ISO 13485 Audit Findings: Most Common Nonconformities by Clause and How to Prevent Them
The ISO 13485 clauses most cited in audit findings — root causes and corrective actions for document control, CAPA, design controls, suppliers, internal audits, and process validation.
Why Audit Findings Matter More Under QMSR
Since February 2, 2026, FDA inspections are conducted under the Quality Management System Regulation (QMSR), which incorporates ISO 13485:2016 by reference. FDA Form 483 observations and warning letters now cite failures in ISO 13485 clause language — for example, "failure to maintain calibration of measuring equipment as required by Clause 7.6" or "lack of documented risk management for software changes." This makes understanding the most common ISO 13485 audit findings directly relevant to both your certification body audits and your FDA inspection readiness.
Whether you are preparing for initial ISO 13485 certification, a surveillance audit, a recertification audit, or an FDA inspection under QMSR, the same clauses appear on auditors' radar over and over. This guide maps the most frequently cited nonconformities to their ISO 13485 clauses, explains why auditors flag them, and gives you specific corrective actions for each.
Where This Data Comes From
The nonconformity patterns described here are drawn from:
- BSI Group published data on the top 5 audit nonconformities raised during ISO 13485 certification and surveillance audits
- Perry Johnson Registrars analysis of Stage 1 readiness failures and Stage 2/surveillance nonconformities
- The FDA Group auditor trend report covering 33 audits across 5 countries (August–November 2025), including ISO 13485 medical device, GMP vendor qualification, and gap assessments
- Qualio and SimplerQMS published analysis of common ISO audit failure modes
- ClariMed year-end compliance checklist identifying the most frequent gaps in supplier controls, training, internal audits, and management review
- FDA QMSR inspection guidance (CP 7382.850, effective February 2, 2026), which replaced QSIT and now frames inspections in ISO 13485 terms
The clauses below are ranked approximately by frequency of citation, though the exact ranking varies by certification body and audit type.
Clause 4.2 — Document Control and Quality Manual
What Auditors Find
Document control remains one of the most frequently cited areas across every type of ISO 13485 audit. The issues fall into several categories:
Outdated or uncontrolled documents in use. SOPs, work instructions, and forms are found in active use without current approval status. Staff may be following an older revision that has been superseded but not removed from point-of-use locations. This directly violates Clause 4.2.4, which requires that documents remain legible, readily identifiable, and retrievable, and that only current versions are available at points of use.
Missing revision histories and inadequate change records. When documents are updated, the reasons for change are not documented, or the revision history is incomplete. Auditors trace a document through its lifecycle and find gaps where the rationale for a change cannot be explained.
Inconsistent document control between sites. For companies with multiple manufacturing or distribution sites, document control procedures exist at headquarters but are not uniformly implemented at satellite locations. This is especially common when companies acquire new facilities and have not yet integrated their document management systems.
Quality manual out of date. The quality manual does not reflect current organizational structure, scope of certification, or recent process changes. Some organizations treat the quality manual as a formality rather than a living document.
Why It Happens
Document control failures are often cultural rather than technical. Organizations may have a functional eQMS but lack the discipline to enforce it consistently. Common root causes include:
- No clear ownership of document control at each site or department
- Document review and approval workflows that are too slow, leading to workarounds
- Mergers, acquisitions, or site expansions that outpace document system integration
- Paper-based systems that do not have adequate version control or access controls
How to Prevent It
- Conduct a periodic document audit (quarterly or semi-annually) that samples documents from each department against the current approved document register
- Assign document owners for each procedure category and require annual review attestations
- For multi-site organizations, implement a single centralized eQMS with controlled access rather than maintaining separate systems
- Ensure the quality manual is reviewed during every management review cycle and updated to reflect organizational changes
- Train all employees on how to identify the current revision of a document and how to report suspected uncontrolled documents
Clause 7.3 — Design and Development (Design Controls)
What Auditors Find
Design control nonconformities are among the most serious findings because they can directly affect device safety. The most common issues include:
Incomplete Design History Files (now called Design and Development Files under QMSR). DHFs lack required elements such as approved design inputs, verification and validation protocols, documented design reviews with objective evidence of reviewer independence, or design transfer records. The DHF exists but is incomplete.
Design inputs that are vague or unmeasurable. Design inputs are written as general statements rather than specific, measurable requirements that can be verified. For example, "the device shall be easy to use" rather than "the device shall allow a trained user to complete the injection sequence in under 30 seconds with zero critical use errors, as demonstrated by usability validation testing per IEC 62366-1."
Design reviews without documented independence. Design reviews are conducted but the records do not demonstrate that an independent reviewer — someone who did not participate in the design activity under review — was present and provided input. ISO 13485 Clause 7.3.5 requires that design reviews include representatives of functions concerned with the design stage being reviewed, and records must demonstrate this.
Verification and validation protocols not aligned with inputs. There is a disconnect between what the design inputs specify and what the verification and validation testing actually evaluates. Traceability between inputs, outputs, verification, and validation is missing or incomplete.
Risk management files not updated after design changes. The initial risk management file may be thorough, but after design changes are implemented through multiple engineering change orders, the risk file has not been updated to reflect new or changed hazards. This is one of the most common findings specifically for software companies, where features change rapidly through iterative development.
Why It Happens
- Design control is treated as a documentation exercise rather than an engineering process
- Rapid development cycles, especially in software, outpace the design control documentation
- Teams lack a dedicated regulatory or quality engineer to maintain design control discipline
- Traceability matrices are built after the fact rather than maintained incrementally during development
How to Prevent It
- Maintain a living traceability matrix from design inputs through outputs, verification, and validation — update it with every design change
- Schedule design reviews at defined project milestones and document attendance, independence, and specific review items
- Update risk management files (ISO 14971) as part of the change control process for every design change
- Write design inputs as specific, measurable requirements that map directly to verification test methods
Clause 8.2.4 — Internal Audits
What Auditors Find
Internal audit nonconformities are a recurring theme because they represent the organization's self-monitoring mechanism. When the internal audit process is weak, other nonconformities tend to accumulate unchecked. The most common findings:
Incomplete audit records. Internal audit records are missing required elements: plans, checklists, evidence reviewed, findings with classification, the report, and corrective action tracking. Auditors select a completed internal audit and find the documentation incomplete.
Risk-based approach not applied to audit planning. The internal audit schedule is a fixed annual calendar that does not reflect changes in risk, previous audit findings, or the importance of the processes being audited. ISO 13485 Clause 8.2.4 requires that the audit program be planned taking into consideration the importance of the quality management system processes and the results of previous audits.
Untimely follow-up on corrective actions. Internal audits identify findings and initiate corrective actions, but there is no documented evidence of timely follow-up to verify that corrective actions were implemented and effective.
Internal auditors lacking competence or impartiality. Records do not demonstrate that internal auditors are trained and competent for the areas they audit. In some cases, auditors audit their own work without adequate independence safeguards.
Audit coverage not comprehensive. The internal audit program does not cover all QMS processes within the audit cycle. Certain clauses or processes are repeatedly deferred.
Why It Happens
- Internal auditing is assigned as a secondary responsibility without adequate time allocation
- The organization lacks sufficient trained internal auditors to maintain independence requirements
- Audit findings are tracked in spreadsheets or email rather than in a systematic CAPA or quality management system
- Management does not prioritize internal audit resource allocation
How to Prevent It
- Train a sufficient number of internal auditors (at least 3–4 for most organizations) to ensure independence and coverage
- Use a risk-based audit schedule that adjusts frequency based on process criticality, previous findings, and organizational changes
- Track all internal audit findings through the CAPA system with defined timelines for closure and effectiveness verification
- Document auditor competence records, including initial training and ongoing calibration activities
Clause 8.5.2 / 8.5.3 — Corrective and Preventive Action (CAPA)
What Auditors Find
CAPA is the single most common area cited in both ISO 13485 audits and FDA inspections. The issues:
CAPAs initiated without documented root cause analysis. Corrective actions are implemented to fix symptoms rather than underlying causes. The investigation record does not show a systematic root cause analysis methodology (such as 5 Whys, fishbone diagram, or fault tree analysis) was applied.
CAPA effectiveness not verified. Corrective actions are closed without documented evidence that the action was effective in preventing recurrence. The CAPA record shows the action was implemented but not whether it actually resolved the problem.
Repeat nonconformities for the same root cause. This is the consequence of the two previous findings: CAPAs are closed prematurely without root cause analysis or effectiveness verification, and the same problem recurs in the next audit cycle.
Hiding CAPAs from the QMS. Some management teams discourage documentation of nonconformities and corrective actions because they believe open CAPAs reflect poorly during audits. This is the fastest way to fail an ISO audit. An empty or underutilized CAPA system is a red flag that tells auditors the quality management system is not being used as intended.
Preventive actions not documented. Organizations focus on corrective actions after problems occur but do not proactively identify and address potential problems before they result in nonconformities. ISO 13485 Clause 8.5.3 requires documented preventive action, yet preventive action processes are often much weaker than the corresponding corrective action processes.
Why It Happens
- Cultural resistance to documenting problems, driven by fear that CAPAs will be viewed negatively
- Inadequate root cause analysis training — teams default to surface-level explanations
- No defined process for CAPA effectiveness verification
- Leadership does not allocate time and resources for thorough investigations
How to Prevent It
- Train all quality and engineering personnel in at least two root cause analysis methodologies
- Require documented effectiveness verification (with evidence) before closing any CAPA
- Track CAPA metrics (time to closure, effectiveness verification rate, recurrence rate) and review them in management review
- Build a quality culture where CAPAs are viewed as improvement opportunities, not failures — auditors expect to see an active CAPA system
Clause 7.4 — Purchasing and Supplier Controls
What Auditors Find
Supplier control deficiencies are increasing in frequency, partly because supply chain complexity has grown and partly because QMSR makes supplier-related records more inspectable. Common findings:
Approved supplier list (ASL) outdated or incomplete. The ASL does not include all critical suppliers, or evaluations are overdue based on the organization's own procedures. Evaluation criteria are applied inconsistently.
Supplier evaluations lacking documented approval or re-evaluation. Initial supplier qualification may be documented, but periodic re-evaluations are missing or not documented according to the defined intervals in the organization's procedures.
No traceable link between supplier nonconformities and requalification decisions. When supplier-related quality issues occur, there is no documented process for triggering a supplier re-evaluation or audit. The CAPA system addresses the immediate issue but does not feed back into supplier oversight.
Quality agreements missing or inadequate for critical suppliers. Critical suppliers — including contract manufacturers, sterilization providers, testing laboratories, and software developers — do not have quality agreements that define responsibilities, change notification requirements, and right-to-audit provisions.
Purchasing data incomplete. Purchase orders or specifications do not adequately describe the product or service being ordered, making it difficult to verify conformity upon receipt.
Why It Happens
- Supplier management is split across purchasing, quality, and engineering without clear ownership
- The organization has more suppliers than it can effectively manage with existing resources
- Legacy suppliers were grandfathered into the ASL without formal qualification
- Rapid growth or outsourcing increased the supplier base faster than the oversight system could scale
How to Prevent It
- Classify suppliers by risk (critical, significant, routine) and apply proportionate controls
- Maintain a master supplier register with evaluation dates, re-evaluation intervals, and current status
- Execute quality agreements with all critical suppliers that include change notification, right-to-audit, and complaint handling requirements
- Link supplier performance data (incoming inspection results, complaint data, delivery performance) to periodic re-evaluation decisions
Clause 6.2 — Personnel and Training
What Auditors Find
Training record deficiencies are a persistent finding that crosses every type of audit. The specific issues:
Training records do not demonstrate competency on current procedures. Personnel files show training was conducted, but not on the current revision of the procedure. This is especially common when procedures are updated frequently but retraining is not triggered automatically.
Training effectiveness not evaluated. Training records show that training occurred (attendance, completion date) but do not demonstrate that the training was effective. ISO 13485 Clause 6.2 requires organizations to determine the necessary competence of personnel and ensure training effectiveness.
Missing training for new or transferred employees. New hires or employees transferred to new roles are performing work affecting product quality before their training is complete and documented. In one documented case from 2025, a developer contributed for eight months without a training record for the CAPA procedure or design review process.
On-the-job training not documented. Much of the practical training in manufacturing environments happens on the job, but it is not formally recorded, leaving no evidence that the employee was competent at the time they performed the task.
Why It Happens
- Training is tracked in HR systems disconnected from the quality management system
- Procedure updates do not automatically trigger retraining requirements
- Organizations rely on informal knowledge transfer without documentation
- Hiring and onboarding timelines pressure teams to put people to work before training is complete
How to Prevent It
- Link the training management system to document control so that procedure revisions automatically flag affected personnel for retraining
- Define competency criteria for each role and document how competency is assessed (written test, practical demonstration, supervisor attestation)
- Include a training completeness check in the onboarding process before granting system access or work assignments
- Audit training records as a specific line item in every internal audit cycle
Clause 7.1 — Product Realization and Risk Management
What Auditors Find
Risk management integration across product realization is a growing area of focus, especially under QMSR:
Risk management files not updated after design or process changes. The risk management file was complete at initial launch, but subsequent changes — new materials, modified processes, software updates — did not trigger risk file updates.
Risk management not applied to outsourcing decisions. Suppliers and contract service providers are selected and managed without a documented risk assessment that considers the impact on device safety and performance.
Incomplete traceability between hazards, controls, and residual risk. The risk management file does not maintain clear traceability from identified hazards through implemented risk controls to residual risk acceptance. Auditors follow a hazard through the file and find gaps in the chain.
Software risk management disconnected from product risk management. For devices with embedded software, the software risk analysis (per IEC 62304 and ISO 14971) is maintained separately from the overall device risk management file, creating inconsistencies.
Why It Happens
- Risk management is treated as a one-time deliverable rather than a living process
- Change control processes do not include a mandatory risk management review step
- Software development teams work independently from the hardware/mechanical teams without integrated risk management
How to Prevent It
- Make risk management file review a mandatory gate in every change control process
- Maintain a single integrated risk management file for each device that covers hardware, software, and usability
- Conduct periodic risk management reviews (at least annually) even when no changes have occurred, to reassess residual risk in light of post-market surveillance data
Clause 7.5 — Production and Service Provision
What Auditors Find
Production control findings are especially common during Stage 2 initial certification audits and during FDA inspections:
Incomplete or insufficient batch records. Production records are missing required entries, have blank fields, or lack traceability to the individuals who performed specific operations. Batch records that do not demonstrate conformity to specification are a common Stage 2 finding.
Inadequate monitoring and measurement during manufacturing. The process does not include sufficient in-process checks to verify conformity at defined stages. Acceptance criteria are not defined or are not aligned with design specifications.
Equipment qualification records incomplete. Manufacturing equipment, tooling, and test equipment lack installation qualification (IQ), operational qualification (OQ), or performance qualification (PQ) records. Equipment identification tags are missing, or equipment is found in use without current calibration status.
Infrastructure qualification gaps. Manufacturing environments (cleanrooms, controlled temperature/humidity areas) lack qualification records or environmental monitoring data.
Why It Happens
- Production records are paper-based and prone to incomplete entries
- Process validation was performed once during initial setup but not maintained after changes
- Equipment calibration schedules are tracked manually and fall behind
- Manufacturing was scaled up faster than the quality system could document
How to Prevent It
- Implement electronic batch records with mandatory field completion before advancement
- Maintain equipment calibration and qualification schedules in the quality management system with automated alerts
- Define acceptance criteria for every in-process check and ensure they align with design specifications
- Conduct environmental monitoring according to documented procedures and retain records for the required retention period
Clause 7.6 — Control of Monitoring and Measuring Equipment
What Auditors Find
This clause intersects with production controls but is cited independently:
Equipment used without current calibration. Measuring and test equipment is found in production or inspection use with expired calibration status. The calibration due date has passed but the equipment was not removed from service.
Calibration records do not include measurement traceability. Calibration certificates from external laboratories do not demonstrate traceability to national or international standards (such as NIST), or internal calibration records do not document the standards used.
Out-of-tolerance findings not investigated. When equipment is found to be out of tolerance during calibration, the finding is not escalated through the CAPA system to assess impact on previously released product.
No records of calibration for software-based measurement tools. Software used for measurement, analysis, or acceptance decisions is not included in the calibration and validation program.
Why It Happens
- Calibration management is manual (spreadsheets, wall charts) rather than systematized
- The organization does not have a clear policy on what constitutes "monitoring and measuring equipment" and misses software-based tools
- Out-of-tolerance investigations are not built into the calibration workflow
How to Prevent It
- Maintain a calibrated equipment register in the QMS with automatic due date alerts
- Ensure all calibration certificates include traceability to national or international standards
- Define a procedure for out-of-tolerance investigations that includes impact assessment on released product and CAPA initiation when warranted
- Include software measurement tools in the calibration/validation inventory
Clause 5.6 — Management Review
What Auditors Find
Management review is the mechanism by which top management ensures the QMS remains suitable, adequate, and effective. Common findings:
Reviews not conducted at planned intervals. Management reviews are deferred, combined with other meetings without adequate documentation, or skipped entirely during busy periods.
Required inputs missing. The management review does not address all required inputs specified in Clause 5.6.1, such as audit results, customer feedback, process performance and product conformity, status of corrective and preventive actions, follow-up from previous management reviews, changes that could affect the quality management system, and recommendations for improvement.
Outputs not documented or not actionable. Management review decisions and actions are not documented, or the documented outputs are vague ("continue monitoring") rather than specific, with defined responsibilities and timelines.
Quality objectives not reviewed. Objectives were set at the beginning of the year but never formally reviewed against actual performance, and there is no documented assessment of whether they were achieved.
Why It Happens
- Management views review as a compliance exercise rather than a genuine business improvement tool
- Reviews are conducted informally without structured agendas or documentation
- Quality teams do not adequately prepare data packages that make the review meaningful
How to Prevent It
- Schedule management reviews on the corporate calendar at defined intervals (at least annually, quarterly recommended)
- Prepare a structured agenda that covers all required inputs from Clause 5.6.1
- Document specific decisions, actions, resource allocations, and timelines as outputs
- Track management review action items through the CAPA or quality system with status updates at subsequent reviews
Clause 7.5.6 — Validation of Processes for Production and Service Provision
What Auditors Find
Process validation nonconformities are particularly common for manufacturing processes whose results cannot be fully verified by subsequent monitoring or measurement:
Records of process validation not maintained. IQ/OQ/PQ records are incomplete, or the validation was performed during initial setup but never updated after process changes. This is one of BSI's top five most cited nonconformities.
Re-validation process not defined. There is no documented procedure for when and how re-validation is triggered. Process changes, equipment changes, and material changes occur without re-validation.
Statistical techniques or sample size rationales not defined. Validation activities do not include a documented justification for the sample sizes used, the acceptance criteria, or the statistical methods applied.
Equipment qualification records missing. New equipment is brought into production without installation qualification (IQ) or operational qualification (OQ) records.
Software used in production not validated. Manufacturing execution systems (MES), automated test software, or other production software are not included in the software validation program.
Why It Happens
- Process validation is treated as a one-time event rather than a lifecycle activity
- The organization does not have clear criteria for when re-validation is required
- Validation was performed by personnel who have since left, and the institutional knowledge was lost
- The link between change control and process validation is not formalized
How to Prevent It
- Maintain a master validation index that lists every validated process, the equipment involved, the date of last validation, and the triggers for re-validation
- Include a re-validation assessment as a mandatory step in every change control for manufacturing processes, equipment, or materials
- Document statistical rationales for sample sizes and acceptance criteria
- Include production software in the validation inventory and re-validate when software is updated
Preparing for Your Next Audit
The patterns described above are not theoretical — they are the issues auditors find in real certification, surveillance, and regulatory inspections. To prepare effectively:
Conduct a clause-by-clause self-assessment using the specific findings listed above as a checklist. For each clause, honestly evaluate whether your organization has documented, implemented, and maintained the required controls.
Review your internal audit program to ensure it covers all the clauses listed above with adequate depth. If your internal audits are not finding these issues, either your QMS is exceptionally well-run or your internal audit program needs strengthening.
Address the root causes, not just the symptoms. Many organizations fix individual findings (update a document, close a CAPA) without addressing the systemic issue that caused the finding (inadequate change control process, insufficient training, cultural resistance to documentation).
Align with QMSR expectations. Since February 2026, FDA inspections use ISO 13485 as the framework. Your QMS should be auditable against ISO 13485 clauses regardless of whether your certification body or the FDA is conducting the inspection.
Track trends over time. The most effective quality organizations maintain a database of findings (internal, external, and regulatory) and analyze trends by clause, process, and root cause to identify systemic weaknesses before auditors do.
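As an added example of the clause-by-clause self-assessment described above (this code is not from the article or from any of the sources it cites), the checker below runs three of the record-level checks the guide calls for over constructed sample QMS records: training recorded against a superseded revision or missing for a required procedure (Clause 6.2), measuring equipment still in service past its calibration due date (Clause 7.6), and CAPAs closed without a documented root cause or effectiveness verification (Clause 8.5.2). All document numbers, asset tags, employee ids and CAPA ids are made up.

```python
"""Added self-assessment checker (not the article's code): flags three of the
nonconformities the guide describes, using small constructed QMS records."""
from dataclasses import dataclass
from datetime import date

# Constructed sample data; every identifier below is hypothetical.
DOCUMENT_REGISTER = {"SOP-QA-004": "C", "SOP-ENG-011": "B", "WI-PRD-020": "A"}

# Procedures each employee must be trained on for their role (constructed).
REQUIRED_TRAINING = {
    "E101": ["SOP-QA-004"],
    "E102": ["SOP-QA-004", "SOP-ENG-011"],
    "E103": ["WI-PRD-020"],
    "E104": ["SOP-QA-004"],  # new hire with no training record at all
}

TRAINING_RECORDS = [
    {"employee": "E101", "doc": "SOP-QA-004", "rev": "C"},
    {"employee": "E102", "doc": "SOP-QA-004", "rev": "B"},  # superseded revision
    {"employee": "E102", "doc": "SOP-ENG-011", "rev": "B"},
    {"employee": "E103", "doc": "WI-PRD-020", "rev": "A"},
]

CALIBRATION_REGISTER = [
    {"asset": "CAL-0001", "status": "in_service", "due": date(2026, 3, 15)},
    {"asset": "CAL-0002", "status": "in_service", "due": date(2025, 12, 1)},  # overdue
    {"asset": "CAL-0003", "status": "quarantined", "due": date(2025, 11, 1)},  # removed
]

CAPA_RECORDS = [
    {"id": "CAPA-2025-01", "status": "closed", "root_cause": "5 Whys",
     "effectiveness": "3 subsequent lots reinspected, 0 recurrences"},
    {"id": "CAPA-2025-02", "status": "closed", "root_cause": "fishbone", "effectiveness": ""},
    {"id": "CAPA-2025-03", "status": "open", "root_cause": "", "effectiveness": ""},
]


@dataclass
class Finding:
    clause: str
    record: str
    detail: str


def check_training(register, required, records):
    """Clause 6.2: each required procedure must have a training record on the
    revision currently listed in the document register."""
    findings = []
    trained = {(r["employee"], r["doc"]): r["rev"] for r in records}
    for emp, docs in required.items():
        for doc in docs:
            current = register[doc]
            rev = trained.get((emp, doc))
            if rev is None:
                findings.append(Finding("6.2", emp, f"no training record for {doc}"))
            elif rev != current:
                findings.append(Finding("6.2", emp,
                                        f"{doc} trained on rev {rev}, current rev {current}"))
    return findings


def check_calibration(register, today):
    """Clause 7.6: equipment past its due date is only acceptable if it has been
    taken out of service; anything still 'in_service' is a finding."""
    return [Finding("7.6", e["asset"], f'in service, calibration due {e["due"].isoformat()}')
            for e in register if e["status"] == "in_service" and e["due"] < today]


def check_capa(records):
    """Clause 8.5.2: a closed CAPA needs a documented root cause method and
    recorded effectiveness evidence; open CAPAs are not assessed here."""
    findings = []
    for c in records:
        if c["status"] != "closed":
            continue
        if not c["root_cause"]:
            findings.append(Finding("8.5.2", c["id"], "closed without root cause analysis"))
        if not c["effectiveness"]:
            findings.append(Finding("8.5.2", c["id"], "closed without effectiveness verification"))
    return findings


def self_assess(today=date(2026, 2, 2)):
    """Run all checks over the sample records and return the findings in clause order."""
    findings = check_training(DOCUMENT_REGISTER, REQUIRED_TRAINING, TRAINING_RECORDS)
    findings += check_calibration(CALIBRATION_REGISTER, today)
    findings += check_capa(CAPA_RECORDS)
    return findings


if __name__ == "__main__":
    for f in self_assess():
        print(f"Clause {f.clause}: {f.record}: {f.detail}")
```

Replacing the constructed dictionaries with exports from an eQMS, training system and calibration register turns this into a periodic pre-audit check; the sample data produces four findings (two for Clause 6.2, one each for 7.6 and 8.5.2).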
Sources
- BSI Group, "Top 5 Audit Non-Conformities Raised by BSI — ISO 13485"
- Perry Johnson Registrars, "Most Common Nonconformities Written During ISO 13485 Audits" (webinar analysis)
- The FDA Group, "What Our Auditors Are Finding Lately: 10 Trends Across GMP, GCP, ISO, and GDP Audits (H2 2025)"
- Qualio, "8 Ways to Fail an ISO Audit in 2026"
- SimplerQMS, "ISO 13485 Audits: Definition, Types, Process, and How to Prepare"
- ClariMed, "ISO 13485 Year-End Checklist 2025"
- FDA, Compliance Program 7382.850, "Inspection of Medical Device Manufacturers" (effective February 2, 2026)
- Momentum, "ISO 13485 Internal Audit Checklist for Software Companies" (March 2026)
- Advena Medical / BSI, "Top 5 Audit Non-Conformities Raised by BSI — ISO 13485"