Global Community

DETERMINATION OF MAJOR OR MINOR NONCONFORMITIES.

I worked for the ANSI National Accreditation Body (ANAB) on the Accreditation Council from 2000 to 2020 and served as Chair of the Council in the early 2000's.  I was also an Accreditation Auditor for ANAB from 2005 to 2008.

I worked as a Lead Auditor for DQS Certification Body (CB) which is the fifth largest CB in the world from 2013 - 2022.  At the end of that period, I led a 55-auditor group auditing ISO 9001, ISO 14001, ISO 45001, ISO 50001, and RC 14001.  We did not use AI to verify audit findings.  Granted, I did not audit medical devices or automotive, but I don't know if that would matter.  I found during that period that the key to the determination of nonconformity is a matter if a requirement in the Standard has not been met. then there is a nonconformity.  The Auditor needs to be able to identify the particular requirement that is not being met.

The determination of whether it was a minor or a major nonconformity was based on whether the classification is major or minor depending on the severity, scope, and potential impact of the nonconformity.   This includes:

1. Impact on the management system's effectiveness

• Major: A breakdown or absence of a key requirement that undermines the system's ability to meet the standard's objectives. This can be a total absence of a required process, a systemic failure, or repeated issues across multiple areas.
• Minor: An isolated or limited deviation that does not significantly affect the system's overall effectiveness.

2. Risk to quality, safety, or compliance

• Major: Noncompliance that could lead to product failure, safety hazards, environmental harm, or regulatory penalties.
• Minor: No immediate risk to safety, quality, or compliance, though it may indicate a procedural lapse.

3. Scope and recurrence

• Major: Often involves multiple minor nonconformities against the same requirement, indicating a widespread problem.
• Minor: Single or infrequent occurrences, such as a one-off document error or training record omission.

4. Potential for certification impact

• Major: If unresolved, can lead to suspension or withdrawal of certification.
• Minor: Does not immediately threaten certification but still requires correction to prevent escalation.

5. Judgment and experience

• Auditors and management use judgment and experience to decide if a nonconformity is likely to cause failure of the system or materially reduce its ability to assure controlled processes.

I hope this provides some clarification on management system nonconformities.

Thank you Chris.  This is very informative.  I will use this to help guide me in the future. 

It looks like you have a lot of experience as an auditor and leading auditing groups.  As someone who is relatively new to auditing, I have found AI to be a useful tool to confirm that my findings are relevant and to provide additional reasoning if the auditee needs more than I can provide.  As I gain experience, I realize that the decision to give a major/minor nonconformances will become easier.  Have you used AI for anything in your career as a lead auditor?  

DETERMINATION OF MAJOR OR MINOR NONCONFORMITIES.

I worked for the ANSI National Accreditation Body (ANAB) on the Accreditation Council from 2000 to 2020 and served as Chair of the Council in the early 2000's.  I was also an Accreditation Auditor for ANAB from 2005 to 2008.

I worked as a Lead Auditor for DQS Certification Body (CB) which is the fifth largest CB in the world from 2013 - 2022.  At the end of that period, I led a 55-auditor group auditing ISO 9001, ISO 14001, ISO 45001, ISO 50001, and RC 14001.  We did not use AI to verify audit findings.  Granted, I did not audit medical devices or automotive, but I don't know if that would matter.  I found during that period that the key to the determination of nonconformity is a matter if a requirement in the Standard has not been met. then there is a nonconformity.  The Auditor needs to be able to identify the particular requirement that is not being met.

The determination of whether it was a minor or a major nonconformity was based on whether the classification is major or minor depending on the severity, scope, and potential impact of the nonconformity.   This includes:

1. Impact on the management system's effectiveness

• Major: A breakdown or absence of a key requirement that undermines the system's ability to meet the standard's objectives. This can be a total absence of a required process, a systemic failure, or repeated issues across multiple areas.
• Minor: An isolated or limited deviation that does not significantly affect the system's overall effectiveness.

2. Risk to quality, safety, or compliance

• Major: Noncompliance that could lead to product failure, safety hazards, environmental harm, or regulatory penalties.
• Minor: No immediate risk to safety, quality, or compliance, though it may indicate a procedural lapse.

3. Scope and recurrence

• Major: Often involves multiple minor nonconformities against the same requirement, indicating a widespread problem.
• Minor: Single or infrequent occurrences, such as a one-off document error or training record omission.

4. Potential for certification impact

• Major: If unresolved, can lead to suspension or withdrawal of certification.
• Minor: Does not immediately threaten certification but still requires correction to prevent escalation.

5. Judgment and experience

• Auditors and management use judgment and experience to decide if a nonconformity is likely to cause failure of the system or materially reduce its ability to assure controlled processes.

I hope this provides some clarification on management system nonconformities.

The use of AI in auditing is not only inevitable, it's also needed to improve accuracy and consistency, and to keep pace with the complexity, breadth and depth of audits. It may be helpful to view AI as an augmented resource rather than an automation or simplification tool. It's especially important for auditors not to lose sight of the fact that they are ultimately responsible for everything that goes into the audit report. As @Godly Yao commented: AI cannot replace auditor professional skepticism, judgment, or attestation responsibilities.

As a cautionary reminder, make sure how you're using AI doesn't violate confidentiality and a data protection requirements. Also keep in mind that some AI tools, for example those used to record meeting notes, have been linked to privacy issues, including one case where a transcription tool was reportedly used to monitor a sensitive human rights meeting without participant consent (see Politico's 2022 investigation into Otter.ai).

