Top 10 Common Non-Conformities with ISO/IEC 17043:2023 Requirements
Last Updated on September 25, 2025 by Melissa Lazaro
Let’s face it—no one enjoys reading audit reports, especially when they’re full of findings. But if you’ve ever been through a conformity assessment under ISO/IEC 17043:2023, you already know that non-conformities are part of the process. And that’s okay—what matters is how you prepare for them and what you do afterward.
In my experience working with proficiency testing (PT) providers of all sizes—from international organizations to small labs running a single scheme—the same issues come up again and again. They’re rarely dramatic, but they’re often preventable. Most of the time, it’s not because a provider doesn’t care—it’s because something small slipped through the cracks.
This article breaks down the 10 most common non-conformities I see during ISO/IEC 17043 audits. But more importantly, I’ll walk you through what they really mean and how to avoid them without adding unnecessary complexity.
Where Things Usually Go Wrong
Before we dive into the top 10, it helps to understand where non-conformities tend to show up. Most findings are clustered in five areas:
- Documentation and records (missing, outdated, or incomplete)
- Evaluation methods (unclear, undocumented, or inconsistently applied)
- Personnel competence (not defined, evaluated, or maintained)
- Management system gaps (especially under Clause 8)
- Risk and improvement processes (ignored or too vague)
Now let’s take a closer look.
1. Lack of Documented Competence Criteria for Personnel
Here’s what I’ve seen too often: someone’s been coordinating PT schemes for years, they clearly know their stuff, but there’s no documented evidence of what makes them “competent.” No job description. No formal training. No ongoing evaluation.
Clause 6 of the standard expects PT providers to define required competencies, assess individuals against them, and maintain records. It’s not enough to just say someone is experienced—you need to show how you verify they’re still fit for the role.
What to do:
Define competence for each role. Create a matrix or job description. Conduct and document evaluations regularly—especially after training or a change in responsibilities.
2. No Formal Risk Assessment During Scheme Design
ISO/IEC 17043:2023 emphasizes risk-based thinking throughout the standard, especially when planning and designing PT schemes. But many providers skip this—or they do a one-time risk review that gathers dust in a binder.
What’s missing is a clear, practical approach to identifying, assessing, and mitigating risks related to item preparation, transportation, data integrity, or participant confusion.
What to do:
Incorporate a short risk review into your scheme planning phase. Use a basic table: risk, impact, likelihood, mitigation. Keep it living—update it based on feedback or incidents.
3. Unclear or Undocumented Evaluation Criteria
Participants need to know how their performance is going to be judged. Unfortunately, many schemes still fail to communicate their evaluation methods clearly, or they apply different criteria without explaining why.
Auditors look for transparency, consistency, and justification. That means: How are you assigning scores? Why did you choose z-scores over En values? How do you deal with outliers?
What to do:
Pre-define and publish your evaluation approach. Include examples. Document the rationale for any statistical method or expert judgment, and stick to it unless you’ve got a good reason to deviate.
4. Failure to Monitor Subcontractors or External Providers
Subcontracting is fine—common, even—but delegating doesn’t mean removing responsibility. Too often, PT providers don’t check whether their shipping contractor, lab analyst, or IT vendor is meeting expectations.
Clause 4.5 requires appropriate control and ongoing monitoring of external providers. That includes performance reviews, documented agreements, and corrective actions if something goes wrong.
What to do:
Keep a log of all outsourced activities. Review performance at least annually. Retain contracts or SLAs. Document what you check, how often, and what happens when something isn’t right.
5. Internal Audits That Are Too Shallow (or Missing)
Let’s be honest—internal audits often feel like a chore. But they’re essential for identifying gaps before the external auditor does. I’ve seen providers skip them completely, or only review one part of the process while ignoring the rest.
Clause 8.8 requires a planned, regular, and objective audit of the entire management system, including technical and support activities.
What to do:
Use an internal audit checklist based on ISO/IEC 17043 clauses. Rotate responsibilities to maintain objectivity. And don’t just audit “paper”—test actual practices.
6. Management Reviews Without Enough Substance
Some providers treat the management review as a checkbox exercise. They meet once a year, talk vaguely about how “things seem okay,” and that’s it. But Clause 8.9 outlines specific inputs and outputs that must be considered, including:
- Internal audit results
- Customer feedback
- Complaints and corrective actions
- Risk and improvement opportunities
What to do:
Keep a running agenda and a structured record of your review. Address each required input. Set actions. Assign follow-ups. Show you’re using the review to steer the ship—not just to tick a box.
7. Inadequate Control of PT Items (Stability, Homogeneity, Traceability)
If your PT items aren’t stable, homogeneous, and traceable, everything else falls apart. Yet I’ve seen providers skip validation testing or rely on assumptions like “we’ve always done it this way.”
Clause 7.4 requires objective evidence that PT items perform consistently and support valid evaluations.
What to do:
Plan, test, and document. Even a basic stability check or homogeneity test can be enough—if it’s done and recorded. Use lot numbers, storage logs, and traceability charts.
