8.1 Generating Audit Findings & Evaluating Evidence Against Criteria
Key Takeaways
- ISO 19011:2018 (clause 3.6) defines an audit finding as the result of evaluating collected audit evidence against audit criteria.
- Every audit finding falls into one of three categories: conformity, nonconformity, or opportunity for improvement (OFI).
- Objective evidence must be verifiable — auditors record specific document numbers, dates, sample sizes, and roles, never vague impressions.
- ISO 19011:2018 clause 6.4.8 instructs auditors to record opportunities for improvement without prescribing the specific solution the auditee must adopt.
From Evidence to Finding
Everything an auditor does before the closing meeting — reviewing documents, interviewing staff, observing the shop floor — exists to produce audit findings. ISO 19011:2018 (clause 3.6) defines an audit finding as "results of the evaluation of the collected audit evidence against audit criteria." Two inputs are compared:
- Audit criteria — the set of requirements used as a reference: the applicable ISO 9001:2015 clauses, plus any of the organization's own documented procedures, work instructions, contracts, or statutory/regulatory requirements that the audit scope pulls in.
- Audit evidence — records, statements of fact, or other information that is relevant to the audit criteria and verifiable (ISO 19011:2018, clause 3.5). Evidence can be documented (a record, a procedure, a calibration certificate) or it can come from observation and interview.
An auditor who has only evidence, or only criteria, has nothing yet. The finding only exists at the point evidence is measured against a specific requirement.
Three Kinds of Finding
Every audit finding lands in one of three buckets:
| Finding type | What it means | What happens next |
|---|---|---|
| Conformity | The evidence shows the requirement is met | Recorded; may support the audit conclusion, no action required |
| Nonconformity (NC) | The evidence shows a requirement is not met | Graded major or minor (Section 8.2), written up (Section 8.3), and tracked to closure |
| Opportunity for improvement (OFI) | The organization already meets the requirement, but the auditor observes a place it could do better | Recorded as an observation; not linked to a failed requirement and never carries a mandatory corrective action |
The OFI category is easy to misuse. ISO 19011:2018 clause 6.4.8 is explicit that when opportunities for improvement are recorded, the audit team should not recommend specific solutions — that crosses from auditing into consulting, and on a certification-body audit it can compromise the auditor's independence under ISO/IEC 17021-1. An auditor can note that a process would benefit from real-time defect trending; an auditor should not tell the client which software to buy.
Matching Evidence to the Right Requirement
The most common grading dispute at a closing meeting is not "did this happen" — it's "which clause does this actually breach." Before writing anything, the auditor should be able to point to the exact clause or documented requirement the evidence fails, not a general area of the standard. "Something's wrong with document control" is not a finding; "the work instruction retrieved from the Line 2 workstation was Revision 3, but the master list in the document register shows Revision 5 as current" points straight at ISO 9001:2015 clause 7.5.3.1 a) — the requirement that documented information be available and suitable for use, where and when it is needed.
This discipline matters because the same logic behind clause 8.5.2's traceability requirement for products applies to findings too: a reviewer months later, or a client challenging the finding, must be able to walk from the NC statement back to the specific record, interview, or observation that generated it.
Recording Objective Evidence in Real Time
Objective evidence is only useful if it is captured the moment it is found, in language a second person (the audit team leader, the client, an accreditation-body assessor reviewing the certification body) can independently verify. Good practice:
- Cite the exact source. Document title and reference number, revision, date; or the name of the record examined (e.g., "Nonconformance Log NCR-2026-014"); or, for an interview, the role of the person and the date/time.
- Quantify, don't estimate. "3 of 10 sampled maintenance records for CNC Machine 4 had no evidence of the scheduled quarterly service" is verifiable. "Maintenance records were often incomplete" is not.
- Separate fact from interpretation. Record what was observed, not why the auditor thinks it happened. Root-cause analysis is the auditee's job during corrective action, not the auditor's job while collecting evidence.
- Verify before moving on. Cross-check a single document against a second source (a related record, a second interview, a physical observation) before treating a discrepancy as reliable evidence. A single unconfirmed comment from one employee is a lead to follow up, not evidence to write down as fact.
- Consolidate as a team. On multi-auditor audits, findings are debriefed and cross-checked at the end of each day so grading stays consistent and no potential finding is lost or duplicated before the closing meeting.
Evidence gathered this way flows directly into grading (Section 8.2) and into the three-part nonconformity statement (Section 8.3) without having to be reconstructed from memory.
During a stage 2 audit, an auditor reviews 10 calibration records for measuring equipment on Line 2 and finds that 3 records show no evidence of calibration within the required interval. The other 7 are compliant. Which finding type does this represent?