Top ISO 13485 Internal Audit Findings: Common Issues and How to Fix Them

If your internal audits are not finding issues, your system is not working.

The reality is simple: external auditors rarely find new problems. They find the problems your internal audits failed to detect.

Direct Answer: Common ISO 13485 internal audit findings include weak CAPA systems, poor document control, inadequate training records, ineffective risk management, and lack of process monitoring.

Why Internal Audit Findings Matter

Internal audits are designed to identify nonconformities before certification auditors do.

Under ISO 13485, audits are a required mechanism to verify compliance and effectiveness of the QMS.

Strong internal audit findings lead to:

  • Stronger CAPA systems
  • Better audit outcomes
  • Reduced regulatory risk

If your internal audit findings are weak, your QMS maturity is weak.

Top ISO 13485 Internal Audit Findings

1. Weak CAPA System

  • Root causes not properly identified
  • Corrective actions not linked to root cause
  • Effectiveness checks missing or superficial

Fix: Implement structured root cause analysis and enforce effectiveness verification.

2. Poor Document Control

  • Obsolete documents still in use
  • Missing approvals
  • Uncontrolled external documents

Fix: Enforce strict document approval, revision control, and distribution processes.

3. Incomplete or Missing Records

  • Training records incomplete
  • Missing production records
  • Untraceable documentation

Fix: Define clear record requirements and enforce retention and traceability controls.

4. Ineffective Risk Management

  • Risk files not updated
  • Risks not linked to CAPA or complaints
  • Risk analysis treated as a one-time activity

Risk management must be applied throughout the lifecycle, including monitoring and control.

Fix: Integrate risk management into real processes—not just documentation.

5. Internal Audits Not Effective

  • Checklist-only audits
  • No process-based auditing
  • Findings not linked to CAPA

Fix: Train auditors and shift to process-based auditing.

6. Lack of Process Monitoring

  • No KPIs defined
  • No evidence of process performance tracking
  • No trend analysis

Fix: Define measurable indicators and review them regularly.

7. Training and Competency Gaps

  • No defined competency requirements
  • Training effectiveness not evaluated
  • Personnel unaware of their impact on quality

Fix: Define competencies, train accordingly, and verify effectiveness.

8. Supplier Control Issues

  • No supplier evaluation criteria
  • Missing supplier performance monitoring
  • No quality agreements

Fix: Implement structured supplier qualification and monitoring.

9. Complaint Handling Gaps

  • Complaints not fully investigated
  • No linkage to CAPA
  • Regulatory reporting not assessed

Fix: Ensure complaints feed directly into CAPA and risk systems.

10. Management Review Weaknesses

  • Missing required inputs
  • No evidence of decisions or actions
  • Reviews treated as a formality

Fix: Structure management reviews around data, decisions, and outputs.

What These Findings Have in Common

Almost all findings come down to one issue:

  • Systems exist—but are not implemented effectively

ISO 13485 requires processes to be monitored, measured, and improved—not just documented.

How to Prevent These Findings

  • Shift from document-based to process-based auditing
  • Integrate CAPA, risk, and audit systems
  • Focus on effectiveness, not compliance alone
  • Audit high-risk areas more frequently
  • Track trends across audits

The goal is not to reduce findings—it is to improve the system.

Major vs Minor Findings (What’s the Difference?)

| Minor | Major |
|---|---|
| Isolated issue | Systemic failure |
| Low impact | High regulatory risk |
| Does not affect system integrity | Compromises QMS effectiveness |

FAQ: ISO 13485 Internal Audit Findings

What is the most common ISO 13485 finding?

Weak CAPA systems are consistently the most common finding.

Are internal audit findings required?

Yes. Internal audits must identify and document nonconformities where they exist.

How should findings be documented?

Clearly, with objective evidence, clause reference, and defined corrective actions.

What happens if internal audits find nothing?

This usually indicates ineffective auditing—not a perfect system.

Final Takeaway

The purpose of internal audits is not to pass—it is to expose weaknesses.

The companies that pass audits easily are the ones that find their problems first.

About ISO Cloud Consulting

Structured, regulator-aligned guidance for medical-device teams building ISO 13485 systems, MDR/FDA documentation, PMS/Vigilance frameworks, and validated digital QMS environments.