
How to Prepare for and Conduct an ISO 13485 Internal QMS Audit

Congratulations! You have been chosen (or perhaps conscripted) to conduct or participate in an ISO 13485 internal quality management system (QMS) audit. For many, the prospect of coordinating and conducting an audit can be overwhelming. However, believe us when we say the fear subsides with each hour of planning you do. In this white paper we will talk about how you can lay the foundation to ensure that your ISO 13485 audit progresses smoothly, yielding input that’s useful to your company’s management review as well as its corrective and preventive action (CAPA) processes.

The Real Purpose of the Medical Device QMS Audit

Even though it seems obvious, it’s worth repeating that the purpose of conducting an audit is to determine whether the QMS conforms to specified requirements and is effective in enabling your organization to meet quality objectives. In other words, you are trying to assess whether the organization’s system says what it needs to say, that you’re doing what you say you’ll do, and that what you’re doing is working to produce the outcomes you need. A QMS audit is NOT intended to evaluate the quality of products, nor does it focus on the performance of people. The emphasis is on the QMS processes and the effectiveness of the entire system in meeting defined requirements and objectives.

Basic Types of ISO 13485 Audits

Audits are planned, systematic processes carried out according to prepared working documents and audit plans.

ISO 13485 talks about two main components of internal audits (section 8.2.4):

  • Confirming that the organization’s QMS documentation conforms to the standard and any applicable regulatory requirements, commonly called a “documentation audit.”
  • Confirming that the organization has implemented and is maintaining the QMS documentation, commonly called an “on-site audit.”

While documentation and on-site audits may seem like two entirely different animals, they are not. A thorough QMS audit includes both components. The difference between the two usually is in the approach and depth to which each of these audit components is conducted. The focus of the documentation audit centers on whether the QMS has been established and documented, while the on-site audit looks at whether there is sufficient objective evidence within the QMS to confirm it has been implemented and maintained.

A full QMS audit has four primary goals:

  1. Determine the extent to which the QMS has been established.
  2. Determine whether or not the QMS has been documented in accordance with applicable requirements, also known as audit criteria (e.g., ISO standard, applicable regulations, contracts).
  3. Determine if the QMS has been effectively implemented.
  4. Determine whether or not the QMS has been properly maintained.

QMS Audit Goals

Developing Your Overall ISO 13485 Audit Schedule

A well-planned audit schedule will ensure that audits are performed regularly, are conducted according to the importance of the process and address the results of previous audits.

Developing a master audit schedule is the first step toward planning audit activities for the year. Individual audit leaders will construct the individual audit plans to meet the schedule. An example of a master internal audit schedule is shown below. A similar one could be developed to plan your supplier audits for the year.

A typical ISO 13485:2016 internal audit will generally cover 2-4 areas of the organization each month throughout the year, depending on the size of the company.
Audit Process Table - Sample

Preparing for Your ISO 13485 QMS Audit

When planning an audit, it is tempting to skip some of the steps below and go immediately to creating a checklist and schedule. However, the process of initiating the audit is vital to assure the audit process is comprehensive and successful. Here are the steps you should take.

