The most valuable though singularly non-helpful piece of advice: what works for you (in getting a view on what parts of your system to focus on to get the non-conformities resolved and prevent critical mishaps from occurring).
Don't be persuaded by major or minor from external audits. They are followed up because they are external, not because they are graded.
Don't be persuaded by a clause-based, clause-recurrence-based, point-calculation system like MDSAP's (though I do like the "did non-conforming (unsafe) product make it uncontrolled to the field" modifier; it's something you can get management to care about without the need to)
Find out what management regards as important (and whether they are sufficiently primed on what they must regard as important due to regulations) and 'grade' on those. Some care way less about what are technically non-conformities but do not see it as something that needs to be fixed right now/by the system, and slapping a thou-shalt flag on it will not get you what you need until the externals step in, by which time usually the value has gone. On the other end some detest the heavy labels of major, or critical or some such, because they don't base priority on that but know that the externals will and hate you for drawing (in their eyes) undue attention to it.
Simple questions to management:
Do you want me to assure a minimum level of certification audit NCs, warn you of major effort to avert certification dangers, or only when the complete loss of certification is at stake? (Some happily do the annual merry-go-round of remediation, the same old over and over).
Do you want to know whether actual NC product has left the facility, whether there was a chance actual NC product could have left, or whether you are at risk of NC product being made that might escape? (Some only care about actual fall-out, some only about when the issue turns 'real' and some actually in preventing it by design)
Do you care only about risks now, or risks in the near (6-month) or far (2-year) horizon? (we'll cross that bridge when we get there vs I want it to be done before it starts)
Do you care about any single mishap, a trend, or a repeating trend? (sometimes they know about issues, but will accept the minor details and will get tired of needing to justify the acceptance as-is again and again)
etc.
You'll find that typically (though acknowledging not always) management is somewhat myopic, and you'll be expected to report on risks that have or could materialize within a few months. They'll want evidence of mishaps, not suspicions, or they will side with the people they work with daily and rely on for the revenue stream. They'll care about certification in so far as it impacts the ability to distribute/sell/service.
Yet if you are a professional auditor, you have a duty towards honesty and hiding away matters is not part of that. Making a grounded allegation is, and if the grounds are not enough you might be able to mention it, but state you did not have enough evidence to concretely state this. It is perhaps good to get that given focus down in a charter or policy, so the auditor can build on and defend with evidence why they did or did not record something as an NC.
(Note: I abhor the thinking and wouldn't like to run a company where such matters do not get registered at all, but can accept rationalizing based on risk)