This guide shows real-world R2v3 nonconformities that recyclers and ITAD providers run into, why they happen, and exactly how to correct and prevent them. Use the checklists, templates, and acceptance criteria to close findings quickly and keep them from coming back.

---

How to read this playbook

• Scope: Focuses on operational pain points that commonly trigger minor and major nonconformities during Stage 1, Stage 2, and surveillance audits.
• Format: Each section lists (1) what auditors usually find, (2) the root causes, and (3) corrective and preventive actions with evidence examples and acceptance criteria.
• Use it: Copy the bullet points into your CAPA form and attach the evidence listed.

---

1) Data security & sanitization: method not matching media, or records incomplete

What auditors find

• Drives or devices labeled “wiped” without a verifiable record of method, tool, settings, pass/fail, and unique identifier.
• Mixed media types treated with a single method that isn’t appropriate (e.g., SSDs processed with an HDD-only overwrite method).
• Sampling performed, but the sampling plan isn’t defined or justified.
• Software version or wipe profile changed mid-period without a change control entry.

Likely root causes

• SOPs are vague or not role-specific.
• Technicians rely on tribal knowledge; training records do not reflect method specifics.
• Wipe tool exports not mapped to your log fields; serial capturing inconsistent.

Corrective actions (fix now)

• Align each media type to an approved method in a one-page Media → Method Matrix and post it at the station.
• Update the Data Sanitization Log to include: asset ID, media type, tool & version, profile, date/time, operator, pass/fail report reference, and reviewer sign-off.
• Re-run sanitization for a sample of affected items; quarantine and reprocess any uncertain units.
• Record a change control entry for the tool/version/profile currently in use.

Preventive actions (stop it recurring)

• Technician training module that covers the matrix and log completion; require practical sign-off.
• Weekly sanitization spot-check: supervisor reviews 10 random records against exported tool reports.
• Lock the wipe tool configuration; changes require manager approval with a version snapshot.

Evidence to attach

• Updated SOP and the Media → Method Matrix.
• Completed logs with matching software reports.
• Training sign-in and competency checklists.
• Spot-check checklist with pass rate.

Acceptance criteria

• For a sample of 30 wiped devices across media types, 100% have full, traceable records and correct method per matrix; 0 unlabeled or unverified devices on the floor.

---

2) Chain of custody: gaps between intake, storage, and outbound transfer

What auditors find

• Intake receipts exist, but location status and container IDs aren’t tracked end-to-end.
• Outbound shipments lack a complete reconciliation from intake quantities/IDs to final disposition.
• “Quarantine” or “secure cage” exists, but no log shows time-in/time-out and who had access.

Likely root causes

• Process maps stop at departmental boundaries.
• Labels or barcodes not applied at the first practical touchpoint.
• Paper forms that don’t sync with the digital ledger.

Corrective actions

• Introduce a Chain-of-Custody Ledger (physical or digital) with five mandatory states: Received → In Secure Storage → In Process → Post-Process Hold → Outbound.
• Require unique container IDs; affix labels immediately on intake.
• Perform a backward reconciliation on last quarter’s shipments: choose 3 representative POs and tie every unit/container to the outbound record; correct discrepancies.

Preventive actions

• Gate control: outbound cannot be scheduled unless reconciliation status = “complete.”
• Weekly walk-through with a location audit checklist (random containers).
• Integrate barcode scanning at intake and outbound to cut manual errors.

Evidence

• Completed ledger examples and reconciliations.
• Photos of container labels and secure storage signage.
• Walk-through checklists and corrective notes.

Acceptance criteria

• For 3 sample POs, 100% of items/containers are traceable from receipt to outbound with timestamps and handler IDs.

---

3) Downstream due diligence: approval packets incomplete or not refreshed

What auditors find

• Vendor approval forms on file, but missing waste codes, permit numbers, or final processing descriptions.
• Annual reviews overdue; risk ratings not updated after incidents or regulation changes.
• EHS/CSR claims (e.g., “no child labor,” “no prison labor”) not backed by documented checks.

