Writing Medical Device Audit Reports That People Will Read – and Take Action On

March 23, 2019

Whether you are auditing a critical supplier for compliance with 21 CFR Part 820 or conducting an internal MDSAP audit for another facility within your company, the audit report is the most important output of your hard work. The audit report represents the who, what, why, and how of the audit…and your primary goal is to get people to take action. How you go about crafting that report will make a big difference in what action is taken on your insights and recommendations. 

Keep the Objective of the Final Audit Report Top of Mind

It’s important to remember that the final audit report serves two key purposes. First, it should provide the auditee with a clear and accurate written record of nonconformities discovered during the audit. Second, the report should convey all of the evidence gathered during the audit.

The formal report should include a very detailed comprehensive description of the audited organization’s QMS strengths, nonconformities, audit evidence, opportunities for improvement, and concerns. The report is not an aggregation of individual opinions – it must represent the conclusion of the lead auditor with input from the entire audit team. In other words, the audit report provides a consensus opinion that incorporates the full benefit of the audit team’s collective experience and reduces the bias of individuals.

Under no circumstances should you “blindside” auditees by including nonconformities that were not discussed in the closing meeting. Including surprise nonconformities will invariably earn scorn, suspicion, and distrust, and could jeopardize the outcome of your audit. Most important, never use language that derides a specific person.

Choose Your Words Wisely and Make Your Executive Summary Count

In the age of information overload, less is more. Avoid the urge to make yourself sound smart with big words and long sentences, because if people think the report is too long or boring they won’t even bother to read it. Writing style has a lot to do with how people react to an audit report.

Avoid passive, rambling language…

It is recommended that procedures associated with the procurement of parts from critical suppliers be reviewed on a semi-annual basis to ensure that only approved parts are being ordered from these suppliers and that all newly evaluated critical suppliers are included on the Approved Supplier List distributed to employees.  (49 words)

Instead, make it shorter and more readable…

Purchasing procedures should be reviewed every 6 months to ensure that:

  • New critical suppliers have been added to the Approved Supplier List (ASL).
  • Only approved parts listed on the ASL are being ordered. (33 words)

Regarding the summary, spend extra time on this. If you think the senior management team is going to pore over every word of your scintillating report, think again. The executive summary may be the only part of the report they read, so it should quickly evaluate the effectiveness of the QMS elements that were audited. Good and bad points should be summarized along with any trends observed and key items requiring action. The executive summary should be no more than 1 or 2 pages long.

Audit Templates Are Fine but Add Some Visual Interest to Boost Readability

Most companies use a template to standardize the content of audit reports and ensure the collection of specific data. Doing so can also make audits more efficient by ascertaining that all bases are covered. Nonetheless, don’t be afraid to add your own pizazz. There is nothing in the auditing standard ISO 19011:2018 that says your audit report must be all text and boring.

Add pictures, diagrams, tables, boxes, and examples to bring important content to the forefront. Bold, highlight, or underline key points to make them stand out …but don’t go crazy. Use ALL CAPS sparingly. 

Medical Device Audit Report Contents and Format

The nature of your audit should determine the length, format, emphasis, and sequence. Audit reports should be organized by specific areas of the auditee facility and/or requirements of the standard. The auditing standard ISO 19011:2018 recommends inclusion of these essential elements:

  • Client name
  • Audit team members
  • Auditee participants
  • Location/date of audit
  • Audit objectives
  • Audit scope
  • Audit criteria
  • Audit findings and conclusions
  • Degree of conformity
  • Unresolved issues

Generally, a medical device audit report follows this basic format:

Title page

  • Report of (function or site) at (locations)
  • Date of submittal
  • Names and addresses of auditors and auditees
  • List of personnel who receive the report

Executive summary

  • Summary of results, including assessment of process effectiveness
  • Review of nonconformities and their implications
  • Statement of system effectiveness based on audit conclusions
  • Summary of open items
  • Status of follow-up items

 Audit overview

  • Date of the audit
  • Purpose of the audit
  • Scope: a brief description of areas and processes covered in the audit and a list of audit criteria
  • Persons contacted during the audit
  • Audit team members, audit functions, and company affiliation
  • Signatures of the lead auditor and audit manager (if applicable)

Areas audited

  • Requirements
  • Strengths
  • Nonconformities and their severity (major or minor), including process effectiveness nonconformities (NCs)
  • Audit evidence
  • Opportunities for improvement (include on a case-by-case basis)
  • Concerns


  • Audit plan and schedule
  • Attendance lists
  • Checklists
  • CAR forms or nonconformities, opportunities for improvement, and/or concern reports
  • List of documented info that was reviewed

The following elements can be added as appropriate but are not considered essential:

  • Confidentiality statement
  • Summary of the audit process
  • Confirmation that objectives were achieved
  • Identification of best practices
  • Agreed-on follow-up actions

Deliver Your Audit Report Soon After the Closing Meeting

It’s important that you deliver your report quickly, while the issues are fresh in everyone’s mind. You need to carefully consider who will reading the report and/or take action based on it. The managers responsible for any activity found to be deficient should receive copies of the corrective action requests, if the scope warrants it. Their managers may also receive copies as well.

The auditee is responsible for distributing the report but, when emailing the report to your primary contact, it’s a good idea to add a friendly reminder that it that should be distributed to all auditee team members and other appropriate management. Remember, your desired outcome is that people will take action on issues you uncovered. Also, keep in mind that senior management will be asking their direct reports how the audit went so you don’t want to keep people hanging.

Take the Next Step in Advancing Your Knowledge of Auditing

Since 1968, Oriel STAT A MATRIX has trained more than 130,000 auditors and conducted thousands of quality system audits. We offer auditor training for ISO 13485MDSAP and EU MDR; our experienced auditor consultants can also provide outsourced audit support.

Our team is here to help. Call 1.800.472.6477 or contact us online ›