It was nothing more than a checklist that saved $175 million and 1,500 lives.
Professional surgeon and public health researcher Atul Gawande reported, in a now-famous article for The New Yorker, that the simple act of requiring doctors to use checklists as they did their rounds helped one hospital system drop its quarterly infection rate to zero. Hospitals across the region saved millions of dollars and thousands of lives, all because of a simple checklist.
The lesson here applies across industries, particularly for the medical device industry. If you want your product and processes to be efficient, effective, and accurate, the checklist is the tool to use.
There are few times when efficiency, effectiveness, and accuracy are more important than during your internal audits. FDA and ISO require medical device companies to conduct internal audits, although the quality of these audits can vary widely.
This guide will provide the ultimate internal audit checklist you can begin using today to ensure every system, process, and operation associated with your device is performing at its best.
Internal audits are not a “nice to have” procedure. Both FDA and ISO require manufacturers to conduct regular internal audits. Before we continue, let’s review the language each uses.
FDA 21 CFR Part 820.22 states:
Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system. Quality audits shall be conducted by individuals who do not have direct responsibility for the matters being audited. Corrective action(s), including a reaudit of deficient matters, shall be taken when necessary. A report of the results of each quality audit, and reaudit(s) where taken, shall be made and such reports shall be reviewed by management having responsibility for the matters audited. The dates and results of quality audits and re-audits shall be documented.
In other words, manufacturers must conduct quality audits to ensure compliance. Internal auditors have to be objective and initiate corrective actions as necessary. Of course, all this needs to be documented and made available to the necessary stakeholders, too.
ISO 13485:2016 Section 8.2.4 Internal audit states:
The organization shall conduct internal audits at planned intervals to determine whether the quality management system: a) conforms to planned and documented arrangements, requirements of this International Standard, quality management system requirements established by the organization, and applicable regulatory requirements; b) is effectively implemented and maintained.
In other words, ISO, too, requires organizations to conduct internal audits. The goal, similar to FDA, is to determine compliance with ISO requirements and effective implementation of QMS best practices.
The quality management system standard for medical devices goes on to say that the audit program must take “into consideration the status and importance of the processes and area to be audited, as well as the results of previous audits” and requires companies to define and record the “audit criteria, scope, interval and methods.”
Without defining things like criteria, scope, interval, and methods—as ISO 13485:2016 outlines—the internal audit process can quickly go haywire.
We worked with one company that included an annual internal audit in their SOPs but realized in month eleven that they hadn’t followed their own requirement. They had to scramble and hire an external consultant who could only make judgments from afar. The company learned nothing and gained little more than a check mark from the audit.
You can do better.
Determining the scope of your internal audit will give it the best chance of success. With a plan in mind, you can turn internal audits—something most quality managers lose sleep over—into an opportunity for company-wide improvement.
The scope of your internal audit is a combination of your timeline and your checklist. Your timeline determines when you perform internal audits, and the checklist determines what you do during those audits.
The timeline for your internal audits will vary depending on several factors. A modern QMS solution like Greenlight Guru with specific audit management workflows can expedite the overall audit prep time and improve audit outcomes.
Your internal audit timeline will also vary based on the markets your device is entering. Different regulations will apply, and different timing will be necessary.
ISO audits, for instance, usually occur before your device enters a market. It’s best to do your internal audits as early as possible so you can get ahead of ISO audits. FDA inspections occur after a device passes the review process and is ready for market launch. Conduct internal audits as you prepare your device submissions to FDA so you’re ready in the event of an FDA inspection.
The checklist for your internal audits will ensure that your internal audits are comprehensive—not so short that they miss things and not so long that they become burdensome.
Separate your checklist by section, and make sure that each item complies with its applicable regulation. Verify the standard during the audit, including listing procedures and their associated records.
The goal of an external auditor isn’t to focus on individual requirements; it is to determine the overall effectiveness of your QMS. As such, you should ensure that during your internal audit, you don’t lose the forest for the trees.
Write your internal audit checklist from the perspective of an external auditor. Be stricter than the auditor and you’ll pass easily when the actual external auditor comes.
The management section of your internal audit checklist is meant to verify that management reviews are being held in an effort to support and maintain an effective QMS.
