Day 1 Conducting Your ISO 13485:2016 Audit. How to Ensure it Goes Smoothly.

September 20, 2018

In our previous post on ISO 13485:2016 auditing, we talked about how to plan your ISO 13485 QMS audit. In this post we will take the next step and provide tips on how to conduct the opening meeting, interact with auditees, and conduct the closing meeting. In our final post, we’ll talk about audit reporting and follow up activities. We’ve combined this entire series into one easy-to-read PDF. Download it here


Want to learn more about ISO 13485 auditing? Consider our ISO 13485 Lead Auditor Training class.

The Opening Meeting of the On-Site Audit

You have spent weeks preparing for your audit. All documentation has been reviewed, schedules created, auditees notified, and checklists confirmed. Now it’s time for the scary part: Conducting the audit! If you have done your job well to this point, the audit should be the easy part because you will simply be executing a well-choreographed plan.

On the morning of Day 1, you will host the opening meeting. There are many things you will want to accomplish during this meeting, including:

  • Record the name and title of all participants.
  • Introduce audit team members and state each member’s responsibilities. Ask the auditee team to do the same.
  • Discuss the responsibilities of auditee management.
  • Confirm the purpose and scope of the audit, and confirm the audit plan (typically sent a few weeks
  • prior to the opening meeting).1
  • Describe the audit methodology (e.g., interviewing, observing, reviewing documentation, taking
  • notes, recording findings, classifying nonconformities, etc.).
  • State the audit objectives and emphasize that the audit will try not to interfere with operations.
  • Confirm the working hours, meal breaks, and time for daily debriefings.
  • Confirm the time of the closing meeting, and state how long it will take after that meeting until the audit report is issued.

Average ISO 13485:2016 Audit Duration

ISO audit duration is based on the number of employees in the facility and the scope of the QMS. The risk associated with the device is also a factor. For example, there is certainly more risk associated with manufacturing heart valves than manual wheelchairs, and this impacts audit length. The International Accreditation Forum documents MD-5 and MD-9 set guidelines for internal audit days as well as general protocols for conducting an ISO audit. It should be noted, however, that this type of audit length determination is trending out with the use of audit duration calculations used in the Medical Device Single Audit Program Model (MDSAP). MDSAP audits are based on the number of elements to be covered in the audit. These types of audits can be considerably longer than an ISO audit.

Conducting the On-Site Audit and Avoiding Rabbit Holes

All that preparation you did in the weeks leading up to the audit will now pay off. You should make every effort to deal directly with the people involved in implementing the system. People – not documents – make or break a system. When you start performing the audit, it is important to remember that an audit is really a method of sampling and is conducted to get a sense of what is happening. Consider stratified random sampling to focus the audit based on risk (e.g., rather than taking a random sampling of purchase orders, stratify the population by criticality to focus on what is important). You need to be sure that the auditee is not cherry-picking documents to show you. You should dictate the documents you want to see, reviewing the requisite number of samples stipulated in your audit plan.

During the audit, you will invariably come across people who nervously ramble, digress, or are intentionally vague or evasive. In these cases, it is important that you remain courteous but persistent. Be polite but insist on getting details needed to answer the question. Don’t go down the rabbit hole with someone who is trying to explain something that is irrelevant. It is the auditor’s job to keep the auditee on track and extract the information needed. That being said, you are encouraged to explore problems to the fullest extent possible rather than skipping over a problem so you can touch lightly on other subjects. Accordingly, you may need to go beyond your checklist to dig deeper and

look at key process interactions that may be relevant (e.g., purchasing and production interaction).

Audit Interviewing Tips

Auditees often get nervous during an ISO 13485:2016 audit because they sometimes feel as though they are being personally interrogated. To gain their cooperation, it is important that you set a commonality of perceived purpose in the opening meeting. Your common goal is to ensure that the company has a quality management system that is conforming to requirements and effective, not to throw someone under the bus. Make sure to tell the auditee that you will be taking notes during an interview. Refer to your checklists repeatedly but don’t read verbatim from them; instead, use the checklist items as a framework for discussion. To get relevant, complete information from auditees,

follow these guidelines:

  • Don’t be sarcastic, argue, or criticize people’s efforts.
  • Don’t be negative.
  • Don’t reveal your opinions but don’t be overly secretive.
  • Don’t question beyond your level of knowledge.
  • Don’t get into company politics or personalities.
  • Don’t be late!

Remember, although the audit may be the most important thing in your professional life at this moment and you may feel like the most powerful person in the room, your presence is an imposition for the auditee. They have other work to do. With limited time to collect the information you need, think carefully about how you ask questions. Consider these alternative examples:

  • Do you issue new revisions?
  • How do you issue new revisions?

The second question (i.e., an open question) is likely to reveal much more information about who, what, when, where, why, and how revisions are issued. Also, keep personnel dynamics in mind. Auditee personnel may hold back information if their boss is also in the room.

Recording and Discussing Your Observations

Audits can be exhausting, and you’ll be eager to go home at the end of a long day. Resist the urge! It is vital that you conduct a debriefing at the end of each day (not the next morning) to discuss observations with your audit team members and ensure that team members are performing their assigned functions. Document your observations so each team member can evaluate results for potential nonconformities. Also, you’ll sleep better that night with all of your insights safely put on paper instead of cluttering your brain.

Don’t meet only with your audit team. It is important that you keep the auditee fully aware of what is being observed. Meet with the auditee per an established schedule for debriefing and report good as well as nonconforming conditions.

Whew, You Made It – the Closing Meeting

When the audit is complete, the audit team will conduct a closing meeting with the management team to formally present positive findings, cite concerns, share opportunities for improvement, and clarify misunderstandings. This meeting and the final ISO 13485 audit report are critical to the success of the audit, so the lead auditor must be fully prepared with notes covering all areas.

The purpose of the closing meeting is to present logical and fact-based explanations of the strengths and weaknesses of the quality management system. You will want to explain to management that the audit investigated only a sample of activities and that there may be other nonconformities the sampling did not uncover. This is especially important for people to understand because an actual FDA inspection or Notified Body audit may uncover different issues. You don’t want people pointing fingers at you if observations arise that were not revealed by an internal audit.

With regard to nonconformities, it is best not to raise these for the first time during closing meetings. Always bring the issue up during the audit and give the auditee an opportunity to explain something you may have misunderstood. If there is still evidence of a nonconformity, let the auditee know then. Also, make sure you give credit where credit is due, particularly in areas where procedures have been shown to be effective. When covering deficiencies, focus the auditee’s attention on the significance of the nonconformities (major versus minor). Get agreement on a timeframe for creating a corrective action plan, and a deadline for addressing those deficiencies. You should also state the date when the final audit report will be issued. Finally, although not required (especially with internal audits), it’s a good idea to keep minutes of the meeting and record attendance.

Want to learn more about ISO 13485:2016 auditing?

In our final post we will talk about how to prepare your ISO 13485:2016 audit report and following up on corrective action plans with auditees.  If you would like to learn more about ISO 13485:2016 auditing, we offer intensive ISO 13485 internal auditor and lead auditor classes in cities throughout the US or as a virtual instructor-led training.

Our team is here to help. Call 1.800.472.6477 or contact us online ›