  • Appoint the lead auditor. The first basic step is to figure out who will lead the audit team. If you work for a small company, that might be you! This person will be responsible for all phases of the audit.
  • Define audit objectives, scope, and criteria. This is an important step. You need to define which facilities and/or departments are involved and which processes will be audited, and clearly identify those areas that may be excluded. Defining the audit criteria (i.e., ISO 13485:2016) and additional applicable regulatory requirements (e.g., 21 CFR 820 and/or EU Medical Device Regulation 2017/745) is also imperative.
  • Determine the feasibility of the audit. You need to ensure that you will be able to conduct the audit as planned. Will you have adequate cooperation from auditees? Are any of the people involved working on a major deadline that would take away from their participation? Will any of them be on vacation? Is there adequate time and budget to conduct the audit? Will all the information you need be made available to you? Don’t assume. Verify.
  • Select the audit team. If your company is small, you may comprise the “team.” If your company has more than, say, 150 employees, insources design, makes high-risk products, etc., it is possible that you may need 2+ auditors on your team. In selecting the audit team members, consider which competencies are needed, how long your audit will last, the scope of the audit, and time constraints. The first rule of auditing is that an auditor cannot examine an area for which he/she is responsible. Regarding competence, consider this example: An auditor who needs to interview management regarding management processes (e.g., resource processes, results processes, etc.) should have some minimal business experience. An auditor who needs to verify process or product measurements may need to have knowledge of quality and statistical tools. That’s why ISO defines competence in terms of education, training, skill, experience, and personal attributes.
  • Establish initial contact with the auditee(s). With a lead auditor chosen, the team determined, the scope defined, and other factors considered, it’s time to establish contact with your auditees. Make sure affected members of your organization (or your supplier) understand the scope of the audit you are conducting, when the audit will be conducted, and who is on the team. Request access to all relevant documents and, if you are auditing a supplier, ask for a map or sketch of their facility that has the departments clearly labeled.
  • Review your reference documents. Review any applicable standards or guidance documents to refamiliarize yourself with the requirements.

Conducting a QMS Documentation Review

The purpose of the documentation review is to determine whether or not the QMS has been established and documented and meets the established regulatory requirements. Accordingly, where possible, try to review all documentation before the on-site audit activities commence. This will help you prepare for the on-site audit effectively and efficiently. Typically, auditees are required to submit a quality manual and procedures before the on-site audit.

The documentation should cover relevant information regarding the QMS (e.g., scope, exclusions that may exist) and any additional requirements beyond ISO 13485 and applicable regulatory requirements (e.g., customer requirements and/or supplier agreements). It should represent the documented quality management system as required by ISO 13485 in paragraphs 4.2.1 and 4.2.2 or other applicable criteria. If you are auditing a supplier, sometimes it might not be possible to get the quality manual ahead of time for proprietary reasons. If that’s the case, allocate time for a review at the beginning of the on-site audit. Organizational charts are helpful, so make sure you get a copy.

In addition to the manual and procedures, review:

  • Promotional literature and website pages
  • Previous audit findings and status of corrective actions
  • Supplier agreements (if auditing a supplier)

Role of the ISO 13485 Lead Auditor

Every audit has a lead auditor, even if there is only one auditor! This person represents the team in communication with the auditee and management. The lead auditor also defines the requirements of each audit assignment, including qualification of other audit team members. Here are some of the lead auditor’s additional responsibilities:

  • Plan the audit.
  • Assign audit responsibilities to each audit team member.
  • Make effective use of resources during the audit.
  • Organize and direct audit team members.
  • Provide direction and guidance to auditors in training.
  • Serve as the lead communicator between the audit team and auditee team.
  • Lead the audit team to reach conclusions.
  • Prevent and resolve conflicts during the audit.
  • Prepare and complete the audit report.

Creating the QMS Audit Plan

Starting an on-site audit without a detailed plan is a surefire way to waste a lot of time, frustrate a lot of people, and leave without generating useful output. In an ideal world, you should spend 2 hours planning every hour of audit time. A detailed audit plan should cover:

  • Audit objectives and scope
  • Audit criteria and reference documents
  • Locations, dates, times, and duration of audit activities
  • Audit method to be used, including the extent of sampling
  • Roles and responsibilities of the audit team members, guides, and observers
  • Allocation of appropriate resources to critical areas of the audit
  • Logistics and communications arrangements (usually for supplier audits)

This is an example of an internal audit plan for a single internal process.

Audit Plan - Single Process

This is an example of an ISO 13485:2016 audit plan for individual processes. It also shows the ISO 13485:2016 clauses that would typically be relevant for each process.