Likely root causes

• DDQ template doesn’t reflect your actual outbound streams.
• Calendar reminders lapse; ownership for annual review unclear.
• Overreliance on marketing brochures rather than documented evidence.

Corrective actions

• Rework the DDQ to include: legal entity info, permits/licenses per stream, final process description, material flow map, facility photos, insurance, and contacts.
• Perform desk audits for top 5 highest-volume downstreams: gather missing docs, verify permit validity dates, and document risk scores.
• Temporarily suspend routing to any downstream lacking mandatory artifacts; identify alternates.

Preventive actions

• Annual review schedule with assigned owner; automated reminders 60/30/7 days before due.
• Post-incident re-evaluation trigger: any shipment complaint, nonconformity, or spill requires a DDQ refresh and risk rescore.
• Supplier scorecard with thresholds that auto-flag high risk.

Evidence

• Updated DDQ forms with attachments list.
• Annual review log and upcoming reminder plan.
• Risk scoring sheet with criteria and weighting.

Acceptance criteria

• 100% of active downstreams have current approval packets (dated within 12 months) that match your outbound streams and demonstrate legal authorization.

---

4) EHS controls: hazard assessments exist, but controls and training aren’t aligned

What auditors find

• Generic risk assessments written years ago; they don’t mention lithium batteries, toner dust, or noise exposure specific to your lines.
• PPE signage posted, yet training records don’t show task-specific PPE fit and use.
• Spill kits present, inspection logs missing or outdated.

Likely root causes

• Copy-paste assessments that never got localized.
• Training tracked by job title, not by task.
• No calendar for kit inspections or eyewash testing.

Corrective actions

• Update the Hazard Identification & Risk Assessment by process step (intake, demanufacturing, battery handling, shredding, packing). Add specific hazards and controls.
• Map each task to required PPE and training; issue task cards at workstations.
• Inspect and replenish spill kits; start a monthly inspection log.
• Conduct a drill (spill or fire) and document lessons learned.

Preventive actions

• Quarterly floor audit with an EHS checklist tied to the risk assessment.
• New-hire and job-change competency checks (not just attendance).
• Purchasing control: PPE or kit changes trigger SOP and training updates.

Evidence

• Revised risk assessment with sign-off date.
• Task cards, training matrix, and signed competency forms.
• Completed kit inspection logs and drill report.

Acceptance criteria

• Zero missing or expired EHS controls in a random walk-through; training matrix shows 100% of active operators with current task-specific training.

---

5) Testing, evaluation, and repair (reuse claims not evidenced)

What auditors find

• Units sold as “tested working,” but no test protocol or proof of test steps/criteria per device category.
• Repairs performed, but parts traceability and final quality check missing.
• Cosmetic grading inconsistent across technicians.

Likely root causes

• Test procedures live in people’s heads.
• Work orders don’t require attachment of test results or photos.
• No final QA gate before sale.

Corrective actions

• Create category-specific test sheets (e.g., laptops, desktops, monitors) with pass criteria, firmware/BIOS checks, and battery/cycle thresholds.
• Require a final QA sign-off on each work order before listing or shipment.
• Introduce a grading guide with photos and definitions for A/B/C; train staff.

Preventive actions

• Monthly QA sampling: pull 10 sold items, verify test sheets and grade accuracy.
• Calibration or version control for diagnostic tools.
• Separate “retest” lane for returned units.

Evidence

• Completed test sheets and work orders with QA sign-offs.
• Grading guide and training records.
• QA sampling log with results and actions.

Acceptance criteria

• For a sample of 20 sold units, 100% have complete test evidence; grading disputes under 2% over a quarter.

---

6) Document control & change management: people use the old version

What auditors find

• Multiple SOP versions on the floor; technicians follow an outdated instruction.
• Recent process change (e.g., new wipe profile) not documented or reviewed.
• Forms without revision numbers; difficult to verify they’re current.

