Many businesses conduct ISO 9001 internal audits every year. However, the audit results do not always accurately reflect the effectiveness of the quality management system in actual operation. Some nonconformities recur over multiple audit cycles, corrective records remain incomplete, or the audit activity is limited to document checking only.

In this article, ARES Vietnam helps businesses identify five common nonconformities found during ISO 9001:2015 internal audits. In addition, we suggest practical improvement approaches to reduce recurring issues and enhance the effectiveness of the quality management system.

5 common non-conformance points in ISO 9001:2015 internal audit

What Is An ISO 9001 Internal Audit?

An ISO 9001 internal audit is an activity carried out by a business to evaluate whether its quality management system complies with the requirements of ISO 9001:2015, internal procedures, and established objectives.

Unlike routine work inspections, internal audits focus on determining whether the system is operating as planned. Through this activity, businesses can identify which processes are working effectively, which areas are not fully compliant, and which aspects require improvement before external audits take place.

In essence, internal audits are not intended to assign blame to individuals. Instead, they focus on collecting objective evidence, identifying risks, and improving the quality management system based on factual information.

ISO 9001 Internal Audit

5 Common Nonconformities Found During ISO 9001:2015 Internal Audits

Below are five common categories of nonconformities frequently identified during ISO 9001:2015 internal audits.

1. ISO Documents And Records Are Not Properly Controlled

This is one of the most common nonconformities identified during internal audits. Many businesses have established procedures, forms, and work instructions. However, document control across departments is often inconsistent.

A common situation is that updated documents are available within the system, yet employees continue using outdated forms. In addition, some records lack signatures, dates, or sufficient information for traceability purposes.

Common Signs

• Employees use outdated forms instead of the latest version.
• Procedures have changed, but ISO documents have not been updated accordingly.
• Quality records lack signatures, dates, or traceability information.
• Documents are stored in multiple locations, making it difficult to identify the current version.
• Activities are performed, but records are insufficient to provide evidence.

Why Is This Considered A Nonconformity?

ISO 9001:2015 requires organizations to control documented information to ensure documents and records are properly updated, approved, stored, and retrievable.

Without proper control, businesses cannot demonstrate operational consistency. Furthermore, using incorrect document versions or maintaining incomplete records may increase the risk of errors during operations.

How Can Businesses Improve?

Businesses should establish a document register and clearly define responsibilities for drafting, approving, issuing, updating, and withdrawing documents. In addition, departments should periodically verify that employees are using the latest versions.

It is also important to distinguish between documents and records:

When documents and records are properly controlled, businesses can improve traceability, reduce inconsistencies, and strengthen system consistency.

Documents and ISO records are not fully controlled

2. Procedures Exist But Are Not Implemented in Practice

Another common nonconformity is the gap between documented procedures and actual practices within the organization.

In many cases, procedures are well established within the documentation system. However, during on-site audits or employee interviews, actual practices differ from the documented requirements. Employees may rely on habits, personal experience, or skip certain steps due to schedule pressures.

Common Signs

• Procedures specify one method, but actual implementation follows another.
• Certain inspection, verification, or approval steps are omitted.
• Employees are unfamiliar with procedures related to their work.
• Different departments perform the same activity differently.
• Procedures were issued long ago and no longer reflect current operations.

Why Is This Considered A Nonconformity?

ISO 9001:2015 requires organizations to plan, implement, and control processes necessary to meet product, service, and quality management system requirements.

When documented procedures differ from actual practices, organizations may struggle to control outputs, assign responsibilities, and demonstrate conformity during audits. As a result, the ISO system becomes merely formal and no longer reflects how the business actually operates.

How Can Businesses Improve?

Businesses should periodically review existing procedures. If operations have changed, the documents should be updated accordingly. Conversely, if procedures remain appropriate but employees do not follow them correctly, retraining and communication are necessary.

For processes that directly affect product or service quality, organizations should clearly define responsibilities, required records, and output control criteria.

The process exists but it is not implemented correctly

3. Quality Objectives Are Not Properly Measured and Monitored

Quality objectives provide the foundation for improvement activities within an organization. However, many companies still establish objectives that are too general, difficult to measure, or lack periodic monitoring data.

Objectives such as “improve product quality,” “increase customer satisfaction,” or “enhance work efficiency” are difficult to evaluate without clear indicators, target deadlines, and assigned responsibilities.

