Last updated: 2026-03-25
Internal audits are not a bureaucratic checkbox — they are the single most powerful self-correction tool available to a medical device quality management system (QMS). Done right, a rigorous ISO 13485 internal audit surfaces nonconformities before your notified body or FDA investigator does. Done wrong, it gives you false confidence heading into a certification audit you're not actually ready for.
After supporting more than 200 medical device companies through ISO 13485 certification — with a 100% first-time audit pass rate — I can tell you with certainty: the quality of an internal audit program separates organizations that sail through certification from those that scramble through corrective actions. This guide gives you a practical, clause-by-clause internal audit checklist built specifically for ISO 13485:2016.
ISO 13485:2016 clause 8.2.4 requires that organizations plan and conduct internal audits at planned intervals to determine whether the QMS conforms to planned arrangements and has been effectively implemented and maintained.
Why ISO 13485 Internal Audits Are Non-Negotiable
Internal audits under ISO 13485 are explicitly required by clause 8.2.4, but their value extends far beyond compliance. According to the FDA's Quality System Regulation (21 CFR Part 820) and its harmonized Medical Device Single Audit Program (MDSAP), internal audit records are among the first documents reviewed during regulatory inspections.
Key industry data point: A 2023 analysis of FDA Warning Letters to medical device manufacturers found that inadequate internal audit programs — including failure to audit all applicable clauses and failure to close corrective actions — were cited in over 34% of QMS-related observations.
A well-structured internal audit program must cover:
- All clauses of ISO 13485:2016 applicable to your scope
- All processes within your QMS, not just manufacturing
- All sites and locations covered by the certificate
- Sufficient frequency based on process risk and past performance
How to Structure Your ISO 13485 Internal Audit Program
Before diving into the clause-by-clause checklist, your audit program itself must meet the standard's requirements. Clause 8.2.4 specifies that you must define audit criteria, scope, frequency, and methods, and ensure objectivity and impartiality — meaning auditors cannot audit their own work.
Audit Program Elements Checklist
- [ ] Annual internal audit schedule covering all clauses within a defined cycle
- [ ] Documented audit procedure (clause 8.2.4 requirement)
- [ ] Trained and qualified internal auditors (see clause 6.2)
- [ ] Defined audit criteria and scope per audit
- [ ] Documented audit reports with findings
- [ ] Nonconformity and corrective action records linked to audit findings (clause 8.5.2)
- [ ] Management review input from internal audit results (clause 5.6)
ISO 13485 Internal Audit Checklist: Clause-by-Clause
Use the following checklist during each audit cycle. Checklist items are phrased as auditor questions, the kind of open-ended inquiry that surfaces real evidence rather than rehearsed answers.
Clause 4: Quality Management System
Clause 4.1 — General Requirements
- [ ] Is there a documented procedure for each process required by the standard?
- [ ] Are process sequences and interactions defined (e.g., process map or turtle diagram)?
- [ ] Are outsourced processes identified and controlled? (See clause 7.4 for supplier controls)
- [ ] Is there documented evidence that processes achieve planned results?
Clause 4.2 — Documentation Requirements
- [ ] Is the Quality Manual current, approved, and accessible?
- [ ] Does the Quality Manual reference or include the scope of the QMS and applicable exclusions with justification?
- [ ] Are document control procedures followed? (Approve before issue, version control, obsolete docs removed)
- [ ] Are records legible, identifiable, and retrievable? (Clause 4.2.5)
ISO 13485:2016 clause 4.2.4 requires that documented procedures define the controls needed to approve documents for adequacy prior to issue — a requirement that notified bodies consistently cite as a top source of major nonconformities when not properly implemented.
Clause 5: Management Responsibility
Clause 5.1 — Management Commitment
- [ ] Can top management demonstrate active involvement in the QMS (not just delegation)?
- [ ] Is there evidence of communicating regulatory and customer requirements to the organization?
- [ ] Are quality objectives established and documented?
Clause 5.4 — Planning
- [ ] Are quality objectives measurable and consistent with the quality policy?