Likely root causes

• Shared folders without permissions or archival rules.
• No “controlled copy” process for printed SOPs.
• Changes implemented informally and announced verbally.

Corrective actions

• Assign document owner per SOP. Add revision, effective date, and approval fields to the header.
• Implement controlled copies: stamped printouts with an expiry; remove/replace old prints during change rollout.
• Create a Change Control Log capturing reason, impacted docs, training required, and validation.

Preventive actions

• Quarterly document review calendar.
• Floor audit that checks version numbers against the master list.
• Rollout checklist: update docs, train, collect sign-offs, and pull obsolete copies.

Evidence

• Master document list with current revisions.
• Change Control Log entries and training sign-off sheets.
• Photos of controlled copies with issue stamps.

Acceptance criteria

• In a floor check of 10 stations, 0 obsolete documents present; all show current revision and effective date.

---

7) Incident/CAPA management: findings closed on paper, not in practice

What auditors find

• CAPA forms filled with generic “retrained staff” actions; no root cause analysis or effectiveness check.
• Repeat nonconformities across audits.
• Due dates keep slipping; ownership unclear.

Likely root causes

• CAPA template doesn’t force analysis.
• Teams avoid measuring outcomes (“did it work?”).
• Too many open CAPAs with no prioritization.

Corrective actions

• Use a 5-Whys + Containment/Correction/Corrective/Preventive CAPA form.
• Add effectiveness criteria before closing (e.g., error rate <1% for 60 days, verified via spot-checks).
• Limit WIP CAPAs; assign owner and due date; escalate overdue items weekly.

Preventive actions

• Monthly CAPA review meeting with metrics (opened, closed, repeat rates).
• Tie CAPA closure to evidence uploads and sign-off by someone independent of the process.
• Recognize teams that eliminate repeat issues; build a culture of prevention.

Evidence

• Completed CAPA forms with root cause analysis diagrams or notes.
• Effectiveness checks showing post-implementation performance.
• Meeting minutes and CAPA dashboard.

Acceptance criteria

• No repeat of the same nonconformity category in the next audit cycle; >90% CAPAs closed on time.

---

A simple, auditor-friendly CAPA template (copy/paste)

1. Nonconformity statement

• What requirement was not met?
• Where found (process, location, record)?
• Evidence observed (IDs, dates, samples)?

2. Immediate containment

• Action taken to protect data, safety, environment, and product today.

3. Correction

• Steps taken to fix the specific items found (rework, relabel, update records).

4. Root cause analysis

• 5 Whys summary or fishbone notes (People, Process, Tools, Materials, Environment).

5. Corrective action (stop recurrence)

• Specific procedural/technical changes, responsible person, due date.

6. Preventive action (stop similar risks)

• Broader systemic changes, training, audits, or controls.

7. Verification of implementation

• What evidence shows actions completed (files, photos, logs)?

8. Effectiveness check

• Metric, target, time window (e.g., 0 missed serials for 60 days; weekly sample of 20).

9. Approval & closure

• Reviewed by [name/title], date; next follow-up date.

---

Quick win checklist before your next audit

• Data sanitization: matrix posted, logs complete, weekly spot-checks done.
• Chain of custody: container IDs and state transitions recorded; 3 PO reconciliations on file.
• Downstream: 100% of active vendors have current approval packets; risk scores updated.
• EHS: task-based training current; spill kits inspected; drill in last 6 months.
• Testing & repair: category test sheets used; QA sign-offs present; grading guide trained.
• Document control: controlled copies only; change log current; obsolete docs removed.
• CAPA: template forces root cause and effectiveness; no overdue high-risk CAPAs.

---

Final notes

Auditors don’t expect perfection; they expect control. That means traceable records, clear ownership, and proof that your fixes work. If you use this playbook to structure your logs, training, DDQ packets, and CAPA forms, you’ll not only close today’s findings—you’ll reduce tomorrow’s risk.