7 Common AS9110 Audit Findings (And How to Avoid Them)

7 Common AS9110 Audit Findings (And How to Avoid Them)

Quick Answer: AS9110 audits most frequently flag issues in corrective action processes, traceability records, service provision controls, document management, internal auditing, supplier oversight, and personnel competence. Understanding where these non-conformances cluster—and why—gives quality teams a practical edge before auditors arrive.

AS9110 is the internationally recognized quality management standard for aviation maintenance, repair, and overhaul (MRO) organizations. Developed by the Society of Automotive Engineers (SAE) and the International Aerospace Quality Group (IAQG), AS9110 Revision C builds on ISO 9001:2015 with additional requirements specific to aircraft maintenance—covering airworthiness documentation, configuration management, counterfeit parts prevention, and first article inspection.

Achieving AS9110 certification opens the door to high-value contracts with airlines, original equipment manufacturers, and defense customers. Keeping it requires sustained discipline. Each certification cycle includes annual surveillance audits and a full recertification audit every three years. Non-conformances—minor or major—can derail timelines and damage credibility.

The findings below are drawn from IAQG-OASIS database data covering approximately 50% of global AS91XX certifications in the Americas. In 2019 alone, auditors issued 17,184 total non-conformances across AS9100, AS9110, and AS9120 organizations (15,298 minor; 1,886 major). These are the seven that appear most consistently—and what your team can do about each one.

1. Gaps in Corrective Action Processes (Clause 10.2.1)

Clause 10.2.1—Nonconformity and Corrective Action—produces the highest number of major nonconformances of any AS9110 clause. The reasons are predictable: weak root cause analysis, corrective actions that address symptoms rather than systemic causes, incomplete documentation, and verification steps that never get closed out.

Effective corrective action in aerospace demands a documented methodology (8D, 5-Why, fishbone, fault tree) with a clear separation between the direct cause, contributing causes, and the systemic root cause. Actions must map back to the verified root cause—not default to "retrain the operator" or "add an inspection step" unless those measures directly address the identified failure.

How to avoid it: Define effectiveness criteria before you implement a corrective action, not after. Specify what measurable outcome over what timeframe will confirm the issue has been resolved. Build that verification window into your CAPA record from day one.

2. Incomplete Traceability Records (Clause 7.1.5.2)

Measurement traceability ranks as the third most common AS9110 finding across AS91XX organizations. For MRO providers, the stakes are particularly high. Every calibrated tool used on an aircraft—from torque wrenches to bore gauges—must be calibrated at defined intervals against standards traceable to national or international measurement standards.

Auditors commonly find calibration databases that are out of date, missing reference to the standards used, or silent on what happened when equipment was found out of tolerance. In aviation maintenance, that last point matters enormously: if a tool was used while out of cal, what was the exposure? What product was potentially affected?

How to avoid it: Maintain a calibration register that records the calibration standard used, the result, the due date, and—critically—any out-of-tolerance events along with the corrective action taken. Review this register as part of every internal audit cycle, not just when certification is approaching.

3. Poor Control of Maintenance Service Provision (Clause 8.5.1)

Control of production and service provision is the single most common AS9110 finding across all AS91XX standards. In an MRO context, this clause covers the planning and execution of maintenance tasks: work orders, task cards, maintenance manuals, and special process controls.

Common failure points include work instructions that don't reflect current revision levels, inconsistencies between what technicians do in practice and what documented procedures require, and inadequate validation of special processes—such as welding, heat treatment, or surface coatings—where nonconformance can't be detected without destructive testing.

How to avoid it: Treat shift-to-shift consistency as a quality metric. Audit whether both day and night shifts follow procedures identically. Establish a validation protocol for special processes that defines approval criteria, equipment qualification, and re-validation triggers after any disruption or process change.

4. Deficiencies in Internal Audit Programs (Clause 9.2.2)

Internal audits exist to surface non-conformances before external auditors do. When the internal audit program itself becomes a finding, it typically signals one of two problems: the program doesn't cover all QMS elements within the required cycle, or audit findings aren't being reported to management and converted into corrective actions.

AS9110 requires that critical processes be audited with a frequency that reflects their risk profile—not simply slotted into a fixed annual schedule regardless of performance history or recent changes.

How to avoid it: Build your audit frequency schedule around risk. Processes with a history of customer complaints, recent organizational changes, or high safety impact should be audited more frequently than stable, low-risk functions. Ensure every internal audit finding triggers a management review input and a documented corrective action, however minor.

