at individuals. If the audit reveals that someone has not been doing what their procedure requires, the finding is against the procedure or training - not against the person. Personal performance issues are dealt with through line management, not through internal audit.

The audit report

The audit report packages findings for distribution. The minimum content for a usable report is short.

Header information. Date, area audited, auditor, scope and criteria, attendees.

Summary. Two or three sentences on what was found overall - balance positive and negative.

Findings list. Each finding written in the four-part format described above, with grading.

Action ownership. Who is responsible for addressing each finding, and a target date.

The F-Q31 Audit Report Template in the toolkit captures all of this. Some organisations use the F-Q2 Audit Checklist as the report itself, with findings recorded in line with the checklist items - this works well for shorter audits where a separate report would duplicate content.

Reports go to the management team responsible for the audited area and to whoever owns the management system overall. The audit findings list is also typically a standing input to management review.

Significant findings and the issues register

Significant findings - usually all non-conformities, sometimes also significant observations - are also logged on the ER1 Issues and Actions Register. This is where they get tracked through investigation, action and verification under ISO 9001 Clause 10.2. The register is the single source of truth for what is open and what has been closed; the audit report is the source of the original finding.

Findings logged on ER1 should reference the audit report they came from, so the connection is traceable in both directions. Where a single corrective action addresses multiple findings, that is recorded too.
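The four-part finding and its escalation to the issues register can be modelled as a small validation and linking routine. The following is an added example, not code from the page or from the alphaZ toolkit: the names Finding, validate_finding, RegisterEntry and escalate_significant, the reference pattern used to check that a requirement cites something, and the sample report IA-07 with its findings are all assumptions constructed for the illustration. It rejects findings that lack a requirement, evidence, gap or grading, flags a gap worded as an opinion, logs only validated non-conformities on the register, and returns the finding-to-entry links so the connection is traceable in both directions.

```python
"""Added example (not the page's or the alphaZ toolkit's own code): a model of
the four-part audit finding and its escalation to an issues register.
All identifiers and sample data below are constructed for illustration."""
import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Grade(Enum):
    MAJOR = "major non-conformity"
    MINOR = "minor non-conformity"
    OBSERVATION = "observation"
    OFI = "opportunity for improvement"


# Gradings treated as significant and therefore logged on the register
# (usually all non-conformities; observations only sometimes).
SIGNIFICANT = {Grade.MAJOR, Grade.MINOR}

# A requirement must point at something concrete: a procedure or form code,
# a section number or an ISO clause. Assumed pattern modelled on page references.
REFERENCE = re.compile(
    r"\b([A-Z]{1,3}-\d+(-\d+)?|section\s+\d+(\.\d+)*|clause\s+\d+(\.\d+)*)\b",
    re.IGNORECASE,
)

# Wording that signals an opinion rather than a stated shortfall.
VAGUE = ("need attention", "could be improved", "should be reviewed")


@dataclass
class Finding:
    finding_id: str
    requirement: str
    evidence: str
    gap: str
    grade: Optional[Grade]
    owner: str = ""
    target_date: str = ""


def validate_finding(f: Finding) -> list:
    """Return the reasons a finding cannot be acted on; an empty list means OK."""
    problems = []
    if not f.requirement.strip():
        problems.append("requirement missing")
    elif not REFERENCE.search(f.requirement):
        problems.append("requirement cites no procedure, section or clause")
    if not f.evidence.strip():
        problems.append("evidence missing")
    if not f.gap.strip():
        problems.append("gap missing")
    elif any(p in f.gap.lower() for p in VAGUE):
        problems.append("gap is worded as an opinion, not a stated shortfall")
    if f.grade is None:
        problems.append("grading missing")
    return problems


@dataclass
class RegisterEntry:
    entry_id: str
    source_report: str   # audit report the finding came from
    finding_id: str      # finding within that report
    grade: Grade
    owner: str
    status: str = "open"


def escalate_significant(report_id: str, findings: list, register: list) -> dict:
    """Log each significant, actionable finding on the register and return a
    finding_id -> entry_id map so the link can be written back into the report."""
    links = {}
    for f in findings:
        if f.grade not in SIGNIFICANT or validate_finding(f):
            continue  # not significant, or not yet fit to act on
        entry_id = f"ER1-{len(register) + 1:04d}"
        register.append(RegisterEntry(entry_id, report_id, f.finding_id, f.grade, f.owner))
        links[f.finding_id] = entry_id
    return links


# Constructed sample audit report (not a real audit).
SAMPLE_REPORT = "IA-07"
SAMPLE_FINDINGS = [
    Finding("F1",
            "PP-1-08 section 3.2 requires all controlled documents to carry an issue number.",
            "Three of the five sample documents reviewed (X, Y, Z) had no issue number visible.",
            "Three of five sample documents do not meet the issue numbering requirement in PP-1-08 section 3.2.",
            Grade.MINOR, owner="Document controller", target_date="30 days"),
    Finding("F2", "", "", "Training records need attention.", Grade.MINOR),
    Finding("F3",
            "ISO 9001 Clause 9.2.2d requires audit results to be reported to relevant management.",
            "Two reports from last quarter carried no distribution list.",
            "Reports are not consistently evidenced as reported to management.",
            Grade.OBSERVATION),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.finding_id, validate_finding(f) or "OK")
    register = []
    print(escalate_significant(SAMPLE_REPORT, SAMPLE_FINDINGS, register))
```

Run as a script, F1 validates cleanly and is logged as ER1-0001 with IA-07 recorded as its source; F2 is reported as missing its requirement and evidence and having an opinion for a gap, so it is held back from the register; F3 validates but, as an observation, is not escalated.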

The audit reports I take seriously have findings written so I can understand them without needing to talk to the auditor. The requirement, the evidence and the gap all clearly stated. I should be able to read a finding from six months ago and know what was wrong and why.

The reports that struggle in surveillance audits are the ones with vague findings - "training records need attention", "document control could be improved". I do not know what was actually wrong, and neither does the corrective action owner. That tends to lead to corrective actions that do not actually fix anything because the underlying issue was never identified clearly.

One thing I push clients on is grading consistency. If every finding ends up as a minor non-conformity regardless of how serious or systemic the issue is, the grading is doing no work. Major non-conformities should be reserved for genuinely significant breakdowns. Observations should be used where something is not yet a non-conformity but might become one. Used properly, the grading helps management focus on what actually matters.

A finding without evidence is just an opinion. A finding without a stated requirement is unfair to the auditee. A finding without a grading is hard to track and prioritise. All three together make a finding people can actually act on.

Practical compliance guidance

IMS1 Section 5.3.3 Internal Audit Findings - Audit Report covers how audit findings are recorded, graded and reported, including how significant findings are escalated to the issues and actions register for tracking under Clause 10.2.

The toolkit provides the audit report template, the issues and actions register and supporting policy and guidance documents covering audit reporting.

alphaZ document - How to use it

ISO 9001 Management System Toolkit - Full toolkit with the audit report template, issues register and supporting documents for managing audit findings under ISO 9001.

F-Q31 Audit Report Template - Audit report template for documenting scope, criteria, evidence, findings and actions following an internal audit.

F-Q2 Internal Audit Checklist - Audit checklist that doubles as a report for shorter audits, with findings recorded against checklist items.

ER1 Issues and Actions Register - Register where significant findings are logged for ongoing tracking through investigation, corrective action and verification.

F-Q10 Significant Problem, Incident, Complaint Form - Form for recording significant audit findings that need detailed investigation and corrective action handling.

GG-1-10 Internal Audits Guidance - Plain-language guidance on writing audit findings and reports, including grading conventions and worked examples.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

What is the difference between a major and a minor non-conformity?

A major non-conformity is a significant or systemic failure of the management system - either a complete absence of a required element, or widespread breakdown of an existing one. A minor non-conformity is a localised or isolated failure where the procedure exists and is generally followed but a specific instance falls short. Minors are far more common in internal audits and are addressed through routine corrective action.

Is an audit with no findings a problem?

Not necessarily, but consistent zero-finding audits over time are a warning sign. Either the audits are too superficial to find anything, or the area is in unusually good shape, or the same auditor is not asking probing questions. Most well-run management systems produce a small number of minor non-conformities and observations across most audits.

Who should receive the audit report?

The management team responsible for the area audited and the management system owner are the standard recipients. The standards require results to be reported to relevant management. Audit findings are also a standard input to management review, where trends across audits are considered.

Do observations and opportunities for improvement require corrective action?

Non-conformities require correction (fixing the immediate issue) and corrective action (addressing the cause to prevent recurrence). Observations and opportunities for improvement do not strictly require corrective action but are usually considered for action where they would benefit the management system. The decision is recorded so that there is a clear position on each finding.

UK Legislation relevant to audit findings

UK legislation does not specify how internal audit findings are recorded, but several laws require organisations to maintain records of compliance monitoring outcomes - which audit reports typically support. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
