Medical Device Internal Audits: The Ins and Outs

Posted: February 18, 2023
Category: Medical Device

In this blog post I discuss the ins and outs of internal quality audits in the medical device industry. I was responsible for the internal quality audit program in a large medical device company, and I believe it is important for those in this sector to understand the workings of this important process.

Before we examine the details of internal quality audits, it is appropriate to consider their strategic importance. Internal quality audits typically require a large commitment of time and resources. We must make sure that the benefits of the audit outweigh the burdens associated with conducting it. Otherwise, an audit bureaucracy may be established which serves no purpose. Depending on the organisational climate, conducting internal quality audits is seen either as a good exercise or as a waste of time.

To ensure that this is not the case, your objective should be to have an audit program that is thoroughly planned and executed, is resourced with competent auditors, and focuses on continual improvement as well as on meeting the company's regulatory auditing obligations. I hope that by reading this blog you will gain an understanding of how to achieve this objective.

What is an Internal Quality Audit?

In simple terms, an internal quality audit can be described as a process where an auditor interviews an auditee to obtain evidence regarding the workings of the quality system. An internal quality audit is referred to as a first party audit. Those auditing and those being audited all belong to the same organization.

The audit style is generally informal and flexible. It should cause little disruption, is a low-cost exercise and promotes transfer of information. Internal quality audits are snapshots in time. They should not be confrontational. They should always be used as a tool for continuous quality improvement.

In simple terms the purpose of a quality audit is to view and assess a true picture of the “everyday” workings of the quality system.

Internal Quality Audits in the Medical Device Industry

The internal audit program is a key aspect of a medical device company’s quality management system (QMS). Audits are used throughout all industries; for example, in financial, technical, safety, maintenance, project management, human resources and purchasing situations. Some industries conduct internal audits on a voluntary basis. That is not the case in the medical device industry, where it is a regulatory requirement to conduct internal audits.

Beyond the regulatory requirement, there are other reasons for conducting internal quality audits in a medical device company:

  • They are used as a tool to foster a continuous improvement culture,
  • They help assure quality system elements operate as intended,
  • They are used to qualify prospective suppliers,
  • They meet any contractual requirements for auditing.

The main driver, however, for doing internal quality audits in a medical device company is the regulatory requirement to do so.

Two of the most popular medical device QMS regulations are:

  1. ISO 13485:2016 Medical devices — Quality management systems — Requirements for regulatory purposes
  2. 21 CFR 820 Quality System Regulation

If a medical device company has implemented its QMS in accordance with ISO 13485 or 21 CFR 820, it is obliged to conduct internal quality audits. These regulations require that internal quality audits are conducted because they are viewed as supporting the safety and effectiveness objectives of the products that medical device companies sell. An effective internal quality audit program demonstrates that an adequate, effective quality system is established and maintained. It is therefore a critical component of a medical device company's QMS.

ISO 13485:2016 Internal Quality Audit Requirements

ISO 13485:2016 specifies requirements for a QMS where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. Adherence to this standard certifies that throughout the product’s life cycle, customer and relevant regulatory requirements will be consistently met. As an internationally recognized standard of quality and safety for medical device manufacturing, having ISO 13485 certification helps companies get recognized as more reputable, trustworthy providers. 

The ISO 13485:2016 internal audit requirements are found in clause 8.2.4, Internal Audit.

ISO 13485:2016 Clause 8.2.4 specifies the need for internal audits as follows:

“The organization shall conduct internal audits at planned intervals to determine whether the quality management system:

a) conforms to planned and documented arrangements, requirements of this International Standard, quality management system requirements established by the organization, and applicable regulatory requirements;
b) is effectively implemented and maintained.

The organization shall document a procedure to describe the responsibilities and requirements for planning and conducting audits and recording and reporting audit results.

An audit program shall be planned, taking into consideration the status and importance of the processes and area to be audited, as well as the results of previous audits. The audit criteria, scope, interval, and methods shall be defined and recorded (see 4.2.5).”

ISO 13485:2016 Clause 8.2.4

Clause 8.2.4 also requires:

“The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.
Records of the audits and their results, including identification of the processes and areas audited and the conclusions, shall be maintained (see 4.2.5).
The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes.
Follow-up activities shall include the verification of the actions taken and the reporting of verification results.”

ISO 13485:2016 Clause 8.2.4

21 CFR 820 Quality Audit Requirements

The US Food and Drug Administration (FDA) requires manufacturers to implement a QMS in accordance with the Quality System Regulation (QSR) per 21 CFR Part 820, also known as current Good Manufacturing Practice (cGMP). Manufacturers, specification developers, contract manufacturers, re-labelers/re-processors, and even some distributors must implement a quality management system compliant with the QSR.

