One of the most effective acts that organization may conduct in order to monitor, analyze control and improve is the internal audit. I am a big fan of it. This article would last too long if I had to go into most specific details about its significance. The audit main goal is to give a status report. The tactic of an audit (external or internal) is to evaluate the organization's performances with reference to the requirements. In plain words, it is required from your organization to maintain several activities. The audit evaluates whether the activities are performed and how well they are performed. The organization is required to perform the internal audit in defined periodical intervals in order to assess the quality management system and to confirm that:

Luckily the ISO 13485 Standard does not require any additional requirements more than the ISO 9001 Standard. As if it is not enough? Let us go over the requirements with a bit further details.

The ISO 13485 requires maintaining a documented procedure describing the method for conducting an internal audit process. This is not a recommendation but a requirement. The documented procedure must define:

• Who must conduct the audit – which is responsible for executing the internal audit process.
• What organizational units are under the scope – departments, specific processes, activities, sites, function, etc.
• Describing the process itself – who meets with whom where and what should everybody bring with them.
• The supervision after the internal audit plan (don’t get excited, we will go into details soon).
• Where the audit's evidence are documented.

It is possible to add as annex the audit's plan and all sort of forms and documentation regarding to the process.

The auditor

The auditor must be objective related to the organizational unit he is auditing. Beside his personal approach, the audit must have a minimum acquaintance with the field of the organization, in order to evaluate the processes and their quality beyond the working procedures, work instructions and documentation (the documented criteria). That kind of knowledge can give him the ability and the consideration to evaluate situations while he identifies any nonconformities or faults. Within the ISO 19011 Standard there is a specification for the auditor's qualities required:

• Ethics – credibility, integrity and honesty.
• Open minded – willing to listen, learn and accept new ideas.
• Diplomatic – polite with high manners to his colleagues – after all he is working with people and he is the representative of the top management.
• Observer – owns the ability to recognize what he sees and understand without interrogating.
• Perspective – owns the ability to evaluate situations beyond appearance and with a wide systematic view of things – has the ability to understand the organizational consequences of his evidence.
• Versatile – owns the ability to mobilize from one situation to another without losing direction.
• Persistence – must be persistence with his objectives and to not stray away.
• Decisive – ready to make decision
• Independent – must have his own opinion of things and to not be influenced by the environment.

The audit Program

The organization must maintain a documented program for conducting the audits. The program must be documented. This is not a recommendation but a requirement! The purpose of this program is to ensure that the audits are conducted as planned. So, first, you need a program. The ISO 13485 Standard requires performing the audits within scheduled and fixed time frames. This requirement ensures that employees would know that the audit is a part of the quality management system and not a momentarily capricious decision made by the top management. It is recommended to publish the audit schedules. And for "unexpected" audits – you need to define the time frames, just don’t publish them.

The audits program must cover:

• Quality plans for the medical device – For any requirement for product realization, you must evaluate if it is performed as planned. The best way is to sample. Pick the medical device, review its quality plan, and check whether the product was realized according to the plan. Then Document the results.
• The ISO 13485 Standard requirements –Including the documentation requirements (customer complaints, purchasing information, CAPA, training, etc). The examination must be conducted throughout the entire organizational units which related to product realization or are under the quality management scope. Any unit must be examined at least once a year.
• Processes and procedures – the audit must evaluate whether the processes that are related to the product realization are performed as required. It could be a correlated with quality plans. But generally an audit must sample processes and evaluate its performance.
• Quality objectives – the audit must examine whether the organization is achieving his quality objectives. He evaluates the objectives – whether they are related to the product and evaluates the results. Where he revealed that the objectives are not fulfilled – he must be presented with reasons and measures.
• Quality management system effectiveness – the audit must provide the ability to evaluate whether the quality management system is effective or not. The auditor may review the objectives and examine whether the expected improvement occurred.

Audit's evidences and findings

By the end of the audit the auditor must deliver a specific report about the audits evidences and findings. The report must specify:

• Who were the participants - it is recommended to document who participated during the audit. The purpose is when top management would like to conduct its inquiry - they would know to whom they must approach.
• The auditee – the organization or unit that were audited.
• General detail to shed light upon the auditee: how many workers, special projects, special recent events – information that would support the evidences.
• Reference to prior audits and prior findings - the auditor must verify that all nonconformities that were revealed during the last audit are eliminated the treatment was documented and most important, they are not repeated.
• The audits findings according to the evidences – that mean what the auditor discovered and how is it referred to the criteria: good, an opportunity for an improvement or requires corrective action (we would not deal in this article with classification of findings). Actually this is the most important part of the report. It specifies what the auditor saw, and discovered. The auditor must document the evidences as accurate as possible.
• Recommendations – for every finding the audit may pay his recommendation.
• A sum of all nonconformities discovered during the audit – the purpose for that is:

• To gather all the nonconformities for the top management for review
• To trace the corrective action for the next audit

This sum will become a corrective action report – but that is a whole different topic.
Bear in mind – this report is designated for the top management and the function that is responsible for the auditee. That report is a tool for him to understand the status. Therefore it is recommended that the report would in a format that is easy for him to understand.

The audit's results

Any finding during the audit should be indicated as three states:

• Conformity – the process sampled was according to the relevant requirement – the audit's criteria
• Opportunity for improvement (OFI) – the organization may or may not adopt this opportunity
• Non conformity – the process sampled, was not according to the requirements – the audit's criteria

Now' we are getting to the most thrilling part - The nonconformities! Nonconformities may be documented three times during the audit.

• First time, within the audit's report along with the audit's findings. We can also refer it as the report itself.
• Second time, where it is suitable, as nonconformities. Any audit report should bear at the end a summary of the nonconformities.
• Third time, as a corrective action.

When you reveal nonconformities, those nonconformities should be applied to a controlled process. The purpose is to verify that the nonconformities are removed. The organization shall prove to the auditor that a corrective action was taken over any nonconformity (revealed during the audit) within the time frame that was scheduled. The organization must prove closing these nonconformities by the next audit.

The report's summit

Any audit's report must have a summit. The auditor should concentrate all the non conformities and opportunities for improvement and present them together. The purpose is to go over them during the next audit and to review the treatment and to verify that all nonconformities are closed.