
ISO 13485 audits can intimidate anyone. The process sounds rigid and technical, as if it were designed to catch you out. But over the years, I’ve come to see these audits not as something to fear, but as incredibly valuable checkpoints for any medical device company that wants to grow responsibly, build trust, and deliver consistently safe products.
In simple terms, an ISO 13485 audit is a systematic, independent, and documented process for evaluating whether a company’s quality management system (QMS) aligns with the ISO 13485 standard. ISO 13485 is the benchmark for quality management systems specific to medical devices.
What an ISO 13485 audit actually looks like
An ISO 13485 audit can be conducted internally (by your own trained team or a third party you hire) or externally (by a certification body or regulatory authority). The scope of the audit usually includes:
- Reviewing your QMS documentation
- Checking whether policies and procedures comply with ISO 13485 requirements
- Interviewing employees at all levels
- Observing processes in real time
- Sampling records to verify compliance
- Identifying gaps or nonconformities and recommending corrective actions
I like to think of it as both a mirror and a map. It reflects how well your system is working, but it also helps guide your next steps.
ISO 13485 audit requirements
Now, let’s talk about the bones of it: what an ISO 13485 audit requires.
The most critical ISO 13485 audit requirements include:
Quality management system documentation
This includes your quality manual, procedures, and records. The auditors will look for evidence that your QMS is not only documented but also implemented and maintained.
Your procedures should reflect your reality. Don’t just write what you think auditors want to hear - document what actually works for you, and keep improving it.
Management responsibility
Auditors assess how leadership demonstrates commitment to the QMS. This includes management reviews, quality objectives, customer focus, and resource planning. If your leadership is disconnected from the quality system, the system won’t survive under pressure.
Resource management
This requirement covers personnel, training, infrastructure, and the work environment. Your team must be competent, well-trained, and supported by the tools and facilities needed to do their jobs safely and effectively.
Product realization
Auditors will examine your planning, design, development, purchasing, production, and servicing processes. They want to see traceability, risk management, design controls, and process validation.
Measurement, analysis, and improvement
Continuous improvement is a cornerstone of ISO 13485. Auditors will look for evidence of internal audits, complaint handling, CAPA (Corrective and Preventive Actions), data analysis, and efforts to continually enhance your QMS.
ISO 13485 audits typically fall into one of four categories:
Internal audits: These are performed within your organization to prepare for certification or maintain ongoing compliance. Surprisingly, internal audits might be the most important type of audit you’ll face (more on that later).
Certification audits: Conducted by a notified body or certification body, these determine whether your QMS meets ISO 13485 and can be certified.
Surveillance audits: Once certified, your organization will undergo periodic audits (usually annually) to ensure continued compliance.
Unannounced audits: Notified bodies and regulatory authorities like the FDA may conduct unannounced audits. These can feel like a curveball - but if your QMS is healthy, they’re manageable.
Tips and tricks: How to prepare for an ISO 13485 audit
Approaching an audit as a “test” you need to pass is short-sighted. Yes, certification is important. Yes, you want a clean report. But the real win is using the audit process to deeply understand your system’s strengths and vulnerabilities.
Here are some of the most practical, real-life strategies I rely on and recommend for how to prepare for an ISO 13485 audit.
Treat your internal audits like the real thing
One of the biggest mistakes I see companies make is treating internal audits like box-ticking exercises. But the best way to prepare for an external ISO 13485 audit is to simulate it internally - with all the formality, curiosity, and attention to detail you’d expect from a notified body.
Real-life tip: Schedule regular internal audits, for example every quarter, using a rotating internal “guest auditor” system. By the time a “real” audit rolls around, everyone is comfortable being questioned and answering with confidence.
Conduct a pre-audit mock interview with key staff
Auditors always want to speak directly with people on the floor - technicians, engineers, production staff, even customer service. That can be nerve-wracking for folks who aren’t used to compliance language.
