What Goes Wrong on ISO Audits: Top 15 Findings from 200+ Real Audits

These figures are Ekontrol's aggregation of 200+ supported certification audits in 2024-2025 (food + QMS + EMS), validated against publicly available data from DNV (250,000+ audits) and AFNOR (20,000 audit reports). Sum of percentages exceeds 100% because each audit typically contains multiple nonconformities.

What exactly we counted. Every finding in an audit report was coded by clause, type (major/minor/observation/OFI), and short description. Duplicates from multi-site certifications were merged. That gives clean per-audit frequencies rather than per-line counts.

Geography: mostly Ukraine, Moldova, Poland, Romania. Industries: food processing (45%), agriculture and biofuels (20%), engineering and metals (15%), services (12%), chemicals and packaging (8%). Standards: ISO 9001 (38%), ISO 22000 (24%), FSSC 22000 (16%), ISCC EU/PLUS (12%), ISO 14001 (7%), other (3%).

Why this matters. Many articles about common audit findings just retell public PDFs from CB websites without original data. Our sample reflects what actually happens in a room with a Ukrainian quality manager and an auditor from an accredited CB. The best way to stay out of these statistics is to run an independent readiness diagnostic before the auditor shows up. Most of the top 15 findings can be closed in 2-8 hours if you catch them before Stage 2.

Before looking at the top 15, you need to understand the difference between a major and a minor nonconformity. That difference decides whether you walk away with a certificate or with corrective action plans and a follow-up visit.

A major is a breakdown that calls into question the system's ability to deliver intended results. Examples: a documented procedure that simply does not exist, systematic failure to monitor a CCP, no management review for 18 months or more. A minor is an isolated failure that does not destroy the system: one missing record, one overdue calibration, one training session without a signature. Both require corrective action, but the consequences differ. IAF MD 4 and ISO 19011 give general criteria, but each CB applies them with its own flavour. Here are the key differences.

Each finding below follows a fixed structure: frequency, clause, typical auditor quote, root cause, and prevention checklist. Numbers are rounded, but the ranking matches our sample. What gets found most often is not necessarily the most serious; in fact, the top 3 are usually minors, while the bottom of the list often hides systemic majors.

Frequency: 32% of audits. Standard clause: ISO 9001 §7.5.3 / ISO 22000 §7.5.3.

Auditor quote: "The current revision of the purchasing procedure, version 2.1, does not reflect the actual approval workflow described by the head of supply during the interview. The change is in operation, but the document has not been updated."

Why it happens: processes inside the company evolve faster than the documents do. Someone decided that approvals now go through 1C instead of paper, but the procedure still sits in the QMS folder with last year's date on it. The quality manager doesn't know about the change because it was made informally.

Prevention checklist:

• Quarterly formal review of active procedures with process owners (not with QM)
• A document update trigger inside any ECR/CR when work changes
• A column for "Owner of accuracy" in the document register with a real name
• A 30-day pre-audit sweep of the top 10 key procedures: "is this still how we do it?"
• Versioning with date and approval signature on the cover page

Estimated fix time + cost: 4-8 hours of owner time, €0-200 for documentation updates.

Frequency: 28% of audits (food). Standard clause: ISO 22000 §8.5.4 / FSSC 22000 v6 additional requirements.

Auditor quote: "In the CCP-2 monitoring records (heat treatment) for the period 14-21 April, operator signatures and temperature values for the 22:00-06:00 shift are missing. Actions taken on deviation from the critical limit are not documented."

Why it happens: night shift, operator busy, shift supervisor didn't remind anyone. Gaps appear in the paper journal. Or the form is filled in but doesn't show who verified it. Sometimes a critical limit was breached, the operator corrected the parameter on the line, but the corrective actions field stayed empty.

Prevention checklist:

• Electronic monitoring where feasible (temperature loggers with auto-export)
• The shift handover checklist must include "all CCPs filled in"
• Weekly walk-through by the production manager with a signature on the forms
• A separate "Action on deviation" column always filled in, even when it says "no deviation"
• Internal audit of CCP journals 30 days before certification on a 5-10 day sample

Estimated fix time + cost: 16-40 hours to embed the discipline, €500-2000 for electronic loggers (optional).

Frequency: 24% of audits. Standard clause: ISO 9001 §7.1.5.

Auditor quote: "Thermometer inv. no. TM-014, used to monitor raw material storage temperature, carries a calibration sticker dated 02.2024. The next verification is 4 months overdue. No records of current calibration results were provided."

