Most audit findings don't stay open because of bad quality management. They stay open because organizations write corrective actions that fix the paperwork without fixing the problem — and auditors, even patient ones, eventually notice the difference.
Here is something I've noticed across more than 200 client engagements: organizations almost always know what went wrong. The harder question — the one that determines whether an auditor accepts your corrective action or sends it back — is why it went wrong, and what you actually changed so it can't happen the same way again.
This article breaks down what makes a corrective action effective, what causes them to fail verification, and how to write responses that close findings the first time.
What ISO 9001:2015 Clause 10.2 Actually Requires
ISO 9001:2015 clause 10.2 is the governing requirement for corrective action, and it is more specific than most people give it credit for. The standard doesn't just ask you to fix things. It asks you to react to the nonconformity, evaluate the need to eliminate its root cause so it won't recur, implement the corrective action, review its effectiveness, and update the QMS if necessary.
That last piece is the one organizations skip most often. A corrective action that doesn't result in any change to the system — a procedure, a training record, a form, a control point — is very rarely effective. If nothing changed, nothing changed.
An effective corrective action under ISO 9001:2015 clause 10.2 requires three distinct elements: eliminating the immediate nonconformity, identifying and addressing its root cause, and verifying through documented evidence that the action prevented recurrence.
The Three Layers of Every Corrective Action
There are three layers to every corrective action response, and conflating them is the single most common mistake I see.
Layer 1: The Correction (Immediate Containment)
The correction is what you do right now to stop the bleeding. You pull the suspect product. You re-inspect the lot. You pause the process. It is a reactive, immediate step — and it is necessary — but it is not a corrective action. It addresses the output of the problem, not the problem itself.
Organizations that submit their correction as their corrective action are submitting a first draft and calling it a final answer.
Layer 2: The Root Cause Analysis
This is where most corrective actions break down. Root cause analysis is not a formality — it is the mechanism that separates a corrective action that closes a finding from one that prevents the problem from returning.
The most common root cause entries I see in corrective action forms are also the least useful ones: "human error," "employee oversight," "procedure not followed." These describe the event. They do not explain it. If you write "human error," the auditor's next question is: why did the human err? What in the system made that error possible, or likely, or even predictable?
The 5-Why method is the most practical tool for the depth an ISO 9001 corrective action requires. You don't need a complex fishbone diagram for every finding. You do need to push past the first obvious answer at least twice. Most real root causes sit at the third or fourth "why" — a gap in onboarding, a procedure that was revised without accompanying training, a verification step that exists on paper but wasn't built into the daily workflow.
"Human error" is never a root cause — it is a description of what happened, not an explanation of why the system permitted it. Auditors trained in corrective action review will send that response back.
Layer 3: The Corrective Action (Systemic Fix)
The corrective action addresses the root cause, not the symptom. It changes something about the system: a procedure is updated, a training requirement is formalized, a supplier qualification step is tightened, a verification checkpoint is added to a form.
If the corrective action doesn't change anything, it isn't one.
Weak vs. Strong: What the Difference Looks Like
The table below shows the same finding addressed poorly and effectively. The finding: operators in the production area were not following the documented equipment cleaning procedure.
| Element | Weak (Gets Rejected) | Strong (Gets Accepted) |
|---|---|---|
| Problem statement | "Procedure not followed by operators" | "4 of 6 sampled equipment cleaning logs for Line 3 were missing Supervisor sign-off required in SOP-012 Step 7, covering records from March 1–15, 2026" |
| Root cause | "Human error / employee oversight" | "SOP-012 was revised in February 2026. The Supervisor sign-off requirement added in Step 7 was not included in the retraining announcement. Line 3 supervisors were not aware the requirement applied to their shift." |
| Correction | "Employees retrained on the procedure" | "All 6 affected Line 3 supervisors completed makeup training on SOP-012 Step 7 on [date]; training records on file in the QMS" |
| Corrective action | "Will ensure procedures are followed" | "Change control process updated (Form SOP-CN-01, effective [date]) to require supervisor sign-off acknowledgment before any revised SOP reaches the floor" |
| Effectiveness check | "Will monitor going forward" | "20 cleaning logs audited at 30 and 60 days post-implementation; 20/20 compliance. Supervisor sign-off added to monthly internal audit checklist." |
The right column closes the finding. The left column generates a repeat observation at the next audit.
How to Write the Narrative
The written response matters — not just the content, but the structure. Auditors read a lot of corrective actions, and a response that is easy to follow reduces friction and increases confidence. Here is the sequence I recommend:
1. Describe what happened — specifically. State the finding with precision: which procedure, which process, which product line, which date range, how many records were affected. Don't just paraphrase the auditor's observation back to them — add granularity to it.
2. Explain your root cause analysis. Describe how you determined the root cause and what it is. If you used 5-Why, you don't need to include every step in the narrative, but show your reasoning. The auditor needs to believe you identified the real cause, not the convenient one.
