Becoming a certified internal auditor in the medical device industry requires a combination of technical knowledge, practical skills, and personal attributes.
This article outlines the key competencies necessary for internal auditing, the importance of training and certification, and offers guidance on selecting the right courses to become a certified internal auditor.
Internal auditor competence
The most important principle relating to the competence of auditors is that you should be competent enough to achieve the intended results of the audits you conduct.
Competence is defined in the ISO 9000 standard as:
the ability to apply knowledge and skills to achieve intended results.
The ISO 19011 standard on auditing includes no fewer than six pages relating to the competence and evaluation of auditors, which shows that auditor competence is important. A lot can be done to ensure that auditors are competent, such as taking a course on auditing with ISO 13485 as audit criteria.

ISO 13485 has a subclause related to human resources. It states that personnel performing work affecting product quality shall be competent based on appropriate education, training, skills, and experience. This is a good summary of the six pages relating to auditor competence in ISO 19011.
Please note, it is easy to believe that the term “affecting product quality” in the clause above limits its applicability to people directly involved in development and production. However, it is much broader than that and most certainly includes auditors.
Is internal auditor certification a requirement?
When auditing medical device organisations, there are three areas where third-party auditors typically look for records of training that go beyond reading and understanding company internal procedures. They are:
- Risk management and ISO 14971
- Internal auditing and ISO 19011
- Person responsible for regulatory compliance (PRRC) – For EU markets
In these areas, auditors typically look for proper course certificates as evidence of the relevant competence.
Internal auditor certification
When selecting training, the most important considerations should be:
- The course achieves the competence you need.
- The supplier providing the training can be approved as a supplier.

Is training course accreditation a requirement?
Internal auditor training does not have to be accredited for the course certificate to be an appropriate record of competence in internal auditing when being audited by notified bodies. Neither does the accreditation guarantee that you achieve the necessary competence.
Those who provide accreditation for training courses and those who have accredited their courses will promote accreditation as very important. Still, internal auditing does not hold any particular status that requires this training to be accredited. It is just like any other knowledge area within the medical device industry, such as:
- Usability engineering
- Risk management
- Medical Device Regulation
- Medical device software
Internal auditor course fees
It seems like three factors increase the cost of internal auditor training courses:
- The auditor course shares the brand with a notified body organisation.
- The course is accredited.
- The course is face-to-face.
Several organisations that act as notified bodies also provide training courses as a side hustle. In our customer research, the courses provided by large notified body organisations often get relatively bad feedback. Comments include “They are living off their brand” and “The course was very theoretical”.
Accreditation also drives the price up through accreditation fees. One customer reported that to achieve internal auditor certification, he would have to invest 3500 USD and another 3500 USD if he wanted to become a lead auditor.
Face-to-face courses also increase the course fees compared to online and hybrid or blended courses.
Typical course fees to achieve internal auditor certification are:
- BSI
- TÜV
- Advisera
- Batalas
What is a certified internal auditor?
The Institute of Internal Auditors is an organisation that provides certification for certified internal auditors. However, this certification is rarely sought after in the medical device industry.
It is more common for auditors to look for evidence of training on the ISO 19011 standard and on the area being audited, for example:
- ISO 13485
- MDR
- IVDR, or
- QMSR
Personal attributes as an internal auditor
Personal behaviour might be the most challenging area because it involves one’s personality or intellectual capacity.

The attributes that an auditor needs to possess are based on the audit principles of the ISO 19011 auditing guideline. They are:
- Ethical (fair, truthful, sincere, honest, and discreet)
- Open-minded (willing to consider alternative ideas or perspectives)
- Diplomatic (tactful in dealing with individuals)
- Observant (actively observing physical surroundings and activities)
- Perceptive (aware of and able to understand situations)
- Versatile (able to readily adapt to different situations)
- Tenacious (persistent and focused on achieving objectives)
- Decisive (able to reach timely conclusions based on logical reasoning and analysis)
- Self-reliant (able to act and function independently while interacting effectively with others)
- Able to act with fortitude (act responsibly and ethically, even though these actions may not always be popular and may sometimes result in disagreement or confrontation)
- Open to improvement (willing to learn from situations)
- Culturally sensitive (observant and respectful to the culture of the auditee)
- Collaborative (effectively interact with others, including audit team members and auditee’s personnel)
General and sector-specific competencies
As an auditor, you need to have knowledge and skills in the audit process, the audit principles behind the process, and management systems. This includes a general understanding of management systems and sector-specific knowledge.
An auditor must also understand the organisation’s context; otherwise, it will be very difficult to understand what’s being said and what’s happening during the audit.
An understanding of regulatory requirements is also essential. ISO 13485 refers to regulatory requirements in general; this could include, for example:
- The MDR,
- QSR,
- GDPR,
- HIPAA, or
- other applicable regulations.
You do not need to know these regulations fully when auditing with ISO 13485 as audit criteria, but you need basic knowledge of the applicable regulations.
Additional competencies when using remote auditing methods
If you conduct audits using remote auditing methods, then there are a few more skills and attributes that should be added to the list, namely:
- Comfortable using technology
- Patience
- Sensitive to digital data privacy
- Adaptable
Some of the knowledge and skills listed in this article can be attained through an internal auditor training course, whereas personal behaviour is more appropriate to learn from practice through workshops or with a mentor.
Would you like to know more about internal auditing?
Develop the necessary skills to conduct 1st and 2nd party audits according to ISO 13485 in Peter Sebelius’ online Internal Auditor Training course.
In this course, auditors and anyone on the receiving end of an audit will get a walkthrough of the audit process, from opening meeting to preparing the audit report. The second part of the course teaches course participants to interpret the requirements of the ISO 13485 standard.

Peter Sebelius
Peter Sebelius is a highly esteemed trainer, consultant and entrepreneur in the medical device industry. He is a member of the Joint Working Group that is revising the ISO 13485 and ISO 14971 standards.
He has vast ‘hands on’ experience, having developed, amongst other things, a mechanical chest compression device and an ex vivo perfusion machine for lungs. He has received numerous awards including the Great Design Award and the title “This year’s specialist” by Veckans affärer.