
Internal Audit Program for ISO 13485: Setup and Execution Guide

📋 Quick Summary

How to build and run an internal audit program for ISO 13485:2016. Audit planning, auditor competency, conducting audits, nonconformance reporting, and CAPA integration.


Why Internal Audits Are More Than a Checkbox Activity

ISO 13485:2016 Clause 8.2.4 requires manufacturers to conduct internal audits at planned intervals to determine whether the quality management system conforms to the requirements of the standard, is effectively implemented, and is maintained. FDA's QSR §820.22 similarly requires internal quality audits.

The compliance requirement is straightforward. The strategic value of a well-run internal audit program is less appreciated: internal audits are the manufacturer's primary mechanism for identifying quality system failures before they manifest as field problems, customer complaints, or FDA observations.

Organizations that treat internal audits as a documentation exercise (selecting low-risk audit areas, using auditors who are reluctant to raise findings, and closing nonconformances with superficial corrective actions) consistently have more significant regulatory findings during external audits. The inverse is also true: manufacturers with rigorous internal audit programs that genuinely stress-test their quality systems accumulate a track record of finding and fixing problems internally, which is exactly what ISO certification auditors and FDA investigators want to see.

An effective internal audit program requires four things: an annual audit schedule that covers all quality system processes over a defined cycle, auditors who are competent and independent of the areas they audit, audit execution that produces objective, evidence-based findings, and a CAPA process that closes audit findings with genuine root cause analysis and verified corrections.

Building the Annual Audit Schedule

ISO 13485 requires that internal audits be conducted at planned intervals, with the audit schedule considering the status and importance of the processes and areas to be audited as well as the results of previous audits. This means the audit schedule is not static: it should be risk-based and responsive to quality system performance data.

Process-based audit approach: Structure your audit schedule around quality system processes, not just organizational departments. Key processes to include: design and development controls, purchasing and supplier management, production and process controls, equipment qualification and calibration, document and record control, complaint handling and MDR reporting, CAPA, management review, internal audit process itself, and post-market surveillance.

Risk-based scheduling: Processes with higher risk (Class III device manufacturing, critical process steps, high-volume complaint areas) should be audited more frequently than low-risk processes. Results from the previous audit cycle should inform scheduling; a process with multiple open nonconformances or a history of recurring findings should receive increased audit attention.

Frequency requirements: ISO 13485 does not specify a minimum audit frequency. Most quality systems conduct full audit program cycles annually, with high-risk processes audited twice per year or more. FDA QSR §820.22 requires audits at established intervals, which FDA investigators interpret as at least annually.

Audit calendar management: The annual audit schedule should be published at the beginning of the year, reviewed and approved by management, and updated if significant changes to the quality system warrant additional audits. Audit schedule adherence (completing audits as scheduled rather than rescheduling repeatedly) is an indicator of quality system discipline that external auditors note.

Auditor Competency and Independence Requirements

ISO 13485 Clause 8.2.4 explicitly requires that auditors not audit their own work. The independence requirement exists because self-auditing creates an inherent conflict of interest: people are naturally less critical of processes they own or contribute to. FDA's QSR §820.22 has the same requirement: auditors cannot audit areas where they have direct responsibility.

Competency requirements: Beyond independence, auditors must be competent to conduct quality system audits. Competency encompasses: knowledge of ISO 13485 (or QSR/QMSR) requirements, understanding of audit methodology (planning, execution, reporting), and, critically, knowledge of the process area being audited. A quality engineer who is an excellent QMS auditor may not be competent to audit a sterile manufacturing process without additional technical knowledge.

Auditor qualification and training: Establish documented competency criteria for internal auditors. Common qualification routes include: completion of a formal ISO 13485 internal auditor training course (typically 2-3 days), participation as an observer on a supervised audit, and successful completion of an auditor assessment. Training records must document auditor qualifications and any continuing education.

Using external auditors: For smaller organizations with limited internal audit resources, supplementing internal audits with external contract auditors is a valid and often effective approach. External auditors bring independence and cross-industry perspective. However, some internal audit activity using organization personnel is expected; organizations that rely entirely on external auditors without any internal audit capability have a quality system gap.


Conducting the Audit: Evidence-Based Findings

The quality of an audit is determined by the quality of evidence collected, not by the number of findings or the absence of findings. A clean audit record from an auditor who did not look critically is worse than an audit with legitimate findings, because it creates a false picture of quality system health.

Audit planning: Before executing an audit, prepare an audit plan that defines: audit scope (which processes and locations will be covered), audit criteria (which standard or procedure requirements apply), audit team composition, and audit schedule (time allocation for each area). Share the audit plan with the auditee in advance; this is not a surprise inspection.

Evidence collection: During the audit, evidence is collected through three methods: interviews (asking personnel how they perform their work), observation (watching processes being performed), and document/record review (verifying that records exist and are completed correctly). A rigorous auditor uses all three methods and does not rely solely on interviews or document review.

Writing audit findings: Nonconformances must be documented in specific, objective terms. A finding that states "Document control is inadequate" is not useful. A finding that states "SOP-001 Rev 3, Section 4.2 requires that documents be reviewed every two years. Document review records for QF-022 (last reviewed 2023-01-15) and QF-047 (last reviewed 2022-11-03) were not found in the document management system. The review due dates of January 2025 and November 2024 have passed without documented review" is objective, specific, and actionable.
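The record-review evidence behind a finding like the one above can be produced mechanically rather than by hand. The following script is an added example, not code from the original article or from any QMS product: it takes a list of document records, applies the two-year review interval the finding example cites from SOP-001 Rev 3, Section 4.2, flags every document whose review due date has passed without a newer review record, and renders the result in the same objective "requirement, evidence, consequence" form. The `DocumentRecord` type, the `SAMPLE_RECORDS` data (constructed to mirror the QF-022 and QF-047 dates in the finding example, plus two documents that are not overdue) and the audit date are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DocumentRecord:
    """One controlled document as exported from a document management system.
    (Assumed structure for this example.) `last_reviewed` is the most recent
    documented review; if a newer review existed, this date would be later."""
    doc_id: str
    last_reviewed: date


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years, clamping 29 Feb to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def overdue_reviews(records, audit_date, interval_years=2):
    """Return (doc_id, last_reviewed, due_date) for each document whose review due
    date (last review + interval) has passed as of `audit_date`, earliest due first."""
    overdue = []
    for rec in records:
        due = add_years(rec.last_reviewed, interval_years)
        if due < audit_date:
            overdue.append((rec.doc_id, rec.last_reviewed, due))
    return sorted(overdue, key=lambda item: item[2])


def write_finding(overdue, sop_ref="SOP-001 Rev 3, Section 4.2", interval_years=2):
    """Render overdue documents as an objective, evidence-based nonconformance
    statement: the requirement, the specific records, and the missed due dates.
    Returns an empty string when there is nothing to report."""
    if not overdue:
        return ""
    docs = " and ".join(f"{doc_id} (last reviewed {last.isoformat()})"
                        for doc_id, last, _ in overdue)
    dues = " and ".join(due.isoformat() for _, _, due in overdue)
    return (f"{sop_ref} requires that documents be reviewed every {interval_years} years. "
            f"Document review records for {docs} were not found in the document "
            f"management system. The review due dates of {dues} have passed without "
            f"documented review.")


# Constructed sample export: the first two rows mirror the article's finding example,
# the last two are current and must not be reported.
SAMPLE_RECORDS = [
    DocumentRecord("QF-022", date(2023, 1, 15)),
    DocumentRecord("QF-047", date(2022, 11, 3)),
    DocumentRecord("QF-010", date(2024, 6, 1)),
    DocumentRecord("QF-033", date(2025, 2, 20)),
]

if __name__ == "__main__":
    audit_date = date(2025, 3, 10)  # assumed date of the document control audit
    print(write_finding(overdue_reviews(SAMPLE_RECORDS, audit_date)))
```

Run it with an audit date after January 2025 and it reports QF-047 and QF-022 in the same wording as the finding example; run it with an audit date before November 2024 and it reports nothing. The point for the auditor is that the comparison of due date against audit date is the evidence; the text around it only makes that evidence specific and actionable.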

Audit report: After the audit, issue a formal audit report that documents: audit scope, criteria, and objectives; team members; date; summary of findings (nonconformances and observations); and overall conclusion regarding conformance and effectiveness. The auditee should review and acknowledge the audit report before it is finalized.
