ISO 13485 Internal Audit Guide for Medical Device Manufacturers: Checklist, Process, and Best Practices
Complete guide to ISO 13485 internal audits — Clause 8.2.4 requirements, audit planning, checklist by clause, auditor qualifications, nonconformity classification, CAPA integration, and preparation tips for certification audits.
What Is an ISO 13485 Internal Audit?
An ISO 13485 internal audit is a systematic, independent, and documented process for evaluating whether an organization's quality management system (QMS) conforms to the requirements of ISO 13485:2016, the organization's own quality policies and procedures, and applicable regulatory requirements. Internal audits are mandatory under Clause 8.2.4 of ISO 13485:2016.
Internal audits are one of the most important tools a medical device manufacturer has for maintaining QMS effectiveness. They serve as the organization's early warning system — identifying gaps, nonconformities, and improvement opportunities before they affect product quality or patient safety. They also provide critical input to management review and demonstrate due diligence to external auditors (Notified Bodies, FDA inspectors, MDSAP auditors).
Unlike external audits conducted by certification bodies or regulatory authorities, internal audits are self-initiated and self-managed. The organization defines the audit schedule, selects the auditors, determines the scope, and manages follow-up actions. This autonomy makes internal audits both a powerful compliance tool and a potential liability — if done poorly, they create a false sense of security.
ISO 13485 Clause 8.2.4 Requirements
ISO 13485:2016 Clause 8.2.4 establishes the following requirements for internal audits:
The organization shall conduct internal audits at planned intervals to determine whether the quality management system: a) conforms to the requirements of this International Standard and to the quality management system requirements established by the organization, and b) is effectively implemented and maintained.
Key Mandatory Elements
- Planned intervals — Audits must be scheduled in advance and conducted at defined frequencies, not ad hoc
- Audit program — A documented program that considers the status and importance of processes, areas to be audited, and results of previous audits
- Documented procedures — Written procedures defining audit criteria, scope, frequency, methods, and responsibilities
- Competent auditors — Auditors must be trained and shall not audit their own work (independence requirement)
- Non-biased audit — Selection of auditors and conduct of audits shall ensure objectivity and impartiality
- Records — Audit records and results must be maintained
- Corrective action — Management must ensure corrective actions are taken without undue delay to eliminate detected nonconformities and their causes
- Follow-up activities — Verification of corrective action implementation and reporting of verification results
Relationship to Other Standards
- FDA QMSR (21 CFR Part 820) — Since February 2, 2026, the FDA's Quality Management System Regulation incorporates ISO 13485:2016 by reference, making internal audits a direct FDA requirement
- EU MDR/IVDR — Article 10(9) requires manufacturers to have a QMS that includes "reporting to management of the results of audits" (which implicitly requires internal audits)
- MDSAP — The Medical Device Single Audit Program includes specific requirements for internal audit programs, including adequate coverage of the regulatory requirements of every MDSAP-participating country
Internal Audit vs External Audit
| Aspect | Internal Audit | External Audit (Certification) | Regulatory Inspection (FDA/MDSAP) |
|---|---|---|---|
| Who conducts | Organization's own trained auditors | Third-party certification body | Regulatory authority (FDA, TGA, etc.) |
| Purpose | Verify QMS conformity and effectiveness | Assess conformity for certification/registration | Assess compliance with regulatory requirements |
| Frequency | Planned intervals (typically annual) | Annual surveillance, triennial recertification | Risk-based, may be unannounced |
| Scope | Defined by internal program | Defined by certification scope | Defined by inspector |
| Output | Internal audit report, CAPA actions | Audit report, certificate decision | Inspection report, potential enforcement action |
| Independence | Must not audit own work | Fully independent | Fully independent |
| Findings | Internal nonconformities | Certification nonconformities | FDA Form 483 observations, Warning Letters |
Auditor Qualifications
Who Can Be an Internal Auditor?