3. Describe what you already fixed (past tense). The correction is complete by the time you submit the response. Use past tense, include dates, reference records.
4. Describe what you changed in the system. Be specific: which document changed, what process was revised, who owns the new control, and what the effective date is.
5. Describe how you will verify effectiveness. Name the method, the sample size, and the timeframe. "We will monitor" is not a plan. "We will audit 15 records at 30 and 60 days post-implementation and report results to management review" is a plan.
Evidence: The Corrective Action's Proof of Life
A corrective action response without supporting evidence is a promise. Auditors close findings based on evidence of systemic change, not on the quality of the written plan — which is why so many well-written corrective actions still fail at verification.
The evidence package for a typical corrective action includes:
- Updated procedures, forms, or work instructions (with revision history and effective dates)
- Training records showing affected personnel completed retraining
- The root cause analysis documentation — even a simple 5-Why worksheet
- Completed effectiveness checks with actual results: audit records, inspection data, compliance metrics
Organize your evidence to follow the structure of your narrative. If your response has five sections, your evidence should flow in the same order. Don't make the auditor hunt for the proof — that creates doubt about whether the proof exists.
Common Reasons Corrective Actions Get Rejected
After years of both preparing corrective actions and auditing them, I've seen the same failure patterns appear over and over.
The root cause doesn't explain the finding. If calibration records are missing and your root cause is "the technician forgot," you haven't explained how the technician could forget when the procedure requires sign-off at each step. The root cause needs to account for why the system allowed the failure — not just that a person failed.
The corrective action doesn't address the root cause. If the root cause is a gap in your onboarding training and the corrective action is "supervisors will remind employees of the requirement," you've addressed a symptom. The training gap still exists.
Timeframe is unrealistic. You wrote a 12-month effectiveness check for a finding that an external auditor will follow up on in 90 days. Plan your effectiveness verification to land before the next audit window, or document interim evidence clearly.
No evidence of effectiveness. Effectiveness verification is not optional under clause 10.2 — it is a requirement, and it needs documented results, not a statement of intent.
Vague language. "Improvements will be made" and "procedures will be strengthened" are not corrective actions. Every action statement should name who, what, by when, and how it will be measured.
A Note on Timing
Most registrars allow 30 to 90 days to respond to audit findings, depending on severity. In my experience, organizations spend the first two weeks in post-audit triage, then rush the corrective action in the final week. That rush produces vague root causes and aspirational corrective actions without evidence to back them up.
The better approach: start the 5-Why analysis the week after the audit closes, while context is still fresh. Have a working draft of the response — including a realistic effectiveness verification plan — within two weeks. That leaves time to gather evidence and make the actual system changes before submitting.
Organizations with mature corrective action processes — ones that document root cause analysis, verify effectiveness, and close findings on the first submission at least 85% of the time — report 40 to 60 percent fewer repeat findings over three-year certification periods. That's not a coincidence. It's what happens when corrective action is treated as a quality tool rather than an administrative burden.
Repeat Findings: What They Signal
A repeat finding is a corrective action that appeared closed but wasn't. The problem came back because the root cause was never truly addressed — or was addressed at the symptom level without touching the underlying system.
Repeat findings attract elevated scrutiny from your registrar. In regulated industries like medical devices or pharmaceuticals, FDA Warning Letters frequently cite inadequate corrective action processes as a primary observation — which means regulators view an ineffective corrective action not just as a quality failure but as a compliance failure. That's a different category of risk entirely.
If your organization has seen the same finding in two consecutive audits, that is a signal worth taking to the management review level, not just the quality manager. Learn how an effective internal audit program catches these patterns before external auditors do — because the findings that sting most on surveillance audits are almost always ones you had the information to catch internally.
Repeat audit findings are the most reliable indicator that a corrective action addressed the symptom rather than the cause — and each recurrence compounds the registrar's scrutiny of the organization's overall QMS effectiveness.
The Mindset Shift That Makes the Difference
There is a version of corrective action management that treats the response as paperwork — something you write to satisfy the auditor and move on. And there is a version that treats it as a diagnostic tool: a way to understand what the system actually does versus what it's designed to do.
The second version takes more time in the short run. It also produces quality systems that actually work, which is the whole point of ISO 9001.
Across more than eight years and 200+ clients at Certify Consulting, the organizations that maintain a 100% first-time audit pass rate aren't the ones with the most elaborate procedures. They are the ones that take findings seriously, do the root cause work honestly, and verify that what they changed actually had the effect they expected. That's not a documentation discipline — it's a quality discipline. Understand how ISO 9001 clause 10.2 fits into your broader nonconformance management system and you'll see why the corrective action process is one of the highest-leverage tools in the standard.
Last updated: 2026-06-12
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.