What is an internal audit in ISO 13485?

An internal audit in ISO 13485 is a planned, independent, and documented review used to determine whether your quality management system conforms to requirements, is effectively implemented, and is being maintained properly. In practice, internal auditing is not just a compliance exercise. It is one of the best ways to identify weak controls, recurring failures, missing evidence, and process gaps before an external auditor does.

A strong internal audit process should test how the system actually works in real operations, not just whether procedures exist. That means audit planning, competent auditors, evidence-based findings, root cause linkage where needed, corrective action follow-up, and closure discipline.

  • Understand the requirement

    Learn what ISO 13485 expects from internal audits and what makes an audit useful instead of cosmetic.

  • Plan audits properly

    Build audit programmes, audit plans, and process priorities based on risk, previous findings, and system importance.

  • Write stronger findings

    Improve how nonconformities, observations, evidence, and audit conclusions are documented and escalated.

  • Improve audit readiness

    Use internal audits to strengthen external audit performance, management review inputs, and CAPA effectiveness.

Why internal audits matter so much in medical device quality systems

Weak internal audits create a false sense of control. Procedures may appear complete, but records are missing, implementation is inconsistent, and process failures stay hidden until a certification or customer audit exposes them. A strong internal audit system does the opposite. It tests reality, not paperwork.

Internal audits should help your organisation identify process breakdowns early, assess whether controls are actually working, and drive focused improvement through findings, follow-up, and CAPA where required. The best audit systems are practical, evidence-based, and aligned to process risk, not generic checklist activity.

Use this hub in the right order:

Start with internal audit fundamentals, then move into audit planning, checklist structure, common findings, auditor competency, and follow-up controls.

  • 1. Audit programme

    Define what will be audited, when, by whom, and how often based on risk, process importance, and prior results.

  • 2. Audit planning

    Build the audit plan, scope, criteria, objectives, departments, and evidence focus areas before the audit starts.

  • 3. Audit execution

    Review documents, sample records, interview process owners, and test whether the system works in practice.

  • 4. Findings and evidence

    Record objective evidence clearly and classify findings properly so action is proportionate and defensible.

  • 5. Follow-up and CAPA

    Ensure findings are investigated, corrected, escalated when needed, and tracked to closure.

  • 6. Review and improvement

    Feed audit outputs into trend review, management review, training needs, and future audit priorities.

Why internal audit systems fail

Most internal audit systems become weak for predictable reasons:

  • audit programmes are too generic
  • low-risk and high-risk processes are treated the same
  • auditors are not trained to probe process effectiveness
  • findings are vague, soft, or poorly evidenced
  • follow-up is weak
  • audits are disconnected from CAPA, management review, complaints, and real process performance

A strong internal audit process should surface meaningful system issues early enough to correct them before they appear again in surveillance, recertification, supplier, or customer audits.

Weak internal audit vs strong internal audit

A weak internal audit confirms that a procedure exists and moves on. A stronger internal audit tests whether the process is effective, whether records support conformity, whether people understand the controls, and whether the system is producing the intended result.

Weak: Procedure available and signed
Stronger: Procedure available, current revision controlled, records sampled, evidence of implementation confirmed, deviations identified, and effectiveness of the process evaluated against defined requirements

That is the shift that makes internal audits commercially useful, not just compliant.

Choose the level of internal audit support you need

Internal Audit Toolkit

Best for companies that need a practical audit structure with planning, checklists, reports, evidence capture, and follow-up tools.

Auditor Training Pack

Best for teams that want to strengthen auditor competency, interview quality, consistency of findings, and audit confidence.

  • QA / RA managers

    Improve audit quality, evidence strength, and linkage between findings, CAPA, and management review.

  • Startup and growing manufacturers

    Build a workable internal audit system before external audits expose weak implementation and poor records.

  • Internal auditors

    Improve how you plan audits, sample evidence, interview process owners, and write stronger findings.

  • Teams preparing for certification

    Use internal audits to identify real gaps early and reduce surprises during stage 1, stage 2, or surveillance audits.

Internal Audit FAQ

What is an internal audit in ISO 13485?

An internal audit is a planned and documented review used to determine whether the quality management system conforms to requirements, is implemented effectively, and is maintained properly.

How often should ISO 13485 internal audits be done?

The frequency should be based on process importance, risk, previous findings, changes, and overall audit programme needs. Higher-risk or weak-performing areas often need more frequent attention.

What do auditors look for during an internal audit?

They should look for objective evidence of implementation, record quality, process control, training, traceability where applicable, compliance with procedures, and whether the process is actually effective.

What should an internal audit checklist include?

A good checklist should include clause requirements, process-specific controls, evidence prompts, sampling areas, interview prompts, and space for recording objective evidence and findings.

Who can perform an internal audit?

An internal audit should be performed by someone competent and sufficiently independent from the area being audited so the review is objective and credible.

What is the difference between an audit observation and a nonconformity?

A nonconformity identifies failure to meet a requirement. An observation usually highlights a weaker area, potential issue, or improvement opportunity that may not yet meet the threshold of nonconformity.

What happens after an internal audit?

Findings should be reviewed, assigned, corrected where required, escalated into CAPA when necessary, followed up to verify completion, and fed into broader quality system improvement.