ISO 13485 does not prescribe specific credentials for internal auditors, but it requires them to be competent. This means:
- Training — Auditors must be trained in ISO 13485 requirements, audit principles, and audit techniques (planning, evidence gathering, interviewing, reporting)
- Understanding of the standard — Auditors must know the requirements they are auditing against
- Familiarity with the organization's QMS — Auditors must understand the processes, procedures, and regulatory requirements applicable to the areas they audit
- Independence — Auditors shall not audit their own work. A person who designed a process cannot audit that process. Auditors auditing their own work is one of the most commonly cited findings in certification audits
Training Approaches
- Lead Auditor training — A formal 5-day ISO 13485 Lead Auditor course provides comprehensive training
- Internal Auditor training — Shorter courses (2-3 days) focused on internal audit techniques
- On-the-job training — Supervised audit participation with experienced auditors
- Continuing education — Regular updates on standard revisions, regulatory changes, and audit methodology
Building an Audit Team
Most organizations maintain a pool of 3-5 internal auditors drawn from different departments (quality, engineering, manufacturing, regulatory). This provides:
- Coverage for all QMS processes
- Built-in independence (auditors from one area audit another area)
- Scheduling flexibility
- Cross-functional knowledge transfer
Audit Planning
Annual Audit Schedule
ISO 13485 requires audits at "planned intervals." Best practice is to develop an annual audit schedule that covers all QMS processes within a 12-month period. The schedule should consider:
- Process risk — Higher-risk processes are audited more frequently
- Previous audit results — Areas with prior nonconformities receive follow-up attention
- Regulatory priority — Processes subject to regulatory scrutiny (complaint handling, CAPA, design controls) should be prioritized
- Organizational changes — New processes, relocated operations, or personnel changes may trigger additional audits
- Certification schedule — Align internal audits before external surveillance or recertification audits
Risk-Based Audit Approach
A risk-based audit program allocates more resources to processes where:
- The potential impact on product quality or patient safety is highest
- Historical nonconformity rates are elevated
- Significant changes have occurred
- Regulatory requirements are most demanding
Sampling Strategy
Auditors cannot review every record or observe every process. A sampling strategy must be defined:
- Statistical sampling — For high-volume records (e.g., DHR review), use a defined sample size
- Judgmental sampling — For targeted investigations, select specific records based on risk indicators
- Time-based sampling — Review records spanning a defined period to assess consistency
Complete Audit Checklist by ISO 13485 Clause
Clause 4: Quality Management System
| Audit Question | Evidence to Review |
|---|---|
| Is the QMS scope documented and appropriate? | Quality manual, scope statement |
| Are required documents and records established and maintained? | Document master list, record retention policy |
| Is the quality manual maintained and available? | Quality manual content vs. ISO 13485 requirements |
| Are document control procedures followed? | Document change records, approval records, obsolete document control |
| Are medical device files established for each device type? | Medical device file contents per Clause 4.2.3 |
Clause 5: Management Responsibility
| Audit Question | Evidence to Review |
|---|---|
| Has top management defined and communicated a quality policy? | Quality policy document, communication records |
| Are quality objectives established and measurable? | Quality objectives, progress tracking |
| Is the QMS planning adequate? | QMS planning records, risk-based approach |
| Are responsibilities and authorities defined? | Organizational chart, job descriptions |
| Is management review conducted at planned intervals? | Management review minutes, input/output records |
| Are adequate resources provided? | Budget allocations, staffing plans, training records |
Clause 6: Resource Management
| Audit Question | Evidence to Review |
|---|---|
| Are competence requirements defined for each role? | Competence matrix, job descriptions |
| Is training provided and effectiveness evaluated? | Training records, competence assessment records |
| Is infrastructure adequate for product realization? | Facility records, equipment maintenance logs |
| Are work environment controls appropriate? | Environmental monitoring records, cleanroom certifications |
Clause 7: Product Realization
| Audit Question | Evidence to Review |
|---|---|
| Is product realization planning documented? | Quality plans, project plans |
| Are customer requirements determined and reviewed? | Contract review records, requirements specifications |
| Are design and development controls implemented? | Design plans, inputs, outputs, reviews, verification, validation, transfer records |
| Are design changes controlled? | Design change records, change impact assessments |
| Is purchasing controlled? | Approved supplier list, supplier evaluations, incoming inspection records |
| Are production and service provision controlled? | Production procedures, process validation records, work instructions |
| Are measurement and monitoring devices controlled? | Calibration records, measurement system analysis |
Clause 8: Measurement, Analysis, Improvement
| Audit Question | Evidence to Review |
|---|---|
| Are customer feedback and complaint procedures implemented? | Complaint files, complaint trending, evaluation for MDR reportability |
| Is the internal audit program implemented per Clause 8.2.4? | Audit schedule, audit reports, CAPA records |
