ISO 13485 Internal Audit Checklist: What Auditors Actually Look For
If you are preparing for an audit, you do not need another generic checklist.
You need to know what auditors actually look for, how they think, and where companies typically fail.
Why Most Internal Audit Checklists Fail
Most checklists are clause-based and superficial. They confirm documentation exists—but they do not verify:
- Process effectiveness
- Risk-based implementation
- Linkages between systems
- Regulatory compliance
ISO 13485 requires a process-based approach where activities are monitored, measured, and improved—not just documented. :contentReference[oaicite:0]{index=0}
How to Use This ISO 13485 Internal Audit Checklist
- Audit by process, not just by clause
- Follow evidence through the system
- Test real implementation (not just documents)
- Focus more on high-risk areas
ISO 13485 Internal Audit Checklist (Full QMS)
1. Quality Management System (Clause 4)
- Is the QMS defined, documented, and maintained?
- Are processes identified and their interactions defined?
- Is there a quality manual with scope and exclusions?
- Are outsourced processes controlled?
2. Document Control (Clause 4.2.4)
- Are documents approved before release?
- Are revisions controlled and tracked?
- Are current versions available at point of use?
- Are obsolete documents controlled?
3. Record Control (Clause 4.2.5)
- Are records legible, identifiable, and retrievable?
- Are retention periods defined?
- Are records protected from loss or damage?
4. Management Responsibility (Clause 5)
- Is there evidence of management commitment?
- Are quality objectives defined and monitored?
- Are management reviews conducted and documented?
- Are review inputs complete (audits, complaints, CAPA)?
5. Resource Management (Clause 6)
- Are personnel competent and trained?
- Are training records maintained?
- Is infrastructure adequate and maintained?
- Is work environment controlled where required?
6. Product Realization (Clause 7)
- Are processes planned and controlled?
- Are design controls implemented (if applicable)?
- Are suppliers evaluated and monitored?
- Are production processes validated where required?
- Is traceability maintained?
7. Risk Management (ISO 14971 Integration)
- Is risk management applied throughout the product lifecycle?
- Are hazards identified and risks evaluated?
- Are risk controls implemented and verified?
- Is residual risk evaluated and documented?
Risk management must be applied systematically across the lifecycle, including analysis, evaluation, control, and monitoring. :contentReference[oaicite:1]{index=1}
8. Measurement, Analysis and Improvement (Clause 8)
- Are internal audits conducted at planned intervals?
- Are complaints handled and investigated?
- Is data analysed for trends?
- Are CAPAs raised, investigated, and closed effectively?
What Auditors Actually Do During an Audit
Auditors do not follow your checklist—they follow your processes.
They will:
- Trace a complaint → CAPA → risk → management review
- Follow a product from order → production → release
- Test whether your system actually works in practice
High-Risk Areas to Prioritise
- CAPA system (Clause 8.5)
- Internal audits (Clause 8.2.4)
- Risk management integration
- Supplier control
- Design controls
Common Findings This Checklist Should Catch
- CAPAs with weak root cause analysis
- Training records incomplete or outdated
- Uncontrolled documents in use
- No evidence of process monitoring
- Risk management not linked to real processes
How to Upgrade Your Internal Audit Checklist
- Add risk-based prioritisation
- Include process flow tracing
- Link every finding to CAPA
- Include regulatory impact assessment
- Track trends across audits
Internal Audit Checklist vs Real Audit Readiness
| Checklist Only | Audit-Ready System |
|---|---|
| Confirms documents exist | Confirms processes work |
| Clause-based | Process-based |
| Static | Risk-driven |
| No follow-up | CAPA-driven improvement |
FAQ: ISO 13485 Internal Audit Checklist
What should an ISO 13485 audit checklist include?
It should cover all QMS clauses, but more importantly test process effectiveness, risk integration, and regulatory compliance.
Is a checklist enough for ISO 13485 audits?
No. A checklist supports the audit, but process-based auditing is required for real compliance.
How detailed should an audit checklist be?
Detailed enough to guide auditors, but flexible enough to follow real process flows.
Can I use the same checklist every year?
No. It should evolve based on risks, previous findings, and system changes.
Final Takeaway
An ISO 13485 internal audit checklist is only valuable if it tests reality—not paperwork.
If your checklist cannot detect real system failures, your external auditor will.
