Important: This content is provided for general information only. It is not advice, instruction, or a substitute for your own arrangements, contractual requirements, or applicable standards.

Top 3 clauses linked to non conformances (P11–13)

What's coming up most often in audits (Top 3, P11–13)

Image for: What’s coming up most often in audits (Top 3, P11–13)

Source: RISQS, April 2026.

Major non conformances: what’s typically going wrong

Across P11–13, major findings are more likely to reflect systemic issues than isolated errors. In practice, this often shows up where documented processes exist but application is inconsistent, evidence is incomplete, or governance and follow up are not clear.

  • Closing out corrective actions (CORS 8.1)
    Where previous non conformances have been raised, audits sometimes found that close out was not fully evidenced. For example, unclear verification, incomplete records, or limited demonstration that the underlying cause was addressed. This can result in repeat findings.
  • How the management system is set up and used (CORS 2.2)
    Arrangements were sometimes missing, incomplete, or not demonstrable in day to day delivery. A common theme was a gap between what is documented and what teams can evidence in practice.
  • Competence and ownership of core requirements (CORS 1.2)
    Organisations couldn’t always evidence that HSQE responsibilities were clearly defined and accepted. Also, that people in key roles were competent (and remained competent) for what they were expected to do.

Why this matters

These themes can affect audit outcomes. They also tend to be leading indicators of wider control and assurance. Understanding the common evidence gaps can help organisations prepare their own internal reviews. And, to strengthen how they demonstrate delivery.

Minor non conformances: early warning signs

Minor findings more often suggest inconsistency. For example, controls exist but they’re not applied uniformly, or the evidence trail doesn’t clearly show routine completion. Over time, repeated minor issues can point to areas where assurance is weaker than intended.

  • Applying arrangements consistently (CORS 2.7)
    Procedures existed, but weren’t followed the same way across teams, sites, or activities—leading to local variation and gaps.
  • Monitoring that leads to action (CORS 3.1)
    Monitoring was happening, but records were sometimes incomplete, not routine, or not clearly linked to learning, decisions, and corrective actions.
  • Document control basics (CORS 2.3)
    Version control and document status weren’t always clear, increasing the risk of outdated forms, procedures, or records being used.

Common evidence prompts (not advice)

The points below are shared as general prompts based on typical audit evidence. They are not recommendations or instructions, and organisations should use their own processes and requirements to determine what is appropriate.

  • Corrective actions: is there a clear record of what was done, how close out was verified, and who authorised closure?
  • Management system in practice: can teams describe how arrangements work day to day, and is there evidence that aligns with what is documented?
  • Competence, monitoring, and document control: are role expectations defined, competence evidence current, monitoring records complete, and current documents easy to identify?

RISQS will continue to publish periodic insights to help suppliers and buyers understand emerging audit themes and support continual improvement across the community.