How to Conduct an ISO 13485 Internal Audit

A strong ISO 13485 internal audit system does far more than satisfy a certification requirement. It helps you detect weak process controls, verify that your quality management system is working as intended, and identify problems before they become external audit findings, customer complaints, or regulatory issues.

Under ISO 13485 Clause 8.2.4, internal audits must be conducted at planned intervals to determine whether the quality management system conforms to planned arrangements, conforms to the requirements of the standard, meets applicable regulatory requirements, and is effectively implemented and maintained.

In practice, this means your internal audit programme needs to be systematic, objective, documented, and linked to real process performance. It is not enough to complete a basic checklist once a year. Audits need to assess how your system actually operates.

1. Start with a Risk-Based Audit Programme

Not all processes should be audited with the same frequency or the same level of depth. High-risk and high-impact activities deserve more attention than stable low-risk administrative processes. This is where many businesses go wrong. They treat all audits equally, which weakens the value of the entire audit programme.

Your audit schedule should take into account:

• the importance of the process,
• the risk associated with the activity,
• previous audit results,
• known quality issues or repeat nonconformities,
• changes to process, personnel, suppliers, equipment, or documentation.

For example, design controls, supplier controls, sterilization validation, complaint handling, CAPA, and nonconforming product controls usually justify deeper and more frequent auditing than lower-risk support functions. A risk-based approach produces better findings and a more credible system.

2. Define Scope, Criteria, Method, and Audit Evidence Expectations

Before the audit begins, the scope needs to be clearly defined. This prevents shallow audits and avoids confusion over what is being examined. The scope may cover a full process, a department, a product realization stream, a clause area, a site, or a focused investigation following a known issue.

Audit criteria should also be clear. These can include:

• ISO 13485 requirements,
• internal procedures and SOPs,
• regulatory obligations,
• company quality plans,
• device-specific controls and records.

Good auditors do not just ask whether a procedure exists. They verify whether the process is being followed, whether records support compliance, and whether the process is effective in practice.

3. Auditor Independence Matters

One of the clearest weaknesses in many internal audit systems is lack of independence. A person should not audit their own work. When this happens, objectivity drops, challenge is reduced, and issues are more likely to be missed or softened.

Auditor independence does not always require a fully external auditor, but it does require separation from direct responsibility for the activity being audited. Cross-functional auditing often works well, especially in smaller companies. For more sensitive or high-risk areas, an external consultant or independent specialist may be the better option.

The point is simple: if the audit is not objective, it loses value.

4. Audit the Process, Not Just the Clause

Weak audits often follow a clause checklist without understanding how work actually moves through the business. Strong audits follow the process. They trace inputs, responsibilities, decisions, approvals, controls, outputs, and records.

For example, instead of only asking whether complaint handling is documented, follow a real complaint record through the system:

• Was the complaint logged correctly?
• Was it assessed for regulatory significance?
• Did it trigger CAPA?
• Was risk management reviewed?
• Was trend analysis updated?
• Was management informed where appropriate?

This process-based approach produces far better audit evidence than a surface-level checklist exercise. It also shows whether different parts of the QMS are actually connected.

5. Sample Real Records and Follow the Audit Trail

Internal audits should be evidence-based. That means reviewing actual records, not relying on verbal assurance. Objective evidence is what allows you to confirm whether requirements are being met and whether the process is effective.

Depending on the process, this might include:

• training records,
• design review minutes,
• supplier evaluations,
• incoming inspection records,
• batch or device history records,
• complaint files,
• CAPA records,
• change controls,
• risk management files,
• management review outputs.

Sampling should be deliberate and sufficient to support conclusions. A clean procedure with weak records is still a problem. If it is not documented, it is not defensible.

6. Connect Internal Audit to Risk Management

Internal audits should not operate in isolation from ISO 14971 risk management activities. In medical device businesses, audit quality improves significantly when auditors understand how risk flows across the system.

An effective audit should test whether:

• risks are identified and documented,
• risk controls are implemented,
• changes are assessed for risk impact,
• post-market information is fed back into risk review,
• residual risks remain acceptable,
• risk files stay aligned with complaints, CAPA, and design changes.

This matters because disconnected systems create audit exposure. If CAPA records show one thing, complaint data shows another, and risk files are outdated, auditors will see the gap quickly.

7. Write Findings Clearly and Classify Them Properly

Audit findings need to be specific, objective, and actionable. Vague wording makes corrective action weaker and reduces management attention. A good finding identifies the requirement, the evidence reviewed, and the exact nature of the gap.

Strong findings usually answer three questions:

• What requirement was not met?
• What objective evidence shows the gap?
• Why does this matter to compliance or effectiveness?

Findings may be classified differently depending on your system, but the key is consistency. Not every issue is equal. A missing signature on one controlled record is not the same as a systemic failure to investigate complaints or control design changes.

8. CAPA Follow-Up Is Part of the Audit System

An audit is not complete when the report is issued. It is complete when findings are corrected, root causes are addressed where needed, and effectiveness is verified. This is where many businesses lose control. They perform the audit, log the issue, and then fail to close the loop properly.

Every significant finding should move through a structured corrective action process that includes:

• containment if required,
• root cause analysis,
• correction and corrective action,
• responsibility assignment,
• target dates,
• effectiveness verification.

If audit findings repeat across multiple cycles, that is usually a sign that CAPA is weak, superficial, or badly verified.

9. Report to Management in a Way That Drives Action

Audit outputs should not disappear into a folder. Results need to be visible to management so trends, repeat findings, systemic weaknesses, and resource issues can be addressed. A strong internal audit function helps leadership see where the QMS is robust and where it is vulnerable.

Useful management-level reporting often includes:

• audit completion against schedule,
• number and type of findings,
• repeat findings,
• late CAPAs,
• process areas with elevated risk,
• recommended system improvements.

This turns internal audits into a management tool rather than a compliance chore.

10. What Auditors Really Want to See

Whether the audit is internal, certification, customer, or regulatory, the same pattern usually applies. Auditors want to see that your internal audit process is planned, objective, evidence-based, and effective. They also want to see that problems found internally are acted on seriously.

A credible internal audit system shows:

• scheduled audits based on risk and process importance,
• clear audit scope and criteria,
• independent auditors,
• real sampling and objective evidence,
• clear findings and documented reports,
• timely corrective action and follow-up,
• management visibility and system improvement.

If your internal audit system can show that consistently, external audits become far more manageable.

Internal Audit Should Strengthen the Whole QMS

A strong internal audit process does not just identify isolated issues. It improves discipline across the whole quality system. It reinforces documentation control, training, CAPA, management review, complaint handling, supplier control, design control, and risk management. That is why Clause 8.2.4 matters so much.

If your audits are rushed, weak, or poorly structured, your QMS may look compliant on paper while failing in practice. But if your audits are planned properly and executed with real evidence, they become one of the most valuable systems you have.

That is the real goal: not just to pass audits, but to build a quality system that holds up under pressure.