What if Your ISO Auditor is Wrong?

Imagine completing your first ISO Certification audit. Your company received no major nonconformities, but the auditor identified a bunch of minor findings. You expect to receive a recommendation for certification, but instead the auditor says, “There were eight minor nonconformities, and therefore I cannot recommend certification.”

The auditor is explaining that they never recommend certification if there are more than seven minors in an audit. “What!?” you reply, “You never said anything about a maximum number of minor nonconformities. You said that we would be recommended for certification if we did not receive any major nonconformities.”

More than one company has heard something like this before—and the auditor was wrong. Auditors are human. The question is: What should you do when your auditor is wrong?

In this situation, there are three things you should know:

  1. Audit findings are not a jail sentence.
  2. There is an appeal process.
  3. You can and should push back.

Worst Case Scenario
You, and your boss, need to remember that the worst that can happen is that you receive a nonconformity. If the auditor finds a nonconformity, then you need to develop a CAPA plan. If the auditor finds nothing, one of the guides probably noticed a nonconformity that the auditor overlooked. Regardless of the number of findings, there is no pass or fail in audits. There is always something you need to improve.

If you do receive a dreaded major nonconformity, what happens? You write a CAPA plan. There are three practical differences between a minor and major finding. First, you now have to pay for a special audit to close or “knock-down” the finding from major to minor. The approximate cost of a one-day special audit is $2,000.

Second, you typically have a maximum of 90 days to implement corrections and begin implementing your corrective action or actions. Major findings require immediate correction and aggressive corrective actions. This probably means that you will be taking some work home with you next month, or putting other routine activities on hold.

Third, everyone’s perception is that major findings are a big deal. I think of them like a speeding ticket. If you received a major, you probably already knew you were not in compliance (“Yes officer, I was driving 65 mph in a 50 MPH zone.”). If you did not know, there are two possible reasons: #1, your internal audits are wimpy, or #2, you need training.

The Appeal Process
A client should never be surprised by the audit’s outcome. If they are, the auditor did not communicate findings clearly during the audit or did not communicate the process clearly during the opening meeting. Of the two, poor communication during the opening meeting is the more common.

ISO 19011:2011 is the official guidance document for auditors of Quality Management Systems. Section 6.4.2 of this standard explains the best practices for an opening meeting. The last five items in this section are critical to preparing the client for potential non-conformities:

  1. The method of reporting audit findings, including grading, if any
  2. The conditions under which the audit may be terminated
  3. Time and place of the closing meeting
  4. The way to deal with possible findings during the audit
  5. The system for feedback from the auditee on the findings or conclusions of the audit
  6. The process for complaints and appeals

The last two items are routinely skipped by auditors. If your auditor forgets any of these items, make sure you ask them to address these items at the end of the opening meeting. You should take notes, and you should ask for the contact information for feedback, complaints and appeals. You can smile and say that you want to know who to give positive feedback to, but the auditor knows that you can also complain to his boss.

When providing feedback to a certification auditor’s boss, you should know that there will be no negative repercussions against your company if you complain. In fact, well-phrased appeals often result in rewording, re-grading or removal of findings. Sometimes a Certification Body will retrain an auditor to ensure that future audits are consistent. The key to providing feedback, however, is to be objective. Give specific examples in your complaint, and avoid personal feelings and opinions. If you are appealing, be sure to reference specific objective evidence and cite the official interpretations in an ISO guidance document such as ISO 14969 (i.e., the guidance document for ISO 13485).

Pushing Back During the Audit
My first audit did not go so well. The reason the audit went poorly is that the auditor wrote nonconformities that my boss and our regulatory consultant did not agree with. At the time, I was too inexperienced to know how to handle it. My boss and the consultant, however, totally lost it. I have never seen veins that big in someone’s forehead—even in cartoons.

I asked them both to leave the room, because I was afraid to “push back” on the auditor. Many people feel the same way I did during that initial certification audit.

Recently, a LinkedIn group member emailed me to say that they have seen several auditors for registrars identifying nonconformities that represented their own personal opinions rather than specific requirements of the Standard. For example: there is a requirement to assign management responsibilities and document it, but there is no requirement to have an organization chart.

Another common mistake is to grade a date typo in a document header or footer as a nonconformity of document control. Can you show me an audit report without a typo?

My favorite example was a mistake I made. I wrote a nonconformity because a company did not have a process for implant registration cards. This company planned to ship high-risk implants to Canada. There is a requirement for implant registry cards, but I forgot that Canada defines “implants” in this case as only a very short list of implant devices—not implants in general.

I recommend that you “push back,” but you need to know how. Many consultants suggest saying, “Can you show me in the Standard where it says I have to do that?” That’s just like poking a bear. If you do it once, it’s annoying. If you do it multiple times, an auditor might just eat you.

One client did that to me after I took the time to review the requirement with him. I responded by holding the ISO 13485 Standard in front of him and reciting the clause. He responded by saying, “Well that’s up for interpretation.” I offered to recite the ISO 14969 guidance document, but someone kicked him under the table. This certainly wasn’t the only time a client pushed back, but most people have the sense to argue about things they actually understand.

One of the clients said that he changes the topic to the auditor’s favorite sports team. That’s one approach. I’m sure that more than one client has distracted me by asking me to explain where they can learn about best practices. They were probably somewhat successful, too.

Another approach is to slide the lunch menu in front of them; I only know one auditor who is not distracted by a lunch menu.
Here’s my step-by-step approach to pushing back when you disagree with an auditor:

  1. Shut-up and look it up—before you open your mouth, grab the applicable external standard and look up exactly what you are seeking.
  2. If you are still convinced that your auditor is wrong, then tell the auditor that you are having trouble finding the requirement. Show them where you are looking, and then ask them to help you find the requirement.
  3. If the auditor can’t show you where you are wrong, or it appears that the auditor is interpreting the Standard as they see fit, then focus on asking the auditor for guidance on what they will be looking for in your CAPA plan.
  4. If the CAPA plan the auditor is looking for is something that you think is a good idea, then shut up and implement the improvements. If the CAPA plan is not acceptable to you, then you should ask what the process is for resolution of disputes.
  5. No matter what, don’t start an argument. Auditors actually enjoy a good debate. They like a challenge, and they resent people with less experience criticizing them.
  6. If you still disagree with your auditor, then you should ask if the auditor can explain the process for appealing findings and follow that process.

It took me a few years to accept that every audit concludes with the need to write a CAPA. Once I relaxed and accepted this fact, I noticed that everyone around me relaxed, too—including the auditor. Auditors are tired, travel-worn and human. When you disagree with them, ask them to clarify what the issue is without being confrontational. Sometimes they just don’t understand the brilliance of doing something differently. If you still disagree, shut up and look it up.


For more on this topic, check out the discussion Mr. Packard started on LinkedIn. While you’re there, also become a member of ORTHOWORLD’s LinkedIn group.

Robert Packard of Packard Consulting is a regulatory consultant with 20 years of experience developing products and managing projects in the medical device, biotechnology, pharmaceutical industries. His experience includes research, product development, operations management, manufacturing engineering, equipment design, regulatory affairs, quality assurance and fund-raising. Mr. Packard's passion is training others. He may be reached by This email address is being protected from spambots. You need JavaScript enabled to view it. or on his blog Medical Device Academy.