When writing a nonconformity as part of the audit, it must contain at least these elements:
1) The situation observed: what the auditor has seen that characterizes a nonconformity
2) The requirement that is not fulfilled: an internal rule, policy, procedure, or clause of the standard not being observed
3) The evidence: any record, personal observation, or verbal statement that can be fully verified

Examples:
An example of nonconformity would be: "Assets are not being returned as defined in the approved IT Security Policy, compromising the fulfillment of implementation of control A.5.10 Acceptable use of information and other associated assets. Objective evidence: Three laptops in possession of terminated employees were not returned to the IT department. They remain with the former employees' managers."