How to Appeal an Invalid Audit Nonconformity From Your ISO 9001 Registrar

[Updated for 2021].

Unfortunately, the ISO certification scheme does not enforce good training on auditors working for certification bodies (CBs). The result is that sometimes auditors write nonconformities that are invalid — in the US we call them “bogus” — but which nevertheless have to be responded to.

(Note: while this article refers to ISO 9001, the information herein works equally well for AS9100, IATF 16949, and most other management system certifications.)

Common Reasons for Invalid Findings

Typically, these write-ups are invalid because of three common errors:

• No objective evidence. Without objective evidence indicated in the finding, the client cannot take immediate “containment” and fix whatever the auditor happened to be looking at. That’s critical first step, and has to happen before the company takes any long-term corrective action. For example, an auditor may say “purchase orders lack approval signatures” but without indicating which exact purchase orders the auditor looked at, the finding is invalid (vs. ISO 17021-1) since the client cannot fix the purchase orders. It also makes it impossible for the client to physically verify what the auditor was looking at, in case the auditor made a mistake (for example, perhaps the purchase orders were signed, but simply on the back side of the paper.) Then, the finding could be reversed easily, and no one is harmed.
• No requirement cited. Without citing the exact clause of the standard which is alleged to be in violation, the client (again) cannot take proper corrective action because they don’t know what is actually wrong. Citing the requirement is also an industry rule, so any finding that doesn’t indicate an exact clause can be thrown out, or the CB must amend the finding to include the proper clause. Be cautious, too, when CB auditors cite clauses or documents other than the particular standard; I’ve seen auditors try to write up ISO 9001 audit findings, but by quoting internal CB documents, “IAF guidance documents” or something they saw on the internet. Audit findings can only be written against the standard you are being audited against, and that’s a firm contractual requirement.
• Invented requirement. This is the most common problem, where auditors — after years of auditing against their past employer’s QMS — come to assume that requirements exist in the standard when they actually do not. How many ISO 9001 auditors have demanded a “training matrix” or “preventive maintenance records,” even though the standard doesn’t mention them?  And, once again, in such cases, the client cannot possibly take proper corrective action. Worse, if the client does act on the finding, they are essentially allowing the CB auditor to build their quality system based on the auditor’s personal whims and expectations, so that afterwards the auditor is essentially auditing their own work… a serious violation.

There are many other reasons why a finding might be invalid, as well, but these are the most common.

ISO 17021-1: The Other Guy’s Playbook

One of the best ways to ensure you can identify an invalid finding, and then challenge it properly, is to understand the accreditation rules under which all accredited ISO 9001 registrars must operate. These are found in the standard ISO 17021-1. All accredited CBs must comply with this standard lest they be de-accredited, and denied the right to issue ISO 9001 certificates. The enforcement of ISO 17021-1 is done by the Accreditation Body (AB) utilized by the particular registrar; common ABs include ANAB in the USA or UKAS in the UK. You’ve seen their logos next to the CB logo on your ISO 9001 certificate.

ISO 17021-1 is a dull document, moreso than ISO 9001, but it’s a treasure trove of rights and privileges that you never even knew you had. It defines your rights, as well as the rules that restrict auditors from writing bogus nonconformities. I can’t stress enough how beneficial it is to purchase a copy of the standard, read it and understand it. The clauses you will want to focus on are 9.4 (Conducting the Audit), 9.7 (Appeals) and 9.8 (Complaints.) It’s worth the effort if you are plagued with suspicious nonconformities.

The Fear of Appeals

Companies resist filing an appeal because they believe a number of myths, or hold on to some irrational fears. These are sometimes spread by the CB auditors themselves, in an attempt to get clients to accept all audit findings without question; heck, one registrar trains their auditors on how to hypnotize clients without their knowledge, to make them less resistant to their auditors!

Unfortunately, the timidity of clients to challenge CBs creates a self-inflating problem in the industry: the less clients contest bad findings, the more bad findings the auditors write up, since they have no feedback telling them they are wrong.  It’s therefore imperative that clients push back against invalid findings, not only to ensure the health of their QMS, but to ensure that ISO 9001 certificates worldwide remain trusted and respected.

