Question: Recently, a new firm began auditing our organization, and I’m noticing differences in requirements compared with our previous auditor. At the closing of an annual surveillance audit for a three-year certificate, if a nonconformance is issued at the closing meeting:
• What is the expectation for response to the auditor for a minor nonconformance and a major nonconformance?
• How many days are expected for the initial response for each?
• How many times during the next 12 months should we expect the auditor to revisit the site to verify corrective action for each?
Deborah M.
Grand Rapids, MI

Answer: Clause 8.2 of ISO 9001:2008, internal audits, does not specify or prescribe any time limits. Clause 8.2.2 only requires the management for the responsible area—the process owner—to take corrective action without undue delay. With regard to audit follow-up visits, this depends strictly on the registrar or other auditing body. Some auditing bodies will follow up on closed corrective action reports during their next scheduled surveillance audit. This allows enough time for the organization to evaluate the effectiveness of the corrective action taken.
In most cases, the Auditee is required to complete the correction action report identifying the root cause and the corrective actions taken to prevent a recurrence. This information is assessed by the auditing body to confirm that a root cause was identified and that the action taken matches the root cause. This is normally done in the form of a desk review. Due to the costs involved and other logistics, it’s rare for any auditing body to want to come out to verify each corrective action taken. This is usually something for the internal audit staff to perform as part of its audit activities.
I hope this helps.
Bill
Bill Aston
Managing Director
Aston Technical Consulting Services
Kingwood, TX