When Your Accreditation Is on the Line
Accreditation assessments are the most consequential events in a certification body's calendar. A major nonconformity can restrict your scope, suspend your accreditation, or in extreme cases, lead to withdrawal. And while assessors are thorough professionals, the nonconformities they find are rarely surprising. They are usually the predictable result of operational gaps that everyone in the CB knew existed but never addressed.
The common thread in most major nonconformities is the absence of a systematic approach to certification operations. And in 2026, a systematic approach means software.
Category 1: Incomplete Audit Trails
ISO/IEC 17021-1:2015 requires certification bodies to maintain records that demonstrate the effective implementation of the certification process. This means a complete, chronological record of every step in the certification lifecycle.
When a CB operates on spreadsheets and email, audit trails have gaps. Common findings include:
- •Missing evidence of application review. The client was accepted, but there is no record of who reviewed the application, when, or what criteria were evaluated.
- •Undocumented scope changes. The scope was modified between Stage 1 and Stage 2, but there is no record of the change or its justification.
- •Unrecorded audit team changes. An auditor was substituted, but the original and revised team composition records do not match.
How this happens without software: Information is scattered across emails, spreadsheets, and file folders. No single system captures the complete sequence of events. Reconstructing the trail after the fact is time-consuming and often incomplete.
How software prevents it: Certiva logs every action in the system with a timestamp and user identification. The audit trail is generated automatically as work is performed, not reconstructed manually before an assessment.
Category 2: Missing or Incomplete Communication Records
Clause 9.1.1 and related clauses require that certification bodies communicate specific information to clients at defined points in the certification process. Accreditation assessors routinely check whether these communications occurred and whether they are documented.
Common findings include:
- •No evidence of pre-audit communication. The audit was conducted, but there is no record of the audit plan being sent to the client in advance.
- •Undocumented notification of findings. Nonconformities were raised, but there is no documented evidence that the client was formally notified with clear deadlines.
- •Missing confirmation of certificate scope. The certificate was issued, but there is no record of the client confirming the scope.
How this happens without software: Communications occur via email, phone, and sometimes in person. Even if the communication happened, finding the evidence requires searching through email archives and hoping the right message was saved.
How software prevents it: Certiva logs every communication within the platform, linked to the specific client and audit. When a notification is sent through the system, the record is created automatically.
Category 3: Unsigned or Improperly Signed Documents
Accreditation bodies expect key documents to be signed by authorized personnel. Audit plans, stage reports, nonconformity reports, and certificates all require signatures. The signing must be verifiable, and the signing order must reflect the CB's procedures.
Common findings include:
- •Documents without any signatures. Reports were generated but never formally signed by the audit team leader or technical reviewer.
- •Signatures without dates. Documents were signed, but the signature dates were not recorded, making it impossible to verify the timeline.
- •Missing signing chain evidence. Multiple signatures were required, but there is no evidence of the sequence or completeness of the signing process.
How this happens without software: Documents are created in word processors, converted to PDF, and either signed with wet signatures (requiring printing and scanning) or with basic electronic signature tools that do not capture adequate metadata.
How software prevents it: Certiva's digital signing system enforces the complete signing chain. Each signature includes the signer's name, timestamp, and IP address. The system blocks progression until all required signatures are collected.
Category 4: Auditor Competence and Scope Coverage Gaps
ISO/IEC 17021-1:2015 Clause 7.2 requires certification bodies to ensure the competence of personnel involved in the certification process. This includes matching auditor qualifications to audit scope.
Common findings include:
- •Audit team lacking EA code coverage. The audit was conducted for a scope that requires specific EA code competence, but the audit team did not include anyone qualified for that code.
- •Missing technical expert. The scope required technical expertise that neither the lead auditor nor team members possessed, and no technical expert was included.
- •Expired or incomplete qualification records. The auditor's qualification records are outdated, incomplete, or cannot be located.
How this happens without software: Auditor qualifications are tracked in spreadsheets or paper files. When building audit teams, planners rely on memory or manual cross-referencing. In a busy scheduling environment, gaps are easily overlooked.
How software prevents it: Certiva maintains a complete qualification matrix for every auditor and validates team composition against scope requirements before confirming the audit. If coverage is inadequate, the system flags it immediately.
Category 5: Audit Time Calculation Errors
IAF MD 5 provides mandatory rules for calculating audit time based on factors including the number of employees, the complexity of the management system, the number of standards, and various adjustment factors. Errors in audit time calculation are a frequent source of nonconformities.
Common findings include:
- •Insufficient audit time allocated. The audit time was less than required by IAF MD 5, and there is no documented justification for the reduction.
- •Incorrect application of reduction factors. Multi-site or multi-standard reductions were applied incorrectly, resulting in insufficient audit time.
- •No documentation of the calculation. The audit time was determined, but there is no record showing how it was calculated.
How this happens without software: Audit time calculations are performed manually, often in spreadsheets. The formulas are complex, the K-factors are not intuitive, and mistakes are easy to make and hard to catch.
How software prevents it: Certiva calculates audit time according to IAF MD 5 rules, applying the correct factors based on the client's data. The calculation is documented automatically and linked to the audit record.
Category 6: Committee Review Failures
ISO/IEC 17021-1:2015 Clause 9.5 requires that certification decisions be made by competent persons who were not involved in the audit. The committee review process must demonstrate both competence and impartiality.
Common findings include:
- •Committee members lacking qualifications for the scope. The certification decision was made by reviewers who did not have demonstrated competence in the relevant standard or scope category.
- •Incomplete committee review. Not all required reviewers completed their review before the certification decision was recorded.
- •No separation between audit and decision. The same individual who conducted the audit also made the certification decision, or there is insufficient evidence of separation.
How this happens without software: Committee assignments are made informally. Qualification matching is done by memory. Review completion is tracked via email or not tracked at all.
How software prevents it: Certiva validates committee member qualifications against the scope of each certification, enforces the complete review and signing process, and prevents the certification decision from being finalized until all requirements are met.
Category 7: Surveillance and Recertification Scheduling Failures
Clause 9.1.3 requires certification bodies to establish and maintain an audit programme that includes surveillance and recertification audits at defined intervals. Missing these deadlines creates immediate compliance risk.
Common findings include:
- •Overdue surveillance audits. Surveillance audits were not conducted within the required timeframe, and the certification was not suspended or withdrawn as required.
- •No systematic tracking of the audit programme. The CB cannot demonstrate a systematic approach to scheduling and tracking surveillance and recertification audits.
How this happens without software: Audit schedules are maintained in spreadsheets or calendars. With hundreds of clients, each with their own surveillance and recertification cycle, manual tracking inevitably leads to missed deadlines.
How software prevents it: Certiva tracks the complete audit programme for every client, calculates upcoming deadlines, and generates automated alerts. The system makes it impossible to overlook a pending surveillance or recertification audit.
The Pattern Is Clear
Every nonconformity category described above has the same root cause: the absence of a systematic, software-supported approach to certification operations. The findings are not caused by incompetent people. They are caused by competent people working with inadequate tools.
Ready to eliminate these nonconformity risks?
Book a demo at getcertiva.com and see how Certiva systematically addresses the operational gaps that lead to accreditation findings.