The most common myths and fears are:

• If contested, the auditor can take away my ISO 9001 certificate. This is untrue, since auditors cannot take anyone’s certificate away. Those decisions are made by an internal committee within the registrar, not by the auditor. Furthermore, you are guaranteed the right to contest nonconformities under ISO 17021-1.
• If contested, the auditor will escalate the finding to a major nonconformity. Also untrue, for the same reasons. The definitions of “major” and “minor” nonconformities are defined in ISO 17021-1, and nonconformities don’t magically increase in severity because a client questions them.
• If contested, the auditor will come back angry, and our next audit will be hell. Typically an auditor won’t even remember the issue by the next audit, but even if they do, their behavior is governed by ISO 17021-1, and they cannot begin issuing “spite findings” out of anger.
• Challenging a registrar is expensive. Not true, and technically it’s free, other than the cost of the time needed to send the emails. In fact, challenging a registrar can save the company a tremendous amount of money.
• We hate conflict. Some companies simply hate conflict, and do anything to avoid it. Unfortunately, at times professional and courteous conflict is a necessary part of doing business, such as pushing back against customers who refuse to pay their bills. Ultimately, companies must remember that the registrar is a vendor, and that you are their customer.
• Top management doesn’t care, they just want the cert on the wall. This is more common than it should be, and often middle managers tasked with defending the QMS find themselves ordered by their bosses to accept the findings, no matter what, just to keep the cert on the wall. It’s a phony argument, since appealing a nonconformity doesn’t de-certify a company, but if the boss is that worried about it, there’s little you can do other than find a new employer.
• Our certificate will expire while waiting for the appeal to be resolved. This one has some merit, but you should clearly communicate to the CB that you expect the appeal to be resolved by them in a timely manner that does not impact on your certification.  There are a lot of minor tweaks the CB can do to ensure your cert does not expire, but clearly they should simply prioritize the issue so that this doesn’t even become a risk. If they don’t, you have an entirely different complaint you can levy against them.

Steps to Appeal a Finding

When contesting a nonconformity, this is referred to as an “appeal.” The ISO standards use that term to differentiate it from a “complaint,” which goes through an entirely different process.

Appealing a finding is incredibly simple, and should be done in the following order. In all cases, the challenge must be made in a manner that is polite, firm and based on evidence. Let’s take a look:

1.) Confirm that the nonconformity is, in fact, invalid. Many clients don’t like nonconformities, and want to oppose them, but if the nonconformity is valid, there is no amount of arguing that can reverse it. If it’s a valid finding, it’s better to work to correct the problem than argue for the sake of arguing.

2.) Don’t worry about the closing meeting. Many clients feel that because they have signed the auditor’s nonconformance report, and held a closing meeting, that this means the finding has been accepted by the company. This is not true, although some CB auditors will lie and say so. Instead, all you are signing for is receipt of the nonconformity, not acceptance of it. You are granted the right to go back, after the audit, and study the nonconformity in greater detail. Even if during the closing meeting every nodded their heads in agreement, you are allowed to change your mind once you study the finding in detail; that is why you do a root cause analysis, after all. So don’t feel obligated to accept the finding as valid if it is not, even if you signed for it and agreed to it verbally during the audit itself.

3.) Demand your objection be recorded. If, during the closing meeting, you already know you intend to object to the finding, ISO 17021-1 requires auditors to document those objections in their final report. Auditors won’t tell you that you have this right, because they don’t want a paper trail. But doing so will help you later, if the auditor falsely claims “but you agreed during the closing meeting.”

4.) Gather your facts. Next, you have to be 100% absolutely sure the finding is invalid. You will want to put together internal notes on why the finding may be wrong, such as “auditor didn’t cite a requirement” or “he didn’t indicate what he looked at” or “I can’t find a requirement anywhere in ISO 9001 that requires this.” If you have purchased ISO 17021-1, go over clause 9.4 to find where the auditor may have violated the accreditation rules, which will help your case. Keep copies of any emails from the auditor, as well as copies of the audit report and nonconformity.

5.) Craft your argument. Using the information, put together a strong argument as to why you think the finding is invalid. For now this is an internal discussion only, so you can be as forceful as you like in your internal notes. Be sure your argument clearly describes what the problem is, and why you cannot take corrective action with the finding written in the way it is.

