ISO 13485 Compliance: What You Need to Know Before Your Next Audit
September 2, 2025


Regular audits are a core requirement of ISO 13485 certification. This article outlines how to prepare your quality management system for the next assessment — and how to approach the process with confidence rather than stress.

What is an ISO 13485 Audit?

ISO 13485 requires regular audits to ensure that the quality management system (QMS) conforms to the standard. An audit is a systematic and structured review of the QMS. It is conducted independently and carefully documented. The duration of an ISO 13485 audit mainly depends on the size of the company and usually takes between 3 and 14 days.

There are different types of audits under ISO 13485:

  • Certification audit: This is required to obtain ISO 13485 certification. It is carried out by the selected registrar and checks whether the requirements of the standard have been met. If everything conforms, the organisation receives the ISO certificate.
  • Surveillance audits: Once certification has been achieved, regular follow-ups are carried out, usually on an annual basis. These ensure that the ISO standards continue to be met. Failure can result in loss of certification.
  • Unannounced audits: Regulatory authorities such as the FDA or EU Notified Bodies also carry out unannounced audits. It is therefore important for companies to be prepared. Internal audits are the best way to achieve this.
  • Internal audits: As the name suggests, these are carried out internally, not by a registrar. They primarily serve to check the quality management system and prepare the company for the next external audit.

Types of ISO 13485 Audits

How Does the Audit Work?

An ISO 13485 audit takes place in several phases. Its structure is guided by ISO 19011, which provides guidelines for auditing.

Stages of an ISO 13485 Audit

1. Preparation

Before the audit, the auditors prepare an audit plan based on the QMS manual, processes, and past audit results. They also review key documents in advance, such as the QMS manual, SOPs, the risk management file, and technical documentation.

2. Opening meeting

In the opening meeting, the auditors introduce themselves and explain the purpose, scope, and procedure of the audit.

3. Conduct of the audit (Stage 2 for certification)

The audit follows a process-based approach. Rather than proceeding chapter by chapter, the assessment is conducted along the value chain. Methods applied include staff interviews, review of records (e.g., test reports, calibration certificates), and on-site observations (e.g., production, warehouse, development).

Typical areas of review include:

  • Management processes: management review, quality policy, tracking of objectives, training, responsibilities.
  • Risk management and product realisation: application of ISO 14971, design and development processes, design transfer.
  • Production and service provision: production control, process validation (e.g. sterilisation, software), traceability.
  • Documentation and record control: Device History Record (DHR), Design History File (DHF), Device Master Record (DMR), change management.
  • Supplier management: evaluation, selection, monitoring.
  • Customer focus / market surveillance: complaints handling, CAPA, vigilance reports, recalls.
  • Internal audits and corrective actions.

4. Findings

The auditor determines conformity with ISO 13485 and classifies findings as Minor Nonconformities (smaller gaps such as a missing signature on a training record), Major Nonconformities (systematic or serious deviations such as missing process validation), or Opportunities for Improvement (OFIs).

5. Closing meeting

At the end, a closing meeting is held to discuss results and open questions.

6. Follow-up

After the audit, the auditor prepares a formal final report. Corrective actions must be implemented within a set timeframe, and the company must provide evidence of completion. Only after all major nonconformities have been successfully resolved is the ISO 13485 certificate issued. It is valid for three years, with annual surveillance audits.

Top 8 Tips to Make Sure the Audit Runs Smoothly

Preparation is the key to a smooth audit. Mock audits, where the real situation is rehearsed, can help, particularly if it is the very first audit in the company. To avoid stress later on, here are eight tips that can help:

  1. Request and study the audit plan early
    Ask for the audit agenda in advance. Map the listed clauses to your processes and note where you’ve had recent changes, complaints, staff turnover, or CAPAs. Those areas will likely get extra scrutiny.
  2. Walk through the last audit report
    Review your last audit (internal and external). Auditors often follow up on previous nonconformities or observations. Make sure actions taken are traceable and fully closed out, with evidence.
  3. Trace a recent complaint from end to end
    Be ready to walk an auditor through a real complaint, from intake to resolution. Choose one where the process worked well. Have all supporting documentation on hand, including investigation rationale and risk review.
  4. Sample your own records before they do
    Pull three to five random records (e.g. design changes, release, Computer System Validation, training) and check for consistency, signatures, dates, and completeness. If you find inconsistencies, fix the process before the audit.
  5. Look where you’ve had turnover or reorganisations
    Teams with new hires or reorganised responsibilities often have weaker documentation or knowledge gaps. Review training records and make sure ownership of procedures is clear.
  6. Ask yourself: would I be able to explain this?
    Sit with key process owners and ask them to explain their processes out loud, without slides. Can they confidently describe how complaints are handled, how supplier performance is monitored, or how they deal with in-house nonconformities? Do they know the current version of an SOP?
  7. Be audit-ready, not audit-polished
    Avoid last-minute document clean-ups that hide real gaps. It’s better to show awareness of an issue with a solid mitigation plan than to present a fake-perfect record that doesn’t hold up under questioning.
  8. Review how you manage evidence during the audit
    Designate someone to shadow the auditor and take notes. Assign a document retriever who can find and present records quickly. Disorganisation or delays can give the impression of noncompliance, even if the process itself is solid.

The Bottom Line

Quality management should be seen as part of a company’s philosophy. If the QMS is kept consistently up to date, the next audit will run smoothly – without headaches.

Building Quality Is Just the Beginning

Quality Management Series (QMS) - 12-month roadmap

Meeting the requirements of ISO 13485 is one thing; putting them into practice is another. That’s why this article is part of a broader series developed for New Zealand’s HealthTech sector, aimed at helping teams turn regulatory expectations into working systems.

The QMS Series is brought to you by the HealthTech Activator, in partnership with the Johner Institute New Zealand.

Over 12 months, this series explores ISO 13485 in four parts: from first steps and system setup to risk management and audit readiness. Each quarter combines practical content with interactive workshops to support implementation in real-world settings.

Got a question? Get in touch with Anne via email microconsulting@johner-institute.nz

Next in the series - Introduction to ISO 13485 webinar

- When: 7 October, 11am - 12pm (NZT)

- Who should attend: NZ HealthTech companies developing medical devices or health software for global markets

- Register now! Introduction to ISO 13485 – Quality Management Series Webinar