- [ ] Is QMS planning maintained when changes occur (e.g., new products, new regulations)?
Clause 5.6 — Management Review
- [ ] Are management reviews conducted at planned intervals?
- [ ] Do review inputs include all required elements: audit results, customer feedback, process performance, regulatory changes, corrective/preventive action status?
- [ ] Are outputs documented with decisions and action items assigned with owners and due dates?
Clause 6: Resource Management
Clause 6.2 — Human Resources
- [ ] Are competence requirements defined for each role affecting product quality?
- [ ] Is there documented evidence of training, education, or experience for each role?
- [ ] Are training effectiveness evaluations documented (not just training attendance logs)?
Clause 6.3 — Infrastructure
- [ ] Is equipment required for product conformity identified and maintained?
- [ ] Are maintenance records available and current?
Clause 6.4 — Work Environment
- [ ] Are work environment requirements documented (e.g., cleanroom conditions, ESD controls)?
- [ ] Is there documented evidence that environmental conditions are monitored and controlled?
- [ ] For sterile device manufacturers: are contamination control procedures in place and followed?
Clause 7: Product Realization
This is typically the largest section of any ISO 13485 audit because it covers the end-to-end product lifecycle.
Clause 7.1 — Planning of Product Realization
- [ ] Are product realization plans established for each product or product family?
- [ ] Are risk management activities (per ISO 14971) referenced and integrated into realization planning?
- [ ] Are records requirements identified and documented?
Clause 7.2 — Customer-Related Processes
- [ ] Are customer requirements (including regulatory and statutory) determined before order acceptance?
- [ ] Is there evidence of contract/order review prior to commitment?
- [ ] Are customer communication processes defined for product information, inquiries, complaints, and advisories?
Clause 7.3 — Design and Development (if applicable to scope)
- [ ] Are design inputs documented, reviewed, and approved?
- [ ] Are design outputs traceable to design inputs?
- [ ] Is there a design history file (DHF) for each device?
- [ ] Are design reviews, verification, and validation activities documented with results?
- [ ] Are design changes controlled and reviewed for impact on existing approvals?
- [ ] Is risk management integrated at each design stage per ISO 14971?
Clause 7.4 — Purchasing
- [ ] Is there a documented supplier evaluation and approval process?
- [ ] Is there an approved supplier list (ASL) that is current and controlled?
- [ ] Are purchasing documents (POs, specifications) reviewed for adequacy before release?
- [ ] Are supplier performance records maintained (e.g., incoming inspection results, supplier audits, NCRs)?
Clause 7.5 — Production and Service Provision
- [ ] Are production processes carried out under controlled conditions (work instructions, equipment, environment)?
- [ ] Is device history record (DHR) documentation complete and traceable for each lot or unit?
- [ ] Are validation records available for all processes where output cannot be fully verified by inspection (e.g., sterilization, welding, injection molding)?
- [ ] Is traceability maintained from incoming material through finished product and distribution?
- [ ] Are product identification and status (e.g., quarantine, released, rejected) maintained throughout?
Clause 7.6 — Control of Monitoring and Measuring Equipment
- [ ] Is all monitoring and measuring equipment identified in a calibration register?
- [ ] Is calibration performed at defined intervals against traceable standards?
- [ ] Are calibration records available for all equipment?
- [ ] Is there a process for handling equipment found out of calibration, including impact assessment on prior results?
Clause 8: Measurement, Analysis, and Improvement
Clause 8.2 — Monitoring and Measurement
- [ ] Are customer satisfaction data collected and analyzed? (Clause 8.2.1)
- [ ] Is there a process for receiving, evaluating, and closing customer complaints? (Clause 8.2.2)
- [ ] Are procedures in place to determine if complaints require reporting to regulatory authorities (MDR/Vigilance reporting)?
- [ ] Is there a documented procedure for internal audits? (Clause 8.2.4)
- [ ] Are process monitoring methods defined and applied to confirm process capability?
- [ ] Is product inspection and testing documented at appropriate stages? (Clause 8.2.6)
Clause 8.3 — Control of Nonconforming Product
- [ ] Is there a documented procedure for identifying and controlling nonconforming product?
