This article will provide an overview of the internal audit process in the medical device industry, covering essential audit terminology such as audit program, conformity and audit findings. Learn more about the overall audit process in this video extract from industry expert Peter Sebelius’ online course on ISO 13485 internal auditor training.
After reading this article, you will not only have a greater understanding of the audit process but also be better equipped to communicate using key terms in conjunction with planning and conducting an audit, as well as reporting the results.
An overview of the internal auditing process
The image below gives a high-level overview of the internal audit process, which consists of three main steps: preparing the audit, conducting the audit activities, and preparing and distributing the audit report.

Request an ISO 13485 internal audit
An audit will always start with a direct or indirect request for an audit to be performed. The organisation or person requesting the audit is the audit client. Essentially, there should always be someone who wants the audit to take place, and that is the audit client.
For example, the client for an audit to evaluate a supplier is likely the supplier quality assurance department. In a small company, the same person might even be the audit client and auditor at the same time.
The ISO 19011 formal definition of an audit is:
a systematic, independent, and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.
Prepare the audit and define objectives, scope, and criteria
The first step of preparing an ISO 13485 internal audit is to appoint an auditor. An auditor is the person who conducts the audit.
Appointing an auditor should be done by the individual responsible for the audit program, or the audit client if there isn’t an audit program.
The next step is to define or confirm the audit objectives, scope, and criteria. According to ISO 19011, the individual responsible for the audit program is also responsible for appointing the auditor and determining the audit objectives, scope, and criteria. However, the auditor may also be quite involved in this step.
Now, it’s time for the auditor to reach out to the auditee, which is the organisation, or parts thereof, being audited, to go over the details relating to the audit and get feedback from the auditee.

Determine if the audit is feasible before proceeding with an internal audit
Based on the communication with the auditee, the auditor will determine if the audit is feasible with reference to the audit objectives. If the auditor has reason to believe that there isn’t sufficient time to perform the audit, or the auditee is not cooperating, the audit can be deemed not feasible.
For a feasible ISO 13485 internal audit, the next step is to request access to quality documents from the auditee if they have not already been provided. For a small organisation, all the quality documents may be available to the auditor by accessing the internal quality management system and records. If the audit concerns a very large organisation or a supplier audit, the auditor may have to request the quality documents. Which quality documents are needed depends on the audit scope, but they will often include the auditee’s quality manual and any standard operating procedures (SOPs) that are relevant to the audit scope.
The auditor should read up on the documents and create an audit schedule and audit plan based on the information gathered so far and the quality documents.
The auditor and the auditee should then agree on the plan together. Any potential issues should be brought to the attention of the individual responsible for the audit program in the hopes of achieving a resolution.
The next step is to conduct the audit activities according to the agreed-upon plan.
Collect audit evidence as part of internal auditing
When conducting the audit activities, the auditor visits the auditee or starts engaging with the auditee (if remote auditing methods are used). This part of the audit begins with the opening meeting between the auditor and the auditee’s representatives, which typically takes 15 to 30 minutes.

After the meeting, it is time to review documents and records and to interview and observe people. Most people would refer to this as “conducting the audit”, but strictly speaking, according to ISO 19011, the term conducting the audit includes all of the steps: preparing the audit, conducting the audit activities, and preparing and distributing the audit report.
To use correct ISO 19011 audit terminology, this step is called collecting audit evidence.
Audit evidence is defined as:
records, statements of fact, or other information, which are relevant to the audit criteria and verifiable.
Examples of audit evidence are:
- documents and records,
- the absence of a particular document or record,
- observed behaviour of staff, or
- things that people said during the audit.
When the auditor collects evidence, he or she compares what the auditee should be doing according to the audit criteria with what the auditee is actually doing. Any documents and facts found when doing so are referred to as audit evidence.
It’s very important that audits are objective, and therefore, the audit evidence must be evaluated objectively against the audit criteria.
The term audit criteria is defined as:
a set of requirements used as a reference against which objective evidence is compared.
In this instance, the most apparent audit criteria are the requirements of the ISO 13485 standard, because the standard is the reference against which the auditee is compared when determining whether it fulfils the requirements. But audit criteria can also be other standards, norms, or even agreements between two organisations.
Naturally, audits vary in size and scope. The collection of audit evidence could involve two people (one auditor and one auditee) who spend half a day or a whole day collecting evidence. Or it could be a larger group of people who end up spending a week or two collecting evidence.
Whether an ISO 13485 internal audit is small and quick or large and time-consuming, the same process should be used.
Determine audit conclusions: nonconforming or conforming?
Once all the evidence has been collected, it is time to determine the audit conclusions. This is where the auditor (or audit team) gets his or her notes in order and draws conclusions from what has been observed, meaning, deciding what should be reported as nonconformities during the closing meeting.
A very common mistake is to think that an audit finding equals a nonconformity, meaning something is not the way it should be.
But according to the definition, the audit findings could either be that the auditee is conforming or not conforming to the audit criteria.
It is good practice to communicate nonconformities when they are found while collecting the audit evidence and determining audit findings. Ideally, there shouldn’t be any surprises during the closing meeting, which is the next step.
The closing meeting will often have the same participants attending as during the opening meeting. During this meeting, the auditor will present the results of the audit; namely, if there are any nonconformities and what they are.
Conformity is the fulfilment of a requirement, whereas nonconformity is the non-fulfilment of a requirement.
Please do not mix up the terms conformity/nonconformity and compliance/non-compliance. Note 3 to entry under the definition of audit findings in ISO 19011 states that audit criteria from statutory and regulatory requirements use the terms compliance or non-compliance. When referring to standards, the terms conforming or nonconforming should be used.
Preparing and distributing the audit report
After the closing meeting, the auditor leaves the audit site and works on completing and approving the audit report.
The audit report should be prepared as soon as possible, because it won’t be long until the auditor’s notes no longer make any sense even to the auditor himself/herself. When the report is ready, it should be sent to the individual responsible for the audit program, the audit client (if appropriate), and the auditee.

Now, the audit has formally been completed. However, the internal audit process doesn’t necessarily end when the audit does. If there were nonconformities, they should be followed up, and the auditee would implement corrections and corrective actions.
More than one internal audit is likely required to cover a whole system. Thus, there will be several audit plans, audits, and associated reports.

The audit program should document the overall plan for the audits. The definition of audit program is:
defined arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose.
Keep in mind that in most cases, there would only be one audit program but several audit plans.
To ensure the effectiveness and credibility of an internal audit, the appointed auditor must be competent and well-trained. According to ISO 19011, auditors should have the necessary knowledge, skills, and experience to perform audits objectively and reliably. This includes a deep understanding of audit principles, techniques, and applicable standards, such as ISO 13485. A good way of gaining the relevant competence and certification is to attend Medical Device HQ’s industry-trusted online course ISO 13485 Internal Auditor Training.
Would you like to know more about internal auditing?
Develop the necessary skills to conduct 1st and 2nd party audits according to ISO 13485 in Peter Sebelius’ online Internal Auditor Training course.
In this course, auditors and anyone on the receiving end of an audit will get a walkthrough of the audit process, from opening meeting to preparing the audit report. The second part of the course teaches course participants to interpret the requirements of the ISO 13485 standard.

Peter Sebelius
Peter Sebelius is a highly esteemed trainer, consultant and entrepreneur in the medical device industry. He is a member of the Joint Working Group that is revising the ISO 13485 and ISO 14971 standards.
He has vast hands-on experience, having developed, amongst other things, a mechanical chest compression device and an ex vivo perfusion machine for lungs. He has received numerous awards, including the Great Design Award and the title “This year’s specialist” by Veckans affärer.