Writing Nonconformities

by Craig Cochran

The term “nonconformity” inspires fear in many people. It shouldn’t. A nonconformity is simply an opportunity for the management system to improve. It should not be viewed as an indictment of any person or group, but rather as a factual statement that drives improvement. Before we get any further, it’s helpful to provide a clear definition of what a nonconformity is. A nonconformity is the failure to meet a requirement.

It’s a short definition, but it packs a lot of power. The first thing you should notice is the prerequisite. You need a requirement before you can ever have a nonconformity. When we write a nonconformity, you always write the requirement first. It sets the tone for everything else. If you can’t find a requirement for a particular situation, then categorically you can’t have a nonconformity. You might have a concern, observation, remark, or opportunity, but it’s not a nonconformity unless it’s clearly tied to a requirement.

The second half of a nonconformity is the objective evidence. The evidence states exactly what the auditor saw, heard, read, or experienced that contradicted the requirement. The objective evidence is factual and traceable, but it is stated as concisely as possible. We can’t write a book detailing every minute thing that happened. A good auditor simply cites the evidence that fails to meet the requirement.

A child could write a clear nonconformity. It’s a simple one-two process. This is how the two halves of a nonconformity statement fit together:

  • Requirement: The company committed itself to doing XYZ. The commitment is a fact, evidenced by its presence in a procedure, plan, policy, specification, contract, work instruction, standard, or statement.
  • Evidence: The company failed to do XYZ. The failure is a fact, based on evidence such as records, observations, documents, or interviews.

No opinions are present in the nonconformity, just cold, hard facts. It’s hard to argue with facts. It also makes the audit go much smoother. Sure, facts may remove a degree of creativity that auditors exercised, but creativity is better expressed in other ways.

Writing effective nonconformities is one of the most fundamental auditing skills. Despite its fundamental nature, it is a skill that even the most experienced auditors struggle with. Here are a few keys that will help you write nonconformities as well as anybody out there.

  • Match the requirement with concise evidence. This is the single most important key. State the requirement and then provide the evidence that shows that the requirement was not met.
  • Write in complete sentences. This is what your eighth grade english teacher would have insisted on, and good auditing insists on it, also. Complete sentences, in both the requirement and the evidence, provides the customer of the audit with a complete product. This complete product is more likely to be understood, and thus more likely to be acted upon.
  • Include all applicable identifiers (what, who, when, where). It is critical that your evidence is fully traceable. This is achieved by including all identifiers: what the nonconformity was, who was involved, when it happened, where was it located, and how much was involved. This builds credibility in the evidence and allows the auditee to know exactly what needs to be done to remedy the situation. The only identifier that is not clearly stated are people’s names. We use job titles in the evidence, because we want to remind everybody involved that the audit is about the process, not people.
  • Use an economy of words. Writing a nonconformity is a balancing act. We need to include all identifiers, but we need to use an economy of words. As Shakespeare said, “Brevity is the soul of wit.” Not only is brevity the soul of wit, but it helps drive understanding. Ironically, including more words rarely increases anybody’s understanding of what you’re trying to communicate. Keep your nonconformity statement nice and tight. If you can remove a few words, while still communicating the essential message, then by all means do it.
  • State the facts, not your opinions. The audit is about facts. There is no need to editorialize as part of the evidence. This happens when the auditor tries to explain why the nonconformity is harmful or what the effects could be. This is not necessary. Just state the evidence and no more.

 

Here is an example of a well written nonconformity:

Requirement: SOP #QOP-32, revision 3, states in section 6.5 that employees must wear white gloves when handling finished product.

We state exactly where the requirement comes from. In this case, it’s a procedure written by the organization being audited. We provide the procedure number, revision, and even the section. Some auditors also include the procedure name, and this can add value too. Once we say where the requirement comes from, we state exactly what the requirement is. We don’t paraphrase it or get creative, we repeat the requirement word for word.

Evidence: The auditor observed two employees in the warehouse handling finished product without white gloves.

The language in the evidence mimics the language in the requirement. The organization committed to wearing white gloves when handling finished product, but the auditor observed two people not wearing white gloves. Cut and dry.

Here is an example of a poorly written nonconformity:

Requirement: All products must be identified.

There is no traceability to this requirement. Where did it come from? There is a similar requirement in ISO 9001:2015, but that source is not referenced. Always cite where the requirement is coming from, and never paraphrase it. It is permissible to add ellipsis (…) if the requirements is taken from a long passage and the entire section is not needed.

