Audit Strategies in MedTech: Start-ups vs Established Companies
April 14, 2026

Whether you are running a two-person startup or a global manufacturer, the next regulatory audit is coming.  

If you are bringing a medical device to market, at some point an auditor will be reviewing your products and processes against regulatory requirements. That scrutiny does not come only from regulators. It can come from investors, partners, customers, and internal teams.

The idea that startups can delay this for years is a misconception.

What differs is not whether you will be audited, but how those audits show up and what is expected of you. Your strategy needs to reflect that.

1. Why Audits Look Different for Startups and Established Companies

All medtech companies must undergo regular external and internal audits to confirm both the safety of the device and compliance with regulatory requirements.  

In practice, however, these audits look very different for a startup compared with an established medtech company.

Startups: Getting Audit-Ready from Day One

Many startups assume audits can wait, seeing them as a distant, abstract concern. Early-stage priorities like proof-of-concept development, clinical or usability studies, and fundraising often feel more urgent. A full ISO 13485 certification audit might still be a year or two away, but assuming that means audits can wait is a misconception.

Early on, startups can face audit-like interactions long before any formal certification. These come not just from certification bodies, but through incubator or accelerator reviews, investor due diligence, and supplier or contract manufacturer audits.

For startups, this has one clear implication: even if the QMS is not fully built out, the fundamentals must be in place, documented, and ready to be demonstrated when needed.

Real-World Example (Startup)

A three-person software-as-a-medical-device startup in New Zealand is negotiating a partnership with a large European hospital group. As part of due diligence, the hospital’s quality team conducts a remote audit, requesting the risk management file, basic design controls, and an explanation of how the startup handles software changes.  

The startup cannot yet demonstrate a full ISO 13485 QMS, but it has working procedures for version control, issue tracking, and clinical risk assessment that are actively used. The hospital notes gaps but sees a credible approach, and the partnership goes ahead with a clear plan to complete ISO 13485 before deployment.

This illustrates the key point: for startups, early audits are less about perfect compliance and more about demonstrating a structured, credible path to a compliant system.

Established Manufacturers: Under Continuous Scrutiny

Established medtech companies get no grace period. Their QMS must be audit-ready at all times. Audits arrive regularly in the form of:

  • Internal audits covering all processes.
  • Annual surveillance and periodic recertification audits by a notified body or certification body.
  • Occasional customer audits, especially from large hospital groups or OEM partners.
  • Regulatory inspections driven by routine scheduling, approvals, or specific events.

Being underprepared at this scale carries real consequences. When issues surface during external audits, the disruption to the business can be significant.  

Real-World Example (Established Manufacturer)

A global manufacturer of implantable devices undergoes its three-year recertification audit. The notified body spends several days on site, sampling design projects, process validations, supplier controls, complaint handling, and post-market surveillance.  

A major nonconformity is raised because trend analysis of complaint data is fragmented between regions, delaying identification of global risk signals. The company must redesign its post-market surveillance process and implement an integrated database within a defined timeframe to maintain certification.

This is not an individual error. It is a system weakness.

Key Differences Between Startups and Established Companies

Despite these differences, both types of organisations are trying to demonstrate the same thing: that their quality management system is fit for purpose and aligned with ISO 13485 and regulatory requirements.

2. How Auditors Account for the Differences Between Company Types

Auditors adjust their expectations based on a company’s size and stage and look for different types of evidence accordingly.

But the standard does not change. At every stage, auditors must be confident the business is in control of its activities relative to its scope and risk. Early stage does not reduce the responsibility to manage devices safely.

What Auditors Look for When Assessing a Startup

With startups, auditors primarily want to see:

  • A clear understanding of the regulatory pathway and classification of the device.
  • Early adoption of key ISO 13485 principles: design control, risk management, document control, and change control.
  • Realistic planning for when and how the full QMS will be implemented.
  • Honest recognition of gaps, with concrete actions and timelines.

Real-World Example

A startup developing a home-use diagnostic device is assessed by a potential distribution partner. The partner’s quality lead accepts that not all procedures are fully defined yet but expects robust risk management and basic controls around software and clinical evidence.  

The startup presents its risk management file, usability assessments, and a draft QMS implementation roadmap. The auditor notes several observations but no critical nonconformities, and the partner offers conditional agreement pending ISO 13485 certification.

What Auditors Expect from an Established Manufacturer

In established companies, there is no leeway. All evidence must be complete, and all processes must meet the required standards.  Issues that might be tolerated in a startup can trigger action in a mature system, where the stakes are higher.

Since auditors assume that core processes are already in place and functioning, they focus on:

  • Consistency: is the system implemented the same way across sites and teams?
  • Integration: do design, manufacturing, and post-market activities form a closed loop?
  • Data and trends: is the company using information from complaints, audits, and production to drive improvement?
  • Governance: is top management actively monitoring and supporting the QMS?

Real-World Example

A notified body auditor reviewing a long-established manufacturer of infusion pumps finds that internal audits repeatedly highlight the same issue: incomplete batch release documentation in one plant. Despite multiple CAPAs, the problem recurs.  

The auditor concludes that the issue is not local but systemic. The company’s management review and global oversight are not picking up that local CAPAs are ineffective. This leads to a major nonconformity and a demand for global process owner accountability, not just another local fix.

3. Audit Strategies for Startups: Building a Solid Foundation

Early-stage companies do not need a heavy QMS. They need a scalable one that can stand up to audits as they grow.  

