Every year, hundreds of Indian MSME factories arrive at their ISO audit with confidence — and leave with a list of non-conformances (NCRs) that surprises and frustrates them.
‘We have been following the same processes for years. We trained our people. We have all the documents. What went wrong?’
The answer is almost always the same: the factory confused the appearance of compliance with the reality of compliance. An ISO audit does not assess whether you have a quality manual. It assesses whether your management system is alive, functioning, and driving real improvement — every day, not just on audit day.
Based on Greendot Management Solutions’ 25+ years of ISO consulting experience with Indian MSMEs across pharmaceutical, chemical, and engineering sectors, here are the 7 most common reasons Indian factories fail ISO audits — and exactly how to address each one.
Reason 1: Documents Exist — But Systems Do Not
This is the single most common failure mode in Indian MSME ISO audits, across ISO 9001, ISO 14001, and ISO 45001.
What it looks like: The factory has a beautifully formatted Quality Manual, documented procedures for every process, and a full set of forms. But when the auditor asks employees to walk them through how they actually do the work, the answer has nothing to do with the documented procedure. The documents describe an ideal world. The factory operates in a different one.
Why it happens: Many Indian MSMEs build their ISO documentation to pass the certification audit — not to describe and improve real operations. Documents are created by a consultant, approved by management, filed in a cabinet, and never touched again.
How to Fix It:
- Every procedure must describe what actually happens — not what should ideally happen
- Involve the people who do the work in writing the procedures: they know the real process
- Review and update procedures whenever the process changes — not just at the annual management review
- Test your system quarterly: ask a random employee to follow a procedure step-by-step. If they cannot, the system is not embedded
Reason 2: Management Review Is a Formality, Not a Tool
ISO standards require a formal Management Review — a structured meeting where top management reviews the performance of the management system and makes decisions for improvement. For most Indian MSMEs, the Management Review Meeting (MRM) is a once-a-year box-ticking exercise, conducted the week before the audit, with minutes that look identical to last year’s.
What auditors look for: Evidence that management actually reviewed real data, identified real trends, made real decisions, and followed up on them. They compare this year’s MRM output against last year’s — and check whether the actions from last year were actually implemented.
How to Fix It:
- Conduct management reviews at minimum twice a year — quarterly is better
- Base the review on actual data: customer complaints, NCRs, internal audit findings, KPI trends, supplier performance
- Record specific decisions and action items — not vague resolutions
- Begin the next review by checking the status of every action from the previous one
- Management review is a leadership tool — not a compliance ritual. Use it as one.
Reason 3: Internal Audits Are Superficial — or Simply Not Done
Every ISO standard requires a programme of internal audits to verify that the management system is effectively implemented. In most Indian MSMEs, internal audits either don’t happen at all, or are conducted as a rubber-stamp exercise by the same person who wrote the procedures.
What auditors look for: A planned internal audit schedule covering all processes and departments, evidence that audits were conducted (with records), findings that were raised and closed, and a trend showing the system is improving over time.
How to Fix It:
- Build an annual internal audit calendar at the start of each year — covering all processes, all shifts, and all departments
- Train at least 2–3 internal auditors to conduct audits independently and objectively
- Internal auditors must not audit their own area — independence is essential
- Raise and close NCRs from internal audits just as you would from external audits — they are your early warning system
- Use internal audit findings as the data input for your management review
Reason 4: Corrective Actions Are Closed Without Root Cause Analysis
When a non-conformance is raised — whether from a customer complaint, internal audit, or external audit — the ISO standard requires a Corrective Action that addresses the root cause, not just the symptom. In most Indian MSMEs, corrective actions look like this: NCR raised → problem fixed → NCR closed. Root cause? ‘Human error.’ Corrective action? ‘Worker retrained.’
This approach satisfies the paperwork but changes nothing. The same NCR reappears at the next audit — because the systemic cause was never identified or addressed.
How to Fix It:
- Make root cause analysis (RCA) a mandatory step in every corrective action — use 5-Why or fishbone analysis
- Distinguish between immediate correction (fix this instance), corrective action (prevent this category), and preventive action (prevent similar issues elsewhere)
- Train your QA/compliance team in structured RCA methodology — this is a skill that must be built
- Review the effectiveness of each corrective action at the next management review — did it actually prevent recurrence?
Reason 5: KPIs and Objectives Are Meaningless
ISO standards require organizations to set quality/environmental/safety objectives and measure their performance against them. In many Indian MSMEs, the objectives set are guaranteed to be achieved — because they were designed to show improvement on paper rather than to drive real change.