Why it happens: the register of equipment that needs calibration lives in Excel, and reminders for verification live in the metrologist's head. The metrologist resigned, the new one hasn't received the full list yet. Or equipment was decommissioned but the sticker stayed on, so the auditor sees an active instrument with an expired date.

Prevention checklist:

• Register with automatic reminders 60 days before verification is due
• Colour coding: green sticker (valid), red (decommissioned)
• Calibration certificates archived in one place (paper or electronic)
• A 90-day pre-audit register review: "do all active instruments have valid verification?"
• A documented decision on calibration vs verification (the legal regimes differ in Ukraine)

Estimated fix time + cost: 8-20 hours to review the register, €100-500 for urgent verification if expired items are found.

Frequency: 19% of audits. Standard clause: ISO 9001 §8.4.1 / ISO 22000 §7.1.6.

Auditor quote: "Raw material supplier X Ltd is on the approved supplier list. The last documented evaluation is from 2022. The re-evaluation frequency defined in procedure P-08-2024 is one year. The current evaluation has not been carried out."

Why it happens: re-evaluating suppliers is dull work that doesn't block the operational day. Procurement runs, no complaints, why bother. Eighteen to twenty-four months later, the auditor opens the register and sees that the last evaluation was two years ago.

Prevention checklist:

• Electronic re-evaluation calendar with a named owner
• A simplified form for suppliers without complaints (5 minutes instead of 1 hour)
• Integration with complaint data: automatic re-evaluation triggered by any claim
• ABC segmentation of suppliers: critical ones yearly, others every 2 years (with rationale)
• A 60-day pre-audit sweep of the top 20 suppliers

Estimated fix time + cost: 12-24 hours to re-evaluate 20-30 suppliers, €0.

Frequency: 17% of audits. Standard clause: ISO 9001 §6.1.

Auditor quote: "The risks and opportunities register contains 8 entries related to production risks. Risks linked to the supply chain and the regulatory environment, mentioned in section 4.1 (organisational context), have not been considered."

Why it happens: risk analysis is done once before the first certification as a formality. Obvious things get listed (equipment breakdown, power outage), then it's forgotten. Two years later the context has shifted (war, sanctions, new regulatory requirements) and the register hasn't moved.

Prevention checklist:

• Register review every 6 months with department heads
• A template with categories: product, process, supply, people, regulation, finance, market
• A mandatory "risk → action → owner → date" link for every entry
• Risk analysis as input for management review
• A separate opportunities register (this is the one usually forgotten)

Estimated fix time + cost: 8-16 hours for the review, €0.

Frequency: 16% of audits. Standard clause: ISO 9001 §6.2 / ISO 22000 §5.2.

Auditor quote: "The objective 'increase customer satisfaction' is set for 2026 without a defined measurable indicator, target value, measurement method, or owner. Achievement of the objective cannot be evaluated."

Why it happens: objectives are written once at a strategic session in abstract terms ("improve", "optimise", "reduce") and never translated into KPIs. The auditor wants to see a number, a date, and a name; without those, the objective is not measurable.

Prevention checklist:

• SMART format for every objective: specific, measurable, achievable, relevant, time-bound
• A table: objective | KPI | baseline | target | date | owner | method
• Quarterly progress monitoring as input to management review
• Link objectives to context, risks, and policy
• Separate strategic (yearly) and operational (quarterly) objectives

Estimated fix time + cost: 4-8 hours to rewrite the objectives, €0.

Frequency: 14% of audits. Standard clause: ISO 9001 §9.3 / ISO 22000 §9.3.

Auditor quote: "The management review minutes dated 15.12.2024 do not include analysis of all required inputs, in particular: monitoring and measurement results, customer feedback, status of corrective actions, opportunities for improvement."

Why it happens: management review happens once a year, the QM prepares it, the director signs without reading. The minutes state facts ("the system works") with no analysis and no decisions. The standard requires 8-10 specific inputs and outputs; the minutes contain 3.

Prevention checklist:

• A minutes template with all mandatory inputs/outputs as headings
• A presentation with data (complaint trends, KPIs, audit findings) attached to the minutes
• Decisions with owners and dates as a separate table inside the minutes
• At least once a year, ideally twice (linked to annual planning)
• Participants: actual top management, not just QM and director

Estimated fix time + cost: 4-6 hours for a proper review, €0.

Frequency: 13% of audits. Standard clause: ISO 9001 §9.2.

