Internal Audit under ISO 13485: From Audit Programme to Follow-up

This guidance is written for medical-device manufacturers and service providers operating under ISO 13485:2016 who require an internal audit system that functions as a regulatory control, not an administrative exercise. It addresses internal audit as an integrated mechanism that detects systemic weakness, validates QMS effectiveness, and drives risk-based improvement.

The focus is execution-grade design: how to build an audit programme, qualify auditors, design checklists, sample records, grade nonconformities, and close the loop through CAPA and management review. The intent is audit defensibility—internal audits that withstand notified body scrutiny and materially reduce regulatory and operational risk.

Internal audit is treated here as a closed-loop system: audit programme → planning → execution → grading → reporting → CAPA → management review → effectiveness follow-up. Any break in this loop converts audit activity into regulatory noise.

Audit programme and risk-based planning

The audit programme defines how the organisation maintains continuous oversight of QMS conformity and effectiveness. External auditors (such as the notified body) expect a documented, approved programme that covers the full audit universe on a process basis, not by organisational department.

Audit universe definition. The audit universe must include all QMS processes influencing product safety, performance, and regulatory compliance. Typical process groupings include document control, design and development, supplier management, production controls, complaint handling, CAPA, training, and post-market surveillance. Exclusions require formal justification.

Risk-based prioritisation. ISO 13485 expects audit frequency and depth to be driven by risk and performance data. Static annual schedules disconnected from operational signals are a common audit finding.

| Process | Key risks | Data sources | Baseline frequency | Trigger-based adjustments |
|---|---|---|---|---|
| Document Control | Uncontrolled documents, obsolete procedures in use | Change logs, training records, audit history | Annual | Immediate audit after major procedure overhaul or system migration |
| CAPA | Recurrence, ineffective actions, overdue closures | CAPA register, complaints, prior audits | Annual | Semi-annual if repeat findings or overdue actions exist |
| Complaint Handling | Delayed reporting, misclassification, missed signals | Complaint trends, vigilance records | Annual | Targeted audit after spike in complaints or adverse events |
| Supplier Management | Unqualified suppliers, poor performance | Supplier evaluations, incoming inspection data | Annual | Focused audit after critical supplier change or failure |

Frequency logic. Baseline coverage is typically annual for all core processes. Risk triggers override baseline frequency. These triggers include complaint trends, nonconformity recurrence, KPI degradation, validation changes, supplier failures, and organisational restructuring.

Programme governance. The audit programme requires management approval, revision control, and documented independence. Auditors cannot audit activities they perform or control. Programme changes must be justified and traceable.

Implementation Block — Audit programme control.
Maintain the audit programme as a controlled document with revision history, approval signatures, and documented rationale for frequency changes. External auditors expect to see why the programme looks the way it does.

Auditor competence

Auditor competence is a regulatory control. External auditors assess whether internal auditors can identify systemic failure, not merely whether they can complete a checklist.

Competence criteria. Required competence spans ISO 13485 knowledge, process auditing skill, sampling methodology, technical understanding of audited activities, and impartiality. Competence must be demonstrated, not asserted.

Independence. Auditors may not audit their own work, direct responsibilities, or decisions they control. Independence is evaluated at both organisational and task levels.

Ongoing qualification. Initial training is insufficient. Auditors require calibration, witnessed audits, periodic re-evaluation, and evidence of regulatory awareness.

| Competence area | Evidence types | Minimum standard | Re-evaluation frequency |
|---|---|---|---|
| ISO 13485 knowledge | Training records, exam results | Formal ISO 13485 auditor training | Every 3 years |
| Process auditing | Witnessed audits, audit reports | Successful supervised audits | Annual |
| Sampling skill | Audit plans, sampling rationale | Risk-based sampling demonstrated | Annual |
| Technical competence | CV, role history, training | Relevant technical background | As role changes |
| Impartiality | Audit assignments, role mapping | No conflict of interest | Per audit |

Audit checklist design

Checklists guide audits but must not replace auditor judgment. Clause-only checklists detect documentation gaps but miss process failure. Process-based checklists detect operational breakdown but risk regulatory blind spots. Effective audits integrate both.

