ISO 13485 Standard - 8.2.2 Internal Audit
ISO 13485 internal audit
One of the most effective activities that organizations may implement in order to monitor, analyze, control, and improve their quality management system (QMS) is the internal audit.
The audit’s main goal is to give a status report regarding your quality management system. The tactic of an audit (external or internal) is to evaluate the organization’s performance with reference to any kind of requirements. Your organization is required to maintain several activities. The audit evaluates whether the activities are performed and how well they are performed.


The Auditor


The auditor must be objective in relation to the organizational unit or function that they are auditing. Besides their personal approach, the auditor must have a minimum acquaintance with the field of the organization in order to evaluate the processes and their results beyond the working procedures, work instructions, and documentation (the documented criteria). That kind of knowledge can give them the ability and the consideration to evaluate situations while they identify any nonconformities or faults. The ISO 13485 standard refers us to ISO 19011 (guidelines for quality and/or environmental management systems auditing). ISO 19011 specifies the required auditor qualities:

  • Ethics: Auditors will possess personal characteristics like credibility, integrity, and honesty, and provide reliable information and results regarding the unit they are auditing.
  • Open-minded: Auditors will be willing to listen, learn, and accept new ideas, and to reflect them on the situations or requirements. Sometimes they may encounter new approaches or opinions. Auditors must have the ability to assess and to accept different ideas as long as they achieve the requirements.
  • Diplomatic: Auditors will be polite and good mannered; they are representative of the top management.
  • Observer: Auditors will have the ability to recognize and evaluate what they see, and to understand and interpret events without deep interrogation.
  • Perspective: Auditors will have the ability to evaluate situations beyond their appearance, and with a systematic view of things. They will have the ability to understand the organizational consequences of the evidence they find.
  • Versatile: Auditors will have the ability to mobilize from one situation to another without losing direction. One moment they may audit one field; the next moment it may be another. They must be able to stay focused.
  • Structured: Auditors will advance and progress the audit according to a defined method or a plan.
  • Persistence: Auditors must be persistent with their objectives, so that when they ask a question, they must receive an answer to it and not be diverted by interferences or disturbances.
  • Independent: Auditors shall have their own opinions on things and will not be influenced by the environment.
  • Decisive: Auditors must be ready to make decisions even when they are hard or will not satisfy the auditee.

The Audit Program

The organization must maintain a documented program for conducting audits (internal as well as external). The goal of the program is to identify the required organizational elements that will be audited and determine an audit for them. The program must be documented. The program has five main objectives:

  • The program shall introduce the auditor with the scope and objectives of the audit (fields, subjects, departments, locations, sites, products, areas, roles, processes or the specific status of processes)
  • The program shall specify the authorities and responsible parties that will participate in the audit (the auditor or audit team, employees, specific roles, management representatives, technical experts, etc.)
  • The program shall detail the resources required for the audit (meeting rooms, records, products, production lines, etc.)
  • The program shall give a description of the topics and issues that will be audited and discussed
  • The program shall indicate scheduled timeframes for the different audit stages.

It is recommended that you publish and communicate the audit program. If you would like to perform “unexpected” audits, then define them on the program but do not publish them. Bear in mind that no matter how you schedule the program, all organizational units must be audited at least once a year.
The program can appear as a checklist or in a procedure. Below is a table for demonstrative purposes (Table 8.5).
Some organizations also include the details of the test and examinations that they conduct during the audit. I will refer to it as the “plan” of the audit. The audit program will ensure that the audits are conducted as planned. Employees and workers will understand that the internal audit is a part of the quality management system and not a capricious decision made by the top management. The program will be a controlled record under the records control process.


In order to conduct effective tests, you need to assign and document criteria to each test. The objective of the criteria is to support decisions for judging, evaluating, and determining by facts, values, and data the compliance of the outputs to the requirements. The criteria will provide a successful validation by indicating whether the findings are accepted or rejected. The criteria will present a method for the evaluation and will refer not only to products, parts, or components, but also to realization processes and conditions for realization. Types of criteria include:

  • Working instructions, test instructions, and procedures
  • Drawing and specifications
  • Quality plans
  • Standards and technical specifications
  • Regulations and directives
  • Documented customer requirements

The audit plan shall refer each test to its appropriate criteria.

The Closing Report

Any audit report must have a summary. The auditor should gather all the information, data, findings, nonconformities, and opportunities for improvement, and process and present them together in one report. The goals are to provide the organization with a status report regarding the quality management system and for follow up during the next audit; to review the treatment and to verify that all nonconformities are closed. The report must specify:

  • Who the participants were—it is required that you document who participated in the audit.
  • The scope of the audit, the auditee, and the organization or functional units that were audited.
  • The audit’s objectives.
  • General details and information that will support the evidence and shed light on the auditee or explain some findings (e.g., the number of workers, special projects, special recent events, etc.).
  • The audit findings that were sampled, observed, asked, and examined. This section will refer to the criteria that were used to evaluate the findings.
  • Reference to prior audits and prior findings. The auditor must verify that all nonconformities that were revealed during the last audit are eliminated, the treatment is documented, and (most importantly) the treatment was effective and the nonconformities have not repeated.
  • Recommendations—for every finding, the auditor may offer his/her recommendation.
  • Nonconformities discovered during the audit—the objective is to concentrate all the nonconformities that were discovered in one list for the follow up in the next audit so that corrective actions can be initiated and the nonconformities are eliminated, and not repeated.

This summary will generate a corrective action report (which is a separate topic, and will not be discussed here). Bear in mind, this report is designated for the top management and the function that is responsible for the auditee. The report is a tool for him/her to understand the status of the organization with reference to the requirements or the criteria. Therefore, it is recommended that the report be designed in a format that would be easy to understand.

Nonconformities Revealed in the Audit

Nonconformities are documented three times during the audit process:

  • First—within the audit report along with the audit findings. We can also refer to it as the report itself.
  • Second—where it is suitable, as nonconformities. Any audit report should contain a summary of the nonconformities at the end.
  • Third—as an input for a corrective action.

When you reveal nonconformities, they should be subject to a controlled process. The ISO 13485 standard specifically requires that for each nonconformity a decision and an action will be determined in order to ensure that they will be handled and removed. The goal is to verify that the nonconformities are removed or eliminated, and will not be repeated. The organization shall prove to the auditor that a corrective action was taken for any nonconformity (revealed during the audit) within the scheduled timeframe, that the treatment was effective, and that the nonconformity did not occur again. In order to close the loop, you need to initiate the interface between the internal audit process and the corrective action process. Define and document the fact that audit findings may serve as inputs for the corrective action process. If you wish to be more creative and proactive, you may define that audit findings are also inputs to the continual improvement process (Subclause 8.5.1 (Improvement—General)).

This webpage contains only a fragment of Chapter 8, Measurement, Analysis, and Improvement, from the book ISO 13485: A Complete Guide to Quality Management in the Medical Device Industry, published by CRC Press.



Copyright © 2018 13485quality. All Rights Reserved.