What auditors look for: Objectives that are SMART (Specific, Measurable, Achievable, Relevant, Time-bound), connected to real business risks, tracked with actual data, and revised when they are consistently met to drive further improvement.
How to Fix It:
- Set objectives that connect to real operational pain points: delivery on time, customer complaint rate, accident frequency, energy consumption
- Track performance monthly — not annually. If you only review KPIs at the management review, you have lost 11 months of learning.
- When an objective is consistently met, raise the bar — do not lower the target to maintain a ‘green’ indicator
- Connect every objective to a responsible owner who is accountable in the management review
Reason 6: Competence and Training Records Are Incomplete
Every ISO standard requires the organisation to determine the competencies required for roles affecting quality, safety, or environmental performance — and to ensure that people in those roles are competent. In practice, Indian MSMEs often have training records but no competency framework. Training is done, but whether the training made the person competent is never assessed.
What auditors find: Training records without evaluation. Workers trained on a procedure that has since changed. Critical processes handled by workers whose competency has never been formally assessed. Induction training that was signed on Day 1 and never revisited.
How to Fix It:
- Create a competency matrix: list every critical role and the competencies required for it
- Evaluate competency after training — written test, practical demonstration, or supervisor sign-off
- Refresh training whenever a procedure or equipment changes — and document that the refresh happened
- For high-risk operations (chemical handling, machine operation, EHS-critical tasks), require periodic re-evaluation of competency — not just initial training
Reason 7: The ISO System Is Owned by One Person — and Disconnected from Operations
In many Indian MSMEs, the entire ISO management system is effectively owned and operated by one person: the Management Representative (MR), Quality Manager, or the consultant who built the system. Everyone else in the factory treats ISO as ‘the MR’s thing.’
When the auditor asks a production supervisor about their quality objectives, they shrug. When the auditor asks the purchase team about approved supplier criteria, they call the MR. When the auditor interviews a worker about the H&S procedure, the worker has no idea what they are talking about.
This happens when the ISO system was built for certification — not for integration into how the business actually operates.
How to Fix It:
- Every department head must own their part of the management system — not just the MR
- Include department-level KPIs in the management review — not just company-wide metrics
- Conduct quarterly department-level awareness sessions — 15 minutes, focused on that team’s procedures and current NCRs
- Include ISO system performance as an agenda item in every monthly department meeting
- The goal: ISO should be how you run your business — not something you do in addition to running your business
| Failure Reason | Root Cause | Fix |
| --- | --- | --- |
| Documents ≠ Systems | Procedures describe ideal, not real | Write procedures with the people who do the work |
| Superficial Management Review | Treated as audit formality | Conduct quarterly with real data and decisions |
| Internal Audits Not Done | No trained auditors; independence missing | Annual audit calendar + trained internal auditors |
| Corrective Actions Without RCA | Symptoms fixed, not root causes | Mandatory 5-Why or fishbone before closing any NCR |
| Meaningless KPIs | Objectives designed to be met | SMART objectives connected to real business pain |
| Incomplete Competency Records | Training done but not evaluated | Competency matrix + post-training assessment |
| ISO Owned by One Person | System not integrated into operations | Department ownership + monthly integration into meetings |
Frequently Asked Questions
Q1: How long should we allow to prepare for an ISO surveillance audit?
For a surveillance audit (Year 1 or Year 2 after initial certification), begin your internal audit programme at least 3 months before the scheduled external audit. Review all NCRs from the previous external audit — all must be closed with evidence. Conduct your management review at least 4 weeks before the external audit so findings can be actioned.
Q2: Can we fail an ISO audit and lose our certificate?
Yes. A Major Non-Conformance that is not closed within the defined timeframe (typically 90 days) can result in suspension or withdrawal of your ISO certificate. Critical or systemic failures — particularly where the auditor concludes the management system is not functional — can lead to immediate suspension. This makes proper maintenance of the system between audits essential.
Q3: We passed our ISO audit last year but got many NCRs this year. What changed?
This is common when organizations stop maintaining the system between audit cycles. Auditors’ expectations also evolve — what was acceptable under ISO 9001:2008 is scrutinized more closely under ISO 9001:2015, where process-based thinking, risk management, and leadership engagement are assessed much more rigorously. If NCRs are increasing year-on-year, it typically signals that the system was built for certification rather than operation.