Auditor quote: "The 2025 internal audit plan covers 8 processes. Reports for 4 of those audits were not provided. Records of findings discussion and corrective actions are absent."

Why it happens: the internal audit is treated as a formality before the external one. An internal auditor is appointed, they walk through the processes in a day, write a short "all good" report, and the files get lost. When nonconformities do surface, they don't get closed.

Prevention checklist:

• An annual plan with specific dates and auditors (approved at the start of the year)
• Checklists for each process: at least 15-20 questions per process
• A standardised report format with references to standard clauses
• A register of internal audit nonconformities with closure tracking
• Auditor independence from the audited process (no auditing your own work)
• Internal audit closed before the external one with documentary evidence of all NC closure

Estimated fix time + cost: 24-40 hours for a full cycle, €0-1500 for internal auditor training.

Frequency: 12% of audits. Standard clause: ISO 9001 §8.4.

Auditor quote: "Packaging sterilisation services are provided by an external contractor Y Ltd. The contract contains no quality specifications. Records of incoming inspection of contractor batches are absent."

Why it happens: outsourcing keeps growing: cleaning, IT, metrology, parts of production, logistics. The company is used to thinking "that's not our process", but the standard is clear: if it affects product quality, it falls under your control. Contracts are often old, with no QA annex.

Prevention checklist:

• A register of externally provided processes categorised by impact on product
• A QA annex to the contract with critical service suppliers
• A monitoring plan: incoming inspection, contractor audits, KPIs
• Cross-cutting evaluation of service suppliers alongside material suppliers
• Outsourcing risk analysis with a contingency plan if the contractor fails

Estimated fix time + cost: 12-30 hours, €0-500 to update contracts.

Frequency: 11% of audits. Standard clause: ISO 9001 §7.2.

Auditor quote: "The operator on line 3 has not completed the critical control point training required by the competence matrix. Records of competence evaluation for 2025 are absent."

Why it happens: there is a training plan but execution is patchy. New hires learn on the job without documentary evidence. The competence matrix is out of date: new positions were added, requirements were not updated.

Prevention checklist:

• Competence matrix: position | requirements | current level | action plan
• An onboarding checklist for new hires with signatures
• Annual competence evaluation with documented results
• One archive for training certificates and records (HR + QM)
• Link training to risks and changes (new equipment → mandatory training)

Estimated fix time + cost: 16-32 hours, €500-3000 for training if real gaps surface.

Frequency: 10% of audits. Standard clause: ISO 9001 §10.2 / ISO 22000 §10.2.

Auditor quote: "Nonconformity NC-2024-03, raised at the 2024 surveillance audit, was formally closed on 12.01.2025. On site, recurrence of the same deviation was found in the same process. Root cause analysis was conducted superficially."

Why it happens: the corrective action was "we talked to the operator" with no causal analysis. Six months later the same issue returns because the cause was never removed. This often becomes a major because it shows the system doesn't learn from its mistakes.

Prevention checklist:

• A CAR template with mandatory fields: symptom, root cause (5 Why or Fishbone), action
• Separate containment (quick stop) and corrective (systemic fix)
• Verification: how to confirm the issue does not return (at 30 and 90 days)
• An NCR register that tracks recurrence: a repeat NCR is automatically major
• Open NCRs discussed at management review

Estimated fix time + cost: 4-12 hours to review open CARs, €0.

Frequency: 9% of audits. Standard clause: ISO 9001 §7.5.3.

Auditor quote: "At the operator's workstation, work instruction version 1.3 (approved 2023) was found in use. The current version is 2.0 (approved 04.2025). The document control procedure is not being followed for withdrawal of obsolete copies."

Why it happens: the operator printed a convenient version and has been using it for years. The new version sits on the server but never reached the workstation. Printed copies aren't tracked.

Prevention checklist:

• Electronic document management with controlled access to current versions
• If paper-based, a register of controlled copies with signatures
• A planned quarterly walk-through of workstations to remove obsolete copies
• "CONTROLLED COPY" markings with a number and date
• No personal printouts; all copies issued through QM

Estimated fix time + cost: 8-16 hours, €0-500 (if an electronic system is needed).

Frequency: 8% of audits. Standard clause: ISO 9001 §6.3.

Auditor quote: "In 2025 a new bottling line was implemented. A documented analysis of the change's impact on the quality management system (risks, training, documentation, resources) has not been carried out."

