Corrective Action, Root Cause Analysis and Audit Follow-up

Corrective Action in Brief

  • Address the immediate issue and find the root cause
  • Action plan with owners and target dates
  • Verification that the action worked, not just that it was done

Corrective action and audit follow-up

An audit finding without action is paperwork. The point of internal auditing is to surface things that need attention so they can be fixed - and the process that turns a finding into a fix, with confidence the fix actually worked, is corrective action.

ISO 9001 Clause 9.2.2e requires the organisation to take appropriate correction and corrective actions without undue delay following an internal audit. The detail of what corrective action looks like is in Clause 10.2 Non-conformity and Corrective Action, which applies to non-conformities from any source - audits, complaints, problems found in operation, regulatory issues. ISO 14001, ISO 45001, ISO 27001, ISO 22301 and ISO 37001 all have equivalent corrective action requirements.

Correction versus corrective action

The standards distinguish between correction and corrective action, and the distinction matters in practice.

Correction is the immediate fix - making the specific problem go away. If the audit finding was that three documents had no issue numbers, correction adds issue numbers to those three documents.

Corrective action addresses the cause - making sure the problem does not recur. If the cause of the missing issue numbers was that the controlled document creation procedure did not include an issue numbering step, corrective action updates the procedure and trains the people who use it.

Most non-conformities need both. Correction alone closes the visible problem but leaves the underlying cause in place, where it will probably produce the same finding again next year. Corrective action without correction leaves the immediate problem unresolved.

Root cause analysis

The standards do not strictly require formal root cause analysis, but most certification bodies expect to see something more than a guess at the cause for any significant finding. The IMS1 framework includes the F-Q70 Root Cause Problem Review for this purpose.

Several techniques work for SME-scale root cause analysis. The simplest is the five whys - asking why repeatedly until you reach a cause that can be acted on. Documents had no issue numbers - why? Because the person creating them did not know they should. Why? Because the procedure does not say so. Why? Because the procedure was written for a different document control system. Three or four whys is usually enough. Pushing too far ends in "because we are humans", which cannot be acted on.

For more complex findings, a fishbone (Ishikawa) diagram considers people, process, equipment, materials, environment and management as potential cause categories. This is useful where the cause is not obvious or where multiple factors are at play.

Whichever technique is used, the recorded cause should be specific enough that the corrective action follows logically. "Human error" is not a useful root cause - the action that follows is usually "be more careful", which fixes nothing.

Using an issues and actions register

Significant findings - typically all non-conformities, sometimes also significant observations - are logged on the ER1 Issues and Actions Register. The register is the single source of truth for what is open and what has been closed across all sources of non-conformity, not just internal audits.

A useful register entry has six columns. Source and date identifies where the finding came from (audit reference, complaint number, incident date) and when it was raised. Description states the finding clearly enough to be understood without the original audit report. Correction is the immediate fix. Root cause is the underlying cause. Corrective action is what is being done to address the cause. Verification is the evidence that the action has actually worked.

Each entry has an owner and a target date. Open entries should be reviewed regularly - typically as part of weekly or monthly management activity for active items, and at management review for trend analysis.

Verification - did the action actually work

The most overlooked step in corrective action is verification. The procedure was updated, the training was delivered, the form was changed - but did it actually fix the problem? Without verification, organisations close findings on the basis that something was done, not on the basis that the something worked.

Verification can take several forms.

Re-audit. The most direct evidence. The next audit of the area looks specifically at whether the issue has recurred. This works best for issues where recurrence would be visible - missing records, incorrect approvals, omitted steps.

Sample check. A targeted check of a sample of records or transactions after the action has had time to take effect. Less formal than a re-audit but proportionate for many findings.

Process observation. Watching the work being done, after training or procedure changes, to confirm the new approach is being followed.

Trend analysis. For issues that produce statistical patterns (defect rates, complaint volumes, audit findings in an area), the verification is whether the pattern has improved over time.

The verification step has its own date and owner on the register. A finding is not closed until the verification has been done and the result recorded.

Trends and management review

Internal audit findings, considered collectively, tell a story about the management system. Patterns across audits - the same kind of finding cropping up in different areas, repeat findings against the same procedure, areas that consistently produce more findings than others - usually point to something deeper than the individual issues.

Audit trends are a standard input to management review under ISO 9001 Clause 9.3 and the equivalent clauses in the other standards. The review considers whether the audit programme is finding what it should, whether corrective actions are being effective, and whether the trends suggest changes to the management system itself rather than just to the areas being audited.

