Internal audits are inspections of the quality management system (QM system) and its processes by the organization itself. This is why they are also called 1st party audits.
Like its “sister standard” ISO 9001 and other standards and regulations, ISO 13485 requires internal audits. Therefore, internal audits are also a subject of external audits and are a prerequisite for QM certification.
This article helps you to fulfill the normative requirements for internal audits precisely, avoid the seven most common mistakes, and successfully pass the certification.
1. Objectives of internal audits
Just like external audits, internal audits have two main objectives:
- To ensure that the QM system (the “own rules”) meets the requirements of the standards
- To ensure that the company adheres to its own rules

Internal audits have the additional objective of
- finding and rectifying deviations more quickly through inspections during the year and
- ensuring the success of external audits.
2. Regulatory requirements
The requirements for internal audits are determined by ISO 13485 in Chapter 8.2.4 (“Internal Audit”) and by ISO 9001 in Chapter 9.2 of the same name.
The MDR and IVDR do not explicitly require internal audits. However, they do require the internal review of QM systems (depending on the conformity assessment procedure selected):
“methods of monitoring whether the operation of the quality management system is efficient and in particular the ability of that system to achieve the desired design and device quality” (MDR / IVDR Annex IX, Section 2.2)
a) Audit programme
Manufacturers must not only plan and prepare individual internal audits but also set up an audit programme.
“arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose” (ISO 19011:2018, Chapter 3.4)
For medical device manufacturers, the specific purpose includes the conformity of the QM system and the devices with the regulatory requirements and thus also the safety of patients.
Manufacturers use the audit programme to determine when they want to audit which areas (e.g., processes and organizational units). For example, audit 1 could focus on document control (cross-departmental), audit 2 on the production department and its processes, and audit 3 on measuring equipment (cross-departmental).
Depending on the results of individual audits, manufacturers will adapt their long-term planning (the audit programme). Over time, all aspects of the management standard and the entire QM system must be audited.
The definition of the term audit and more can be found under the keyword “audit.”
b) Audit plan
Organizations must plan and prepare internal audits in accordance with the audit programme.
The audit plan should include (see ISO 19011:2018 Chapter 6.3.2):
- Duration & timing: Plan when to conduct the internal audits. The audit programme usually only specifies the time periods.
- Methods: Plan the methods/procedures you want to use for auditing. You can read more about these methods below.
- Persons: How many auditors are needed? What competencies do they need to have?
- Criteria: Depending on the focus areas, you can determine when an internal audit has been passed. What deviations do you want to allow? You can read more about the criteria below.
The planning of internal audits must be part of your QM system and referenced, for example, in the QM manual or in a standard operating procedure for internal audits.
The topics in the specific audit plan are derived from the long-term planning and the results of the last audits: during internal audits, you should always check whether the complaints raised in previous audits have been addressed.
Regarding the CAPA (corrective and preventive actions) process, you should also check whether errors have been corrected and lessons have been learned, in other words, whether not only corrections but also corrective actions have been taken. Include this in your planning.
c) Audit preparation
Preparation is about preparing for a specific internal audit. The activities include:
- Arranging the audit date, reserving rooms
- Inviting people to be audited
- Sending out the audit plan with topics and times
d) Requirements for carrying out internal audits
Internal audits should be carried out according to plan. Deviations must be documented. Organizations must take appropriate corrective action if non-conformities are found during the audit.
The ISO 19011 standard provides guidance for QM audits (internal and external audits).
3. Internal audits in practice
a) Methods for internal audits
You should take a systematic and methodical approach to internal audits. This includes the above-mentioned planning and preparations but also the methods. Examples of the various methods used in an audit are (see ISO 19011:2018 Annex A.1):
- Questioning based on previously defined checklists
- Evaluation of failure databases
- Exemplary reviews of technical documentation
- Inspection of rooms (e.g., cleanliness) and measuring equipment (e.g., date of last calibration)
- Documentation of the results (paper, document management system, etc.)
- Communication of the results: Channels, deadlines, recipients
These methods can be assigned to the following classes:
- Questioning
- Observing (actions)
- Reviewing evidence/records
b) Determination of criteria
Even if it is occasionally recommended (similar to the practice of notified bodies) to differentiate between “minor” and “major” non-conformities in internal audits, it should be clear that no standard requires these non-conformities to be defined. According to ISO 19011, however, non-conformities can be classified on a risk basis.
Defining a key performance indicator of how many deviations are allowed (minor and major) can also be counterproductive. On the other hand, using the key performance indicator of how many of the errors found have been sustainably corrected seems to make sense.
c) Requirements for internal auditors
The standards place requirements not only on the internal audits but also on the auditors. Make sure that they can demonstrate the necessary competence!
Internal auditors must fulfill several requirements:
- Competence: An internal auditor must be able to demonstrate that he or she has the necessary competence, e.g., knows the standards, is able to draw up audit plans, to assess deviations, etc. An internal auditor must also be able to evaluate the “audit object,” for example, the process to be audited.
- Objectivity, independence: Internal and external auditors must be independent in order to be able to judge objectively. They must be able to justify this independence, for example, using an organization chart or a job description.
- Communication and moderation: Like external auditors, internal auditors are not always welcome due to their job: They must touch the sore points and uncover grievances. Therefore, internal and external auditors should be good communicators and able to conduct difficult conversations confidently.
