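Internal Audit is a systematic, independent, and documented self-assessment process conducted by an organization to verify that its quality management system conforms to planned arrangements, regulatory requirements, and established procedures.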
Complete Guide to Internal Audit
Internal Audit is a fundamental quality management system requirement that enables medical device organizations to systematically evaluate their own compliance with ISO 13485, regulatory requirements (FDA QSR, EU MDR), and internal procedures. Unlike external audits conducted by regulatory authorities or Notified Bodies, internal audits are performed by the organization's own personnel or contracted third parties to identify improvement opportunities and ensure ongoing QMS effectiveness.
Regulatory and standards requirements:
ISO 13485:2016 Clause 8.2.4 - Internal Audit:
ISO 13485 requires organizations to:
- Conduct internal audits at planned intervals to verify QMS conformity to ISO 13485, regulatory requirements, and the organization's own requirements
- Plan, establish, implement, and maintain an audit program including frequency, methods, responsibilities, planning requirements, and reporting
- Define audit criteria and scope for each audit
- Ensure auditors are objective and impartial (auditors shall not audit their own work)
- Ensure that management responsible for the audited area takes timely corrective action on findings
- Retain documented information as evidence of audit program implementation and results
- Verify corrective action implementation and effectiveness
FDA 21 CFR 820.22 - Quality Audit:
The FDA Quality System Regulation mandates:
- Establishment of procedures for quality audits
- Comprehensive, independent audits conducted by designated personnel who do not have direct responsibility for the matters being audited
- Results of audits documented and brought to the attention of responsible management
- Management with executive responsibility reviews audit results
- Follow-up corrective action verified and documented
EU MDR Annex IX:
Notified Body conformity assessment includes verification that the manufacturer conducts internal audits and maintains audit records demonstrating QMS compliance.
ISO 19011 - Guidelines for Auditing Management Systems:
ISO 19011:2018 provides internationally recognized guidance for conducting audits of management systems including:
- Audit principles (integrity, fair presentation, due professional care, confidentiality, independence, evidence-based approach)
- Managing audit programs
- Conducting audits (initiation, preparation, execution, reporting, follow-up)
- Auditor competence and evaluation
Purpose and objectives:
Internal audits serve critical functions in medical device quality management:
- Verify conformance to ISO 13485, regulatory requirements, and internal procedures
- Identify nonconformances, weaknesses, and improvement opportunities
- Assess effectiveness of implemented processes
- Monitor corrective action effectiveness from previous audits
- Prepare for external audits (Notified Body, FDA inspection, MDSAP)
- Demonstrate management commitment to compliance
- Drive continuous improvement culture
- Provide objective evidence of QMS effectiveness for management review
- Identify training needs and competency gaps
- Verify supplier and outsourced process controls
Types of internal audits:
System Audits:
- Evaluate entire QMS against ISO 13485, FDA QSR, or other standards
- Comprehensive review of all QMS elements
- Typically annual or semi-annual
- Often conducted before Notified Body surveillance audits
Process Audits:
- Focus on specific processes (e.g., sterilization, design control, purchasing)
- Verify process effectiveness and capability
- Check adherence to procedures and work instructions
- Examine process inputs, activities, and outputs
Product Audits:
- Trace specific product or lot from design through delivery
- Verify conformance to specifications throughout lifecycle
- Check accuracy and completeness of Device History Record (DHR)
- Assess product-specific quality controls
Compliance Audits:
- Verify adherence to regulatory requirements (21 CFR 820, EU MDR)
- Prepare for regulatory inspections
- Check documentation completeness
- Review regulatory submission accuracy
Follow-up Audits:
- Verify implementation and effectiveness of corrective actions
- Confirm closure of previous audit findings
- May be focused on specific areas with previous nonconformances
Internal audit program elements:
1. Audit Planning and Scheduling:
- Develop annual or multi-year audit program
- Schedule based on status and importance of processes/areas
- Increased frequency for critical processes or areas with previous issues
- Consider regulatory submission timelines and external audit schedules
- Ensure complete QMS coverage within defined cycle (typically 1-3 years)
2. Audit Team Selection:
- Assign qualified, trained auditors
- Ensure auditor independence (cannot audit own work)
- Consider using cross-functional teams for fresh perspectives
- May use external consultants for objectivity
- Lead auditor responsible for audit planning and reporting
3. Audit Preparation:
- Define audit scope, objectives, and criteria
- Review applicable standards, regulations, and procedures
- Prepare audit plan and checklists
- Notify auditee of audit schedule
- Review previous audit reports and outstanding corrective actions
4. Opening Meeting:
- Introduce audit team and confirm scope
- Review audit objectives, criteria, and methodology
- Establish logistics and confirm schedule
- Answer auditee questions
- Set expectations for findings communication
5. Audit Execution:
- Conduct interviews with process owners and operators
- Review documents (procedures, work instructions, records)
- Observe processes and activities
- Verify implementation of procedures
- Sample records for compliance and accuracy
- Gather objective evidence through examination and observation
- Take detailed notes and reference specific documents
6. Audit Findings Classification:
Major Nonconformance:
- Absence of or total breakdown of a required QMS element
- Situation likely to result in failure to meet regulatory requirements
- Systemic failure affecting product safety or performance
- Examples: No procedure for CAPA, design controls not implemented
Minor Nonconformance:
- Isolated lapse in conformity to requirement
- Does not indicate systemic breakdown
- Unlikely to result in product failure or regulatory issue
- Examples: Missing signature on one document, minor procedural deviation
Observation/Opportunity for Improvement:
- Not a nonconformance but area for enhancement
- Potential risk if not addressed
- Best practice not implemented
- Emerging trend that could become nonconformance
7. Closing Meeting:
- Present audit findings to management and auditee
- Classify and explain each finding
- Allow auditee to ask questions or clarify
- Discuss expected corrective action timeline
- Confirm next steps and reporting
8. Audit Reporting:
- Prepare detailed audit report within defined timeframe (typically 2 weeks)
- Include audit scope, objectives, criteria, and dates
- List audit team members and auditees
- Detail findings with objective evidence references
- Classify findings by severity
- Distribute to auditee and management
- Submit to Management Review
9. Corrective Action and Follow-up:
- Auditee develops corrective action plan with root cause analysis
- Quality/management approves corrective action plan
- Auditee implements corrective actions
- Auditor verifies implementation and effectiveness
- Document closure with objective evidence
- Escalate overdue or ineffective corrective actions
Auditor qualifications and competence:
Effective internal auditors must possess:
- Training in ISO 13485, FDA QSR, and relevant regulations
- Knowledge of ISO 19011 auditing principles and techniques
- Understanding of medical device industry and technologies
- Ability to objectively assess conformance
- Effective communication and interviewing skills
- Report writing capabilities
- Ability to remain impartial and independent
- Ongoing professional development and calibration
Documentation requirements:
Complete internal audit records include:
- Audit program defining scope, frequency, and methodology
- Annual audit schedule
- Auditor qualification and training records
- Individual audit plans with scope and criteria
- Audit checklists and sampling plans
- Detailed audit findings with objective evidence
- Audit reports with findings, observations, and conclusions
- Corrective action plans and root cause analyses
- Verification of corrective action implementation
- Closure documentation and effectiveness confirmation
Best practices for effective internal audits:
Planning:
- Risk-based approach: audit critical areas more frequently
- Rotate auditors to provide fresh perspectives
- Coordinate timing with regulatory calendars and business cycles
- Allow sufficient time for thorough audits (don't rush)
- Involve cross-functional team members when appropriate
Execution:
- Focus on objective evidence, not opinions
- Sample strategically to identify trends
- Follow audit trails (trace documents to activities and vice versa)
- Ask open-ended questions to understand processes
- Observe actual practices, not just review documents
- Verify corrective action effectiveness from previous audits
- Look for systemic issues, not just isolated instances
Reporting:
- Write findings clearly with specific references
- Distinguish between requirements and best practices
- Avoid personal judgments or inflammatory language
- Provide context and severity assessment
- Deliver findings promptly while evidence is fresh
- Ensure findings are actionable and verifiable
Follow-up:
- Track corrective actions in centralized system
- Verify both implementation and effectiveness
- Don't close findings prematurely
- Trend findings across audits to identify systemic issues
- Report audit metrics in Management Review
Common audit focus areas:
- Management Responsibility and Quality Policy
- Document and Record Control
- Design and Development Controls
- Purchasing and Supplier Management
- Production and Process Controls
- Acceptance Activities (inspection and testing)
- Identification and Traceability
- Nonconforming Product Control
- CAPA System
- Labeling and Packaging Controls
- Complaint Handling and MDR Reporting
- Internal Audit Process
- Calibration and Maintenance
- Training and Competency
- Risk Management (ISO 14971)
- Post-Market Surveillance
- Statistical Techniques and Data Analysis
Metrics for audit program effectiveness:
- Percentage of planned audits completed on schedule
- Number and severity of findings by process area
- Average time to close corrective actions
- Repeat findings indicating ineffective CAPA
- Audit coverage of QMS elements
- Auditor utilization and development
- Correlation between internal audit findings and external audit results
- Preventive value (issues identified before external detection)
Integration with other QMS processes:
- Management Review - Audit results are key input; management allocates resources
- CAPA - Audit findings frequently trigger corrective actions
- Risk Management - Audit findings may reveal process risks requiring assessment
- Training - Audits identify training needs and verify competency
- External Audits - Internal audits prepare organization and predict external findings
- Continuous Improvement - Audit observations drive improvement initiatives
Common pitfalls to avoid:
- Auditing for the sake of compliance rather than value
- Auditor bias or lack of independence
- Insufficient preparation and sampling
- Focus on documentation over effectiveness
- Superficial reviews that miss underlying issues
- Delayed or incomplete corrective action follow-up
- Failure to verify effectiveness of corrective actions
- Inadequate auditor training or calibration
- Not trending findings across time or areas
A robust internal audit program is essential for maintaining ISO 13485 certification, preparing for regulatory inspections, identifying improvement opportunities, and demonstrating organizational commitment to quality and patient safety in medical device manufacturing.

