Internal audits are inspections of the quality management system (QM system) and its processes by the organization itself. This is why they are also called 1st party audits.
ISO 13485 requires internal audits like its “sister standard,” ISO 9001, and other standards and regulations. Therefore, internal audits are also a subject of external audits and are a prerequisite for QM certification.
This article helps you to fulfill the normative requirements for internal audits precisely, avoid the seven most common mistakes, and successfully pass the certification.
1. Objectives of internal audits
Just like external audits, internal audits have two main objectives:
- To ensure that the QM system meets the requirements of the standards
- To ensure that the company adheres to its own rules of the game
Internal audits have the additional objective of
- finding and rectifying deviations more quickly through inspections during the year and
- ensuring the success of external audits.
2. Regulatory requirements
The requirements for internal audits are determined by ISO 13485 in Chapter 8.2.4 (“Internal Audit”) and by ISO 9001 in Chapter 9.2 of the same name.
The MDR and IVDR do not explicitly require internal audits. However, they do require the internal review of QM systems (depending on the conformity assessment procedure selected):
“methods of monitoring whether the operation of the quality management system is efficient and in particular the ability of that system to achieve the desired design and device quality” (MDR / IVDR Annex IX, Section 2.2)
a) Requirements for an audit program
Manufacturers must not only plan and prepare individual internal audits but also set up an audit program.
“arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose” (ISO 19011:2018, Chapter 3.4)
For medical device manufacturers, the specific purpose includes the conformity of the QM system and the devices with the regulatory requirements and thus also the safety of patients.
Manufacturers use the audit program to determine when they want to audit which areas (e.g., processes and organizational units). For example, audit 1 could focus on document control (cross-departmental), audit 2 on the production department and its processes, and audit 3 on measuring equipment (cross-departmental).
Depending on the output of individual audits, manufacturers will adapt their long-term planning (the audit program). Over time, all aspects of the management standard and the entire QM system must be audited.
The definition of the term audit and more can be found under the keyword “audit.”
The software audit guide helps you plan your audits for software devices perfectly, including the audit program. This guide has been developed for notified bodies who use it to conduct external software audits.
b) Requirements for the planning and preparation of internal audits
In accordance with the audit program, organizations must plan and prepare internal audits.
The planning should include (see ISO 19011:2018 Chapter 6.3.2):
- Duration & timing: Plan when to conduct the internal audits. The audit program usually only specifies the time periods.
- Methods: Plan the methods/procedures you want to use for auditing. You can read more about these methods below.
- Persons: How many auditors are needed? What competencies do they need to have?
- Criteria: Depending on the focus areas, you can determine when an internal audit has been passed. What deviations do you want to allow? You can read more about the criteria below.
The planning of internal audits must be part of your QM system and referenced, for example, in the QM manual or in a standard operating procedure for internal audits.
The topics in the specific audit plan are derived from the long-term planning and the output of the last audits: During internal audits, you should always check whether the complaints raised in previous audits have been addressed.
Regarding the CAPA (Corrective and Preventive Actions) process, you should also check whether errors have been corrected and lessons have been learned. In other words, whether not only corrections but also corrective actions have been taken. Include this in your planning.
Preparation is about preparing for a specific internal audit. The activities include:
- Arranging the audit date, reserving rooms
- Inviting people to be audited
- Sending out the audit plan with topics and times
c) Requirements for conducting internal audits
Internal audits should be carried out according to plan. Deviations must be documented. Organizations must take appropriate corrective action if non-conformities are found during the audit.
The ISO 19011 standard provides guidance for QM audits (internal and external audits).
3. Internal audits in practice
a) Methods for internal audits
You should take a systematic and methodical approach to internal audits. This includes the above-mentioned planning and preparations but also the methods. Examples of the various methods used in an audit are (see ISO 19011:2018 Annex A.1):
- Questioning based on previously defined checklists
- Evaluation of failure databases
- Exemplary reviews of technical documentation
- Inspection of rooms (e.g., cleanliness) and measuring equipment (e.g., date of last calibration)
- Documentation of outputs (paper, document management system, etc.)