Management tasks |
References |
|
|
ISO 13485:2016: 6.2, 8.2.4 |
FDA 21 CFR 820.22 |
|
ISO 13485:2016: 8.2.4 |
FDA 21 CFR 820.22 |
|
ISO 13485:2016: 4.1, 4.2.2 |
|
ISO 13485:2016: 4.1.3(a), 4.2.1(d), 8.4 |
ISO 13485:2016: 5.1(d), 5.6 |
FDA 21 CFR 820.5, |
|
ISO 13485:2016: 4.1.3(c), |
FDA 21 CFR 820.20(c) |
|
ISO 13485:2016: 5.6.2 |
|
|
ISO 13485:2016: 4.1.2(a), |
FDA 21 CFR 820.5, |
|
ISO 13485:2016: 4.2.1(d), |
FDA 21 CFR 820.20(d) |
|
ISO 13485:2016: 5.4.2 |
FDA 21 CFR 820.20(a), (d) |
|
ISO 13485:2016: 4.2.1(a), |
FDA 21 CFR 820.20(a), (d) |
|
ISO 13485:2016: 4.2, 8.2.4 |
|
|
ISO 13485:2016: 4.1.3(c), |
FDA 21 CFR 820.22 |
|
ISO 13485:2016: 8.2.4 |
|
|
ISO 13485:2016: 4.1.3(b), |
|
|
ISO 13485:2016: 5.1, 5.5.1, |
FDA 21 CFR 820.20(b)(3), |
|
ISO 13485:2016: 5.1(e), |
FDA 21 CFR 820.5(b)(1)-(2), |
|
ISO 13485:2016: 6.2 |
FDA 21 CFR 820.25(b) |
|
ISO 13485:2016: 5.1(a), 5.2, 5.5.3 |
The second check box above asks you to confirm that objective parties conduct your audits. In a big company, that means pulling in someone who can do audits but wasn’t responsible for the components they’re auditing. In smaller companies, that is more difficult to do.
Objectivity can be difficult in a company with only four or five people and perhaps one person in charge of quality. That’s why the management section also covers training. Training can break down silos and encourage the spread of knowledge.
The end result is that other staff, now objective and capable parties, can help conduct audits. Staff can pursue training from the American Society for Quality or get a Regulatory Affairs Certification (RAC).
The design and development section of your internal audit checklist helps you verify that your company controls the design and development processes. The goal is to ensure that your company can produce medical devices that meet user needs as well as align with the intended uses and specified requirements you defined.
External auditors will take a risk-based approach, and because of that, the components in this section will receive extra scrutiny. Auditors will focus on the aspects of these processes that are most likely to affect the safe performance of your medical devices.
As such, this is a section that might warrant special audits. Special audits focus directly on the most sensitive, important parts of your QMS, such as design control, validations, and risk management.
Design and Development tasks |
References |
|
|
ISO 13485:2016: 7.1, 7.3 |
FDA 21 CFR 820.30(a) |
|
ISO 13485:2016: 7.3 |
FDA 21 CFR 820.30(a) - (j) |
|
ISO 13485:2016: 7.3.2 |
FDA 21 CFR 820.30 |
External auditors will select a design project to focus on. Auditors can’t review every single record. Auditors use samples to get a granular perspective on one aspect of your company so that they can extrapolate the conclusions for application to other aspects.
Similarly, your internal audit should involve the selection of a design project that you can home in on, using items on the checklist below. To select a good candidate for a design project, find one that contains software, take a single product focus, choose candidates from a risk-based perspective, and prioritize candidates that had problems or generated complaints.
Design and Development tasks |
References |
|
|
ISO 13485:2016: 7.3.2 |
FDA 21 CFR 820.30(b) |
ISO 13485:2016: 7.3.2 |
FDA 21 CFR 820.30(b) |
|
|
ISO 13485:2016: 7.2.1, 7.3.3 |
FDA 21 CFR 820.30(c) |
|
ISO 13485:2016: 7.3.3 |
FDA 21 CFR 820.30(c) |
|
ISO 13485:2016: 7.3.4(a), |
FDA 21 CFR 820.30(d) |
|
ISO 13485:2016: 7.3.4(b) |
FDA 21 CFR 820.30(d) |
|
ISO 13485:2016: 7.3.4(d) |
FDA 21 CFR 820.30(d) |
|
ISO 13485:2016: 7.3.4(c), |
FDA 21 CFR 820.30(d) & (f) |
ISO 13485:2016: 7.3.6 |
FDA 21 CFR 820.30(f) |
|
|
ISO 13485:2016: 7.3.7 |
FDA 21 CFR 820.30(g) |
ISO 13485:2016: 7.3.7 |
FDA 21 CFR 820.30(g) |
|
ISO 13485:2016: 7.3.7 |
FDA 21 CFR 820.30(g) |
|
ISO 13485:2016: 7.3.2, 7.3.7 |
||
ISO 13485:2016: 7.3.7 |
FDA 21 CFR | |
|
ISO 13485:2016: 7.1; |
FDA 21 CFR 820.30(g) |
ISO 13485:2016: 7.3.2, |
||
ISO 13485:2016: 7.3.2, |
||
ISO 13485:2016: 7.2.2, |
FDA 21 CFR 820.30(e) |
|
ISO 13485:2016: 7.3.2, |
FDA 21 CFR 820.30(e) |
|
ISO 13485:2016: 7.3.2, |
FDA 21 CFR 820.30(h) |
|
|
ISO 13485:2016: 7.3.10 |
FDA 21 CFR 820.30(b) - (j) |
The design and development section links out to numerous other sections and items. The output of your product design, for instance, will be an input to production. Due to these links, design and development is one of the most likely components to have gaps. As part of your internal audit, perform a gap analysis, and document any gaps found in your audit report.