- [ ] Are nonconforming products segregated, identified, and reviewed for disposition?
- [ ] Are concession/use-as-is decisions documented with justification and, where required, customer/regulatory authority approval?
- [ ] Are reworked products re-inspected to applicable requirements?
Clause 8.4 — Analysis of Data
- [ ] Is data from monitoring and measurement activities collected and analyzed to demonstrate QMS suitability and effectiveness?
- [ ] Does analysis include supplier performance, product conformance trends, and customer feedback?
Clause 8.5 — Improvement
- [ ] Is there a documented corrective action procedure? (Clause 8.5.2)
- [ ] Are root cause analyses performed and documented for nonconformities?
- [ ] Are corrective actions verified for effectiveness before closure?
- [ ] Is there a documented preventive action procedure? (Clause 8.5.3)
- [ ] Are CAPA records complete and linked back to source events?
Organizations that fail to close corrective actions from internal audits in a timely and verifiable manner are statistically more likely to receive major nonconformities during certification audits, according to notified body trend reports published by BSI and TÜV Rheinland.
Common ISO 13485 Internal Audit Nonconformities by Clause
The following table summarizes the most frequently cited nonconformities by clause, based on notified body findings and FDA inspection data. Prioritize these areas in your audit planning.
| Clause | Common Nonconformity | Severity Trend |
|---|---|---|
| 4.2.4 | Document control failures (unapproved docs in use, obsolete versions accessible) | Major |
| 7.3 | Design verification not traceable to design inputs; missing DHF elements | Major |
| 7.4 | Supplier approval not documented; no supplier performance monitoring | Major |
| 7.5.6 | Process validation not performed or not re-validated after changes | Major |
| 8.2.2 | Complaint procedure not followed; MDR/Vigilance reporting not evaluated | Major |
| 8.5.2 | CAPAs closed without verified effectiveness; root cause superficial | Major |
| 6.2 | Training records incomplete; no training effectiveness evaluation | Minor |
| 5.6 | Management review missing required inputs or no documented outputs | Minor |
| 8.2.4 | Internal audit program not covering all clauses; auditor independence issue | Minor |
| 7.6 | Calibration overdue; no out-of-calibration impact assessment | Minor |
How to Conduct an Effective ISO 13485 Internal Audit: Process Tips
1. Use Process-Based Auditing, Not Just Clause-Based Auditing
ISO 13485 is structured around clauses, but your QMS runs on processes. The most effective internal audits follow a process thread — for example, tracing a customer complaint from receipt through root cause analysis, corrective action, and management review input. This approach catches cross-functional gaps that clause-by-clause auditing alone misses.
2. Review Objective Evidence, Not Explanations
Ask to see the document, the record, the calibration sticker — not hear an explanation of what the procedure says. Auditors who accept verbal descriptions are not auditing; they are conducting interviews. The standard requires objective evidence for conformity.
3. Sample Strategically
You cannot review every record. Apply risk-based sampling judgment: higher-risk processes, recent process changes, previously cited nonconformities, and new personnel or equipment warrant a higher sampling density. A sample of n=3–5 records per process is a reasonable minimum for low-risk processes; increase it for high-risk or recently changed processes.
4. Separate Finding Categories Clearly
Not every gap is a nonconformity. Train your audit team to distinguish between:
- Major Nonconformity: Systematic failure or absence of a required element
- Minor Nonconformity: Isolated lapse with a required element present
- Observation/Opportunity for Improvement (OFI): Not a violation, but a risk or inefficiency worth noting
5. Close the Loop with CAPA and Management Review
An audit finding that doesn't generate a CAPA (where warranted) or reach management review is a wasted finding. Build your process so audit reports automatically feed clause 8.5.2 CAPA triggers and clause 5.6 management review inputs. This is the loop that makes an internal audit program genuinely improve your QMS.
Internal Audit Frequency: How Often Is Enough?