| Are nonconforming products identified and controlled? | Nonconformance records, disposition decisions |
| Is data analysis performed? | Trend analyses, statistical reports |
| Is the corrective action process effective? | CAPA records, root cause analysis, effectiveness verification |
| Is the preventive action process implemented? | Preventive action records, risk analysis updates |
| Is continual improvement demonstrated? | Improvement project records, management review outputs |
Audit Execution
Opening Meeting
A brief meeting with the auditee's management to:
- Confirm the audit scope and objectives
- Review the audit schedule
- Clarify roles and logistics
- Confirm communication methods
Evidence Collection Methods
- Document review — Examining procedures, records, forms, reports
- Interviews — Talking with process owners and operators to verify understanding and implementation
- Observation — Watching processes being performed, verifying work environment conditions
- Record sampling — Selecting and reviewing representative records
Closing Meeting
A meeting with auditee management to:
- Present audit findings
- Classify nonconformities
- Discuss observations and improvement opportunities
- Agree on corrective action timelines
- Clarify any misunderstandings
Nonconformity Classification
Major Nonconformity
A major nonconformity is a significant breakdown in the QMS that could affect product quality or patient safety. Characteristics:
- A total breakdown of a system element
- Multiple minor nonconformities in the same area indicating a systemic failure
- A failure to address a previously identified nonconformity
- Non-compliance with a regulatory requirement that directly impacts product safety
Example: No complaint handling procedure exists, despite ISO 13485 Clause 8.2.2 and MDR Article 10(4) requiring one.
Minor Nonconformity
A minor nonconformity is a single observed lapse in meeting a requirement that does not represent a systemic failure:
- An isolated failure to follow a procedure
- An incomplete record
- A minor documentation error
Example: One DHR was missing the final inspection signature, but all other DHRs in the sample were complete.
Observation / Opportunity for Improvement (OFI)
An observation is not a nonconformity but an area where improvement is possible:
- A process that works but could be more efficient
- A procedure that is compliant but could be clearer
- An area where industry best practices could be adopted
Audit Report
The audit report should include:
- Audit identification — Date, auditors, auditee, scope
- Audit criteria — ISO 13485 clauses, internal procedures, regulatory requirements
- Executive summary — Key findings, overall assessment
- Detailed findings — Each nonconformity with:
  - Requirement reference (ISO clause or procedure section)
  - Description of the finding
  - Objective evidence reviewed
  - Classification (major, minor, observation)
- Positive findings — Areas of good practice (important for a balanced report)
- Corrective action requirements — Required actions, responsible persons, deadlines
- Distribution list — Who receives the report
CAPA Integration
Internal audit findings must feed into the corrective action process:
- Nonconformity documented in the audit report
- Root cause analysis performed for each nonconformity
- Corrective action plan developed with specific actions, owners, and deadlines
- Implementation of corrective actions
- Effectiveness verification — Follow-up audit or review to confirm the action addressed the root cause
- Closure — Document that the CAPA was effective and close the finding
Common finding: Organizations implement corrections (fixing the specific instance) without addressing the root cause. Auditors look for evidence that the underlying system issue was resolved, not just the symptom.
Management Review Connection
Internal audit results are a mandatory input to management review (ISO 13485 Clause 5.6.2). The management review must consider:
- Summary of internal audit findings
- Status of corrective actions from previous audits
- Trends in nonconformities over time
- Effectiveness of the audit program itself
- Recommendations for QMS improvements
Common Audit Findings
Based on industry data and certification body reports, these are the most frequently cited nonconformities:
- Clause 8.2.4 (Internal audit) — Inadequate audit coverage, auditors auditing their own work, failure to verify corrective action effectiveness
- Clause 8.5.2 (Corrective action) — Incomplete root cause analysis, failure to verify effectiveness, untimely closures
- Clause 7.5.1 (Production control) — Inadequate process validation, incomplete work instructions, failure to control special processes
- Clause 7.3 (Design and development) — Incomplete design inputs, inadequate design verification/validation, poor design change control
- Clause 4.2 (Documentation) — Inadequate document control, outdated procedures, missing records
- Clause 8.2.2 (Complaint handling) — Failure to evaluate all complaints, inadequate investigation, missing complaint-to-MDR triage
- Clause 7.4 (Purchasing) — Inadequate supplier evaluation, missing supplier agreements, incomplete incoming inspection
Tips for Certification Audit Preparation
- Complete all open CAPAs — Certification auditors will check whether previous audit findings have been effectively closed
- Conduct a pre-certification mock audit — Simulate the external audit to identify gaps
- Ensure all records are current — Update training records, calibration logs, and document approvals
- Prepare employees — Ensure staff understand the QMS, their roles, and how to answer auditor questions
- Review previous findings — Address any recurring issues before the external audit
- Update the audit schedule — Demonstrate the internal audit program is on track
- Organize evidence — Have documents, records, and evidence readily accessible for the auditor
Frequently Asked Questions
How often must internal audits be conducted?
