What Happens if I Fail an ISO Audit?

ISO audits are hard enough without thinking about the possibility of failure. However, if you fail an ISO audit, all is not lost. Here is Compleye’s guide to what happens after an audit failure, and how your organisation can get straight As at your next audit.

Introduction

ISO has about 25,000 standards and, in 2022, awarded 2,407,109 certifications across the 16 standards covered by that year’s ISO Survey. That’s an awful lot of audits.  

ISO doesn’t release data on how many organisations fail its audits. But, given the sheer number of audits conducted every year, if you fail an audit, you can take comfort in the fact that you’re not alone.

Failing an ISO audit is challenging, but it doesn’t mean it’s the end of your organisation’s compliance journey. It just means it’s going to take a little longer to reach your destination.  

In this Compleye guide, we’ll dive into what happens after an audit failure, and how you can get back on the road to success. Remember, we’re always here if you want to discuss your audit report and make sure things go better next time.  

Why Organisations Might Fail an ISO Audit

At its most basic, an ISO audit failure means your organisation does not comply with the requirements set out in an ISO standard.

However, things get a little more complex when you consider that one badly structured document will rarely tip the scales toward failure. Generally, for your organisation to fail an ISO audit, there will have to be:

Major Non-conformances – These are serious deviations from the ISO standard that can compromise the overall effectiveness of your systems. As fundamental issues, they will need to be addressed before certification can be granted. Here are some examples of ISO 27001 non-conformances.

Cumulative Effect – While one minor non-conformance is unlikely to lead to failure on its own, auditors will consider the cumulative effect of several minor non-conformances and their potential impact on your organisation’s ability to meet the standard’s requirements.

Systematic Issues – A lack of control or consistency that affects multiple areas of your organisation or management system may cause an audit failure, because such issues suggest that your organisation’s overall approach to compliance is not up to scratch.

Failure to Address Previous Findings – If a previous audit found multiple minor or major non-conformances, you must provide proof that you have attempted to address them, and show the process you took to do so. If you cannot demonstrate a commitment to continuous review, be prepared to fail.

After You Fail an ISO Audit

If you don’t have your ISO certification…

If you do not yet hold your ISO certification, and this is your first attempt, the external audit comprises two phases:

Phase 1: During this stage, the auditor examines whether you have addressed all mandatory aspects of the ISO 27001 requirements. This can be likened to a ‘theoretical driving licence exam’. If crucial topics or items are found to be missing, you have a limited time (3-6 weeks) to make the necessary repairs. The auditor will then conduct a re-audit, incurring additional costs, before proceeding to phase 2. Once phase 1 is approved, phase 2 commences. Typically, there is a six-week gap between the two phases in the planning stage, allowing for potential repair time.

Phase 2: The auditor, through sampling, verifies that everything you have documented has actually been implemented.

If you have your ISO certification…

Depending on the severity and impact of non-conformances within your organisation, you may lose your certification. But this is comfortingly rare, since auditors cannot take away your certification themselves – this decision is made by a committee within the certifying body. Usually, your auditors will simply set a deadline for the implementation of corrective measures and a date for your next audit.

If you must have an ISO certification…

Your organisation may operate within a regulated industry that requires you to hold an ISO certification. In this case, failure can have tangible consequences. You’ll need to be prepared for the additional costs that result from service/product delays, and for reputational damage that can affect your clients’ and suppliers’ decisions as well as employee morale.

 

Review the Audit Report

Whether you pass or fail an ISO audit, your auditor will provide you with an audit report. This is your best friend when it comes to review and improvement, so make sure to read it thoroughly and discuss it with key individuals.

In particular, you should check the audit report for:

Major/Minor Non-conformances and Opportunities for Improvement

These will be the main things you’ll need to focus on moving forward. According to UKConsulting, the most common areas where non-conformances cropped up across ISO standards in 2023 were:

  • Compliance
  • Processes
  • Suppliers
  • Competence
  • Incidents and Corrective Action

Your ISO audit report should go into more detail about your organisation’s non-conformances. Make sure to log these issues and conduct further reviews into their causes and effects, whether employees are aware of how to raise issues, and what corrective measures you’ll take.

 

Document Review

Documentation is an important aspect of ISO compliance. But, in comparison to the implementation of tangible processes and controls, many organisations treat it as an afterthought. The audit report’s documentation review will highlight if and where your documents are falling short.