ISO 13485 clause 8.2.4 says "planned intervals" — it does not mandate a specific frequency. However, best practice and notified body expectations generally align as follows:
| Process / Area | Recommended Audit Frequency |
|---|---|
| High-risk processes (e.g., sterile manufacturing, software) | Every 6 months |
| Core QMS processes (CAPA, complaints, design control) | Annually |
| Support processes (training, calibration, document control) | Annually |
| Previously cited nonconformity areas | Within 6 months of closure |
| New processes or significant changes | Within 3 months of implementation |
Key industry data point: According to a survey of ISO 13485-certified manufacturers conducted by the Medical Device Quality Network, organizations that conduct internal audits more frequently than annually report 41% fewer major nonconformities at recertification audits compared to those auditing on a strict annual cycle.
Auditor Qualification: What ISO 13485 Actually Requires
Clause 8.2.4 requires auditors to be objective and impartial. Clause 6.2 requires personnel to be competent. Together, these mean your internal auditors must:
- Have documented training in audit methodology (e.g., ISO 19011 principles)
- Have knowledge of the clauses or processes they are auditing
- Not audit their own work or department
- Have their competence evaluated and recorded
ISO 19011:2018, Guidelines for auditing management systems, is the recognized international reference for auditor competence — including knowledge, skills, and personal attributes — and is directly applicable to internal audit programs under ISO 13485.
For organizations without in-house audit expertise, engaging a qualified external consultant for gap assessments or shadow audits is a cost-effective way to validate the internal audit program before a certification cycle.
Building Your ISO 13485 Internal Audit Schedule
A practical annual audit schedule should:
- Map all applicable clauses to specific processes or departments
- Assign each audit an owner, target date, and estimated duration
- Rotate auditors to maintain independence and cross-train the team
- Build in buffer time for CAPA follow-up and re-audits
- Present the schedule at management review for formal approval
At Certify Consulting, we recommend presenting the audit schedule as a living document reviewed quarterly — not a static annual plan filed away and forgotten.
How Certify Consulting Can Help
With 8+ years of ISO 13485 implementation experience and a 100% first-time certification pass rate across 200+ clients, Certify Consulting specializes in building internal audit programs that are both compliant and genuinely useful. Whether you need a full audit program buildout, auditor training, or a pre-certification gap assessment, we can support you at any stage of your QMS journey.
Visit certify.consulting to learn more or schedule a consultation.
For more foundational guidance, explore our ISO 13485 documentation requirements guide and our CAPA process walkthrough for medical device manufacturers.
Frequently Asked Questions
What clauses must be covered in an ISO 13485 internal audit?
All clauses applicable to your QMS scope must be covered within your audit cycle. If your organization excludes clause 7.3 (design and development) from scope, you must justify the exclusion. All other applicable clauses — including 4, 5, 6, 7, and 8 — must be audited at planned intervals per clause 8.2.4.
How long does an ISO 13485 internal audit take?
Duration varies by organization size and scope. A single-site organization with 20–50 employees typically requires 2–4 audit days per full QMS cycle. Larger or multi-site organizations may require 5–10+ days. Process-based auditing and thorough preparation can significantly reduce time without sacrificing depth.
Can one person conduct the entire ISO 13485 internal audit?
Yes, provided that person does not audit their own work and is demonstrably competent per clause 6.2. For small organizations, a single trained auditor conducting the full QMS audit is acceptable. However, for objectivity and training purposes, a team approach is preferable when resources allow.
What happens if an internal audit finds a major nonconformity?
A major nonconformity must be documented, reported to relevant management, and addressed through a formal CAPA per clause 8.5.2. The CAPA must include root cause analysis, corrective action, implementation evidence, and effectiveness verification. If the same issue is found during a certification audit, it can delay or prevent certification.
How is an ISO 13485 internal audit different from a supplier audit?
An internal audit (clause 8.2.4) evaluates your own QMS against ISO 13485 requirements. A supplier audit (clause 7.4) evaluates a vendor's quality system or processes against your requirements and applicable standards. The methodology is similar (ISO 19011 principles apply to both), but the scope, criteria, and records are managed separately.
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.