For the next few steps, I urge you to switch to written communication only. Resist all urges (either by you or the auditor) to “resolve this over the phone.” Auditors do that because they do not want a paper trail, and when you begin the appeal process, records are critical. If the auditor calls, don’t take the call, and follow up with an email instead. Save everything.

6.) Send an informal email to the auditor. The best first alert to the auditor is a casual email, written in a friendly manner, but which captures — in broad strokes — what your concern is. In the email, you would ask (politely!) that the auditor consider re-wording the finding to address your concerns or ask that they consider withdrawing the nonconformity altogether. Here are a few examples:

Dear Joe,

As part of our root cause analysis of your finding, we are having trouble seeing which specific ISO 9001 clause you are citing. Can you help us by rewording the finding by citing the clause you are concerned with, and perhaps explaining better how you feel the clause was violated? If there was an error in the finding and it’s not associated with an ISO 9001, we would then ask that perhaps you could withdraw it. Thanks so much.

Or:

We noticed in your finding that you did not indicate the objective evidence you looked at during our audit. As a result, we cannot take immediate containment, since we don’t know for sure what to fix. Could you amend the nonconformity with an indication of what exact evidence you looked at? That would help us greatly. If not, we would ask that you withdraw the nonconformity, since we are unable to take proper corrective action with the problem as written. Thanks so much.

Now you will notice that both samples are extremely polite and quite cool-headed. Unfortunately. because receiving a challenge is a rare thing for many auditors, they may react with some level of hostility.  So you should be prepared for an irrational response, but you must remain professional and calm no matter what.

You should also not let fear of a possible irrational reply dissuade you from pursuing your concern. Eventually, it all blows over and everything returns to normal.

Alternatively, you may get a completely professional and polite reply; so don’t assume things will go south just yet.

If you don’t get a satisfactory result from the auditor through an informal email, you have to make a formal appeal.

7.) File a formal appeal. This is a formal request for the nonconformity to be reviewed by the registrar’s internal committee (not the auditor him/herself). You are guaranteed this right under ISO 17021-1, and which the CB cannot refuse. To file this, you simply send an email to your registrar’s sales contact, and cc a copy to the auditor. Ask that they forward it to the appropriate appeals body within the registrar.

The appeal should more formally state the reason you are requesting the nonconformity to be withdrawn, and should include a copy of the nonconformity, along with specific citations of ISO 17021-1 if possible.  You should politely but firmly request the finding be withdrawn or amended, and specifically request the CB take “appropriate corrective action.”

Typically, the CB office will then attempt to resolve the problem over the phone, so you may get a call from the home office. Again, resist this. Instead, ask the CB rep to follow up in writing, with formal corrective action. Keep copies of any emails received on the matter.

In 90% of the cases that go to appeal, the internal body will side with the client and withdraw the nonconformity. This is true because of two primary reasons: first, the internal committee discovers the finding was, in fact, bogus and agrees with the client. Second, the CB home office does not want to risk losing you as a client, so they would rather throw out the finding, rather than lose your annual revenue.  So you stand a very good chance of having the nonconformity dropped entirely.

If not, continue…

8.) Assess the registrar’s response. If the registrar has provided a reason as to why the nonconformity should stand, be sure to assess that response in an objective, open-minded manner. It could be they have a very good argument that you did not consider previously, and the finding should be upheld. If so, write to the CB and alert them that you agree with their result, thank them for it, and proceed with your appropriate corrective action. If the response is lacking, however, then push forward…

9.) File a formal complaint. If the appeal goes south, and you are absolutely certain you still have a valid argument, you would then file a complaint with the registrar, and cc their accreditation body. Oxebridge has a separate article on filing complaints here. Once again, however, be sure you remain professional and courteous no matter what. Do everything in writing, and keep records of any and all communication regarding the complaint. CC the registrar’s Accreditation Body as well, which will typically shake up the CB so they take your complaint more seriously.

As I said, typically 90% of all contested findings are withdrawn, usually just because the CB wants tokeep your business. But if the CB feels they have a valid finding, and especially if there’s a direct risk that you are releasing defective product in the market, you may not have a good standing, and should probably accept the finding and make the appropriate corrective action.

As always, if you find yourself in a real bind with your CB, we can help with filing appeals, complaints, or simply counseling you on whether the finding is, in fact, valid. Check our page on Audit Defense Services.