Real-life tip: In the week before your audit, do 15-minute mock interviews with key employees. Ask things like:
- “What do you do if you find a defective component?”
- “How do you know your procedure is up to date?”
- “Where do you find work instructions?”
It isn’t about training people to memorize answers. It is about helping them understand why they do what they do and feel confident explaining it.
Know your recent CAPAs and complaints inside out
Auditors love to pick one or two (or ten) recent CAPAs (Corrective and Preventive Actions) or complaints and follow them like threads through your entire system. If you handled a field complaint three months ago, they might want to see:
- The complaint log
- The investigation report
- The root cause analysis
- Corrective actions taken
- Verification of effectiveness
- Related training or procedure updates
Real-life tip: Before your audit, do a “CAPA walkthrough” with your quality team. Pull the five most recent CAPAs and rehearse explaining how they were closed out. This shows maturity, transparency, and control - three things auditors are looking for.
How to conduct an internal ISO 13485 audit
In my experience, internal audits are where the real work of ISO 13485 happens. They’re less about passing an inspection and more about creating space to pause, reflect, and ask: “Are we actually doing what we say we’re doing - and is it working?”
And when they’re done right, they’re gold.
So let’s walk through the key steps I follow when conducting an internal ISO 13485 audit, from planning to follow-up.
Create an annual audit schedule
It all starts with a plan.
ISO 13485 requires that internal audits be performed at planned intervals. What that looks like depends on your size, complexity, and risk profile. Some companies audit their full QMS once a year; others use a rolling schedule to audit different processes quarterly.
Real-life tip: Publish your audit schedule internally at the start of the year so teams can prepare and no one feels caught off guard.
Define the audit scope and objectives
Not all audits are the same, so each one should have a clear purpose. Are you auditing the design control process? Supplier qualification? Complaint handling?
You’ll want to define:
- Scope: which process, product, site, or department is being audited
- Objectives: what you’re trying to verify (e.g. conformity to procedures, effectiveness, or compliance with ISO 13485 clauses)
- Criteria: which documents, standards, or regulations you’ll be measuring against
Example:
- Audit Scope: Post-market surveillance activities
- Objective: Verify compliance with ISO 13485:2016 clause 8.2.1 and internal procedure QMS-008
- Criteria: ISO 13485:2016, QMS-008 Rev.3, and the MDR (EU 2017/745)
Develop your audit checklist
A good checklist keeps the audit focused, traceable, and aligned with the standard. It shouldn’t be a rigid script, but it should cover at least:
- Applicable ISO 13485 clauses
- Internal procedures and work instructions
- Specific process controls or outputs
- Past audit findings or CAPAs (to check follow-up)
Example checklist item:
- Are complaints evaluated to determine if they must be reported to regulatory authorities?
- Objective Evidence: CAPA-0023, Complaint Log Q2 2025, SOP-POSTMRKT Rev.4
Perform the audit
I always start the audit with a short kickoff meeting, even for internal audits. It helps set expectations and reduce nervousness.
During the audit, I:
- Ask open-ended questions (“How do you know this document is current?”)
- Observe processes in action
- Sample records (not every single one, just enough to verify consistency)
- Compare actual practices to documented procedures
- Take notes with neutral, factual language
Real-life tip: Stay curious, not combative. The goal isn’t to catch people - it’s to understand what’s happening and why.
Record findings clearly and objectively
There are typically three categories of audit findings:
- Conformity: the process meets requirements
- Opportunity for improvement (OFI): not noncompliant, but could be better
- Nonconformity: process does not meet a requirement
For nonconformities, I document:
- What requirement wasn’t met (cite the clause or procedure)
- Objective evidence (what I saw, heard, or read)
- Context if needed (e.g. “Recurring issue noted in 3/10 sampled records”)
Example nonconformity:
- Clause 7.5.3.2.1 – Identification
- Observation: 2 of 5 sampled finished devices were missing product labels at final inspection.
