What is an internal audit in ISO 13485?

An internal audit in ISO 13485 is a planned, independent, and documented review used to determine whether your quality management system conforms to requirements, is effectively implemented, and is being maintained properly. In practice, internal auditing is not just a compliance exercise. It is one of the best ways to identify weak controls, recurring failures, missing evidence, and process gaps before an external auditor does.

A strong internal audit process should test how the system actually works in real operations, not just whether procedures exist. That means audit planning, competent auditors, evidence-based findings, root cause linkage where needed, corrective action follow-up, and closure discipline.

  • Understand the requirement

    Learn what ISO 13485 expects from internal audits and what makes an audit useful instead of cosmetic.

  • Plan audits properly

    Build audit programmes, audit plans, and process priorities based on risk, previous findings, and system importance.

  • Write stronger findings

    Improve how nonconformities, observations, evidence, and audit conclusions are documented and escalated.

  • Improve audit readiness

    Use internal audits to strengthen external audit performance, management review inputs, and CAPA effectiveness.

Why internal audits matter so much in medical device quality systems

Weak internal audits create a false sense of control. Procedures may appear complete, but records are missing, implementation is inconsistent, and process failures stay hidden until a certification or customer audit exposes them. This is exactly how many ISO 13485 audit failures happen.

A strong internal audit system does the opposite. It tests reality, not paperwork.

Internal audits should help your organisation identify process breakdowns early, assess whether controls are actually working, and drive focused improvement through findings, follow-up, and CAPA where required. The best audit systems are practical, evidence-based, and aligned to process risk, not generic checklist activity.

Use this hub in the right order:

Start with internal audit fundamentals, then move into audit planning, checklist structure, common findings, auditor competency, and follow-up controls.

  • 1. Audit programme

    Define what will be audited, when, by whom, and how often based on risk, process importance, and prior results.

  • 2. Audit planning

    Build the audit plan, scope, criteria, objectives, departments, and evidence focus areas before the audit starts.

  • 3. Audit execution

    Review documents, sample records, interview process owners, and test whether the system works in practice.

  • 4. Findings and evidence

    Record objective evidence clearly and classify findings properly so action is proportionate and defensible.

  • 5. Follow-up and CAPA

    Ensure findings are investigated, corrected, escalated when needed, and tracked to closure.

  • 6. Review and improvement

    Feed audit outputs into trend review, management review, training needs, and future audit priorities.

ISO 13485 Audit Readiness Assessment

Medical Device Audit Readiness Score: Assess Your ISO 13485 QMS Before an Audit Exposes the Gaps

This audit readiness diagnostic is designed for medical device companies that need a serious view of how prepared their quality management system is for certification, surveillance, supplier, internal or remediation audits. Answer the questions below to assess your current position across document control, management review, internal audit, CAPA, risk management, supplier control, validation, traceability and operational evidence. You will receive an instant score, a readiness band, your weakest areas, and the next actions most likely to reduce audit risk.

What this tool checks

Audits are rarely failed only because procedures are missing. They are failed because systems are not aligned to real practice, records are incomplete, responsibilities are blurred, risk files are disconnected from design and operations, CAPAs close weakly, supplier controls are shallow, or teams cannot retrieve objective evidence quickly under pressure.

Areas checked: Document Control, Management Review, Internal Audit, CAPA, Risk Management, Supplier Control, Validation, Traceability.

Who this is for

  • Medical device startups building a first compliant QMS
  • QA/RA managers preparing for certification or surveillance audits
  • Teams inheriting a weak or poorly implemented system
  • Companies dealing with repeat findings, CAPA delays, or audit remediation
  • Businesses moving into SharePoint, digital QMS, or structured documentation environments

Complete the diagnostic

1. Is your quality manual and top-level QMS structure aligned to how the business actually operates?

Check whether the written system reflects real roles, process flow, outsourced activities, and regulatory context.

2. Are controlled procedures, forms, templates and records current, approved, versioned and available at point of use?

This is where many systems fail: obsolete forms, uncontrolled copies, poor revision discipline, weak document access.

3. Does management review include meaningful inputs, actions, accountability and follow-through?

Not just minutes. Real review inputs, outputs, decisions, metrics, resourcing and evidence of closure.

4. Are quality objectives, KPIs and ownership clear enough to show QMS control rather than administration only?

Auditors look for whether management can demonstrate direction, monitoring and action, not just paperwork.

5. Is your internal audit programme risk-based, scheduled, independent and capable of identifying meaningful findings?

A weak internal audit programme usually shows up before external audit does.

6. Can your audit reports clearly link findings to evidence, classification, root cause expectations and follow-up?

Generic audit reporting reduces the commercial value of internal audit and leaves remediation weak.

7. Does your CAPA system show strong problem definition, investigation depth, true root cause and verified effectiveness?

One of the most common reasons CAPA systems fail is superficial closure with no proof the problem is actually controlled.

8. Are nonconformances, complaints, audit findings, supplier issues and trend data feeding CAPA consistently?

A mature system shows connected quality data, not isolated records.

