
Internal Audits: Clear Rules, Confusing Practice
Section 8.2.4 of ISO 13485 sets clear requirements for internal audits, yet many organisations still struggle with how to apply them in practice. This article explores the key requirements and outlines practical approaches for building an internal audit process that is both compliant and genuinely effective.
Meeting internal audit requirements can be challenging. Startups driving innovation often lack awareness of regulatory expectations, while larger companies may become mired in bureaucracy, treating audits as a box-ticking exercise.
Common pain points include:
Ambiguity in standards can lead to confusion, and ISO 13485 is no exception.
Scheduling is a frequent challenge. Some organisations take the approach that every clause should be audited annually, and we have seen some certification agencies insist on this despite there being no requirement to do so.
Timelines for audit completion can also create problems. While the standard does not define specific timelines, delays can raise concerns. In small and medium-sized enterprises (SMEs) especially, where individuals often perform multiple roles and responsibilities, impartiality can also be difficult.
Despite ISO 13485 not defining specific auditor training requirements, it is often expected that auditors will have attended an external course, often provided and promoted by the certification body. Ultimately, however, it is the organisation’s responsibility to define its own training requirements and to deliver training accordingly.
Finally, classifying findings, such as distinguishing non-conformities from observations or opportunities for improvement, can be inconsistent. Corrective actions are often left open too long or handled insufficiently, leading to issues during external assessments.
Organisations often focus on what ISO 13485 does not say, rather than what it does require. Section 4.2.1(b) clearly states that organisations must “apply a risk-based approach to the control of the appropriate processes needed for the quality management system.” This principle should drive your internal audit programme (see ‘Risk & Efficiency in ISO 13485’). Below are practical ways to overcome common obstacles.
Scheduling
The standard requires audit planning to consider the status and importance of processes but does not dictate which ones must be audited. Applying a risk-based approach aids in the development of an audit schedule that is both pragmatic and effective.
Processes that pose a greater risk to product safety, effectiveness, or product and regulatory compliance should be audited more frequently. High-risk processes — such as product design and development for SaMD (section 7.3) — may require more frequent auditing than low-risk activities, such as control of customer property (section 7.5.10). For example, design might be audited annually while customer property is audited every two to three years.
Use objective data to refine the schedule: quality objectives, previous audit results, management review outputs, complaints, and trends. Strong performance may justify reduced audit frequency, while poor performance may warrant more frequent audits and root-cause investigation. Risk and performance data should always drive scheduling decisions.
Timelines
Once you know what will be audited, set a realistic timeframe for when it will happen. Allow for unexpected events such as large orders, customer audits, or staff illness.
Schedule audits with a target date and a sensible window. For example, an audit targeted for August could reasonably be scheduled anytime between mid-July and mid-September. Document this flexibility in your Internal Audit SOP and always justify any audit falling outside the window. Repeated delays signal a lack of management commitment and will attract negative findings during external assessments.
Impartiality
This is often challenging for small organisations with limited auditor pools. Many SMEs successfully outsource to qualified consultants, gaining both independence and an external perspective. Ensure consultants are trained to lead assessor level and can genuinely add value.
Alternatively, in startup clusters, reciprocal auditing with non-competing companies (under NDA) works well. If keeping audits in-house, define the scope very carefully to avoid conflicts of interest, and consider appointing auditors from other departments to minimise threats to impartiality.
In larger organisations, train auditors from multiple departments and use cross-site auditing. This improves independence and spreads learning.
Training
ISO 13485 does not prescribe specific training requirements, but your internal audit procedure should define auditor competence. Public “Internal Auditor” courses are an efficient route and usually provide a certificate. However, training alone does not prove competence, and organisations should consider including an examination or observed audit as evidence.
Choose auditor courses carefully. Courses recommended by certification bodies may not be the most suitable for your organisation. Ensure that training and competency criteria are clearly defined in your SOP.
In-house training is acceptable, but organisations must be able to robustly demonstrate competency, especially since your certification body will review the process annually.
Classification of findings
Keep classification systems simple and consistent. Common categories include Major NC, Minor NC, Observation, and Opportunity for Improvement, but classification often becomes needlessly complex. ISO 19011 defines nonconformity (NC) as “non-fulfilment of a requirement,” so a practical approach is to define an NC as a failure to meet a stated requirement. Major/minor distinctions are optional and can add ambiguity and inconsistency. Observations aren’t recommended. Opportunities for Improvement (OFI) are useful for driving continual enhancement.
Ensure process owners take ownership of findings, that investigations are thorough, and that corrective actions are risk-based, focused on root causes, and closed in a timely manner. Use findings to strengthen the system rather than simply closing them quickly.
Internal audits are frequently viewed as a tool for maintaining compliance with ISO 13485, when in fact they are intended to drive improvement. Audits should be engaging and improvement-focused rather than purely compliance-driven. The best outcomes come when auditors focus on understanding processes and helping teams solve problems, rather than simply ticking a box.
Awareness creates ownership. When people understand the purpose behind a requirement, compliance becomes more natural, and internal audits become a valuable tool for continual improvement.

Meeting the requirements of ISO 13485 is one thing, putting them into practice is another. That’s why this article is part of a broader series developed for New Zealand’s HealthTech sector, aimed at helping teams turn regulatory expectations into working systems.
Over 12 months, this series explores ISO 13485 in four parts: from first steps and system setup to risk management and audit readiness. Each quarter combines practical content with interactive workshops to support implementation in real-world settings.

The QMS Series is brought to you by the HealthTech Activator, in partnership with Elevate Medtech.