How to conduct an internal audit in ISO 13485

Updated: November 27, 2023.

Like many companies, you may view the internal audit process as one more necessary evil required for ISO 13485:2016 certification and maintenance. Some think of it as a waste of time, merely duplicating the work of the certification body; others see it as a witch hunt, looking for mistakes (or trying to hide their own), or searching for someone to blame or discipline. In truth, the ISO 13485 internal audit is neither of these things — at least, these are certainly not the intent.

Key steps in the internal audit process:
  1. Plan and announce the audit schedule.
  2. Plan the individual process audits.
  3. Conduct the audit.
  4. Report on the audit.
  5. Follow up on issues or improvements.

What is an internal audit in ISO 13485?

An internal audit is an important part of the Quality Management System (QMS) in ISO 13485. It is a structured process that helps companies identify areas for improvement and ensure that their QMS complies with the standard’s requirements. The internal audit provides an opportunity for companies to evaluate the effectiveness of their QMS, identify areas for improvement, and take corrective actions as necessary. By following the key steps of an internal audit, companies can ensure that their QMS is functioning effectively and identify opportunities for improvement.

Steps in the internal audit

The purpose of the internal audit is to examine your processes more closely and try to identify areas for improvement. As a process owner, it can be very helpful to step away for a moment and allow a second set of eyes to look for opportunities you may have missed. The goal is not to criticize, but rather to find ways to streamline processes so that they work more efficiently. So, without further ado, here are the five key steps in the internal audit process, plus tips for how to best use this process to the advantage of your company.


1) Plan and announce the audit schedule. Remember — the audit is not about surprising people so you can “catch them in the act” of doing something wrong. When you do that, top management sends a clear message that they don’t trust their employees, and in turn, employees may try to protect themselves by hiding data or giving false information. So, with this in mind, it is important to set up a clear audit schedule and make sure that everyone knows when each process will be audited — even if it’s just a rough guideline to start. This shows a commitment from management to supporting employees in their efforts to improve their processes. It also allows those in charge of a process to finish up any improvements they are currently working on, so they can get a clear view of the impact of those changes; also, process owners may wish to make special requests for the auditor to look for particular information related to other planned improvements.

2) Plan the individual process audits. Now that everyone has an idea of when to expect an audit, you’ll need to plan and schedule (with more precision) the audits of each individual process. This allows both auditor and auditee to find a time that works for both, and a timeline that is comfortable. This is also a good time to go over previous audit reports to determine what follow-up might be needed, and to talk about any areas that either party would like to pay extra attention to. Taking the time to plan the audit well is the best way to make sure that both the company and the process owner will benefit from the audit process.

3) Conduct the audit. To begin, the auditor and process owner should meet to discuss the audit plan, and make sure it is complete and ready to go. Then, the auditor can go to work gathering the evidence they need to determine whether the process is functioning as it should, according to the Quality Management System, and if it is producing the desired results. This information can be gathered through analyzing key process data, reviewing records, talking with employees, or observing the process itself. During the process, it is valuable if the auditor can point out any areas that do not have sufficient evidence that they are functioning as expected, or any areas they notice that could be improved.

4) Report on the audit. Once the audit is complete, the auditor should hold a closing meeting with the process owner to communicate any findings right away, such as any weaknesses in the process, any particularly positive observations, or any areas that are functioning as expected, but that could be improved. Soon after, a written report should be provided as documentation.

5) Follow up on issues or improvements. Of course, just like any other part of the QMS, follow-up is key to a successful audit. If problems were found, and corrective actions taken, it is critical to follow up and be sure that the problems were truly addressed. If improvement projects were implemented based on opportunities found during the audit, then gathering data to see just how much the process has improved will motivate employees and management to look for more opportunities for improvement.

Key steps in the internal audit process

ISO 13485 internal audit checklist: What is it, and why use it?

An ISO 13485:2016 internal audit checklist is a tool used to ensure that a company’s QMS is compliant with ISO 13485 requirements, and that it is functioning effectively. The ISO 13485 checklist for internal audit includes a list of items to be audited, along with references to the corresponding standard or procedure.

Using an ISO 13485 internal audit checklist has several benefits. First, it helps ensure that the company’s QMS is meeting the necessary standards and regulations. Second, it provides a structured approach to the internal audit process, making it easier to plan and conduct the audit. Third, it promotes consistency in the audit process, ensuring that all necessary items are covered. Finally, it provides a documented record of the audit, which can be used for future reference and to demonstrate compliance to external parties.

How to create an ISO 13485 internal audit checklist

To create an internal audit checklist and prepare well for ISO 13485 internal audit questions, follow these steps:

1) Identify the requirements. Start by identifying the ISO 13485 requirements that apply to your organization’s QMS. This might include requirements related to management responsibility; documentation; product realization; and measurement, analysis, and improvement.

2) Organize the checklist. Once you have identified the ISO 13485 internal audit requirements, organize them into a checklist. This can be done in any format that works for your company, such as a spreadsheet or a document. Make sure to include a reference to the corresponding standard or procedure for each item on the checklist.

3) Customize the checklist. Adjust this document to your organization’s specific needs. This might include adding items that are specific to your QMS or removing items that are not applicable.

4) Test the checklist. Before using the checklist for an internal audit, test it to ensure that it is accurate and complete. You might do this by conducting a trial audit or by having another department review the checklist.

5) Update the checklist. Finally, update the checklist regularly to make sure that it is up to date with the latest ISO 13485 requirements, other applicable regulations, and any changes to your company’s QMS.

By following these steps, you can create a useful internal audit checklist for ISO 13485 that will help ensure that your organization’s QMS is compliant with the standard’s requirements and functioning effectively.

Why do you need to conduct the ISO 13485 internal audit?

The benefits of conducting an internal audit in ISO 13485 are numerous. First, it helps companies maintain compliance with the standard’s requirements. By identifying areas for improvement and taking corrective actions, companies can ensure that their QMS meets the necessary standards.

Second, the ISO 13485 internal audit process helps companies improve their processes and increase efficiency. By focusing on process improvement, companies can identify areas where they can streamline their operations, reduce waste, and increase productivity.

Finally, the internal audit process promotes continual improvement. By identifying areas for improvement and taking corrective actions, companies can ensure that their QMS is constantly evolving and improving over time.

In summary, the internal audit process is a critical component of ISO 13485 compliance. By following the process and identifying areas for improvement, companies can ensure that their QMS is effective, efficient, and continually improving over time.

Focus on process improvement to get the most value from the internal audit

You can choose to see the internal audit as a necessary evil for maintaining compliance, or you can use the internal audit as a way to monitor and improve upon your company’s processes. Because ISO 13485 places heavy emphasis on process improvement within the Quality Management System, this should be a key motivator for your company, too — not to mention the other benefits that go along with improvement, like improved efficiency in terms of costs and time. Allow your internal audit to bring value to your QMS, and to your company.

For a graphical representation of the implementation process, check out this free Diagram of ISO 13485:2016 Implementation Process.