The following strategies help you be audit-ready from the start without overextending yourself.

a) Start with a Focused Minimum Viable QMS

Rather than trying to implement every clause of ISO 13485 in full, focus on the processes that are critical to your current activities:

  • Design and development (including software lifecycle, if relevant).
  • Risk management aligned with ISO 14971.
  • Document and record control.
  • Supplier management for critical partners such as contract developers, manufacturers, and key software tools.
  • Complaint and issue tracking, even if you are still in early clinical or pilot use.

Real-World Example

A startup developing an AI-based diagnostic algorithm begins by writing simple but clear procedures for design control, software change management, and clinical risk assessment. They use a cloud-based system to manage documents and store records.  

When an investor’s technical due diligence team asks how changes are controlled, the startup can show a complete history of code versions, testing, and approvals. This early discipline impresses the reviewers and supports a successful funding round.

b) Use Internal Audits as a Rehearsal

Even if certification is a year away, internal audits help teams build confidence in a low-risk setting:

  • Start small, for example with risk management and design controls.
  • Use an external auditor or someone independent of the process.
  • Treat findings as learning, not failure.

Real-World Example

A small startup schedules a half-day internal audit of its design process before its first notified body visit. The internal auditor finds that risk controls are documented in design files but not reflected in the user manual and labelling.  

The issue is corrected before the external audit, avoiding a likely nonconformity.

c) Be Honest About Your Stage of Development

Auditors, partners, and investors can usually tell when a startup has pasted in a large QMS template that is not being used. A smaller system that reflects real practice, supported by a clear growth plan, is far more credible.

Procedures should match actual workflows. Gaps should be acknowledged, with defined timelines to reach full ISO 13485 compliance.

4. Audit Strategies for Established Manufacturers: Staying Sharp at Scale

For established companies, the challenge is no longer getting a QMS off the ground. It is about keeping the QMS effective without losing the thread across multiple products, sites, and years.  Those that address issues early, rather than allowing them to accumulate, move through audits with far greater confidence.

a) Use Trend Data Across Audits

Multiple audits create valuable data. Used well, this reveals patterns:

  • Are similar issues appearing across sites or teams?  
  • Do certain processes, such as CAPA or supplier control, show recurring weaknesses?  
  • Are corrective actions resolving root causes, or just closing findings?

Real-World Example

A company notices that over three years of internal and external audits, nonconformities about incomplete risk file updates after design changes keep recurring across multiple product lines.

They conclude this is not a local documentation problem but a systemic flaw in change control. The company redesigns its change control workflow so that risk management updates are mandatory steps before any change is approved.

In subsequent audits, the issue no longer appears.

b) Strengthen Internal Audits as a Strategic Tool

Internal audits can turn into box-ticking exercises if they are not managed well. To keep them effective:

  • Rotate auditors between sites or departments to bring fresh perspectives.
  • Include cross-functional audits, for example following a complaint from the field through to CAPA, to design change, and back to the field.
  • Use internal audit results in management review as a leading indicator of risk.

Real-World Example

An established manufacturer introduces thematic audits on areas such as cybersecurity, usability, or data integrity. One such audit reveals inconsistent handling of electronic records in service centres.

The company strengthens training and tools for those teams, preventing potential regulatory data integrity issues before an inspector finds them.

c) Treat Every External Audit as a Feedback Opportunity

It is tempting to measure success purely by the number of nonconformities, aiming for zero, but that mindset can discourage honest discussion and learning. Instead:

  • Encourage open conversation with auditors about best practices and industry trends.
  • Invite auditors to comment, within their role, on areas where they see strong performance as well as risk.
  • Use observations and informal feedback as input to your continuous improvement programme.

Real-World Example

During a surveillance audit, a notified body auditor mentions that other clients have had success using visual dashboards to track CAPA status. The audited company adopts a similar approach, improving visibility for managers.  

Six months later, overdue CAPAs have dropped significantly, and this is noted positively in the next audit.

5. What Both Startups and Established Companies Can Do

Regardless of size or stage, some principles apply:

  • Build a culture of transparency. People should feel safe raising issues and answering auditors honestly.
  • Focus on evidence. If it is not documented, it did not happen. This applies at every size.
  • Make audits routine. The more often people experience audit-like discussions internally, the less intimidating external audits become.
  • Connect findings to strategy. Whether you are a startup deciding where to invest limited resources or a large company reallocating budgets, use audit results to drive decisions.

Real-World Example

A mid-sized company, originally a startup, still holds an annual quality and risk summit involving staff from R&D, manufacturing, clinical, and support teams.

They review the previous year’s internal and external audit findings, major complaints, and CAPAs, and then agree on three organisation-wide priorities for improvement. Over time, this maintains the agility of a startup while operating at the scale of an established manufacturer.

6. Final Thoughts

Audits are not events to brace for, get through, and then forget until the next one. The companies that perform best are those that have moved beyond that mindset.

A startup with honest, working processes will always impress more than one with a polished, formatted QMS that is not used. And an established manufacturer that uses audit findings to address systemic problems, rather than applying another local fix, will find that audits get easier over time.

  • Know where you are.
  • Document what you do.
  • Be honest about what is not there yet.
  • Make sure what you have works.
  • Treat every audit as information, not just a verdict.

QMS Learning Series

Meeting the requirements of ISO 13485 is one thing; putting them into practice is another. That is why this article is part of a broader series developed for New Zealand’s HealthTech sector, aimed at helping teams turn regulatory expectations into working systems.

Over 12 months, this series explores ISO 13485 in four parts: from first steps and system setup to risk management and audit readiness. Each quarter combines practical content with interactive workshops to support implementation in real-world settings.

The QMS Series is brought to you by the HealthTech Activator, in partnership with Elevate Medtech.