- Communication of outputs: Channels, deadlines, recipients
These methods can be assigned to the following classes:
- Questioning
- Observing (of actions)
- Reviewing evidence/records
b) Determination of criteria
Even if it is occasionally recommended (similar to the practice of notified bodies) to differentiate between “minor” and “major” non-conformities in internal audits, it should be clear that no standard requires these non-conformities to be defined. According to ISO 19011, however, non-conformities can be classified on a risk basis.
Defining a key performance indicator of how many deviations are allowed (minor and major) can also be counterproductive. On the other hand, using the key performance indicator of how many of the errors found have been sustainably corrected seems to make sense.
c) Requirements for internal auditors
The standards place requirements not only on the internal audits but also on the auditors. Make sure that they can demonstrate the necessary competence!
The internal auditor seminar provides you with all the necessary competencies. You can demonstrate these to external auditors and your notified bodies using the certificate of attendance and the certificate of achievement.
Internal auditors must fulfill several requirements:
- Competence: You must be able to demonstrate that you have the necessary competence, e.g., know the standards, are able to draw up audit plans, assess deviations, etc.
- Objectivity, independence: Auditors must be independent in order to be able to judge objectively. They must be able to justify this independence, for example, using an organization chart or a job description.
- Communication and moderation: Auditors are not always welcome due to their job: They must touch the sore points and uncover grievances. Therefore, internal and external auditors should be good communicators and able to conduct difficult conversations confidently.
4. The seven most common mistakes in internal audits
Mistake 1: Inadequate audit program, wrong focus
Organizations make several mistakes in the audit program:
- The audit program is missing, i.e., the companies only plan the individual audits, but not – as required – a set of audits.
- The audit program does not ensure that the organization audits the entire QM system with all processes, including, where applicable, outsourced processes.
- The audit program is only aimed at conformity with the requirements of ISO 13485. In most cases, other requirements must also be observed, such as the requirements of the MDR or IVDR, the requirements of the FDA in 21 CFR part 820, or those of integrated management systems such as ISO 27001.
Mistake 2: Wrong frequency
The standards speak of “planned intervals” but do not specify a time period. As a result, many organizations only carry out internal audits once a year. However, this interval may be too long. Reasons for additional audits would be, for example, a process change, an organizational change, or measures in the event of serious deviations.
Mistake 3: Lack of competence, wrong persons
The task of carrying out internal audits should not be the sole responsibility of the QM Representative. He/she often lacks the procedural knowledge.
Organizations must also ensure the neutrality of the auditors. For example, QM Representatives should not audit the process of internal audits if they are responsible for them.
Mistake 4: Lack of consequences
Lack of consequences is probably the worst mistake. The auditors’ task is to find errors, even if the auditees don’t like it.
If non-conformities are found, the causes must be investigated and corrected. Corrective action must be taken “without undue delay.”
If a non-conformity still exists in the following year, the QM system is ineffective.
Mistake 5: Insufficient documentation
Documentation is also error-prone:
- What is not documented does not exist. Documentation is therefore required.
- This also explicitly applies to proof of conformity and not just proof of non-conformities. A neutral third party must be able to understand what auditors have checked and how they reached their output.
- The evidence usually relates to records, e.g., test reports, incoming goods inspections, review logs, etc. These must be identifiable.
The documentation of internal audits consists of records that must be controlled.
Mistake 6: Concealing the output
During external audits, it hardly makes sense to conceal the deviations found during internal audits. Rather, it is a sign of the effectiveness of internal audits to find these mistakes and a sign of a practiced QM system that these deviations are eliminated quickly and consistently.
Mistake 7: Insufficient commitment from management
The problem arises from the top. This also applies to QM systems. If the management is not committed to the QM system, it is not only the QM officers who have a hard time.
One indicator of this commitment is the extent to which the management considers the output of internal audits in management reviews.
5. Conclusion and summary
Internal audits are an integral part of every QM system. An organization uses them to review the system’s effectiveness in a previously defined manner (audit program, audit plan). If the impression of “QM overhead” arises, it is a sign of incorrectly conducted internal audits or a lack of quality culture.
Would you like to ensure that your QM system passes the next external audit and that you obtain or retain your certificate?
The Johner Institute team will check the conformity of your QM system with mock audits. With these mock audits, you also fulfill the requirements for internal audits. So, you kill two birds with one stone.
Get in touch if you would like to discuss the next steps with us.
Change history
- 2023-05-26: Article completely revised and updated
- 2015-07-02: First version published