There are 3 levels of findings which may result from an audit:
- Major nonconformity - a systemic or critical failure of a process to control elements of the management system. These are generally raised against mandatory clauses; however, failure of multiple Annex A controls may point to a clause not being in place.
- Minor nonconformity - a single or non-critical failure of the process to control elements of the management system. This could be raised against mandatory clauses, Annex A controls or the organisation’s own policies. An aggregation of minor nonconformities could be escalated to a major nonconformity, but there is no magic number; escalation would be conditional upon the aggregation of risks in the area affected.
- Opportunity for improvement - where there has been no nonconformity, but a potential weakness has been noted. There may not be any objective evidence of a nonconformity, but in the judgement of the auditor there could potentially be a problem in the future if this is not addressed.
Nonconformities must have corrective actions planned against them in order to rectify the problem. An organisational decision may define the timeframe for the production of a corrective action plan, which may vary depending on the severity of the finding (major or minor nonconformity). It should be noted that this timeframe is for the production of a plan to rectify the problem. The actual resolution of the problem can in some cases take time; however, organisations must demonstrate that they are progressing towards closing the finding.
Where an opportunity for improvement has been identified, the organisation should decide if there is a benefit to be realised from addressing this opportunity. It is good business practice to capture opportunities for improvement at subsequent management meetings to provide evidence that this consideration has been given.