Keep in mind that you have to check not only the components of each section but also the links between them. No section has more numerous links than design and development.
The production and process controls section of your internal audit checklist helps you verify that your company has production and process controls that will produce products that meet specifications. Auditing will include your testing processes, your infrastructure, your facilities, your equipment, and your supplier management processes.
Production and Process Controls tasks |
References |
|
|
ISO 13485:2016: 7.1; ISO 14971 |
FDA 21 CFR 820.70 |
|
refer to ISO 13485:2016: 7.1 |
|
|
ISO 13485:2016: 7.1, 7.4.2 |
FDA 21 CFR 820.50(a) |
|
ISO 13485:2016: 7.4.1 |
FDA 21 CFR 820.50(a)(3) |
|
ISO 13485:2016: 7.4 |
FDA 21 CFR 820.40, 820.50(a)(3), (b) |
|
ISO 13485:2016: 7.5.8, 7.5.9 |
FDA 21 CFR 820.60 |
|
ISO 13485:2016: 7.5.9 |
FDA 21 CFR 820.65 |
Similar to the design and development section, external auditors will select a specific process to review in greater depth. Internal auditors should do the same.
Production and Process Controls tasks |
References |
|
|
ISO 13485:2016: 7.5, 7.6, 8.2.5, 8.2.6, 8.4 |
FDA 21 CFR 820.50, 820.70(a), 802.70(e), 820.70(f)- (h), 820.72, 820.75(b), 820.80 |
|
ISO 13485:2016: 7.5 |
FDA 21 CFR 820.70(g)(3), 820.72(a), 820.70(g)(1) |
|
ISO 13485:2016: 7.6, 8.4 |
FDA 21 CFR 820.50(a)(2), 820.72 |
|
ISO 13485:2016: 7.3.9, 7.5.6 |
|
|
ISO 13485:2016: 8.3 |
FDA 21 CFR 820.70 |
|
ISO 13485:2016: 8.3 |
|
|
ISO 13485:2016: 7.5.6 |
FDA 21 CFR 820.75(a) |
|
ISO 13485:2016: 7.5.6 |
FDA 21 CFR 820.70(i) |
|
ISO 13485:2016: 7.5.6 |
FDA 21 CFR 820.75(b)(1) |
|
ISO 13485:2016: 6.2 |
FDA 21 CFR 820.20(b)(2), 820.25, 820.70, 820.70(d), 820.75(b)(1) |
|
ISO 13485:2016: 7.1, 8.4 |
FDA 21 CFR 820.75(b)(2) |
|
ISO 13485:2016: 4.1, 4.2 |
FDA 21 CFR 820.20, 820.25, 820.30, 820.40, 820.72, 820.90, 820.100, 820.180 |
|
ISO 13485:2016: 6.3, 6.4 |
FDA 21 CFR 820.70(c), (f), (g) |
|
ISO 13485:2016: 6.3, 7.5.1, 7.5.6, 7.6 |
FDA 21 CFR 820.70(g) |
|
ISO 13485:2016: 6.4.2, 7.5.2 |
FDA 21 CFR 820.70(e) |
|
ISO 13485:2016: 7.4.3, 8.4 |
FDA 21 CFR 820.50(a)(2), 820.80(b) |
|
ISO 13485:2016: 7.5.11, 8.4 |
FDA 21 CFR 820.80(a) - (d) |
|
ISO 13485:2016: 8.4 |
FDA 21 CFR 820.80(e) |
|
ISO 13485:2016: 7.1, 8.2.6 |
FDA 21 CFR 820.86 |
|
ISO 13485:2016: 7.5.11 |
FDA 21 CFR 820.120 |
|
ISO 13485:2016: 7.5.11 |
FDA 21 CFR 820.130 |
|
ISO 13485:2016: 7.5.11 |
|
|
ISO 13485:2016: 4.2.3, 7.1, 7.5.8, 7.5.9.2, 7.5.11 |
FDA 21 CFR 820.160 |
|
ISO 13485:2016: 7.5.3 |
FDA 21 CFR 820.170 |
|
ISO 13485:2016: 7.5.4 |
FDA 21 CFR 820.200 |
|
ISO 13485:2016: 7.5.10 |
The production and process controls section is good to do early in the internal audit process. If you audit your warehouse near the beginning of your audit, you can select samples that you’ll use in other sections.