Common Signs

• Quality objectives do not include measurable indicators.
• No responsible person is assigned to monitor progress.
• Periodic reports or performance data are unavailable.
• Departmental objectives are not aligned with the organization’s overall objectives.
• When objectives are not achieved, no root cause analysis or improvement action is conducted.

Why Is This Considered A Nonconformity?

According to ISO 9001:2015, quality objectives must be consistent with the quality policy, measurable, monitored, communicated, and updated when necessary.

If objectives cannot be measured, organizations lack a basis for evaluating system performance. As a result, quality objectives may exist only on paper without delivering real management value.

How Can Businesses Improve?

Organizations should establish quality objectives with clear indicators, target dates, responsible persons, and monitoring methods.

Examples:

When objectives are clearly quantified, organizations can monitor progress more effectively, evaluate results accurately, and implement appropriate improvement actions.

Quality goals are not adequately measured and tracked

4. Corrective Actions For Nonconformities Are Not Thorough

One reason why nonconformities continue to recur over multiple audit cycles is that organizations often fail to address the root cause of the issue.

In many cases, companies only deal with the symptoms. For example, missing records are simply added, employees are reminded after making mistakes, or incorrect forms are replaced. While these actions may solve the immediate problem, they do not necessarily prevent recurrence.

Common Signs

• The same nonconformity appears repeatedly in multiple audits.
• Corrective actions only involve completing records or reminding employees.
• No root cause analysis is performed.
• No responsible person or completion deadline is defined.
• No evidence is available to verify the effectiveness of corrective actions.

Why Is This Considered A Nonconformity?

ISO 9001:2015 requires organizations to respond appropriately to nonconformities, determine their causes, implement necessary actions, and evaluate the effectiveness of those actions.

If only the symptoms are addressed without identifying the root cause, the issue is likely to reoccur. Consequently, the quality management system cannot fully support prevention and continual improvement.

How Can Businesses Improve?

Organizations should apply root cause analysis methods such as the 5 Whys, Fishbone Diagram, or process-based analysis to determine the actual cause of the problem.

Examples:

After corrective actions are implemented, organizations should verify their effectiveness by checking whether the issue has recurred, whether performance data has improved, and whether related procedures need to be updated.

Actions to correct nonconformities are not thorough

5. Internal Audits Lack Objectivity or Auditors Lack Competence

This is a sensitive but common issue. Many organizations have audit plans, checklists, and reports in place, yet the audit process still fails to reflect the actual condition of the quality management system.

The cause may be insufficient auditor training, lack of skills in collecting objective evidence, subjective assessments, or auditors evaluating areas for which they are directly responsible.

Common Signs

• Audit checklists are too basic and mainly focus on whether records exist.
• Audit questions do not evaluate process effectiveness.
• Auditors fail to document objective evidence supporting their conclusions.
• Auditors do not maintain independence from the audited area.
• Audit reports do not clearly distinguish conformities, nonconformities, and opportunities for improvement.
• Internal audits identify no issues for years, yet external audits reveal several nonconformities.

Why Is This Considered A Nonconformity?

Internal audits should provide management with reliable information regarding the status of the quality management system. If auditors lack competence or if the audit process is not objective, the results will not accurately represent actual operations.

As a result, organizations may overlook critical risks, fail to identify weaknesses, and lose valuable opportunities for improvement.

How Can Businesses Improve?

Organizations should provide ISO 9001 internal auditor training so that auditors understand the standard requirements, are familiar with internal processes, and know how to collect objective evidence.

In addition, cross-functional auditing should be implemented to ensure independence. Organizations should also standardize audit checklists, audit reports, and nonconformity records so that audit results are clear, consistent, and useful for continual improvement.

Internal audits are not objective or auditors are not qualified

Self-Assessment Checklist Before Conducting An ISO 9001 Internal Audit

To minimize nonconformities during an ISO 9001 internal audit, organizations can review the following items in advance:

This checklist does not replace a formal internal audit program. However, it can help organizations proactively identify weaknesses before the audit begins.

Prepare Proactively For Your ISO 9001 Audit

Identifying nonconformities early during internal audits can help organizations reduce corrective action pressure before certification audits, surveillance audits, or recertification audits.

ARES Vietnam provides ISO 9001 audit and certification services in accordance with international standards. These services help organizations verify the conformity of their quality management systems in an objective and professional manner.

Contact ARES Vietnam to learn more about the ISO 9001 certification audit process and the requirements organizations should prepare before an audit.

• Hotline: 085.3858.553
• Email: Service@aresvietnam.vn

Frequently Asked Questions About ISO 9001 Internal Audits