Changes in ISO Standards

It’s worth busting out the full standard after your audit to ensure you are working from the most recent version. For example, as we outline in this handy article, ISO 27001 was updated in 2022 for the first time in almost 10 years. Your organisation will have 3 years to adapt to changes to the framework, so factor these into your workload.

Timeline for Corrective Actions

Your audit report might specify deadlines for implementing changes. This will help you assess the importance of the necessary tasks, allocate resources, and establish internal deadlines in these specific areas.

In the case of non-conformities, you will be required to submit a CAPA (Corrective and Preventive Action) report to the auditor. The auditor will provide a template for this, as every audit company has its own reporting approach. Critical or major non-conformities usually need to be rectified within 6-12 weeks, and the auditor will schedule an additional audit day for this purpose (incurring extra costs). Minor non-conformities, observations, or improvements will be reviewed during the next year’s audit.

Evidence of Compliance

It’s highly unlikely that you’ll be completely non-compliant. While opportunities for improvement are the most important areas to review and discuss, highlighting what you’ve done well provides positive reinforcement for management and employees.

Follow-up and Feedback Procedures

Most certifying bodies and auditors will provide their contact information so you can seek further clarification on any issues. Make sure you understand the processes for seeking information, and the extent of the clarification that your auditor can offer you.

 

Make Changes

After you’ve reviewed your audit report and identified the areas you’ll need to work on, it’s time to plan, test, and implement changes. You should:

  1. Develop an action plan, outlining specific tasks and responsibilities 
  2. Set realistic timelines for implementing corrective actions 
  3. Communicate the planned changes to key individuals/departments 
  4. Conduct thorough tests and identify further issues 
  5. Track the progress of implementation activities, adjusting strategies as needed 
  6. Keep detailed records of progress, revised procedures and modifications to management systems 
  7. Provide necessary training to employees involved in or affected by the changes 
  8. Gather insights and feedback from stakeholders for further improvement 
  9. Regularly review and seek opportunities for enhancement

Check out Compleye’s helpful guide to overcoming common ISO 27001 compliance challenges here.

Conduct an Internal Audit

A reliable way to increase your chances of passing an external audit is to conduct an internal audit. Take advantage of our free internal audit checklist and template here.

Internal audits are useful for many reasons, including:

  • Understanding the audit process
  • Identifying areas that need attention before the real deal
  • Meeting requirements for internal review
  • Ensuring consistent improvement

But conducting an internal audit is a complex process in itself. Not to mention, it may take up more time in its planning than you have to spend. This is where Compleye comes to the rescue. Click here to find out how we’ll conduct your internal audit for you!

During your yearly internal audit, you will need to address the non-conformities from last year’s external audit.

Appeal or Reapply

Finally, it’s time to do it all over again.

If your certification is voluntary, each auditor will conclude the external audit by scheduling a date for the following year. You will enter into a three-year contract with the external auditor (for ISO 27001, ISO 9001, etc.), and there is no flexibility in the scheduling of annual audits.

However, if you choose not to follow this route, you will need to reapply to your certifying body for another opportunity. This approach gives you flexibility in terms of the time available to make changes and refine your documentation and implementation activities.

That said, the longer you take between audits, the more resources you’ll use and the more money you’ll spend. To keep the time and cost of this process to a minimum, Compleye will have you compliant and ready for certification in 6 months.

Every auditor will open the external audit by mentioning that there is an appeal procedure in place for disagreements about decisions and for general complaints. The appeal process has its own advantages and disadvantages, and it might be quicker and less stressful to make the necessary changes and reapply instead.

Conclusion

Often, organisations look at ISO audits the wrong way. An audit is not simply a test in which you must demonstrate compliance, but an opportunity to show just how much work you’ve put into improving your business.

Dilawar Laghari, an ISO auditor, summed it up well when he said: “While ISO standards are fantastic benchmarks, there’s always room to push the envelope. Think of them as the foundations upon which you can build an even better, continually improving business.”

If you fail an ISO audit, while it doesn’t exactly feel good, it’s simply another chance to make your organisation even better. An audit failure adds a few more months (and, we won’t lie, a lot of money and resources) to the process, but it won’t stop your organisation from achieving certification.

So, it’s time to review and improve, and you’ll pass the next audit with flying colours.