Auditing production and process controls early also enables you to better audit traceability. You can trace both forward and backward, from production to inputs or from production to outputs.
The corrective and preventive actions (CAPA) section of your internal audit checklist helps you verify that your QMS is self-regulated.
Your company must be collecting and analyzing information so that you can identify and investigate problems and determine whether corrective and preventive actions are necessary and what those actions might look like.
CAPA tasks |
References |
|
|
ISO 13485:2016: 4.1, 4.2, 8.5 |
FDA 21 CFR 820.100(a) |
|
ISO 13485:2016: 8.3, 8.5 |
FDA 21 CFR 820.90(a), 820.100(a)(2) |
|
ISO 13485:2016: 8.3, 8 |
FDA 21 CFR 820.90(b)(1) |
|
ISO 13485:2016: 8.3, 8.5 |
FDA 21 CFR 820.90(b)(2) |
|
ISO 13485:2016: 8.3, 8.5 |
FDA 21 CFR 820.100(a)(1) |
|
ISO 13485:2016: 8.1, 8.2.5, 8.4, 8.5 |
FDA 21 CFR 820.100(a)(1), 820.250 |
|
ISO 13485:2016: 8.4, 8.5 |
FDA 21 CFR 820.100(a)(1) |
|
ISO 13485:2016: 8.1, 8.2.5, 8.4 |
FDA 21 CFR 820.100(a)(1), 820.250 |
|
ISO 13485:2016: 8.3, 8.5 |
FDA 21 CFR 820.100(a)(2) |
|
ISO 13485:2016: 8.3, 8.5 |
FDA 21 CFR 820.100(a)(2), 820.90(b) |
|
ISO 13485:2016: 8.3 |
FDA 21 CFR 820.90(b) |
|
ISO 13485:2016: 8.2.5, 8.5.2, 8.5.3 |
FDA 21 CFR 820.100(a)(3), 820.100(a)(5); 820.100(a)(4), 820.100(b) |
|
ISO 13485:2016: 8.5 |
FDA 21 CFR 820.100(a)(4), 820.100(a)(5), 820.100(b) |
|
ISO 13485:2016: 8.3, 8.5 |
FDA 21 CFR 820.100(a)(6) |
|
ISO 13485:2016: 5.6.3, 8.3, 8.5 |
FDA 21 CFR 820.100(a)(6), 820.100(a)(7) |
|
ISO 13485:2016: 7.2.3, 8.2.1, 8.2.2, 8.2.3 |
One of the most common mistakes we see companies make as they conduct internal audits is logging every issue as needing CAPA. An issue found in your audit doesn’t necessarily need to lead to CAPA. We’ve written before, in our Ultimate Guide to CAPA for Medical Devices, that CAPA is best for systemic issues.
You have (or should have) complaint handling procedures in place to deal with complaints and nonconformances; many of the issues your internal audit uncovers will be lesser and will need those procedures instead of CAPA.
Additionally, think of your internal audit as one part of your quality system. If your audit uncovers a nonconformance, you needn’t immediately trigger a CAPA. You can instead trigger a request for more records to help you figure out the extent of the nonconformance. You can then include the severity of the nonconformance in your audit report. If the same nonconformance recurs or worsens, you can then trigger CAPA.
The CAPA section is another area of your QMS that you can subject to a specialized audit. After your initial internal audit, you can conduct a specialized audit that focuses on whatever was affected by the nonconformance you discovered. You can then verify how effective your CAPA was in correcting and preventing that nonconformance.
The purchasing controls section of your internal audit checklist helps you verify that the processes you have in place to check the products, materials, and services that your suppliers offer are effective and compliant.
The purchasing controls section is important for all medical device companies but is especially important for those that outsource design and development or production.