ISO 13485 requires audits at "planned intervals." The standard does not specify a frequency, but best practice is to cover all QMS processes at least annually. Higher-risk processes may be audited more frequently.
Can an internal auditor audit their own department?
No. ISO 13485 Clause 8.2.4 requires that auditors shall not audit their own work. A person from quality engineering cannot audit the quality engineering function. Cross-departmental auditing or using external resources resolves this.
What qualifications do internal auditors need?
ISO 13485 does not prescribe specific qualifications but requires auditors to be competent. This typically includes training in ISO 13485 requirements, audit methodology, and the organization's QMS processes.
How are internal audits different from management review?
Internal audits evaluate whether QMS processes conform to requirements and are effectively implemented. Management review evaluates the overall suitability, adequacy, and effectiveness of the QMS. Internal audit results are an input to management review.
Do we need to audit all ISO 13485 clauses every year?
You need to cover all applicable QMS processes within your audit cycle. For most organizations, this means all clauses annually. However, you can prioritize higher-risk areas for more frequent audits and lower-risk areas for less frequent coverage.
What is the difference between a major and minor nonconformity?
A major nonconformity represents a significant breakdown or systemic failure. A minor nonconformity is an isolated lapse that does not indicate a broader system failure. Certification bodies treat them differently — major nonconformities must be resolved before certification can be granted.
Must internal audit records be available to FDA inspectors?
Yes. Under the FDA's QMSR (effective February 2, 2026), which incorporates ISO 13485 by reference, internal audit records are part of the QMS and must be available for FDA inspection. However, FDA has stated it will not routinely request internal audit records during inspections, consistent with its historical approach.
Important QMSR Change: Under the legacy QSR, internal audit results were considered confidential and not subject to FDA review during inspections. Under the QMSR (effective February 2, 2026), this confidentiality protection no longer applies — internal audit records and management review records are now subject to FDA inspection. Organizations should ensure their internal audit findings are well-documented and that CAPAs arising from audits are properly closed before any FDA inspection.
How do internal audits relate to MDSAP?
MDSAP audits cover regulatory requirements from five countries (US, Canada, Brazil, Japan, Australia). Your internal audit program must also cover the specific regulatory requirements of each MDSAP-participating country, not just ISO 13485.
Can we use external consultants as internal auditors?
Yes, as long as they are competent and independent from the processes being audited. Some organizations use external auditors for specialized areas (software, cybersecurity, clinical evaluation) where internal expertise is limited.
What happens if we find a major nonconformity during an internal audit?
The nonconformity must be documented, a root cause analysis conducted, a corrective action plan developed and implemented, and the effectiveness of the corrective action verified. The finding should also be reported to management as part of management review.
Do ISO 13485 internal audits need to cover suppliers?
ISO 13485 Clause 7.4.1 requires that the organization evaluate and select suppliers based on their ability to supply product that meets requirements. While supplier audits are a separate activity from internal audits, the internal audit program should verify that the supplier management process itself is effective.
How should we document that corrective actions from audits are effective?
Maintain records showing: the original nonconformity, the root cause analysis, the corrective action plan, evidence of implementation, and the results of effectiveness verification (follow-up audit or review). This trail should be traceable from the audit finding to closure.
Related Guides
- CAPA for Medical Devices Guide — Implementing corrective and preventive actions triggered by audit findings.
- ISO 13485 Certification Guide — Complete guide to achieving and maintaining ISO 13485 certification.
- Design Controls Guide — Understanding design control requirements frequently audited under Clause 7.3.
- Medical Device Quality Audits Guide — Comprehensive guide to all types of quality system audits.
- QSR to QMSR Transition Guide — What changes with the FDA's shift from QSR to QMSR and how to prepare.