As with most things, AI is only as good or useful as you instruct it, and fortunately, AI can help you help it. Setup takes time and is ongoing if you intend to make regular use of AI in audits. In addition to establishing the basic settings like tone and perspective (e.g. skeptical, third-party, independent auditor), AI can also advise on how to structure your requests depending on the complexity and format of the data. In fact, I have several AI-generated instruction sets, written by AI itself, that span several pages when saved in Word.

Routinely challenge the results you get. You should expect to regularly ask for clarification, correct matters of fact, and even argue with your AI tool in order to improve the output. The results AI generates should support, enhance, and highlight the higher-level themes you've already identified as an audit team. Be skeptical of any surprising findings from AI. At most, these create new audit trails to pursue with standard auditing skills, and additional evidence and follow-up requirements.

The use of AI in auditing is not only inevitable, it's also needed to improve accuracy and consistency, and to keep pace with the complexity, breadth and depth of audits. It may be helpful to view AI as an augmented resource rather than an automation or simplification tool. It's especially important for auditors not to lose sight of the fact that they are ultimately responsible for everything that goes into the audit report. As @Godly Yao commented: AI cannot replace auditor professional skepticism, judgment, or attestation responsibilities.

As a cautionary reminder, make sure how you're using AI doesn't violate confidentiality and a data protection requirements. Also keep in mind that some AI tools, for example those used to record meeting notes, have been linked to privacy issues, including one case where a transcription tool was reportedly used to monitor a sensitive human rights meeting without participant consent (see Politico's 2022 investigation into Otter.ai).

As with most things, AI is only as good or useful as you instruct it, and fortunately, AI can help you help it. Setup takes time and is ongoing if you intend to make regular use of AI in audits. In addition to establishing the basic settings like tone and perspective (e.g. skeptical, third-party, independent auditor), AI can also advise on how to structure your requests depending on the complexity and format of the data. In fact, I have several AI-generated instruction sets, written by AI itself, that span several pages when saved in Word.

Routinely challenge the results you get. You should expect to regularly ask for clarification, correct matters of fact, and even argue with your AI tool in order to improve the output. The results AI generates should support, enhance, and highlight the higher-level themes you've already identified as an audit team. Be skeptical of any surprising findings from AI. At most, these create new audit trails to pursue with standard auditing skills, and additional evidence and follow-up requirements.

------------------------------
William Huggett
------------------------------

I agree with the future enthusiasm regarding the "possibilities" and applications of AI, but as Auditors, our "guard" must be up when performing audits on companies, corporations and agencies.  As Auditors, it is essential to be trained to determine what AI Platform is the authentic Evidence Resource that contains the authentic quality records, documentation and performance indicators that have not been influenced by the Training/Algorithmic Programming of the AI Platform by the company, corporation or agency

Did the customer provide the 3rd Party/External Auditor access to an alternate AI Platform setup specifically for 3rd Party/External Audits?

This was my first question two years ago involving a scenario where am I auditing Customer AI Platform "A" (setup as the authentic repository used by company approval workflows, operations, designs, calibrations, test samples and performance reports), or have I been sat down at the Customer's AI Platform "B" (setup specifically for 3rd Party/External Audits where documents, results and reports have been scrubbed by an algorithm or with more preferential data?).  

As in all past and current audits, it is the query skill of the Auditor than can determine a gap or make a discovery that additional sampling and information may need to be pursued.  As Auditors, in the near future, it may be necessary to attend additional query training to determine the authenticity of the requested evidence information is being obtained from a company's, corporate's or agency's only AI Platform or presented from a Partitioned or Separate AI Platform utilized specifically for External Audits.

------------------------------
Robert Tanner Jr.
Director of Quality & ISMS Policy Manager
Herzog Technologies Incorporated
rtanner@herzog.com
------------------------------


Original Message:
Sent: 06-15-2026 03:37 PM
From: William Huggett
Subject: Use of AI in Auditing

The use of AI in auditing is not only inevitable, it's also needed to improve accuracy and consistency, and to keep pace with the complexity, breadth and depth of audits. It may be helpful to view AI as an augmented resource rather than an automation or simplification tool. It's especially important for auditors not to lose sight of the fact that they are ultimately responsible for everything that goes into the audit report. As @Godly Yao commented: AI cannot replace auditor professional skepticism, judgment, or attestation responsibilities.

As a cautionary reminder, make sure how you're using AI doesn't violate confidentiality and a data protection requirements. Also keep in mind that some AI tools, for example those used to record meeting notes, have been linked to privacy issues, including one case where a transcription tool was reportedly used to monitor a sensitive human rights meeting without participant consent (see Politico's 2022 investigation into Otter.ai).

As with most things, AI is only as good or useful as you instruct it, and fortunately, AI can help you help it. Setup takes time and is ongoing if you intend to make regular use of AI in audits. In addition to establishing the basic settings like tone and perspective (e.g. skeptical, third-party, independent auditor), AI can also advise on how to structure your requests depending on the complexity and format of the data. In fact, I have several AI-generated instruction sets, written by AI itself, that span several pages when saved in Word.

Routinely challenge the results you get. You should expect to regularly ask for clarification, correct matters of fact, and even argue with your AI tool in order to improve the output. The results AI generates should support, enhance, and highlight the higher-level themes you've already identified as an audit team. Be skeptical of any surprising findings from AI. At most, these create new audit trails to pursue with standard auditing skills, and additional evidence and follow-up requirements.

------------------------------
William Huggett
------------------------------