Purchasing Controls tasks |
References |
|
|
ISO 13485:2016: 7.4.1 |
FDA 21 CFR 820.50 |
|
ISO 13485:2016: 7.4.1 |
FDA 21 CFR 820.50(a)(1) |
|
ISO 13485:2016: 7.4.2 |
FDA 21 CFR 820.50(b) |
|
ISO 13485:2016: 7.4.2 |
FDA 21 CFR 820.50 |
|
ISO 13485:2016: 7.4.1 |
FDA 21 CFR 820.50(a)(3) |
|
ISO 13485:2016: 7.4.3 |
FDA 21 CFR 820.50(a)(2), 820.80(a), 820.80(b) |
The purchasing controls section of your internal audits is the section that can vary the most in terms of timeline. Depending on how many processes you outsource and how important they are, external auditors can spend up to a fifth of their time auditing processes from this section.
Purchasing controls can be particularly time-consuming because auditors will need to gather information from every outsourced partner, meaning communication is inherently and inevitably delayed.
Make sure your internal audit spends a similar amount of time so your level of scrutiny matches or exceeds that of an external auditor.
The documentation and records section of your internal audit checklist helps you verify that your company can control documentation and make records available to staff and to auditors.
Documentation and Records tasks |
References |
|
|
ISO 13485:2016: 4.2.4, 4.2.5 |
|
|
ISO 13485:2016: 4.2.4 |
FDA 21 CFR 820.40 |
|
ISO 13485:2016: 4.2.4(e), 4.2.5 |
|
|
ISO 13485:2016: 4.2.4(f)
|
|
ISO 13485:2016: 4.2.1(c), (e) |
||
|
ISO 13485:2016: 4.2.1, 4.2.4, 4.2.5 |
FDA 21 CFR 820.100(b), 820.180(b), 820.181, 820.184, 820.186, 820.198(a), 820.200(d) |
|
ISO 13485:2016: 4.2.4, 7.3.9 |
FDA 21 CFR 820.40(b) |
|
ISO 13485:2016: 7.3.9 |
FDA 21 CFR 820.40(b) |
|
ISO 13485:2016: 4.2.4(d), (h) |
FDA 21 CFR 820.40(a) |
|
ISO 13485:2016: 4.2.1 |
FDA 21 CFR 820.181 |
|
ISO 13485:2016: 4.2.1 |
FDA 21 CFR 820.181(a) - (e) |
|
ISO 13485:2016: 7.1, 8.2.6 |
FDA 21 CFR 820.184 |
|
ISO 13485:2016: 8.2.6 |
FDA 21 CFR 820.184(a) - (f) |
|
ISO 13485:2016: 6.2(e) |
|
|
ISO 13485:2016: 7.4.1, 7.4.3 |
FDA 21 CFR 820.50 |
|
ISO 13485:2016: 7.5.5, 7.5.7 |
As you audit documentation and records, document the specific reports and files that you reviewed.
Also, unlike the production and process controls section, which is good to do early, the documentation and records section is good to do later or last. This makes it easier for you to follow up on components that you uncovered as you went through other sections of the audit.
The customer-related processes section of your internal audit checklist helps you verify that your company is handling customer-related processes compliantly.
Customer-related Processes tasks |
References |
|
|
ISO 13485:2016: 7.2.2 |
FDA 21 CFR 820.30(c), 820.30(d), 820.30(f), 820.30(g) |
|
ISO 13485:2016: 7.2.2
|
|
|
ISO 13485:2016: 7.2.3, 8.2.1 |
FDA 21 CFR 820.100(a)(1), 820.198 |
|
ISO 13485:2016: 7.2.3, 8.2.1 |
FDA 21 CFR 820.100(a)(1), 820.198 |
Take care to audit this section carefully. When an FDA auditor or ISO registrar shows up, they will almost certainly want to see how you manage complaints. In the past, a struggle to manage complaints has been one of the most common reasons companies receive warning letters.
The auditors are here. Your back stiffens, your lips purse, your teeth grit. Whether internal or external, it’s time to be on your best behavior, right?
Wrong. If your behavior changes when an auditor shows up, that’s a sign you’re not prepared. Your processes should be so effective that you can trust them when auditors arrive. Your SOPs should be so comprehensive that you run them the same way with or without auditors present. You should be ready at any time. After all, unannounced audits can happen at any time.
Internal audits, and an internal audit checklist, are your start. A good process turns what could be a procedural check mark into a valuable activity. To make internal audits even more valuable—and even easier to do—you need the best QMS solution that’s purpose-built to support them.
Modern QMS software like Greenlight Guru makes internal audits easy to accomplish and external audits easy to pass. Greenlight Guru comes with an audit workflow that helps internal auditors create schedules, assign due dates, determine section owners, and set reminders.
Etienne Nichols is the Head of Industry Insights & Education at Greenlight Guru. As a Mechanical Engineer and Medical Device Guru, he specializes in simplifying complex ideas, teaching system integration, and connecting industry leaders. While hosting the Global Medical Device Podcast, Etienne has led over 200...