An internal auditor should see himself/herself as a part of the organization that needs to be continuously improved just as much as any other part of the organization. Helpful feedback for this comes from
- external auditors who audit the entire QM system,
- other internal auditors who audit the process of internal audits,
- persons audited by him/her.
Improvement measures should be derived from the feedback, implemented, and checked for effectiveness.
d) Checklist/questionnaire for internal audits
Internal audits review process conformity with the company’s own requirements (see section 1). One of these processes concerns the audit system itself, i.e., the planning, preparation, and performance of internal audits. A checklist for this is provided in section i) below. Notes on questionnaires for the other processes are provided in section ii).
i) Checklist/questionnaire for internal audits: Focus on the audit process
The following questionnaire will help companies prepare:
- Do you have a current audit programme that covers at least the next internal audit?
- How did you verify that this audit programme ensures that all processes are audited during the audit?
- How did you derive the audit programme from the results of management reviews, past internal and external audits, and market feedback?
- What criteria were used to determine the competence of the auditors?
- How were these competencies reviewed?
- Who approved the audit programme?
- Does this approval comply with the requirements in the relevant standard operating procedure?
- Were the internal audits carried out in accordance with the audit plan (focus areas, auditors, dates)?
- Were the (corrective) measures resulting from the audits implemented?
ii) Checklist/questionnaire for internal audits: Focus on other processes
The typical questions internal and external auditors ask depend heavily on the respective audit focus or processes. For example, companies should be prepared for the following questions regarding corrective actions:
- Is there a standard operating procedure for handling corrective actions (e.g., “SOP CAPA”)?
- Do these standard operating procedures specify all information channels through which feedback on non-conformities is collected?
- Do these information channels take internal and external sources of information into account?
- Do the standard operating procedures contain clear criteria for evaluating feedback to determine whether it must result in corrective action?
- Is the computerized system (e.g., ticket system) for collecting and tracking corrective actions validated?
- Are users trained in how to use this system?
- Do the standard operating procedures describe how risk-related information is transferred to risk management?
- Are the defined deadlines by which corrective actions must be completed traceable and compliant with the requirements of ISO 13485?
- Are there any overdue measures?
Manufacturers should create (or have created) comparable lists of questions for the other processes to optimally prepare for the audits.
The Audit Guide for software audits helps you plan your audits perfectly, including the audit programme and other processes, e.g., in development, testing, and post-market surveillance. This guide was developed for notified bodies that use it for external audits.

4. The seven most common mistakes in internal audits
Mistake 1: Inadequate audit programme, wrong focus
Organizations make several mistakes in the audit programme:
- The audit programme is missing, i.e., the companies only plan the individual audits, but not – as required – a set of audits.
- The audit programme does not ensure that the organization audits the entire QM system with all processes, including, where applicable, outsourced processes.
- The audit programme is set once without further adaptation. However, adaptation is particularly necessary in response to findings in internal and external audits, incidents involving the company’s devices, or other observations.
- The audit programme is only aimed at conformity with the requirements of ISO 13485. In most cases, other requirements must also be considered, such as the requirements of the MDR or IVDR, the requirements of the FDA in 21 CFR part 820, or those of integrated management systems such as ISO 27001.
Mistake 2: Wrong frequency
The standards speak of “planned intervals” but do not specify a time period. As a result, many organizations only carry out internal audits once a year. However, this interval may be too long. Reasons for additional audits would be, for example, a process change, an organizational change, or measures in the event of serious deviations.
Mistake 3: Lack of competence, wrong persons
The task of carrying out internal audits should not be the sole responsibility of the QM representative. He/she often lacks the procedural knowledge.
Organizations must also ensure the neutrality of the auditors. For example, QM representatives should not audit the process of internal audits if they are responsible for them.
Mistake 4: Lack of consequences
Lack of consequences is probably the worst mistake. The auditors’ task is to find errors, even if the auditees don’t like it.
If non-conformities are found, the causes must be investigated and corrected. Corrective action must be taken “without undue delay.”
If a non-conformity still exists in the following year, the QM system is ineffective.
Mistake 5: Insufficient documentation
Documentation is also error-prone:
- What is not documented does not exist. Documentation is therefore required.
- This also explicitly applies to proof of conformity and not just proof of non-conformities. A neutral third party must be able to understand what auditors have checked and how they reached their results.
- The evidence usually relates to records, e.g., test reports, incoming goods inspections, review logs, etc. These must be identifiable.
The documentation of internal audits consists of records that must be controlled.
Mistake 6: Concealing the results
During external audits, it hardly makes sense to conceal the deviations found during internal audits. Rather, it is a sign of the effectiveness of internal audits to find these mistakes and a sign of a practiced QM system that these deviations are eliminated quickly and consistently.
Mistake 7: Insufficient commitment from management
The problem arises from the top. This also applies to QM systems. If the management is not committed to the QM system, it is not only the QM officers who have a hard time.
One indicator of this commitment is the extent to which the management considers the results of internal audits in management reviews.
5. Conclusion and summary
Internal audits are an integral part of every QM system. An organization uses them to review the system’s effectiveness in a previously defined manner (audit programme, audit plan). If the impression of “QM overhead” arises, it is a sign of incorrectly conducted internal audits or a lack of quality culture.
Change history:
- 2025-04-22: Headings in chapter 2 renamed; audit plan and audit preparation separated; chapter 3.d) with questionnaires added
- 2025-01-22: Chapter 3.c) on the internal auditor revised and supplemented
- 2023-05-26: Article completely revised and updated
- 2015-07-02: First version published