Evidence: Returned goods were missing the nonconforming materials tags, which greatly increases the chance of accidentally shipping bad material.

This evidence has a lot of problems, most of which can be summarized by saying the evidence is not traceable. Firstly, there’s no indication of where the returned goods were located. The returned goods are also not identified in any unique way. The quantity of returned goods is also not indicated—there could be two or 200, it’s not clear. Finally, the auditor included a lot of editorial opinion at the end of the evidence. This opinion is not needed and only serves to inflame the auditee. Stick to the facts when you write evidence and make sure the facts are fully traceable.

 

Auditors are held to a higher standard

It’s tempting to just say “Who cares?” when it comes to writing clear and correct nonconformity statements. After all, the rest of the world writes in a very informal manner. Grammar, correct spelling, and proper usage all seem optional these days. As long as the auditee understands what I’m talking about, it’s okay, right? Wrong answer. Auditors must produce a polished and professional product. Everything you write, say, and do is being scrutinized constantly by the auditee. Not in an attempt to disparage you, but simply to ensure that audit is credible. The output of the audit that gets the most attention are nonconformity write-ups. Even though nonconformities are not aimed at any particular person in an organization, auditees are still keenly aware that they represent failings of a sort. A requirements was established, but we weren’t able to meet it. Because of the high profile of nonconformities, they need to be written very well.

If you’re auditing with another person or as part of a team, make sure to have someone else review your nonconformity write-up. This is usually the role of the lead auditor, but really any set of trained eyes are helpful. Any rework that is necessary should be performed by the auditor who originally wrote the nonconformity. Recognize also that sometimes the answer is not reworking the nonconformity, it’s ripping it up. These are the conditions that usually result in a nonconformity being removed and not being provided as part of the final report:

  • Requirement does not actually exist
  • Requirement exists, but it’s outside the scope of the audit
  • Evidence is not traceable and it’s too late in the audit to gather the details
  • Evidence relies on hearsay, rumors, or second/third hand information
  • Auditee has presented evidence (after the original interview) that shows the requirement was met

This is a good time to address findings that fall outside the scope of the audit. They could be in a department/process that is not officially being audited, or they could be against a standard that is not being used in the present audit. For instance, we see something happening in the warehouse that constitutes a nonconformity, but the warehouse is not part of the audit. Or the auditors observe a safety violation, but the audit is against ISO 9001 and safety is not included. In these cases it is usually of verbally reporting the finding to your contact within the auditee organization. Verbally report it, mention that it is officially outside the scope, and ask him/her if they would like you to include it in the report. If they say “no,” then you don’t include it. The scope of the audit is almost a contract, and you don’t intentionally audit outside the scope or report findings that are outside the scope. It’s perfectly fine to make a note of the issue and follow up the next time there is an audit that includes that topic.

About the author

Craig Cochran is the North Metro Regional Manager with Georgia Tech’s Economic Development Institute. He has assisted more than 5,000 companies since 1999 in QMS implementation, problem solving, auditing, and performance improvement. Cochran is a Certified Quality Manager, Certified Quality Engineer, and Certified Quality Auditor through the American Society for Quality. He is certified as a QMS Lead Auditor through Exemplar Global.

He is the author of numerous books, including ISO 9001:2015 in Plain Englishpublished by Paton Professional. His latest book, Internal Auditing in Plain Englishfrom which this article was excerpted, was released in late 2016.

2 Responses

  1. David Page
    David Page at |

    Hi Craig
    Thank you for a very well written article and explanation.
    Unfortunately some auditors hand-out NCRs like lollies and leave the client very confused.
    I have previously read your ISO 9001:2015 ABC book and found that to be really useful in explaining the basics. It’s what people want.
    I have recommended it to several people here in Australia and likewise they have found it to be very helpful.
    Any plans for an ABC book for 14001 and 45001?
    Regards
    David Page

    Reply
  2. Chris Shepherd
    Chris Shepherd at |

    This guidance is fine when there are hard and fast requirements like those listed above as examples. How does one write a nonconformance on the more subjective management requirements in the latest version of ISO 9001, such as those listed in section 5 of the standard, and how does the auditee respond? I can easily see addressing the relative effectiveness or maturity of the processes, but this is a different thought process.
    Thanks.

    Reply

Leave a Reply