ISO 13485 Internal Audit Findings: Real Examples and Corrective Actions That Actually Work


The most common ISO 13485 internal audit findings include weak CAPA systems, poor document control, incomplete risk management, ineffective training, and lack of traceability. These findings are not caused by missing procedures, but by poor implementation. Corrective actions must address root causes, strengthen system linkages, and include measurable effectiveness checks.

If your internal audits are not identifying these issues early, your external audit will.


Why Internal Audit Findings Matter More Than External Audits

ISO 13485 Clause 8.2.4 requires organisations to conduct internal audits to determine whether the quality management system is effectively implemented and maintained.

The intent is simple: internal audits should find problems before regulators or certification bodies do.

In reality, many companies:

  • Run checklist audits that miss real issues
  • Write weak findings that do not trigger meaningful CAPA
  • Fail to connect audit results to system improvement

Strong internal audit findings are a competitive advantage. Weak ones are a liability.

Related: ISO 13485 Internal Audit Explained


Real Internal Audit Findings and How to Fix Them

1. CAPA Not Effective

Typical Finding:
CAPA records show closure, but similar issues continue to occur.

What the Auditor Saw:

  • Root cause documented as “operator error”
  • No systemic analysis performed
  • No effectiveness verification

Corrective Action That Works:

  • Reopen CAPA and redefine the problem clearly
  • Perform structured root cause analysis
  • Implement systemic corrective actions (not just retraining)
  • Define measurable effectiveness criteria



2. Document Control Not Enforced

Typical Finding:
Obsolete procedures found in use during audit sampling.

What the Auditor Saw:

  • Printed documents not aligned to latest revision
  • Local copies used instead of controlled system

Corrective Action That Works:

  • Remove uncontrolled copies from operational areas
  • Enforce access to controlled system only
  • Train staff on document access and usage
  • Audit real usage periodically



3. Risk Management Not Maintained

Typical Finding:
Risk management file not updated following design or process changes.

What the Auditor Saw:

  • No linkage between CAPA and risk file
  • Hazards not updated after complaints

Corrective Action That Works:

  • Review risk management file against recent changes
  • Link CAPA, complaints, and post-market data to risk review
  • Update hazard analysis and residual risk evaluation



4. Training and Competency Gaps

Typical Finding:
Personnel performing quality-critical tasks lack documented competency.

What the Auditor Saw:

  • Training records incomplete
  • No evidence of competency evaluation

Corrective Action That Works:

  • Define competency requirements per role
  • Link training to specific procedures and responsibilities
  • Evaluate effectiveness of training (not just attendance)

5. Internal Audit Itself Is Weak

Typical Finding:
Internal audits do not identify meaningful issues.

What the Auditor Saw:

  • All audits marked “compliant”
  • No evidence of process-based auditing

Corrective Action That Works:

  • Move from checklist auditing to process auditing
  • Define audit objectives and expected evidence
  • Train auditors in interviewing and sampling



How to Write Strong Internal Audit Findings

Weak finding:

  • “Procedure not followed”

Strong finding:

  • “Procedure QMS-004 requires document approval prior to release. Document XYZ was used in production without approval. This indicates document control is not effectively implemented.”

Key principles:

  • State requirement
  • State objective evidence
  • State impact

How to Ensure Corrective Actions Actually Work

  • Fix the system, not the symptom
  • Link corrective actions to measurable outcomes
  • Verify effectiveness over time
  • Connect CAPA, audit, and management review

If your corrective actions are not preventing recurrence, they are not effective.


Internal Audit Checklist Before Your Next Audit

  • Are findings specific and evidence-based?
  • Are CAPAs linked to audit findings?
  • Are recurring issues being eliminated?
  • Are auditors trained and competent?
  • Is audit planning risk-based?

Tool:
Internal Audit System (ISO 13485 Clause 8.2.4)


When Internal Audit Findings Indicate Bigger Problems

If you see repeated findings in:

  • CAPA
  • Risk management
  • Design controls
  • Document control

Then your issue is not audit-related. It is system design.



Final Thought

Internal audits are not about compliance reporting. They are your early warning system.

If your internal audits are not finding meaningful issues, your external audit will.

The goal is not to pass audits. The goal is to build a system that cannot fail them.


About ISO Cloud Consulting

Structured, regulator-aligned guidance for medical-device teams building ISO 13485 systems, MDR/FDA documentation, PMS/Vigilance frameworks, and validated digital QMS environments.