FDA 21 CFR Part 820, Section 820.22, similarly obliges organisations to undertake regular quality audits and to be able to demonstrate that they are doing so.

21 CFR 820, Section 820.22, specifies the need for quality audits as follows:

“Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system.

Quality audits shall be conducted by individuals who do not have direct responsibility for the matters being audited. Corrective action(s), including a reaudit of deficient matters, shall be taken when necessary.

A report of the results of each quality audit, and reaudit(s) where taken, shall be made and such reports shall be reviewed by management having responsibility for the matters audited. The dates and results of quality audits and reaudits shall be documented.”

21 CFR 820, Sec. 820.22 Quality Audit

ISO Guidelines for Auditing a Management System

If you are designing an internal quality auditing program from scratch, you should become familiar with the excellent standard ISO 19011 (Guidelines for Auditing Management Systems). In fact, this standard is referenced in ISO 13485:2016. I recommend that you get acquainted with ISO 19011 if you work in internal auditing.

ISO 19011 provides guidelines for auditing management systems. It describes, for example, why you audit: “Audit results can provide input to the analysis aspect of business planning, and can contribute to the identification of improvement needs and activities.” The standard defines the eight principles of auditing (e.g., the process approach to auditing), provides guidance on managing audit programs and conducting audits, and includes recommendations for evaluating people for competency. There is also an appendix with details on conducting on-site and remote audits.

Internal Quality Audit Program and Scheduling Audits

An audit program is defined by ISO 19011 as “arrangements for a set of one or more audits (3.1) planned for a specific time frame and directed towards a specific purpose”.

The audit program lists all the internal audits planned by the organization for a certain period of time. The extent of an audit program should be based on the size and nature of the auditee, as well as on the nature, functionality, complexity, the type of risks and opportunities, and the level of maturity of the management system(s) to An internal audit program gives us the ability to find problems and solve them before somebody external to the organisation finds out about them, so a good program has broad coverage across the organisation. 

Planning of the internal audit programme should permit changes in the emphasis and intervals based on associated risk, as required by ISO 13485 (cl. 8.2.4):

“An audit program shall be planned, taking into consideration the status and importance of the processes and area to be audited, as well as the results of previous audits.” (ISO 13485, cl. 8.2.4)

An internal audit program should have documented procedures outlining the organisation's approach to internal audits. All areas of the QMS will be included in the audit program. An annual audit schedule should be drawn up, with critical areas being audited on a more frequent basis.

The Audit Schedule

Schedules for internal audits are usually produced by dividing the overall quality management system into manageable parts. Each part should be of such a size that each individual audit scope can be completed by one or two auditors in a reasonable period, normally less than one day. An effective method is to define the scope of an audit so that it will focus on one or more processes together with related activities.

The frequency with which each part is audited will be affected by factors such as:
1. Significant changes in organization, policy or technology that could affect the quality system,
2. Changes to the system itself,
3. Maturity of the system,
4. Previous audit results.

Typical schedules could cover a 6- or 12-month period and be reviewed every 3 or 4 months. The system for initiating audits should also provide for unscheduled audits. These should be undertaken when a breakdown (or failure) in the quality system has been identified during day-to-day operations.

Resourcing Quality Internal Audits

Management must buy into the fact that the internal audit process is just as critical and important an activity as any other process within the QMS. An internal auditing system must have the commitment of senior management. Without their approval, support, and encouragement, the internal audit process is doomed to failure and, worse, to wasted time and money.

The Medical Device Internal Auditor

Auditors represent a critical input to the audit process, and therefore the effectiveness of the process depends to a great extent on the knowledge and skills of the auditor(s). He/she should have an understanding of audit principles and management skills, as well as a technical understanding relevant to the activities to be audited. Auditors should have full-time workplace experience.

Ideally auditors should complete an internal auditor training course. In a formal training setting trainee auditors will learn things like how to scope an audit, define audit criteria, design audit checklists and learn interviewing best practices. 

ISO 13485:2016 Clause 8.2.4 Internal Audit requires that:

“The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.”

There are 2 main options available for resourcing internal audits:

  1. A dedicated and specialist team of full-time auditors
  2. A team selected from suitable personnel from across all areas of the company.

Whatever option is chosen management must invest in the training the auditors will need to do their jobs. The training should be aimed specifically at areas where weaknesses were identified. Specific training should be provided on the regulations that are the basis of the audit. Auditor training should be undertaken to improve their auditing skills. A robust auditor training process is deemed essential to the overall success of the audit program.

