Top ISO 13485 Audit Findings (2026) and How to Fix Them Before Your Next Audit
The most common ISO 13485 audit findings are weak CAPA systems, poor document control, incomplete design controls, ineffective risk management, and lack of traceability. These failures happen because systems exist on paper but are not implemented effectively. Fixing them requires strengthening process execution, linking systems together, and ensuring objective evidence supports compliance—not just procedures.
If you're preparing for an audit or recovering from one, this guide shows exactly what auditors look for and how to fix the resulting findings properly.
Why ISO 13485 Audit Findings Happen (Even in “Compliant” Systems)
Most companies do not fail audits because they have no quality system. They fail because their system is fragmented, inconsistently followed, or poorly evidenced in records. Auditors are rarely impressed by document volume alone. They want to see that your quality management system works in practice.
Common failure patterns include:
- Procedures that exist but are not followed consistently
- Records that do not prove effectiveness
- Disconnected systems across CAPA, complaints, internal audit, and risk management
- Weak decision-making with little objective evidence
That is why ISO 13485 audit findings are often symptoms of deeper system design issues, not isolated paperwork mistakes.
1. CAPA System Failures
Common Findings
- Root cause analysis is superficial
- Repeat issues continue after closure
- Corrective actions are implemented but not verified for effectiveness
- CAPA records are not linked to complaints, audit findings, or nonconforming product
Why It Fails
Many businesses treat CAPA as a closure workflow rather than a true problem-solving process. That leads to weak investigations, generic actions, and recurring findings in future audits.
How to Fix It
- Define the problem clearly before jumping to actions
- Use structured root cause analysis methods, not surface-level conclusions
- Require objective evidence for implementation and effectiveness
- Connect CAPA to complaint handling, internal audits, supplier issues, and trend data
2. Document Control Breakdown
Common Findings
- Obsolete documents still in use
- Missing approvals or revision history
- External standards not controlled
- Staff using local copies instead of controlled files
Why It Fails
Document control often looks adequate during setup, then breaks down operationally. Teams save files offline, update templates informally, or bypass the controlled system entirely.
How to Fix It
- Create one controlled source of truth
- Train staff on where current documents are accessed
- Control external documents such as standards, regulations, and customer specifications
- Audit real use at point of activity, not just the document register
3. Risk Management File Gaps
Common Findings
- Hazards are incomplete or generic
- Risk controls are not clearly linked to design or process outputs
- Residual risk is not evaluated properly
- Post-production information does not feed back into the risk file
Why It Fails
Risk management is often treated as a one-time submission document. In reality, it is a living process that should connect design, verification, production, complaints, and post-market information.
How to Fix It
- Build clear traceability from hazard to hazardous situation, risk estimate, control, verification, and residual risk
- Define risk acceptability criteria before analysis starts
- Use production and post-production data to review whether previous risk estimates remain acceptable
- Keep the risk file aligned with design and process changes
4. Design Controls Are Incomplete
Common Findings
- Design inputs are vague or incomplete
- Outputs do not clearly satisfy inputs
- Verification and validation records are weak
- Design review decisions are not well documented
- Traceability across requirements, risk, and testing is poor
Why It Fails
Fast-moving companies often develop the product first and try to reconstruct design controls later. That usually creates missing links, weak rationale, and audit exposure.
How to Fix It
- Define design inputs clearly and early
- Document formal design reviews with actions and approvals
- Maintain traceability from requirements through verification and validation
- Make sure risk management and design controls inform each other
5. Internal Audit Program Is Ineffective
Common Findings
- Audits are checklist-only and not process-based
- Audit schedules are not risk-based
- Auditors are not sufficiently competent
- Findings are weak, vague, or not connected to CAPA
Why It Fails
Too many internal audit programs are built to “tick the clause off” rather than test whether the system is effective. That leads to weak findings internally and stronger findings externally.
How to Fix It
- Audit by process and risk, not just clause
- Define audit criteria and evidence expectations clearly
- Train auditors in questioning, sampling, and writing useful findings
- Link internal audit outputs directly into CAPA and management review
6. Poor Control of Records
Common Findings
- Records are incomplete, unsigned, or missing dates
- Evidence is not retrievable during audit
- There is no clear retention logic
- Data integrity is weak across manual and digital systems
Why It Fails
Companies often define records in procedures but do not control how those records are actually created, stored, retrieved, and protected.
How to Fix It
- Define which records prove process conformity
- Standardise templates and retention periods
- Make retrieval fast and audit-friendly
- Review record completion routinely, not only before audits
7. Weak Management Review
Common Findings
- Management review is performed as a meeting record, not a decision-making process
- Inputs are incomplete or low quality
- Actions are vague or not followed through
- Data analysis is weak and trends are missed
Why It Fails
Management review often becomes a compliance event instead of the place where leadership evaluates system effectiveness, resource needs, quality trends, and regulatory risk.
How to Fix It
- Use complaint, CAPA, audit, supplier, process, and product data as structured inputs
- Focus on trend analysis and system performance, not just meeting minutes
- Record decisions, owners, and due dates clearly
- Review whether actions taken actually improved performance
How to Prepare for Your Next ISO 13485 Audit
Before your next audit, test whether your system can hold up under evidence-based review:
- Can you show that CAPA solves recurring problems?
- Can you prove documents are controlled at point of use?
- Can you trace risks through controls and verification?
- Can you show complete design control records?
- Can you demonstrate that internal audits identify meaningful issues?
- Can you retrieve records quickly and confidently?
- Can management review outputs be linked to real quality decisions?
If the answer is no to any of these, you are exposed.
When to Get External Help
You should consider external support when:
- You have already received major or repeated findings
- You are preparing for a certification or surveillance audit
- Your QMS is documented but not functioning well
- Your team is overloaded and remediation is stalling
Final Thought: Audits Do Not Fail on Paper Alone
The strongest ISO 13485 systems are not the ones with the most documents. They are the ones with clear accountability, connected processes, strong records, and evidence that the system actually works.
If your audit is approaching, focus less on producing more paperwork and more on proving that your quality system is effective.