A management review that just notes the audit programme was completed is missing the value. A review that says "three of the past four audits found weaknesses in document control - we need to look at how we maintain the document register, not just close the individual findings" is using the audit programme as it was intended.

When the original finding was wrong

Sometimes investigation reveals that the audit finding itself was incorrect - the auditor misunderstood the procedure, the evidence was misread, or context known to the auditee but not to the auditor changes the picture. In these cases the finding is closed without corrective action, but the reason is recorded clearly. This is an acceptable outcome and certification bodies will accept it provided the reasoning is documented.

What is not acceptable is closing findings as "not a non-conformity after all" without explanation. Where this happens repeatedly, the audit programme will lose credibility - both with management and with external auditors.

Closing the loop is what I look for most carefully on corrective action. The finding, the immediate fix, the root cause, the action to address the cause, and the verification that the action worked. If any of those four are missing, the corrective action is incomplete.

The most common gap is verification. The action gets done and the finding gets closed in the same step, with no evidence the action actually fixed anything. Six months later the same finding comes up in another audit, which is usually how the gap surfaces.

For root cause analysis, I encourage clients to be honest. Human error is rarely the real cause - it is usually a symptom of an unclear procedure, missing training, conflicting priorities or a process that does not work the way it was documented. Pushing past human error to the actual cause is the difference between a corrective action that works and one that just adds "be more careful" to the list of things people are supposed to do.

The register entries that work best have a brief, specific root cause that the action then plainly addresses. "Procedure 3.2 did not include an issue numbering step" leads naturally to "add issue numbering step to procedure 3.2 and train the team". "Lack of awareness" leads naturally to nothing useful.

Two things matter beyond the immediate fix. Why did it happen, and how do you know it will not happen again. Skip either one and you are doing housekeeping, not corrective action. The audit will find the same thing next year.

Practical compliance guidance

The IMS1 Manual Section 5.2 Control of Nonconforming Outputs, Problems and Complaints sets out the corrective action process applied to all sources of non-conformity, including internal audit findings. Section 5.3.4 Internal Audits - Review describes how audit trends feed management review.

The toolkit provides the issues and actions register, the significant problem form, the root cause review and the audit checklists used during follow-up audits.

alphaZ document: How to use it

  • ISO 9001 Management System Toolkit: Full toolkit including the issues register, root cause review and audit checklists for managing corrective action under ISO 9001.
  • ER1 Issues and Actions Register: Central register where audit findings and other non-conformities are tracked through correction, root cause analysis, corrective action and verification.
  • F-Q10 Significant Problem, Incident, Complaint Form: Form for recording significant findings that need detailed investigation, including the corrective action and follow-up.
  • F-Q70 Root Cause Problem Review: Template for working through root cause analysis on significant findings, supporting more rigorous corrective action.
  • A-C P17 Nonconforming, Problems and Complaints Audit Checklist: Process audit checklist for reviewing how well non-conformity and corrective action processes are working - useful when verifying corrective action effectiveness.
  • A-C P18 Management System Audits Checklist: Process audit checklist for auditing the internal audit process itself, including how findings are followed up and verified.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Correction is the immediate fix - making the specific problem go away. Corrective action addresses the underlying cause to prevent recurrence. Most audit findings require both. Correction alone closes the visible problem but leaves the cause in place; corrective action without correction leaves the immediate problem unresolved.
ISO 9001 Clause 10.2.1b requires evaluating the need for action to eliminate the cause of a non-conformity, which in practice means understanding the cause. The standard does not specify a formal technique, so root cause analysis is not typically required, but most certification bodies expect to see evidence that the cause has been considered properly - not just guessed at. The five whys or a fishbone analysis is usually enough.
Verification confirms the action has actually addressed the issue. Common methods include re-audit of the area, a sample check of records or transactions, observation of the changed process, or trend analysis where the issue produces statistical patterns. The verification has its own date and owner on the issues register, and the finding is not closed until verification is complete.
The standards require action without undue delay rather than within a fixed period. The right pace depends on the significance of the finding - major non-conformities and any safety-related issues need immediate attention. Minor findings are typically actioned within thirty to sixty days. The target date should reflect the seriousness of the issue and the time genuinely needed to address the cause properly.

UK Legislation relevant to corrective action

UK legislation does not directly require ISO-style corrective action processes, but several laws require organisations to investigate incidents and take action to prevent recurrence - which the corrective action process typically supports. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