- Evidence: Batch 24B and 24C inspection records dated July 5, 2025
Follow up and close the loop
This part is just as important as the audit itself.
All nonconformities should lead to a corrective action. You’ll want to:
- Assign responsibility
- Set a realistic due date
- Verify implementation and effectiveness
- Document everything in your CAPA system
Real-life tip: Even when findings are minor, I always make a point of recognizing what is working well. It helps maintain morale and reinforces the purpose behind the audit: improvement, not blame.
I also like to review OFIs at quarterly quality meetings. Even though they’re not mandatory, they often point to strategic opportunities that would otherwise go unnoticed.
What are the post-audit activities after an ISO 13485 internal audit?
An audit with no post-audit follow-up is like going to the doctor, getting a diagnosis, and then ignoring the prescription. The real benefit comes from what you do with what you found.
Here’s what that looks like in practice:
Compile and review the audit report
As soon as possible after the audit, I recommend finalizing a clear, structured audit report. This should include:
- The scope and objective of the audit
- Who conducted it and when
- A summary of the processes and documents reviewed
- All findings, categorized appropriately
- Supporting objective evidence
- Any recommendations or notes
I always make sure the report is reviewed and approved by both the lead auditor and the quality manager (or relevant leadership). This ensures consistency and gives the findings weight when it’s time to act.
Initiate corrective actions for nonconformities
This is the heart of post-audit work. Every nonconformity must go into your Corrective and Preventive Action (CAPA) system.
That process typically includes:
- Root cause analysis: Use tools like 5 Whys or fishbone diagrams to get beyond symptoms.
- Action plan development: Define corrective actions with owners and due dates.
- Implementation: Put the fixes into practice by updating procedures, training staff, modifying forms, and so on.
- Effectiveness check: Come back later to verify that the action actually worked.
Real-life tip: Set a rule for how long it should take to close out audit CAPAs, such as 30 days. It gives your team a deadline and a goal to hit, and you won’t have audit CAPAs hanging around for months, or even years.
Update documentation if needed
An audit often reveals where procedures, forms, or training materials are outdated or unclear. As part of your corrective actions, or even your OFIs, you may need to:
- Revise SOPs and work instructions
- Retire obsolete forms
- Add clarity to process maps
- Re-train personnel on new versions
Real-life tip: Keep a change log and communicate document revisions clearly to affected teams.
Conduct effectiveness checks
This step is sometimes overlooked, but ISO 13485 expects it. It’s not enough to take corrective action; you have to check that the action worked.
Typically, that looks like:
- Reviewing new records for compliance
- Interviewing staff post-training
- Re-auditing the same area a few months later
Real-life tip: A focused mini-audit three months after the audit finding can not only help close the loop but also boost everyone’s confidence in the system.
Key takeaways
- Internal ISO 13485 audits are essential tools for identifying gaps, improving processes, and maintaining compliance - not just a box-ticking exercise.
- Thorough preparation and clear communication are the foundation of a successful audit - know your scope, train your auditors, and use a tailored checklist.
- Post-audit follow-up is where the real improvement happens - document findings, take meaningful corrective actions, and verify their effectiveness.
Conclusion: Ensuring ISO 13485 compliance with QMS software
At the end of the day, ISO 13485 isn’t just about passing an audit; it’s about building a culture of quality that supports safe, effective medical devices and continuous improvement. Internal audits are a key part of that journey, but they can quickly become overwhelming without the right tools in place.
That’s where a smart, purpose-built QMS can make all the difference.
With Scilife’s eQMS for medical devices, teams can go from reactive to proactive; from scrambling to meet audit requirements, to actually using audit insights to drive real improvements. Features like automated audit scheduling, linked CAPA workflows, and built-in document control take the complexity out of compliance and let your team focus on what matters most: quality.
Because in the end, ISO 13485 isn’t just about ticking off clauses - it’s about building trust. And with the right system in place, that gets a whole lot easier.