Whew. You Successfully Finished Your ISO 13485 Internal or Supplier Audit. Now What?

September 20, 2018

In our previous blog posts, we talked about how to prepare and plan for your ISO 13485 audit and provided tips on how to conduct the QMS audit. In this final post, we will discuss the preparation of the audit report and your obligations for following up to ensure corrective actions are being addressed. We’ve combined all three posts into one easy-to-read PDF. Download it here.

Want to learn more about ISO 13485 auditing? Consider our ISO 13485 Lead Auditor Training class.

Preparing Your Written ISO 13485 Audit Report

You’ve spent weeks preparing for your audit and several days conducting it. Now comes the time to formally put your thoughts and findings on paper. The purpose of the audit report is to present the auditee with a written record of nonconformities and provide a full account of audit evidence that supports these nonconformities. In general, your audit report should:

  • Describe the audit purpose and scope.
  • Identify all audit team members.
  • Identify people who attended the opening and closing meetings.
  • Describe the strengths of the QMS.
  • Describe each system nonconformity.
    • Typically, people’s names are not linked to process nonconformities, only to their job function (e.g., supervisor, etc.).
  • Provide audit evidence to support each nonconformity.
  • Describe concerns and opportunities for improvement.
  • Provide a conclusion (e.g., “The audit shows that the QMS has remained effective with a few exceptions, as revealed by the nonconformities as follows…”).

Don’t forget – your report should not contain surprise nonconformities that were not discussed during the audit and in the closing meeting.

How Much Detail Goes into the Final Audit Report?

The nature of the audit will determine characteristics of the report such as its length, format, emphasis areas, and sequence. Nonetheless, the formal report should contain a highly detailed description of the quality management system’s strengths, nonconformities, audit evidence, opportunities for improvement, and areas of concern. It should include:

  • Executive summary
  • Audit overview, including:
    • Date of the audit
    • Purpose of the audit and scope
    • Audit criteria (e.g., ISO 13485:2016 standard)
    • Persons contacted during the audit and the audit team
    • Approvals and signoff by lead auditor
  • Specific nonconformity reports
  • Specific concern reports (could become future nonconformities)

Audit Goals

The content of the ISO 13485 QMS audit report must represent the conclusions of the lead auditor with input from the entire audit team, and not just the viewpoints of individuals. This gives the auditee the benefit of the collective experience of all team members and reduces bias.

The lead auditor will decide if the scope of the audit warrants including corrective action requests in the final report. Your audit report should be sent to the auditee as soon after the closing meeting as practical. This is important because it reinforces the points you made during the closing meeting and keeps those issues top of mind with the auditee management team.

ISO 13485 Internal or Supplier Audit Follow-Up Activities

Now that you’ve crafted a beautifully detailed report and submitted it to the auditee, you’re finished – right? Not so fast. The last thing you want is to show up at the next audit only to find out that nothing has been done to address nonconformities described in your audit report. Inaction would certainly frustrate you and it would not be good for the company. Thus, after the closing meeting has occurred and the audit report has been sent to management, your goals are to:

  • Ensure the management team fully understands the nonconformities via audit report distribution.
  • Make sure the auditee prepares timely corrective action plans to address any nonconformities.
  • Ask the auditee to identify the people who will initiate and implement the corrective actions.
  • Evaluate the auditee’s corrective action plan responses to determine the completeness of the plan.
  • Verify the completion and effectiveness of corrective actions, which may include a follow-up audit.
  • Determine the need for surveillance visits.

It’s also a good idea to make sure the organization has a methodology to address corrective actions. If not, this would be a good opportunity for improvement. Without a methodology supported by tools, chances are that the CAPA system will not be effective.

As part of the follow-up process, you should also retain or destroy documents pertaining to the audit in accordance with any agreements, procedures, and applicable statutory, regulatory, and contractual requirements.

Your Work Will Never Be Done, and That’s Good

As an auditor, you play a critical role in the health of your organization’s quality management system, and ultimately the safety of the medical devices your company produces. That’s an important responsibility, which needs to be taken seriously. The benefits of sustained audits are much the same as eating healthfully or exercising. It may not always feel good right away, but the long-term results are always positive.

Want to take the next step in becoming an ISO 13485 auditor?

This blog series on planning, conducting, and following up on an ISO 13485 audit only scratches the surface of the topic. If you will be more involved in doing audits for your organization, we highly recommend you check out our ISO 13485 lead auditor training class, which offers the opportunity to become certified by Exemplar Global.

Our team is here to help. Call 1.800.472.6477 or contact us online.