The Internal Audit Team

If the medical device company is large, there will most likely be an internal auditor team. Alternatively, companies should have a pool of internal auditors that they can use. This is beneficial as auditors must not have responsibility within areas they are auditing.

The Internal Quality Audit Program Basics

The quality manager or designate should ensure that the following is in place before the audit program begins:

  1. Internal audit standard operating procedure.
  2. Audit schedule.
  3. Audit forms – record system for recording audit findings & corrective actions.

Phases in an Internal Quality Audit Cycle

To achieve its objective efficiently, an audit should be thoroughly planned, carefully structured, systematically performed and faithfully reported, with remedial actions progressed to a timely and satisfactory conclusion. The whole process of conducting an internal quality audit typically follows a 4-phase process, which includes audit preparation, performing the audit (fieldwork), audit reporting, and following up on corrective action plans.

Phase 1 – Audit Preparation

The quality manager or designate should assign the members of the audit team for the audit being undertaken.

ISO 19011:2018, Clause 5.5.3, addresses the formation of an audit team as follows:

"An audit team should be selected, taking into account the competence needed to achieve the objectives of the individual audit within the defined scope. If there is only one auditor, the auditor should perform all applicable duties of an audit team leader."

An internal audit plan shall be established separately for each internal quality audit taking into consideration the status and importance of the processes and areas to be audited. 

A number of steps need to be done in this phase:

  1. Define the Audit Objective
  2. Establish the Audit Scope
  3. Allocate Resources
  4. Contact the Auditee
  5. Develop Checklists
  6. Review History
  7. Understand the Process and Control Systems

Phase 2 – Performing the Audit

Performance of the audit normally involves 4 steps:

  1. Conduct opening meeting.
  2. Perform the audit.
  3. Meet with audit team to discuss findings.
  4. Conduct closing meeting.

Phase 3 – Reporting the Audit

The audit report is a central outcome of an audit. It outlines the results of the auditor’s investigation and provides correct and clear data that, along with recommendations, will address the corrective actions for improvement that need to be taken. The compilation of any audit report should be consistent and covered by the audit procedure. The lead auditor is responsible for the preparation and contents of the report.

The audit report should be drafted with findings based on clear, referenced evidence or regulatory requirements, categorized by risk and accompanied by a recommendation for corrective action to be taken.

Example of Categorizing Audit Findings

Major and minor are two types of nonconformities identified through audits. They differ based on the infraction and the steps needed to correct it.

A minor non-conformance is a system weakness that can be fixed easily and in less time, and that does not detrimentally affect the operation or quality control of the company.

A major non-conformance is evidence of the absence or total breakdown of a system to meet a standard requirement.

The statement of nonconformity needs to be presented as a report that helps management to take the necessary corrective action. It is recommended that a draft of the report be supplied to the auditee to review, check, edit and suggest changes, to avoid misunderstandings arising over observations and recommendations. The audit process ends by issuing the final corrected and approved audit report to the auditee management.

Phase 4 – Follow up on Corrective Action Plans

Corrective action plans and their implementation are considered an effort toward continuous improvement by the auditee management. Minor non-conformances usually do not cause any major consequences, so the corrective actions required may be followed up at the next routine audit, while major issues should be reported within an agreed timeframe. It may also be necessary to re-audit to ensure that serious remedial action has been satisfactorily completed for critical or major deficiencies. The auditee should report corrective action plans and their status to the top leadership/process manager.

Internal Audits and Quality Improvement

Internal quality audits should be applied as a continuous improvement tool. If implemented correctly, an effective auditing program offers numerous benefits, such as identifying weak areas in a company's QMS through identification of unsatisfactory findings or trends in findings. The primary purpose of internal quality audits is to allow self-evaluation of the medical device company’s QMS. This allows you to detect and correct any deficiencies of the system without pressure from a third party. Audits identify opportunities for improvement as well as non-conformances; the audit program is therefore a vital element of any continuous improvement program.


I hope you found this post useful and that it will help you when working with internal quality audits. The internal quality auditing process plays an important role in medical device companies, as it helps ensure that the products manufactured comply with regulatory expectations of a quality product as well as with customer specifications for effectiveness and safety. It ensures a thorough examination and appraisal of the company's activities and helps prevent, predict, and detect mistakes and weaknesses in order to minimize losses. Internal quality audits should be carried out by competent, suitably trained individuals who are independent of the area being audited.


    Dr. Fiona Masterson

    Fiona is the Managing Director and founder of The Learning Reservoir. Fiona has 20+ years of experience in the Life Sciences, Food and Drink industries and third level education. Her Doctorate focused on the regulation of drug/device combination products in the US and European Union. She has also published peer-reviewed work on combination products.