Audit Plan - Processes

Creating Your Working Documents

An essential part of the audit planning stage involves preparation of the working documents. You’ll usually do some of this in parallel with the documentation review portion of the audit, which will give you information about specific topics and information paths to follow during your on-site audit.

Working documents typically include checklists, audit sampling plans and forms for recording meeting attendance, audit evidence, and audit findings (corrective action reports, nonconformity reports). Checklists are good tools, as they save valuable time and ensure that important items are not missed during the audit. It is worth spending time on these, because checklists can be adapted for use in other audits and improved based on your experience over time. Just remember: As you’re auditing, don’t use checklists like a script; instead, consider them only as a guide. Also, don’t forget to safeguard and treat your audit documents as confidential or proprietary at all times.
Notifying Your Auditee

The final step in the preparation phase is to confirm the audit details with your auditee. This correspondence comes from the lead auditor and must follow company procedures and address all points from any previous phone discussions, meetings, or emails. The notification must confirm the date, time, and place of the opening meeting and include the audit plan and proposed schedule/agenda. (Optionally, you could include a copy of your checklists if they will aid understanding, but there are pros and cons to doing so.) The purpose of this notification is to ensure there are no misunderstandings.

A detailed audit plan will be very specific about times, participants, and process areas.

Sample Audit Plan

How to Ensure the Opening Day of Your ISO 13485:2016 Audit Goes Smoothly

You have spent weeks preparing for your audit. All documentation has been reviewed, schedules created, auditees notified, and checklists confirmed. Now it’s time for the scary part: Conducting the audit! If you have done your job well to this point, the audit should be the easy part because you will simply be executing a well-choreographed plan.

On the morning of Day 1, you will host the opening meeting. There are many things you will want to accomplish during this meeting, including:

  • Record the name and title of all participants.
  • Introduce audit team members and state each member’s responsibilities. Ask the auditee team to do the same.
  • Discuss the responsibilities of auditee management.
  • Confirm the purpose and scope of the audit and confirm the audit plan (typically sent a few weeks prior to the opening meeting).
  • Confirm the availability of all requested resources.
  • Describe the audit methodology (e.g., interviewing, observing, reviewing documentation, taking notes, recording findings, classifying nonconformities, etc.).
  • State the audit objectives and emphasize that the audit will try not to interfere with operations.
  • Confirm the working hours, meal breaks, and time for daily debriefings.
  • Confirm the time of the closing meeting, and state how long it will take after that meeting until the audit report is issued.

Average ISO 13485 Internal Audit Duration

The duration of an audit is based on the number of employees in the facility and the scope of the QMS. The risk associated with the device is also a factor. For example, there is certainly more risk associated with manufacturing heart valves than manual wheelchairs, and this impacts audit length. The International Accreditation Forum documents MD-5 and MD-9 set guidelines for internal audit days as well as general protocols for conducting an ISO audit. It should be noted, however, that this type of audit length determination is trending out with the use of audit duration calculations used in the Medical Device Single Audit Program Model (MDSAP). MDSAP audits are based on the number of elements to be covered in the audit. These types of audits can be considerably longer than an ISO audit.

Conducting the On-Site Audit and Avoiding Rabbit Holes

All that preparation you did in the weeks leading up to the audit will now pay off. You should make every effort to deal directly with the people involved in implementing the system. People – not documents – make or break a system. When you start performing the audit, it is important to remember that an audit is really a method of sampling and is conducted to get a sense of what is happening. Consider stratified random sampling to focus the audit based on risk (e.g., rather than taking a random sampling of purchase orders, stratify the population by criticality to focus on what is important). You need to be sure that the auditee is not cherry-picking documents to show you. You should dictate the documents you want to see, reviewing the requisite number of samples stipulated in your audit plan.