5. Supplier Control and Flow-Down Failures (Clauses 8.4.1, 8.4.2, 8.4.3)

Three separate clauses related to external provider control appear in the top ten AS9110 findings, which reflects how much AS9110 demands of supplier oversight. The standard requires MRO organizations to maintain an approved supplier register with current approval status, monitor supplier performance against defined criteria, and flow down critical requirements—including counterfeit parts controls, record retention, and right-of-access provisions—to sub-tier providers.

A common finding is that Certificates of Conformance and raw material certs are received and filed without anyone verifying that the underlying data actually confirms the product meets specification. For high-risk or critical-item materials, filing is not enough.

How to avoid it: Define what "monitoring" means for each category of supplier, based on risk. For suppliers providing critical-item materials, establish a process to evaluate test report data—not just store it. Periodically re-evaluate supplier approval status, and document the outcomes of those reviews.

6. Document Control Breakdowns (Clause 7.5.3.2)

Control of documented information is a persistent finding across all AS91XX certifications. In MRO environments, where technicians regularly work from printed task cards, maintenance manuals, and engineering orders, document control failures carry direct safety implications. An out-of-revision document on the shop floor is not an administrative oversight—it is a maintenance risk.

Auditors look for evidence that the documents people actually use reflect the current approved revision, that access controls prevent unauthorized edits, and that obsolete documents are removed from points of use promptly.

How to avoid it: Assign clear ownership for document change control at the process level, not just at the QMS administrator level. If documents are distributed in print, establish a retrieval protocol for superseded revisions. For electronic systems, apply access controls that distinguish between read access and revision authority.

7. Competence and Training Record Gaps (Clause 7.2)

Competence requirements in AS9110 extend beyond job descriptions. Auditors expect organizations to demonstrate that competence needs are assessed systematically—accounting for technology changes, organizational shifts, and individual performance—and that records exist to substantiate the qualifications of maintenance personnel.

Common findings include training records that don't link to specific task authorizations, competence assessments that were completed once at hire and never revisited, and temporary personnel whose qualification status isn't documented to the same standard as permanent staff.

How to avoid it: Conduct an annual competence review that connects each role's requirements to current business objectives and any changes in technology or regulatory requirements. Retain evidence in a format auditors can trace—certificates, training attendance records, and where applicable, supervised task sign-offs.

Prepare with the Right Mindset, Not Just the Right Documents

The seven AS9110 audit findings described here share a common thread: they are rarely caused by a single mistake. They accumulate when quality discipline erodes between audit cycles. Corrective actions fall through the cracks. Documents drift out of revision. Supplier oversight becomes reactive.

The most audit-ready AS9110 organizations are those that treat compliance as an operational habit rather than a pre-audit sprint. Internal audit programs, management reviews, and corrective action tracking need to function continuously—not intensify every three years when recertification approaches.

If your team is preparing for an AS9110 audit, the most practical starting point is a structured gap analysis against AS9110 Revision C requirements, with particular attention to the seven clause areas identified above.

For support in achieving or maintaining AS9110 certification, request a quote today or contact us to discuss how our expertise can help streamline your compliance efforts.

Frequently Asked Questions

What is the most common major non-conformance in AS9110 audits?

Clause 10.2.1—Nonconformity and Corrective Action—generates the highest number of major non-conformances in AS9110 audits. According to IAQG-OASIS data from 2019, this clause consistently produces more major findings than any other across the AS91XX standard family. Weak root cause analysis and ineffective verification of corrective actions are the leading contributors.

How often does an AS9110-certified organization get audited?

AS9110 certification follows a three-year cycle. Certification bodies conduct annual surveillance audits in years one and two to confirm continued compliance. A full recertification audit is required at the end of the three-year period.

What is the difference between a minor and a major AS9110 non-conformance?

A minor nonconformance indicates a failure to meet a requirement that is unlikely to result in QMS breakdown or nonconforming product reaching the customer. A major nonconformance signals a systemic failure, the absence of a required system element, or a condition that could result in the delivery of nonconforming products or services. Major non-conformances typically require a follow-up audit before certification can proceed.

Is AS9110 certification legally required by aviation regulators?

AS9110 certification is not a direct regulatory requirement from the FAA or EASA. However, many airlines, OEMs, and defense contractors require it contractually as a condition for supplier approval. In practice, MRO organizations without AS9110 certification are frequently excluded from competitive bids before the selection process begins.

How long does it take to prepare for an AS9110 audit?

Most MRO organizations should allow six to eighteen months for preparation before a certification audit, depending on the size of the organization and the maturity of the existing quality management system. Organizations that already hold ISO 9001 certification typically require less preparation time, as AS9110 builds directly on that foundation.

How can we help?

Cancel
Show Policy

Download Guide

Related Information: AS9110 Certification

Latest Resources

See all resources