ISO 13485 Internal Audit Explained: Process, Checklist and Audit Readiness Guide
ISO 13485 internal audits are a mandatory requirement used to verify whether your quality management system (QMS) is effectively implemented, compliant, and audit-ready.
Under ISO 13485, internal audits are not optional—they are a core mechanism for ensuring your processes are working and identifying gaps before external auditors do.
Where Internal Audit Fits in ISO 13485
Internal audit is defined under Clause 8.2.4 and sits within the broader framework of monitoring, measurement, and improvement.
ISO 13485 requires organisations to:
- Conduct audits at planned intervals
- Verify compliance to both ISO 13485 and internal procedures
- Ensure the QMS is effectively implemented and maintained
Internal audits are also a key input into management review and CAPA systems.
What ISO 13485 Internal Audits Actually Assess
Most teams misunderstand internal audits as checklist exercises. In reality, auditors assess:
- Process effectiveness (not just existence)
- Compliance with procedures and records
- Regulatory alignment
- Risk-based implementation of processes
- Linkages between systems (CAPA, complaints, risk, design, etc.)
This aligns with ISO 13485’s process-based approach to quality management, where processes must be defined, controlled, monitored, and improved.
ISO 13485 Internal Audit Process (Step-by-Step)
1. Audit Planning
- Define audit scope (process, department, full QMS)
- Set audit criteria (ISO 13485 clauses, procedures)
- Assign a competent auditor
- Consider risk, previous findings, and regulatory impact
2. Audit Preparation
- Review procedures and records
- Prepare audit checklist
- Identify key risk areas
3. Audit Execution
- Conduct interviews
- Review objective evidence
- Trace processes end-to-end
4. Audit Findings
- Nonconformities (major/minor)
- Observations
- Opportunities for improvement
5. Audit Reporting
- Clear, evidence-based findings
- Link findings to clauses and procedures
- Assign CAPA where required
6. Follow-Up and Closure
- Verify corrective actions
- Confirm effectiveness
- Close audit formally
ISO 13485 Internal Audit Checklist (What Auditors Look For)
| Area | What to Check |
|---|---|
| Document Control | Are documents approved, current, and controlled? |
| Records | Are records complete, legible, and retrievable? |
| CAPA | Are root causes identified and actions effective? |
| Risk Management | Are risks identified, evaluated, and controlled? |
| Training | Are personnel competent and trained? |
| Production | Are processes controlled and validated where required? |
| Complaints | Are complaints investigated and linked to CAPA? |
Common ISO 13485 Internal Audit Mistakes
- Checklist-only audits (no process understanding)
- Weak or subjective findings
- No linkage to risk or regulatory impact
- Auditors auditing their own work
- No follow-up on CAPA effectiveness
How to Make Your Internal Audits Audit-Ready
- Train auditors properly (not just ISO awareness)
- Use process-based auditing, not clause-only
- Link findings to CAPA and risk
- Audit high-risk processes more frequently
- Track trends across audits
Internal Audit vs External Audit
| Internal Audit | External Audit |
|---|---|
| Conducted by your organisation | Conducted by a certification body |
| Focus on improvement | Focus on compliance |
| Flexible scope | Fixed audit scope |
| Prepares you for certification | Determines certification outcome |
When Should You Conduct Internal Audits?
- At planned intervals (annual minimum)
- Before certification audits
- After major changes
- After significant nonconformities
FAQ: ISO 13485 Internal Audit
Is internal audit mandatory in ISO 13485?
Yes. ISO 13485 requires internal audits to verify QMS compliance and effectiveness.
Who can perform an internal audit?
Auditors must be competent and independent of the process being audited.
How often should internal audits be done?
Based on a risk-based schedule, but typically at least once per year.
What is the output of an internal audit?
An audit report, findings, and corrective actions where required.
Do internal audits need documented procedures?
Yes. ISO 13485 requires documented procedures and records for audits.
Final Takeaway
ISO 13485 internal audits are not just a compliance exercise—they are your early warning system for audit failure.
If your internal audit process is weak, your entire QMS is exposed.
Build a structured, risk-based, and evidence-driven audit system—and your certification audits become significantly easier.