A quick dive into how well-planned internal audits help detect gaps, prepare for external audits, and strengthen your QMS
Internal audits are a key requirement in ISO 13485. Clause 8.2.4 states that all organisations ‘shall conduct internal audits at planned intervals’, but what does this mean and how can they benefit your company? More importantly, how can your organization leverage ISO 13485 internal audits to create real strategic value?
In this blog we will look at how to plan and execute internal audits effectively, and how doing so can provide a wide range of benefits for your quality management system (QMS) and your business.
So, what makes an ISO 13485 Internal Audit ‘well planned’?
All well-planned audits start with a clear, well-developed procedure. Your procedure for internal audits should describe:
- Key responsibilities and requirements
- How to develop an audit programme
- Planning and conducting audits
- Recording and reporting audit results.
The audit programme
The audit programme should define:
| Area | Key Considerations |
| --- | --- |
| Criteria, scope and objectives of the internal audits | Define what the audit will cover, including the criteria, scope and objectives of internal audits. Define grading criteria for non-conformities with clear definitions. Consistency across auditors is key. |
| Areas to be audited | Decide if the audits will be based on processes, products or departments. |
| Frequency of audits | Some audits may occur annually, while others may be more frequent. The frequency of each type of audit and audit area depends on compliance, change and the nature of the audit subject. For instance, it may be justified that purchasing is audited annually, but departments like production which use agency staff/seasonal workers may be audited more frequently. |
| Selection of auditors | Consider the requirements for internal auditors, including training, and independence from the work/area they are auditing. |
| Methods of auditing | Define the appropriate audit methods, considering interviews, observations and documentation reviews. Consider how sampling will be conducted, justified and documented. |
| Reporting | Define how the results of the internal audit will be reported, how findings are tracked and the time frame for dealing with findings. |
Creating an audit calendar for the year is a great way to manage and communicate the schedule. This calendar can then be shared with everyone to ensure transparency and allow the internal audit team and the departments to prepare for the audit.
It’s important to remember that the audit schedule should be thought of as a live document. The audit plan can and should be updated throughout the year; especially where there have been recent changes in a department/process or there has been an increase in complaints relating to a particular area.
Should internal audits just focus on ISO 13485 requirements?
No, clause 8.2.4 in ISO 13485:2016 says that internal audits should be conducted to confirm whether the QMS conforms to:
- ISO 13485:2016
- Your QMS system requirements
- Applicable regulatory requirements (e.g. EU MDR or UK MDR)
This means that when planning your audit, the scope goes beyond ISO 13485. A matrix aligning these requirements is a great audit tool.
What training do people need to be internal auditors and who can be internal auditors?
Auditor training can be provided either internally or externally. Many companies now offer internal audit training packages. Companies with experienced auditors can also train ‘in-house’. Regardless of the source, the training process/requirements should be detailed in your internal audit procedure and there should be documented training records/certificates for each auditor.
As for who can be an auditor, anyone can be an internal auditor as long as they do not audit their own work. Traditionally internal auditors are part of the quality department, but there is no reason why staff from other departments cannot be internal auditors.
For small companies where impartiality can be a challenge, internal audits can be subcontracted to qualified external parties. These service providers should be treated as suppliers, and trained on your internal audit procedure.
So what are the benefits of internal audits?
Whilst internal audits can often feel like a tick-box process, there are many benefits that come from well-planned internal audits. They help strengthen your QMS in the following ways:
- Maintain compliance: Internal audits ensure your processes meet necessary requirements and help highlight gaps in processes or areas where the QMS is not fully implemented or implemented correctly. Addressing these gaps proactively strengthens your compliance position.
- Reduce risk: ISO 13485 promotes risk-based thinking. By incorporating this principle into your internal audits, you can more accurately gauge risks and identify trends across your systems and/or processes. The audit findings can be used to help create strategies to mitigate any risks.
- Prepare for external audits: Internal audits are a dry run for external audits. Detecting gaps or non-conformities before external audits allows you to put the steps in place, and fix them, before any external/regulatory audits, reducing the number of external findings.
- Promote continuous improvement: Internal audit reports will identify non-conformities and highlight ‘opportunities for improvement’. These insights could lead to streamlined processes and improved compliance, and help to create a culture which encourages continuous improvement.
- Provide training opportunities: Internal audits also create opportunities for training and learning. Beyond formal auditor training, they help staff gain insights into other areas of the business, understand interconnected processes, and build a broader view of the business.
Summary
Internal audits are more than a checkbox exercise; they are a strategic tool for:
- Maintaining compliance with ISO 13485, regulatory requirements, and your business objectives
- Identifying risks and improving system robustness
- Preparing confidently for external audits
- Driving continual improvement
- Building team capabilities and cross-functional knowledge
Conclusion
When ISO 13485 internal audits are well-planned, they move beyond a compliance requirement to become a strategic advantage. With the right planning, training, and mindset, internal audits can uncover hidden risks, highlight improvement opportunities, and foster a culture of quality and accountability. Whether you’re a small startup or a global medical device manufacturer, investing in a thoughtful audit programme is an investment in your company’s long-term success.