ISO 13485 Audit – Medical Device QMS Compliance
This topic is part of the SG Systems Global regulatory & operations glossary.
Updated October 2025 • Medical Device QMS • QA, RA, Operations, Supply Chain, IT
An ISO 13485 audit is a structured, evidence-based assessment of a medical device manufacturer’s quality management system (QMS) against the requirements of ISO 13485 – Medical devices – Quality management systems – Requirements for regulatory purposes. It is not a “nice-to-have” paperwork review; it is a line-by-line test of how design, production, installation, and servicing are controlled in reality. Auditors expect traceability from procedures to records: design controls, risk management, production controls, sterilization, cleanliness, complaints, CAPA, and post-market surveillance must all be demonstrably implemented and effective.
“An ISO 13485 audit is where your QMS either proves it lives in the plant—or dies as a binder on a shelf.”
1) What an ISO 13485 Audit Actually Looks For
The core question is simple: Does your QMS meet ISO 13485 requirements and control patient risk across the device lifecycle? Auditors sample procedures and records to test:
- Whether QMS processes (document control, training, risk, design, purchasing, production, service, complaint handling) are defined, controlled, and followed.
- Whether device design and changes are documented, verified, validated, and risk-assessed before release.
- Whether production and process controls (including cleanliness, contamination control, sterilization where applicable) are planned, validated, and monitored.
- Whether traceability supports effective recalls and Device History Record (DHR) reconstruction for each batch or unit.
- Whether complaints, vigilance, and CAPA drive real improvements—not just paperwork.
The audit is evidence-driven: auditors go where the records and risks take them, not where your slide deck wants them to go.
2) Types of ISO 13485 Audit
ISO 13485 audits come in several flavors, each with different stakes and depth:
- Internal audit: Planned and executed by your organization (or an independent third party on your behalf) to verify QMS effectiveness, detect gaps, and feed Management Review and CAPA.
- Certification (initial) audit: Conducted by a certification body/registrar or notified body to grant initial ISO 13485 certification. Typically split into Stage 1 (readiness, documentation) and Stage 2 (implementation and effectiveness).
- Surveillance audit: Regular follow-up audits (often annually) to verify continued conformity and effectiveness.
- Re-certification audit: A deeper review (typically every three years) to renew the certificate, often closer in scope to an initial audit.
- Unannounced audit: In some jurisdictions and schemes (e.g., under EU MDR/IVDR and certain notified bodies), unannounced audits test real-time control and prevent “audit theater”.
Regardless of type, auditors expect a functioning, risk-based QMS—not a clean conference room and a set of polished SOPs that nobody follows on the shop floor.
3) Regulatory & Market Anchors
ISO 13485 is a QMS standard, not a regulation—but regulators lean on it. It aligns with, and is often used to support, compliance with:
- EU MDR/IVDR: ISO 13485 implementation is a de facto expectation for CE-marked devices.
- MDSAP (Medical Device Single Audit Program): Builds on ISO 13485 and layers in country-specific requirements (e.g., FDA, Health Canada, TGA).
- US FDA QMSR: FDA has moved to align 21 CFR 820 with ISO 13485 principles; your QMS needs to bridge both.
Your audit program should explicitly reference applicable regulations and standards in the quality manual, Quality Policy, and key procedures, and ensure data integrity principles (ALCOA(+)) are embedded in QMS records.
4) Audit Scope – QMS Processes & Technical Documentation
Auditors typically structure ISO 13485 audits around core process groups:
- Leadership & QMS governance: quality manual, quality policy, objectives, Management Review, organizational structure, and resourcing.
- Document control & training: controlled procedures, work instructions, forms, training records, and competence management (Training Matrix).
- Design & development: design planning, inputs, outputs, verification, validation (including software), design transfer, and change control.
- Risk management: risk files, FMEAs, ISO 14971 alignment, and linkage to design, production, and post-market controls.
- Purchasing & suppliers: supplier qualification, incoming inspection, outsourced processes, and quality agreements.
- Production & process controls: validated processes, device history, environmental control, cleanliness, equipment calibration and maintenance.
- Identification, traceability & UDI: labels, batch/serial traceability, UDI, electronic records, and recall readiness.
- Nonconforming product, complaints & CAPA: investigations, root cause, effectiveness checks, and trend analysis.
For complex or high-risk devices, auditors expect clean linkage between technical documentation, risk files, and real-world production controls.
5) Risk Management & Clinical Safety Linkage
ISO 13485 expects risk-based thinking; ISO 14971 makes it explicit. Auditors will test whether your risk management process is:
- Consistent from design through post-market surveillance.
- Documented and maintained in living risk files, not one-time spreadsheets.
- Linked to control measures in design, labeling, instructions for use, and production.
- Connected to complaint trending and field performance (e.g., through CAPA and Post-Market Surveillance).
If risk files don’t line up with what is actually built, tested, and released, you should expect nonconformities.
6) Data Integrity & Electronic Records
ISO 13485 references documented evidence, but in modern plants this evidence is overwhelmingly electronic. Auditors increasingly ask how you control:
- Electronic device history and batch records (eDHR, eBR).
- Access control, user management, and segregation of duties in QMS, MES, and ERP systems.
- Audit trail configuration and review (who changed what, when, and why).
- Electronic signatures and approvals (alignment with 21 CFR Part 11 and EU Annex 11 expectations).
- Backups, restore testing, and disaster recovery for critical systems.
Uncontrolled spreadsheets, shared logins, and missing audit trails are still among the fastest routes to serious findings.
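The audit trail questions above (who changed what, when, and why) can be turned into a repeatable internal-audit check rather than a manual scroll through an export. The script below is an added example, not code from the page or from any QMS product: it reviews a constructed audit-trail export for a missing change reason, actions recorded under a generic shared account, a user approving their own change, and one account active on two workstations within seconds (a shared-login indicator). The record layout, account names and the two-minute window are assumptions made for the illustration.

```python
"""Review an electronic audit trail for the attributes auditors ask about
(who, what, when, why) and for common data integrity gaps.

Added example: the record layout, account names and thresholds below are
constructed for illustration and are not taken from any real QMS or MES."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample rows, laid out as a QMS export might present them:
# event_id, record, user, workstation, timestamp, action, field, old, new, reason
SAMPLE_TRAIL = [
    ("1", "DHR-2025-0142", "jsmith", "WS-01", "2025-03-04T08:02:11", "edit",
     "fill_volume_ml", "10.0", "10.2", "Re-read after scale recalibration"),
    ("2", "DHR-2025-0142", "jsmith", "WS-01", "2025-03-04T08:03:40", "approve",
     "fill_volume_ml", "", "", "Second-person check"),
    ("3", "DHR-2025-0143", "operator", "WS-02", "2025-03-04T09:15:00", "edit",
     "seal_temp_c", "180", "185", "Adjusted per setup sheet"),
    ("4", "DHR-2025-0144", "mlee", "WS-03", "2025-03-04T09:20:05", "edit",
     "lot_status", "HOLD", "RELEASED", ""),
    ("5", "DHR-2025-0145", "mlee", "WS-07", "2025-03-04T09:20:30", "edit",
     "bioburden_cfu", "12", "9", "Transcription error"),
    ("6", "DHR-2025-0146", "akhan", "WS-04", "2025-03-04T10:00:00", "edit",
     "operator_note", "", "Line cleared", "Routine"),
]

GENERIC_ACCOUNTS = {"operator", "admin", "qa", "shared"}  # constructed list
CONCURRENCY_WINDOW = timedelta(minutes=2)  # assumed threshold for "same time"


@dataclass(frozen=True)
class Finding:
    event_id: str
    check: str
    detail: str


def review_audit_trail(rows):
    """Return a list of Finding objects; an empty list means nothing was flagged."""
    findings = []
    by_user = {}      # user -> [(timestamp, workstation, event_id)]
    last_editor = {}  # (record, field) -> user who last edited it
    for eid, record, user, ws, ts, action, field, old, new, reason in rows:
        # 'why': every change needs a documented reason.
        if action == "edit" and not reason.strip():
            findings.append(Finding(eid, "missing_reason",
                f"{user} changed {field} on {record} from {old!r} to {new!r} without a reason"))
        # 'who': a generic account cannot be attributed to a person.
        if user in GENERIC_ACCOUNTS:
            findings.append(Finding(eid, "generic_account",
                f"action on {record} recorded under shared account {user!r}"))
        # Segregation of duties: the editor of a field must not be its approver.
        key = (record, field)
        if action == "edit":
            last_editor[key] = user
        elif action == "approve" and last_editor.get(key) == user:
            findings.append(Finding(eid, "self_approval",
                f"{user} approved their own change to {field} on {record}"))
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), ws, eid))
    # Shared-login indicator: one account active on two workstations almost at once.
    for user, events in by_user.items():
        events.sort()
        for (t1, ws1, _), (t2, ws2, e2) in zip(events, events[1:]):
            if ws1 != ws2 and t2 - t1 <= CONCURRENCY_WINDOW:
                findings.append(Finding(e2, "concurrent_sessions",
                    f"{user} active on {ws1} and {ws2} within {(t2 - t1).seconds}s"))
    return findings


if __name__ == "__main__":
    for f in review_audit_trail(SAMPLE_TRAIL):
        print(f"event {f.event_id}: {f.check}: {f.detail}")
```

Run against the constructed rows it flags four events: the self-approval on event 2, the shared account on event 3, the reason-less status change on event 4, and the two-workstation activity on event 5. Each check maps to one of the bullet points above, so the output can be filed as objective evidence for the internal audit record.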
7) Supplier & Outsourced Process Controls
ISO 13485 puts heavy emphasis on control over suppliers and outsourced processes. Auditors will sample:
- Supplier qualification and monitoring records (Supplier Qualification).
- Quality agreements defining responsibilities, communication, and change notification.
- Incoming inspection and release criteria for purchased product.
- Evidence that outsourced sterilization, testing, contract manufacturing, or logistics are controlled and periodically assessed.
Your responsibility does not end at the loading dock; if a supplier failure could harm patients, expect auditors to go deep here.
8) The Evidence Pack – What Auditors Expect to See
A typical ISO 13485 audit trail touches:
- Quality manual and QMS process map.
- Controlled procedures for all major requirements (document control, training, design, risk, production, servicing, complaints, CAPA, internal audit).
- Design History Files (DHF) for sample products showing planning, inputs, outputs, verification, validation, and transfer.
- Risk management files and links to IFU, labeling, and production controls.
- Device history records (DHR) or eDHR extracts.
- Calibration and maintenance records for critical equipment.
- Supplier files, quality agreements, and incoming inspection records.
- Complaint investigations, CAPA, and trend analysis outputs.
- Internal audit reports and management review minutes, with follow-up actions closed.
The less scrambling you do to “assemble” this pack, the more credible your QMS will look.
9) Audit Planning & Logistics
Effective ISO 13485 audits are structured, not improvised. A typical plan includes:
- Defined scope, objectives, and criteria (including sites, processes, and product families).
- An audit program and schedule based on risk and past performance.
- Entrance meeting to confirm scope, timing, and logistics.
- Process-based audit routes (e.g., from order to shipment; from complaint to CAPA).
- Daily wrap-ups to share observations, potential nonconformities, and missing information.
- Exit meeting summarizing findings and next steps for responses and corrections.
For internal audits, using independent auditors and clear checklists helps avoid “we know it’s weak but we’ll fix it later” blind spots.
10) Common Nonconformities in ISO 13485 Audits
- Risk files not maintained: risk assessments created once and never updated when design or production changes.
- Design controls on paper only: poor evidence of design verification/validation, or weak traceability from requirements to tests.
- CAPA without effectiveness: repeat issues, superficial root cause, no verification that actions worked.
- Poor supplier control: approved supplier list not maintained; no real monitoring; expired certificates.
- Data integrity gaps: shared logins, uncontrolled spreadsheets, missing or unused audit trails.
- Weak internal audit program: audits too narrow, not risk-based, or findings not closed.
A pattern of repeat minor nonconformities can be as damaging as a single major—because it signals a weak culture of follow-through.
11) Internal Audits vs. Certification & Notified Body Audits
Internal audits are your chance to find problems first. Done properly, they should be at least as tough as external audits, and clearly documented with findings, risk ranking, and CAPA.
Certification / notified body audits focus on conformity and effectiveness from an independent standpoint. They will not fix your QMS for you; they will record what they see and expect you to respond. If your internal audit program doesn’t regularly identify nonconformities, auditors will question its credibility.
12) Surveillance & Re-Certification Cycles
Once certified, you are on a multi-year cycle:
- Initial certification (Stage 1 + Stage 2).
- Surveillance audits (e.g., annually) covering rotating slices of the QMS, often with focus on complaints, CAPA, and changes since last audit.
- Re-certification audit (e.g., every three years) with broader scope, similar to an initial audit.
Auditors use trends across audits—finding recurrence, CAPA effectiveness, complaint patterns—to judge if your QMS is genuinely improving or just patching holes before each visit.
13) Metrics That Show Audit Readiness
- Internal audit coverage: % of processes audited vs. plan; aging of open findings.
- CAPA effectiveness: recurrence of issues; % of CAPA closed on time with verified effectiveness.
- Complaint and field performance: trend of complaint rates, severity, and time to closure.
- Training compliance: on-time training rates for QMS-critical procedures and changes.
- Document control health: overdue reviews, obsolete procedures in use, untrained staff on new revisions.
If these metrics are out of control, your ISO 13485 audit will surface it—one way or another.
14) Digital QMS, MES & eDHR in ISO 13485 Audits
For device manufacturers using digital systems, auditors will expect consistent control between:
- QMS software: document control, CAPA, complaints, internal audits, training.
- MES / shop-floor systems: routing, in-process checks, electronic batch and device history records.
- ERP: materials, inventory, serials, and financial transactions.
- LIMS / lab systems: analytical data, stability, sterilization and bioburden testing.
Misalignment (e.g., one system showing different status than another) is a red flag and often leads to deeper data integrity questions.
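A cross-system reconciliation is the practical way to catch the misalignment described above before an auditor does. The script below is an added example, not part of the page or of any vendor's product: it takes constructed status snapshots from a QMS, an MES and an ERP, maps each system's own vocabulary onto one canonical lifecycle state, and reports every lot that is absent from a system or whose states disagree. The system names, status codes, lot numbers and the small table of states that may legitimately differ are all assumptions made for the illustration.

```python
"""Reconcile lot status across QMS, MES and ERP exports and report lots
whose status is not consistent across systems.

Added example: the status vocabularies, lot numbers and compatibility
table are constructed and not taken from any real product."""

# Each system uses its own vocabulary; map it onto one canonical state.
STATUS_MAP = {
    "qms": {"OPEN_DEVIATION": "hold", "QUARANTINE": "hold",
            "RELEASED": "released", "REJECTED": "rejected"},
    "mes": {"IN_PROCESS": "in_process", "COMPLETE_PENDING_QA": "hold",
            "RELEASED": "released", "SCRAPPED": "rejected"},
    "erp": {"QI": "hold", "UNRESTRICTED": "released",
            "SHIPPED": "shipped", "BLOCKED": "rejected"},
}

# Constructed snapshots of the three systems taken at the same moment.
QMS_EXPORT = {"L-1001": "RELEASED", "L-1002": "OPEN_DEVIATION",
              "L-1003": "RELEASED", "L-1004": "REJECTED"}
MES_EXPORT = {"L-1001": "RELEASED", "L-1002": "COMPLETE_PENDING_QA",
              "L-1003": "IN_PROCESS", "L-1004": "SCRAPPED", "L-1005": "IN_PROCESS"}
ERP_EXPORT = {"L-1001": "SHIPPED", "L-1002": "UNRESTRICTED",
              "L-1003": "QI", "L-1004": "BLOCKED"}

# Pairs of canonical states that may legitimately differ (assumed rules):
# a released lot may already be shipped, and a lot still in process is
# expected to sit in quality inspection in the ERP.
COMPATIBLE = {("released", "shipped"), ("in_process", "hold")}


def canonical(system, status):
    """Translate a system-specific status code; unmapped codes become 'unknown'."""
    return STATUS_MAP[system].get(status, "unknown")


def consistent(a, b):
    """Two canonical states agree if equal or explicitly allowed to differ."""
    return a == b or (a, b) in COMPATIBLE or (b, a) in COMPATIBLE


def reconcile(qms, mes, erp):
    """Return {lot: description} for every lot that is absent from a system
    or whose canonical state disagrees between any two systems."""
    exports = {"qms": qms, "mes": mes, "erp": erp}
    issues = {}
    for lot in sorted(set().union(*exports.values())):
        states = {name: canonical(name, data[lot])
                  for name, data in exports.items() if lot in data}
        conflicts = []
        names = list(states)
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if not consistent(states[a], states[b]):
                    conflicts.append(f"{a}={states[a]} vs {b}={states[b]}")
        missing = [name for name in exports if name not in states]
        if missing:
            conflicts.append("absent from " + ", ".join(missing))
        if conflicts:
            issues[lot] = "; ".join(conflicts)
    return issues


if __name__ == "__main__":
    for lot, why in reconcile(QMS_EXPORT, MES_EXPORT, ERP_EXPORT).items():
        print(f"{lot}: {why}")
```

On the constructed data three lots are flagged: L-1002 is unrestricted in the ERP while the QMS holds an open deviation, L-1003 was released in the QMS before the MES completed the run, and L-1005 exists only in the MES. Running such a check before every surveillance audit, and treating each hit as a potential data integrity finding, is cheaper than explaining the discrepancy to an auditor.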
15) Preparing for the Next ISO 13485 Audit – Practical Steps
- Run risk-based internal audits that mirror the structure and sampling techniques of certification audits.
- Perform a focused review of complaints, CAPA, and post-market surveillance in the 12–18 months before the audit.
- Walk through end-to-end scenarios (e.g., from design change to field complaint) to ensure records align.
- Check that training on key QMS procedures and recent changes is up to date and evidenced.
- Test your ability to reconstruct a DHR/eDHR quickly for any batch or device serial chosen by an auditor.
“We’ll find that later” is not a reassuring phrase in an audit. If you can’t pull it up during a dry run, you won’t magically find it on the day.
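The last preparation step, reconstructing a DHR for an arbitrary serial, is worth automating as a dry run. The script below is an added example and not code from the page or from any vendor: it assembles the record for one serial from constructed production events and flags the gaps an auditor would probe, namely a missing required step, an operator without a training record for that step, equipment used outside its calibration window, and a failed check with no nonconformance disposition. The step names, serials, equipment IDs, calibration dates and training matrix are all assumptions made for the illustration.

```python
"""Reconstruct a device history record (DHR) for one serial from event
logs and list the gaps an auditor would raise.

Added example: the steps, serials, equipment, calibration windows and
training matrix are constructed and not taken from any real system."""
from datetime import date

# Assumed routing: every serial must pass through these steps in order.
REQUIRED_STEPS = ["kitting", "assembly", "functional_test", "final_inspection", "packaging"]

# Constructed production events: serial, step, operator, equipment, date, result
EVENTS = [
    ("SN-0001", "kitting", "jsmith", None, "2025-02-10", "pass"),
    ("SN-0001", "assembly", "jsmith", "TORQUE-07", "2025-02-10", "pass"),
    ("SN-0001", "functional_test", "mlee", "TESTER-02", "2025-02-11", "pass"),
    ("SN-0001", "final_inspection", "akhan", None, "2025-02-11", "pass"),
    ("SN-0001", "packaging", "akhan", None, "2025-02-12", "pass"),
    ("SN-0002", "kitting", "jsmith", None, "2025-02-10", "pass"),
    ("SN-0002", "assembly", "jsmith", "TORQUE-07", "2025-02-13", "pass"),
    ("SN-0002", "functional_test", "mlee", "TESTER-02", "2025-02-13", "fail"),
    ("SN-0002", "packaging", "akhan", None, "2025-02-14", "pass"),
]
# Constructed calibration records: equipment -> (valid_from, valid_to)
CALIBRATION = {"TORQUE-07": ("2025-01-01", "2025-02-12"),
               "TESTER-02": ("2025-01-15", "2025-07-15")}
# Constructed training matrix: operator -> steps trained on the current revision
TRAINING = {"jsmith": {"kitting", "assembly"}, "mlee": {"functional_test"},
            "akhan": {"final_inspection", "packaging"}}
# Constructed nonconformance dispositions: (serial, step) -> disposition text
DISPOSITIONS = {}


def reconstruct_dhr(serial, events=EVENTS):
    """Assemble the DHR for one serial and return it with a list of gaps."""
    steps = {e[1]: e for e in events if e[0] == serial}
    gaps = [f"missing required step {s}" for s in REQUIRED_STEPS if s not in steps]
    for step, (_, _, operator, equipment, day, result) in steps.items():
        used_on = date.fromisoformat(day)
        # Competence: the operator must be trained on this step's procedure.
        if step not in TRAINING.get(operator, set()):
            gaps.append(f"{operator} has no training record for {step}")
        # Calibration: the equipment must have been in calibration on the day of use.
        if equipment is not None:
            window = CALIBRATION.get(equipment)
            if window is None:
                gaps.append(f"no calibration record for {equipment}")
            else:
                valid_from, valid_to = (date.fromisoformat(d) for d in window)
                if not valid_from <= used_on <= valid_to:
                    gaps.append(f"{equipment} used on {day} outside calibration "
                                f"window {window[0]} to {window[1]}")
        # Nonconforming product: a failed check needs a documented disposition.
        if result == "fail" and (serial, step) not in DISPOSITIONS:
            gaps.append(f"failed {step} has no nonconformance disposition")
    return {"serial": serial,
            "steps": [steps[s] for s in REQUIRED_STEPS if s in steps],
            "gaps": gaps}


if __name__ == "__main__":
    for sn in ("SN-0001", "SN-0002"):
        dhr = reconstruct_dhr(sn)
        print(sn, "gaps:", dhr["gaps"] or "none")
```

SN-0001 reconstructs cleanly; SN-0002 surfaces three gaps (no final inspection, a torque tool used the day after its calibration expired, and a failed functional test with no disposition), which is exactly the kind of chain an auditor follows from one sampled serial into calibration, training and nonconforming-product records. In a real plant the inputs would be pulled from the MES, calibration system and training matrix rather than embedded as literals.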
16) What Belongs in the ISO 13485 Audit Record
For each audit (internal or external), maintain a complete record including:
- Audit plan and scope.
- Checklist, notes, and objective evidence sampled.
- Nonconformities with clear assignment (clause, process, risk impact).
- Agreed corrective actions, owners, and due dates.
- Verification of effectiveness and closure.
- Inputs to Management Review and QMS improvements.
These records demonstrate not just conformity on the day, but a functioning feedback loop for continuous improvement.
17) How This Fits with V5 by SG Systems Global
Audit-ready QMS where production actually happens. The V5 platform connects QMS processes (document control, training, CAPA, internal audits) with shop-floor execution and electronic device history records. That means ISO 13485 evidence is generated in real time at the point of work, not rebuilt from spreadsheets before an audit.
Electronic DHR and traceability. V5 captures lot, batch, and serial data, operator actions, equipment status, and in-process checks into a structured eDHR. Auditors can follow a device from raw materials to shipment, with full traceability to audit trails, calibration, and training records.
Integrated CAPA, complaints, and risk. Findings from audits, nonconforming product, and complaints can raise CAPA directly in V5, linked to affected lots and customers. Risk controls and effectiveness checks are visible across production, warehouse, and quality teams.
Role-based training and access control. Documented procedures live under Document Control with effective-dating and e-signatures. V5 ensures only trained, authorized users can perform critical actions, aligning with ISO 13485 expectations for competence and data integrity.
Inspection-ready exports. During an ISO 13485 or MDSAP audit, V5 can generate read-only, time-stamped dossiers—DHR/eDHR extracts, audit trails, CAPA packages, and training summaries—so you don’t waste audit hours hunting for records across multiple systems.
Bottom line: V5 helps medical device manufacturers move from “collecting evidence at audit time” to “producing audit-ready records every day”, directly supporting ISO 13485 and related regulatory expectations.
18) FAQ
Q1. Is ISO 13485 certification mandatory?
Legally, ISO 13485 itself is a standard, not a law—but in many markets and for many customers it is effectively mandatory. Regulators and notified bodies strongly expect a QMS aligned to ISO 13485, and major customers often require certification as a condition of doing business.
Q2. Does ISO 13485 certification guarantee regulatory approval?
No. ISO 13485 certification supports your regulatory submissions and ongoing compliance, but it does not replace product-specific requirements under MDR, IVDR, FDA, or other regulations. You still need device-level technical documentation, clinical evidence, and vigilance systems.
Q3. How often are ISO 13485 audits performed?
Typically you will have an initial certification audit (Stage 1 & 2), annual surveillance audits, and a broader re-certification audit every three years, plus internal audits according to your own risk-based audit program.
Q4. What happens if we get a major nonconformity?
You must implement corrective action within an agreed timeframe and demonstrate effectiveness. Serious or unaddressed issues can lead to suspension or withdrawal of certification, and regulators may be informed under certain schemes (e.g., MDSAP).
Q5. Can we rely on suppliers’ ISO 13485 certificates?
Supplier certification helps, but it does not replace your responsibility. You must still define requirements, approve suppliers, and verify that purchased product and outsourced processes meet your needs and protect patient safety.
Q6. How can digital systems like V5 help with ISO 13485 audits?
Digital systems centralize QMS, production, and traceability records; enforce training and access control; provide audit trails; and generate structured DHR/eDHR and CAPA summaries. That reduces manual work, closes data integrity gaps, and makes audits faster and less risky.