Why it happens: a major change (new equipment, reorganisation, new product) is treated as a technical project rather than a change to the QMS. The investment is there, the training is there, but formal change management is not.

Prevention checklist:

• A change request template: change description, risks, resources, training, documents, date
• Change management procedure integrated with the investment process
• Review of change impact on the risk register and objectives
• Post-implementation verification: did the change achieve its purpose
• Major changes as a separate item at management review

Estimated fix time + cost: 4-8 hours per change, €0.

Frequency: 7% of audits. Standard clause: ISO 9001 §4.1.

Auditor quote: "The organisational context analysis was approved in 2022. Significant changes in the external environment during 2023-2025 affecting the organisation's activities have not been considered."

Why it happens: the organisational context is written once before the first certification using a SWOT template, filed in a folder, and forgotten. Two or three years later reality is completely different (new markets, new regulations, new risks), but the document hasn't moved.

Prevention checklist:

• Annual context review as input to management review
• Categories: political, economic, social, technological, environmental, legal (PESTEL)
• Link to the interested parties register and their requirements
• Context changes trigger an automatic risk review
• Keep the document short (1-2 pages), not an essay

Estimated fix time + cost: 2-4 hours, €0.

Frequency: 6% of audits (rising in FSSC v6+). Standard clause: ISO 9001 §5.1 / FSSC 22000 v6 leadership requirements.

Auditor quote: "During the interview, the general director was unable to describe the quality policy or the management system's key objectives. No documented evidence of personal top management involvement in promoting a culture of quality/food safety was identified."

Why it happens: top management delegates quality and food safety to the QM, signs documents without reading them, and skips meetings. The auditor asks direct questions and uncovers the lack of real involvement. This is increasingly a major, especially under FSSC 22000 v6 and ISO 9001:2026.

Prevention checklist:

• The top manager personally attends opening and closing meetings of the audit
• The director, not the QM, runs management review
• The quality/safety policy is signed and explained at meetings
• Quality/safety KPIs included in top management's incentive scheme
• A short 30-minute prep with the top manager before the auditor interview

Estimated fix time + cost: 2-4 hours of top management prep, €0.

Most of the top 15 nonconformities close with one tool: a well-written corrective action report (CAR) that the auditor accepts without follow-up questions. A weak CAR is the main reason a minor turns into a major at the next audit, or a closed NC comes back a year later.

The core logic: containment (stop quickly) → root cause (understand why) → corrective action (remove the cause) → preventive action (prevent recurrence in other processes) → verification (confirm it works). Skip any of those five steps and the CAR is incomplete. Auditors from accredited bodies check the structure, not the length of the text. For deeper context, see our breakdown of what happens during the Stage 2 ISO certification audit.

A Stage 2 audit often closes with 2-5 nonconformities and a 30-90 day deadline. Below is the minimum template we use with clients during audit support engagements.

Ukraine has two groups of certification bodies: those accredited by NAAU (the National Accreditation Agency of Ukraine) and international CBs accredited by DAkkS, UKAS, ANAB, and others (often through Ukrainian representatives). The findings tend to be similar, but there are nuances.

NAAU bodies more often write reports in Ukrainian, with direct references to DSTU versions of standards, with an emphasis on documentary compliance. International CBs write in English and more often look for evidence of system effectiveness (how it actually works), not just the presence of documents.

Terminology worth knowing inside the team:

• NCR (Non-Conformity Report): a nonconformity report. Ukrainian reports often just write "nonconformity no. ..."
• CAR (Corrective Action Request/Report): the corrective action plan
• PAR (Preventive Action Request): preventive action plan. ISO 9001:2015 removed the standalone PA requirement, but the concept lives on in §6.1
• OFI (Opportunity for Improvement): not a NCR, but the auditor expects a response
• Observation: a touch more serious than an OFI, but still not an NCR
• Major / minor / critical: most CBs use only major and minor; "critical" appears in GFSI schemes (FSSC 22000)

A practical tip: regardless of the CB, copy the finding wording into the CAR verbatim. Don't rewrite it in your own words; that creates a risk that the CB concludes you didn't understand the problem. An English-language finding gets an English CAR with a Ukrainian translation for the team.

Some findings are universal (§7.5.3 documentation, §6.1 risks); some are industry-specific (CCP monitoring is food only). The table below shows how the top 15 map to the main standards we work with as part of expert audit preparation.

Below are the questions clients ask most often a week before the audit. If yours isn't covered, drop us a line via the contact page and we'll add it to the next update.