During the audit, you will invariably come across people who nervously ramble, digress, or are intentionally vague or evasive. In these cases, it is important that you remain courteous but persistent. Be polite but insist on getting details needed to answer the question. Don’t go down the rabbit hole with someone who is trying to explain something that is irrelevant. It is the auditor’s job to keep the auditee on track and extract the information needed. That being said, you should explore problems fully. Accordingly, you may need to go beyond your checklist to dig deeper and look at key process interactions that may be relevant (e.g., purchasing and production interaction).

Audit Interviewing Tips

Auditees often get nervous during an ISO 13485:2016 audit because they sometimes feel as though they are being personally interrogated. To gain their cooperation, it is important that you set a commonality of perceived purpose in the opening meeting. Your common goal is to ensure that the company has a quality management system that is conforming to requirements and effective, not to throw someone under the bus. Make sure to tell the auditee that you will be taking notes during an interview. Refer to your checklists repeatedly but don’t read verbatim from them; instead, use the checklist items as a framework for discussion. To get relevant, complete information from auditees, follow these guidelines:

  • Don’t be sarcastic, argue, or criticize people’s efforts.
  • Don’t be negative.
  • Don’t reveal your opinions but don’t be overly secretive.
  • Don’t question beyond your level of knowledge.
  • Don’t get into company politics or personalities.
  • Don’t be late!

Remember, although the audit may be the most important thing in your professional life at this moment and you may feel like the most powerful person in the room, your presence is an imposition for the auditee. They have other work to do. With limited time to collect the information you need, think carefully about how you ask questions. Consider these alternative examples:

  • Do you issue new revisions?
  • How do you issue new revisions?

The second question (i.e., an open question) is likely to reveal much more information about who, what, when, where, why, and how revisions are issued. Also, keep personnel dynamics in mind. Auditee personnel may hold back information if their boss is also in the room.

Recording and Discussing Your Observations

Audits can be exhausting, and you’ll be eager to go home at the end of a long day. Resist the urge! It is vital that you conduct a debriefing at the end of each day (not the next morning) to discuss observations with your audit team members and ensure that team members are performing their assigned functions. Document your observations so each team member can evaluate results for potential nonconformities. Also, you’ll sleep better that night with all of your insights safely put on paper instead of cluttering your brain.

Don’t meet only with your audit team. It is important that you keep the auditee fully aware of what is being observed. Meet with the auditee per an established schedule for debriefing and report good as well as nonconforming conditions.

Conducting the Closing Meeting of Your ISO 13485 Internal Audit

When the audit is complete, the audit team will conduct a closing meeting with the management team to formally present positive findings, cite concerns, share opportunities for improvement, and clarify misunderstandings. This meeting and the final ISO 13485 audit report are critical to the success of the audit, so the lead auditor must be fully prepared with notes covering all areas and have supporting objective evidence for each finding.

The purpose of the closing meeting is to present logical and fact-based explanations of the strengths and weaknesses of the quality management system. You will want to explain to management that the audit investigated only a sample of activities and that there may be other nonconformities the sampling did not uncover. This is especially important for people to understand because an actual FDA inspection or Notified Body audit may uncover different issues. You don’t want people pointing fingers at you if observations arise that were not revealed by an internal audit.

With regard to nonconformities, it is best not to raise these for the first time during closing meetings. Always bring the issue up during the audit and give the auditee an opportunity to explain something you may have misunderstood. If there is still evidence of a nonconformity, let the auditee know then. Also, make sure you give credit where credit is due, particularly in areas where procedures have been shown to be effective. When covering deficiencies, focus the auditee’s attention on the significance of the nonconformities (major versus minor). Get agreement on a timeframe for creating a corrective action plan, and a deadline for addressing those deficiencies. You should also state the date when the final audit report will be issued. Finally, although not required (especially with internal audits), it’s a good idea to keep minutes of the meeting and record attendance.

Whew. You Successfully Finished Your ISO 13485 Internal or Supplier Audit. Now What?