9. Is your risk management process current, traceable and connected to design, change control, complaints and post-market inputs?

Risk management should live across the product lifecycle, not sit as a static file. This is central to ISO 14971 discipline.

10. Can you clearly show hazard identification, risk evaluation, controls, residual risk and post-production review?

Good risk files are structured, reviewable and evidence-based, not just copied templates.

11. Are supplier qualification, monitoring and re-evaluation supported by risk-based evidence and clear controls?

Supplier approval based on a once-off checklist is usually not enough for audit resilience.

12. Where process validation, sterilization, software, environmental control or inspection controls are required, are they validated and maintained?

This includes evidence that validated states are controlled and re-reviewed after change.

13. Is traceability adequate for your device class, process requirements, records, release controls and complaint linkage?

Traceability is often present in theory but weak in record retrieval, lot history or linkage to quality events.

14. Can you demonstrate competence, training effectiveness and role clarity for people performing quality-critical activities?

Training matrices alone are rarely enough. Auditors look for competence, not attendance only.

15. If an auditor asked for objective evidence today, could your team retrieve the right records quickly and confidently?

Audit readiness is not only about having documents. It is about evidence retrieval, consistency and control under pressure.

16. Do you have a controlled plan for audit preparation, remediation, ownership and closure if significant gaps are identified?

Many teams only act once the audit is close. Mature teams build a remediation path early.

Answer every question to receive a full diagnostic.
Your audit readiness result

  • Documentation & Control

    Quality manual, procedures, records, change and document control.

  • Leadership & Oversight

    Management review, objectives, direction and accountability.

  • Audit, CAPA & Risk

    Internal audit, CAPA robustness and risk management discipline.

  • Operations & Evidence

    Supplier control, validation, traceability, competence and retrieval.

Request a focused gap review

Submit your details and receive a practical next-step review based on your score profile. This is best suited to teams preparing for certification, surveillance, supplier, remediation or internal audit programme improvement.

Related Services

Strengthen the Systems Around Internal Audit

Internal audit works best when it connects properly to CAPA, risk management, auditor training, and the wider ISO 13485 quality system.

Why internal audit systems fail

Most internal audit systems become weak for predictable reasons:

  • audit programmes are too generic
  • low-risk and high-risk processes are treated the same
  • auditors are not trained to probe process effectiveness
  • findings are vague, soft, or poorly evidenced
  • follow-up is weak
  • audits are disconnected from CAPA, management review, complaints, and real process performance

A strong internal audit process should surface meaningful system issues early enough to correct them before they appear again in surveillance, recertification, supplier, or customer audits.


Weak internal audit vs strong internal audit

A weak internal audit confirms that a procedure exists and moves on. A stronger internal audit tests whether the process is effective, whether records support conformity, whether people understand the controls, and whether the system is producing the intended result.

Weak: Procedure available and signed
Stronger: Procedure available, current revision controlled, records sampled, evidence of implementation confirmed, deviations identified, and effectiveness of the process evaluated against defined requirements

That is the shift that makes internal audits commercially useful, not just compliant.

Choose the level of internal audit support you need

Internal Audit Toolkit

Best for companies that need a practical audit structure with planning, checklists, reports, evidence capture, and follow-up tools.


Auditor Training Pack

Best for teams that want to strengthen auditor competency, interview quality, consistency of findings, and audit confidence.

  • QA / RA managers

    Improve audit quality, evidence strength, and linkage between findings, CAPA, and management review.

  • Startup and growing manufacturers

    Build a workable internal audit system before external audits expose weak implementation and poor records.

  • Internal auditors

    Improve how you plan audits, sample evidence, interview process owners, and write stronger findings.

  • Teams preparing for certification

    Use internal audits to identify real gaps early and reduce surprises during stage 1, stage 2, or surveillance audits.

Internal Audit FAQ

What is an internal audit in ISO 13485?

An internal audit is a planned and documented review used to determine whether the quality management system conforms to requirements, is implemented effectively, and is maintained properly.

How often should ISO 13485 internal audits be done?

The frequency should be based on process importance, risk, previous findings, changes, and overall audit programme needs. Higher-risk or weak-performing areas often need more frequent attention.

What do auditors look for during an internal audit?

They should look for objective evidence of implementation, record quality, process control, training, traceability where applicable, compliance to procedures, and whether the process is actually effective.

What should an internal audit checklist include?

A good checklist should include clause requirements, process-specific controls, evidence prompts, sampling areas, interview prompts, and space for recording objective evidence and findings.

Who can perform an internal audit?

An internal audit should be performed by someone competent and sufficiently independent from the area being audited so the review is objective and credible.

What is the difference between an audit observation and a nonconformity?

A nonconformity identifies failure to meet a requirement. An observation usually highlights a weaker area, potential issue, or improvement opportunity that may not yet meet the threshold of nonconformity.

What happens after an internal audit?

Findings should be reviewed, assigned, corrected where required, escalated into CAPA when necessary, followed up to verify completion, and fed into broader quality system improvement.