8. Delays and Errors in Reporting Participant Results
This one affects trust more than anything. Participants rely on timely, clear, and accurate results. If your report is late, incomplete, or difficult to interpret, confidence drops fast.
Clause 7.8 outlines what your reports must include, and participants should get results within an agreed timeline.
What to do:
Create report templates. Include a summary of assigned values, statistical results, and interpretation guidelines. Review drafts carefully before releasing. And stick to your timelines—or communicate clearly if there’s a delay.
9. Ignoring Participant Feedback or Complaints
Sometimes feedback is vague or informal—“Hey, that sample label was confusing.” But even small comments can point to systemic issues. Unfortunately, many PT providers fail to capture, track, or respond to this input in a structured way.
Clause 7.10 requires a documented complaints and appeals process that’s impartial, timely, and effective.
What to do:
Maintain a feedback and complaint log. Set a standard response time. Keep records of investigations, actions taken, and resolution outcomes—even for “small” issues.
10. Over-Reliance on One Expert Without Backup
This isn’t in the standard word-for-word, but it’s a huge operational risk—and auditors notice it. If your PT program depends entirely on one coordinator, analyst, or evaluator, what happens if they’re unavailable?
What to do:
Cross-train your team. Document key processes clearly. Use checklists, flowcharts, and simple instructions. Make sure someone else can step in, even temporarily, without chaos.
Pro Tips – What I Tell My Clients
Pro Tip 1: Don’t fake an internal audit. I’ve seen providers do a “paper audit” just days before their external assessment. Instead, space audits out, rotate focus areas, and treat them like a learning tool—not an obligation.
Pro Tip 2: Create a clause-by-clause checklist and self-assess every year. It keeps your system fresh and gives you an early warning for gaps.
Pro Tip 3: Capture informal feedback. A participant saying “the form was confusing” might be your first clue that instructions need work. Log those comments and use them during your next review.
Pro Tip 4: Future-proof your team. One-person systems break. Build knowledge-sharing into your routine. Use short SOPs and routine training refreshers so the process doesn’t collapse if someone takes leave or leaves the company.
Common Mistakes PT Providers Should Watch For
Over the years, I’ve seen certain patterns repeat themselves. These mistakes aren’t just technical—they often stem from misunderstanding the intent of the standard or trying to take shortcuts under pressure. If you recognize any of these in your own system, now’s a good time to correct them before they become findings.
Mistake 1: Treating internal audits as optional or informal
Some providers skip internal audits entirely, or they rush through them without really digging into the effectiveness of their processes. Auditors notice this right away. The result? A non-conformity that could’ve been avoided with one good review.
Mistake 2: Leaving evaluation criteria “understood” but undocumented
If your team knows how to assess participant results, that’s great. But unless it’s written down and shared clearly, it’s not compliant. You need to show your method, justify it, and ensure participants understand it too.
Mistake 3: Ignoring informal participant feedback
Not all complaints are official. If someone casually mentions a confusing form or delayed report, that’s still valuable feedback. Don’t let it slip by unrecorded. Those are the little clues that can help you improve your system before problems escalate.
Mistake 4: Relying too heavily on one expert
This one’s more operational than technical, but it matters. If your PT scheme falls apart when one person’s on vacation, that’s a red flag. Accreditation bodies want to see resilience. Cross-train your team, document processes, and share the knowledge.
Mistake 5: Assuming Option A is easier than Option B without understanding the full scope
When choosing between Clause 8’s Option A or Option B, some providers pick Option A assuming it requires less effort. But Option A still demands a full management system with audits, reviews, corrective action, and continual improvement. The difference is structure, not substance.
FAQs – Straightforward Answers
Are all non-conformities serious?
Not necessarily. Some are minor—like missing a date on a form. Others are major—like not evaluating participant performance consistently. What matters is how you address and learn from them.
What happens if a non-conformity shows up again?
Repeated issues suggest your corrective action didn’t work. That can damage your credibility and may raise concerns with the accreditation body.
Can we use templates to reduce errors?
Absolutely. Just make sure your templates are tailored to your process and reviewed regularly—they’re a tool, not a substitute for good systems.
Spot the Pattern, Strengthen the Process
Non-conformities aren’t the enemy. In fact, they’re opportunities to improve and grow stronger. The trick is recognizing the patterns—and putting systems in place that reduce the risk before the next audit.
If you’ve seen one or more of these issues pop up in your own operations, don’t panic. Just start where you are. Tackle one gap at a time. And if you need help building a system that works—not just for auditors, but for your team and your participants—I’d be happy to walk you through it.
Melissa Lavaro is a seasoned ISO consultant and an enthusiastic advocate for quality management standards. With a rich experience in conducting audits and providing consultancy services, Melissa specializes in helping organizations implement and adapt to ISO standards. Her passion for quality management is evident in her hands-on approach and deep understanding of the regulatory frameworks. Melissa’s expertise and energetic commitment make her a sought-after consultant, dedicated to elevating organizational compliance and performance through practical, insightful guidance.