Chapter 27: Audit Findings to Corrective Action: The Handoff That Most Plants Break

This is where most internal audit programs collapse. The audit is done, the report is filed, and then... nothing happens with urgency. Findings sit in a queue. Auditees assign generic corrective actions. Root causes are written as descriptions of what was observed, not reasons why it happened.

An audit finding that drives real corrective action starts with a clear observation and a specific reference to what should have happened. Not: "Inspection records were not complete." Better: "The inspection records for production lot #4521 on 2026-02-15 do not show documented dimensional checks of hole depth, which is specified in procedure QC-03 and required by customer drawing ABC-789." The difference is specificity.

The auditor has documented exactly what's missing, which lot it affects, and which requirement it violates.

The auditee (or management) then assigns a root cause investigation, which is different from an audit finding. The finding is what the auditor observed. The root cause investigation answers why. Did the operator not know the inspection was required? Was the gauge broken and nobody reported it? Was the procedure unclear? Was the training incomplete? Until you answer the "why," you're not fixing the system—you're just implementing a workaround.

Tracking your audit findings and corrective actions should be part of your management review KPIs. You need to know:

• How many nonconformances were raised in the past year, and how many have closed?
• What's the average time to closure?
• How many corrective actions are overdue?
• Are findings clustering around certain processes (a signal of repeated risk)?

A plant that audits quarterly but doesn't close corrective actions before the next audit is auditing in circles. You'll audit the same process again and find the same gap, now labeled a repeat finding. Certification auditors take repeat findings seriously—they suggest a system that isn't learning from its own audits.

To strengthen this handoff, assign corrective action ownership at the audit closeout meeting. The auditee or their manager, not the auditor, owns the corrective action. The auditor's job is to verify that the action actually fixes the gap. This separation of responsibility prevents auditors from becoming process owners (which destroys their independence) while ensuring that the person accountable for the process is the person accountable for fixing it.

Your internal audit program is your early warning system. When it's designed for real discovery—not compliance theater—it catches problems while you still have time to fix them. The next chapter moves into how to actually investigate those problems and design corrective actions that stick.

Nonconformance and Corrective Action: Building a System That Eliminates Defects Instead of Just Recording Them

You've got a customer complaint about a batch of fasteners that arrived with surface finish below spec. Your quality team investigates, finds the plating temperature was off, documents it as "Operator didn't monitor temperature gauge," retrains the operator, and closes the NCR. Six weeks later, a different batch fails the same check. The operator was retrained. The plating tank was never inspected. The temperature probe was never calibrated. What went wrong?

This is the gap between nonconformance control and corrective action. And it's where most ISO 9001 QMS implementations leak value.

ISO 9001 Clause 8.7 requires you to control nonconforming outputs—the defects themselves. Clause 10.2 requires you to take corrective action to prevent recurrence. They're not the same thing. One stops the bleeding. The other stops the bleeding *and* heals the wound. If your NCR process treats them as interchangeable, you're documenting compliance without eliminating defects. Your auditors will tick the box. Your costs won't.

This chapter walks you through building a nonconformance and corrective action system that actually works on a Canadian shop floor—one that catches root causes instead of symptoms, and proves the fix stuck before you call it closed.