Audit Findings: Major, Minor and Observations Explained
What audit findings mean, from a major nonconformity to an opportunity for improvement, and how to respond with correction, root cause and effectiveness.
In short
Audit findings are graded by severity: a major nonconformity signals a systemic failure or serious risk, a minor is an isolated gap, and an observation is an early warning with no nonconformity yet. Respond in three steps: immediate correction, root cause analysis, and a corrective action that removes the cause and is then verified for effectiveness.
An audit report lists findings, and for many people the word "nonconformity" alone sounds threatening. Yet findings are the most valuable outcome of an audit: they show exactly where you need to act. What matters is understanding the severity levels and responding to them correctly.
The severity levels of a finding
- Major nonconformity: a systemic failure or a serious risk. A requirement is not met, or the system is at risk of failing.
- Minor nonconformity: an isolated case or a small gap that does not fundamentally call the overall system into question.
- Observation: not yet a nonconformity, but an early warning signal worth keeping an eye on.
- Opportunity for improvement: a suggestion for doing things even better, with no obligation attached.
The difference between a major and a minor nonconformity is not arbitrary. It comes down to two questions: is the gap systemic, and how much risk does it carry? A single access review that was missed once is judged differently from an access review process that simply does not exist, even though both show up as "no evidence of review".
The right response in three steps
- Correction (immediate): fix the specific problem right away.
- Root cause analysis: understand why it happened, not just the symptom.
- Corrective action (CAPA): eliminate the cause so the problem does not recur, then verify that the action was effective. Effectiveness can only be judged once enough time has passed for the problem to have had a chance to recur, so plan the check, not just the action.
If you only fix the symptom, you will see the same nonconformity again at the next audit. Root cause analysis is the real lever.
What does this mean for certification?
A major nonconformity must, as a rule, be demonstrably closed before the certificate can be issued. For minor nonconformities, an accepted action plan is usually sufficient, with its implementation reviewed at the next surveillance audit. A clean, honest root cause analysis counts for more than a quick cosmetic fix.
The right mindset
Mature organizations welcome findings. They are free, expert pointers to real weaknesses, identified in the protected setting of an audit rather than in an actual incident. Once you internalize that, the audit becomes a tool for improvement instead of a source of exam-style anxiety.
Frequently asked questions
Is a minor nonconformity a serious problem?
No. It indicates a limited gap. An action plan is usually enough, with its implementation reviewed at the next surveillance audit.
What is the difference between a correction and a corrective action?
A correction fixes the immediate problem, for example restoring the missing record. A corrective action removes the underlying cause, for example the missing control over who creates the record and when, so that the issue does not occur again.
Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & ISO/IEC 27001 Lead Auditor (PECB)
Last updated: 26 May 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.