8.4 Audit Conclusions, the Closing Meeting, the Audit Report & Follow-Up
Key Takeaways
- ISO 19011:2018 clause 6.4.9 requires the audit team to agree audit conclusions before the closing meeting, considering the extent of conformity, effective implementation of the management system, and achievement of audit objectives.
- The closing meeting (clause 6.4.10) presents findings, confirms nonconformity grading, and agrees timeframes for the auditee's response — it should surface no findings the auditee hasn't already seen evidence for during the audit.
- A complete audit report (clause 6.5) documents the scope, criteria, audit team, dates, findings (including grading), the audit conclusion, and its distribution list.
- Closing a nonconformity during audit follow-up (clause 6.7) requires objective evidence that the corrective action was both implemented and effective — not just a completed action plan.
Drawing the Audit Conclusion
Before anyone leaves the site, the audit team must agree the audit conclusion. ISO 19011:2018 clause 6.4.9 ("Determining audit conclusions") has the team confer prior to the closing meeting to review the findings against the audit objectives and agree conclusions that consider:
- The extent of conformity with the audit criteria, and the robustness of the management system;
- Effective implementation, maintenance, and improvement of the management system;
- Whether the audit programme's and audit plan's objectives were achieved and the scope was covered;
- Any similar findings identified in different areas that, taken together, may represent a systemic issue (this is where Section 8.2's grading-escalation logic gets applied at the whole-audit level, not just clause by clause).
For a third-party certification audit, the conclusion feeds directly into the team's recommendation to the certification body: recommend certification or continued certification, recommend it be withheld or suspended pending closure of a major nonconformity, or (for a recertification audit) recommend the certificate be renewed. The auditor recommends; the certification decision itself is made by the certification body, typically through a separate decision-maker who was not part of the audit team — this separation protects the impartiality principle from Section 6.1.
The Closing Meeting
ISO 19011:2018 clause 6.4.10 covers the closing meeting, where the audit team formally presents its findings and conclusions to the auditee's management. Good practice:
- No surprises. Every nonconformity presented at the closing meeting should already be evidence the auditee has seen and had a chance to comment on during the audit — the closing meeting confirms and documents findings, it does not introduce new ones the auditee never had a chance to respond to.
- Present clearly and in order. Walk through conformity, nonconformities (with their grading), and any opportunities for improvement, using the same three-part structure from Section 8.3 so nothing is ambiguous.
- Agree, don't negotiate the facts. The auditee can question the accuracy of the evidence or the applicability of the requirement, and if they're right, the team corrects the record before the meeting closes — but the grading itself, once the facts are settled, follows the objective criteria from Section 8.2, not a negotiation.
- Confirm timeframes. The auditee's initial response — a root-cause analysis and corrective-action plan — is normally due within an agreed window; the meeting should confirm what's expected and by when.
- Explain the recommendation and next steps, including the right to appeal a finding through the certification body's process, and thank the participants for their time and access.
The Audit Report
ISO 19011:2018 clause 6.5 covers preparing and distributing the audit report — the audit's permanent record, which must be complete enough to stand alone. A well-formed report includes:
| Report element | What it contains |
|---|---|
| Scope & criteria | What was audited (sites, processes, departments) and against which requirements (ISO 9001:2015, plus any client-specific documents) |
| Audit team & dates | Who conducted the audit, in what roles, and the dates on site |
| Findings | Every conformity, nonconformity (with grade), and opportunity for improvement, each written per the three-part model where applicable |
| Audit conclusion | The team's overall conclusion and, for certification audits, the recommendation |
| Distribution | Who receives the report — client management, the certification body's file, and any confidentiality controls on circulation |
The report is a controlled document in its own right: it should carry a unique reference, a version and date, and be distributed only to the parties agreed at the audit plan stage, respecting the confidentiality principle from Section 6.1.
Follow-Up: Correction, Corrective Action & Verifying Effectiveness
Two different things are commonly confused after the closing meeting:
- Correction — fixing the immediate symptom (re-calibrating the overdue micrometer, replacing the obsolete work instruction on the wall).
- Corrective action — addressing the root cause so the nonconformity doesn't recur (per ISO 9001:2015 clause 10.2: reacting to the nonconformity, evaluating the need for action to eliminate the cause, implementing the action, and reviewing its effectiveness).
Audit follow-up (ISO 19011:2018 clause 6.7) is not finished when the auditee submits a plan. Closing a nonconformity — whether at a scheduled follow-up visit, a desktop document review, or the next surveillance audit — requires objective evidence of two things: that the planned action was actually implemented, and that it was effective (the root cause is genuinely addressed, not just the one instance corrected). A corrective-action plan that has been carried out but never checked for effectiveness is not grounds to close the nonconformity; the auditor should look for evidence — a repeat sample, an updated record set, a subsequent internal audit result — that the same failure has not recurred before recommending closure.
During the closing meeting, the audit team presents a nonconformity that references evidence the client's Quality Manager says was never shown to them during the on-site audit. What does this indicate went wrong?
A certification body receives a corrective-action plan for a minor nonconformity: the auditee re-trained the affected employee and updated the work instruction. At the next surveillance audit, the auditor should close the nonconformity only after confirming which of the following?