Checklist structure. Each checklist element should define intent, expected evidence, sampling prompts, and risk indicators. Checklists must link to procedures, KPIs, risk files, prior findings, and CAPA history.

| Process | Audit prompt | Expected evidence | Sampling notes | Risk indicators |
|---|---|---|---|---|
| Document Control | Are only approved documents available at point of use? | Controlled procedures, access logs | Sample 5 active procedures | Multiple uncontrolled copies observed |
| Document Control | Are changes reviewed and approved? | Change records, approvals | Sample last 3 changes | Missing impact assessments |

Implementation Block — Checklist control.
Maintain checklists as living tools. Update prompts based on audit findings, CAPA themes, and management review outputs.

Conducting audits; sampling logic

Audit execution follows defined stages: opening meeting, process walkthrough, interviews, record review, objective evidence capture, daily alignment where needed, and closing meeting.

Sampling logic. Sampling depth is driven by risk, volume, change, and history. Auditors must document why a sample is sufficient.

  1. Increase sample size when process risk or patient impact is high.
  2. Target recent records after significant change.
  3. Expand sampling when inconsistencies appear.
  4. Trace forward (input to output) and backward (output to input).
  5. Document rationale for all sampling decisions.

| Record type | Baseline sample | Risk-based expansion |
|---|---|---|
| Training records | 5 employees | All staff after major procedure change |
| CAPA records | 3 closed CAPAs | All CAPAs for recurring issues |
| Complaints | 5 recent complaints | All complaints in adverse trend period |

Evidence interpretation. Absence of evidence is not automatically evidence of absence. Auditors must determine whether records should exist and whether their absence represents control failure.

Grading nonconformances

Nonconformance grading must be consistent, risk-based, and defensible. Grading reflects impact, not effort required to fix.

| Grade | Criteria | Example |
|---|---|---|
| Critical | Direct patient or regulatory risk | Unreported serious adverse event |
| Major | Systemic breakdown | Repeated ineffective CAPAs |
| Minor | Isolated lapse | Single missing training record |
| Observation | Opportunity to improve | Audit trail clarity |

Each nonconformity requires a clear statement, objective evidence, requirement reference, and impact description.

Reporting and follow-up

Audit reports are controlled records. They must support CAPA initiation, management review, and regulatory inspection.

  1. Audit scope and criteria
  2. Auditors and participants
  3. Summary of conformity
  4. Detailed findings with evidence
  5. Grading and required actions
  6. Conclusion and next steps

| Step | Owner | Record | Due date logic | Acceptance criteria |
|---|---|---|---|---|
| Containment | Process owner | Containment record | Immediate | Risk controlled |
| Corrective action | CAPA owner | CAPA record | Risk-based | Root cause addressed |
| Effectiveness verification | Quality | Verification record | Post-implementation | No recurrence |

Linking audits to CAPA and management review

Audit findings feed CAPA when risk, systemic failure, or recurrence thresholds are met. Minor issues may be corrected without CAPA, but rationale must be documented.

| Finding type | CAPA required? | Rationale |
|---|---|---|
| Critical | Yes | Patient or regulatory risk |
| Major | Yes | Systemic breakdown |
| Minor | Conditional | Based on trend |

| Management review input | Source | Decision | Output record | Downstream action |
|---|---|---|---|---|
| Audit results | Audit reports | Programme adjustment | Management review minutes | Audit plan revision |
| CAPA status | CAPA register | Resource allocation | Action items | Process improvement |

FAQ

How often should internal audits be done?
All core QMS processes require at least annual audit coverage. Frequency increases based on risk signals such as complaint trends, repeat nonconformities, major process changes, or supplier failures. High-risk processes may require semi-annual or targeted audits.

Can internal audits be outsourced?
Yes, provided auditor competence, independence, and programme control are maintained. Responsibility remains with the organisation.

Are observations mandatory?
No. Observations are discretionary and should only be raised when they provide objective improvement value.

Do all findings require CAPA?
No. Only findings meeting risk or systemic thresholds require CAPA. Justification is mandatory.
