Audit Response Guide

Corrective Action for Audit Findings: A Working Guide

Audit findings — from internal audit, registrar surveillance, or customer audits — require a structured corrective action response. The structure is the same as for a production nonconformance, but the timelines, the audience, and the evidence expectations differ. This guide covers all three audit types.

Audit findings are corrective action triggers, the same as customer complaints and internal NCRs. They go into the same CAPA system, follow the same 8-step process, and require the same evidence. The difference is who reads the response and how strictly the dates are enforced.

Three audit sources

  • Internal audit — performed by your own auditors against your own procedures and the applicable standard. Findings stay inside the QMS.
  • Registrar (third-party) audit — your certification body for ISO 9001, IATF 16949, AS9100, ISO 13485. Findings are tracked in their portal, must be closed within their stated window, and closing them on time is a condition of keeping the certificate.
  • Customer (second-party) audit — an OEM, prime, or major customer auditing you as a supplier. Findings often follow the customer's specific corrective action format and feed their supplier scorecard.

Anatomy of an audit finding

A useful finding contains three things: the requirement, the objective evidence of nonconformance, and the classification.

  • Requirement — the clause or specification that was not met (e.g. "ISO 9001 clause 7.1.5.2 requires calibration of measuring equipment").
  • Evidence — what the auditor observed (e.g. "CMM serial 4521 last calibration 2025-11-20, in active production use 2026-03-05, calibration interval per CAL-007 is 90 days").
  • Classification — major nonconformance, minor nonconformance, or observation.

If any of the three is missing, ask for clarification before responding. Responding to a vague finding produces a vague corrective action that rarely closes on first submission.

Correction vs corrective action

Auditors expect both. Correction fixes the immediate observation — the missing record is created, the expired calibration is performed, the wrong-revision document is replaced. Corrective action removes the cause so the finding cannot recur — the calibration scheduler is automated, the document change-control workflow is fixed, the training gap is closed with a system change.

Submitting only the correction is the most common reason audit responses get rejected. The auditor's exact question on re-audit is "what stops this from happening again on a different gage, document, or process?" — and that is the corrective action answer.

Internal audit response

Internal findings are the easiest case but the most commonly skipped. The response goes into the CAPA system the same as a production NCR. Typical timelines: correction within 14 days, root cause and plan within 30 days, effectiveness check at the next quarterly audit cycle. Use the same template as production CAPAs so the records are comparable.

Internal findings are also the best source of preventive action. A weak control found by internal audit, treated quickly, prevents a finding at the next registrar visit.

Registrar audit response

Registrars typically require: correction and containment within 30 days, root cause and corrective action plan within 60 days, and evidence of implementation before the next surveillance audit. Major nonconformances may require a special visit and have certification implications if not closed on time.

The registrar's auditor reads your response, then verifies it at the next visit by sampling the evidence. The response must therefore be specific enough to verify. "Procedure updated" is useless; "Procedure QP-12 revised to Rev D, dated 2026-04-15, training completed for 18 operators on the matrix" is verifiable.

Customer audit response

Customer audits — automotive OEM supplier audits, aerospace prime audits, medical device customer audits — are usually the tightest. Major OEMs require 8D-format responses with the same timing as a production complaint: 24 hours for containment, 14 days for root cause, 30 days for the plan, 60-90 days for effectiveness. The response also feeds your supplier scorecard.

Customer audit findings often trigger a parallel SCAR in the customer's system. The same evidence supports both.

Evidence package

  • Revised procedure or work instruction at new rev level with effective date.
  • Updated PFMEA and control plan pages where applicable.
  • Training records for the affected personnel.
  • Before/after evidence for any physical change (photos, system screenshots).
  • SPC, audit, or trending data for the effectiveness window.
  • Read-across record showing similar processes were reviewed.

FAQ

How long do I have to respond to a registrar audit finding?

Most registrars require correction and containment within 30 days, root cause and the corrective action plan within 60 days, and evidence of implementation before the next surveillance. Customer audits and major nonconformances often run on tighter clocks.

What is the difference between correction and corrective action?

Correction fixes the immediate observation. Corrective action removes the cause so the finding cannot recur. Auditors expect both, and submitting only the correction is the most common reason responses get rejected.

Can one corrective action close multiple audit findings?

Yes, when the findings share a common root cause (often process or system-wide weaknesses). Cross-reference every finding to the single CAPA record in both directions so the auditor can trace it.

What if I disagree with a finding?

Most registrars and customers allow a formal challenge before the finding is logged. Use it when the requirement was misquoted or the evidence was misread. Once the finding is accepted, challenging on principle is rarely useful — the time goes into producing a strong response.

Download the Corrective Action Plan Template

Use the same template for audit-finding responses as for production nonconformances.