You’ve spent weeks preparing for your audit and several days conducting it. Now comes the time to formally put your thoughts and findings on paper. The purpose of the audit report is to present the auditee with a written record of nonconformities and provide a full account of audit evidence that supports these nonconformities. In general, your audit report should:

  • Describe the audit purpose and scope.
  • Identify all audit team members.
  • Identify people who attended the opening and closing meetings.
  • Describe the strengths of the QMS.
  • Describe each system nonconformity. (Typically, people’s names are not linked to process nonconformities, only their job function, e.g., supervisor.)
  • Provide audit evidence to support each nonconformity.
  • Describe concerns and opportunities for improvement.
  • Provide a conclusion (e.g., “The audit shows that the QMS has remained effective with a few exceptions, as revealed by the nonconformities as follows…”).

Don’t forget – your report should not contain surprise nonconformities that were not discussed during the audit and in the closing meeting.

How Much Detail Goes into the Final Audit Report?

The nature of the audit will determine the characteristics such as the length, format, emphasis areas, and sequence. Nonetheless, the formal report should contain a highly detailed description of the quality management system’s strengths, nonconformities, audit evidence, opportunities for improvement, and areas of concern. It should include:

  • Executive summary
  • Audit overview, including:
      ◦ Date of the audit
      ◦ Purpose of the audit and scope
      ◦ Audit criteria (e.g., ISO 13485:2016 standard)
      ◦ Persons contacted during the audit and the audit team
  • Approvals and signoff by lead auditor
  • Specific nonconformity reports
  • Specific concern reports (could become future nonconformities)

Nonconformity-Concern Tables

The content of the ISO 13485 QMS audit report must represent the conclusions of the lead auditor with input from the entire audit team, and not just the viewpoints of individuals. This gives the auditee the benefit of the collective experience of all team members and reduces bias.

The lead auditor will decide if the scope of the audit warrants including corrective action requests in the final report. Your audit report should be sent to the auditee as soon after the closing meeting as practical. This is important because it reinforces the points you made during the closing meeting and keeps those issues top of mind with the auditee management team.

ISO 13485 Internal or Supplier Audit Follow-Up Activities

Now that you’ve crafted a beautifully detailed report and submitted it to the auditee, you’re finished – right? Not so fast. The last thing you want is to show up at the next audit only to find out that nothing has been done to address nonconformities described in your audit report. Inaction would certainly frustrate you and it would not be good for the company. Thus, after the closing meeting has occurred and the audit report has been sent to management, your goals are to:

  • Ensure the management team fully understands the nonconformities via audit report distribution.
  • Make sure the auditee prepares timely corrective action plans to address any nonconformities.
  • Ask the auditee to identify the people who will initiate and implement the corrective actions.
  • Evaluate the auditee’s corrective action plan responses to determine the completeness of the plan.
  • Verify the completion and effectiveness of corrective actions, which may include a follow-up audit.
  • Determine the need for surveillance visits.

It’s also a good idea to make sure the organization has a methodology to address corrective actions. If not, this would be a good opportunity for improvement. Without a methodology supported by tools, chances are that the CAPA system will not be effective.

As part of the follow-up process, you should also retain or destroy documents pertaining to the audit in accordance with any agreements, procedures, and applicable statutory, regulatory, and contractual requirements.

Your Work Will Never Be Done, and That’s Good

As an auditor, you play a critical role in the health of your organization’s quality management system, and ultimately the safety of the medical devices your company produces. That’s an important responsibility, which needs to be taken seriously. The benefits of sustained audits are much the same as eating healthfully or exercising. It may not always feel great right away, but the long-term results are always positive.

Want to take the next step in becoming an ISO 13485 auditor?

This blog only scratches the surface of the topic. If you will be more involved in doing audits for your organization, we highly recommend you check out our ISO 13485 lead auditor training class, which offers the opportunity to become certified by Exemplar Global. Our team is also available to conduct internal and supplier audits as needed. 
