Planning an audit: Internal audit checklist

Planning an audit - internal audit checklist blog post feature image

Effective planning is a cornerstone of any successful internal audit, and one essential tool that auditors often rely on is the internal audit checklist 

This article breaks down what an audit checklist is, if it is required, as well as best practices for using internal audit checklists and tips for avoiding common pitfalls. 

The video above is an extract from medical device industry expert Peter Sebelius’ online course on ISO 13485 and internal auditing. 

What is an internal audit checklist?

An audit checklist is a list of requirements from the standard followed by questions that are applicable to each requirement, and then a column where the auditor can make notes of audit findings, documents, and records.  

The checklist can be used when preparing for an audit and while conducting the audit activities.  

Audit checklists have various names, such as audit checklist, internal audit checklist, or ISO 13485 audit checklist, depending on its specific purpose and the standards it addresses.  

In the case of ISO 13485, the checklist is tailored to meet the requirements of this standard, which focuses on quality management systems for medical devices. The checklist can be adapted to portions of the standard or the whole standard, depending on the scope of the audit. 

Internal audit checklist ISO 13485

Are you required to have an audit checklist?

The short answer is: no.  

The audit checklist is not a required document or tool. It is used by the auditor as an internal working document to: 

  • aid in asking relevant questions while conducting the audit activities,  
  • ensure coverage of relevant processes and associated requirements according to the audit plan, and
  • support note taking relating to audit evidence and audit findings with reference to the different audit criteria in the standard.  

The audit checklist should not be shared with the auditee. 

Many organisations, however, are not aware of the fact that the audit checklist is a voluntary document.  

Case study

In one organisation’s quality management system (QMS), internal audit checklists were treated as controlled documents that needed to be regularly updated as part of the company’s internal audit process. These checklists, typically numbering between 10–15 pages, were revised annually by the regulatory affairs department.

For a beginner auditor, this approach presented two main challenges. The auditor was required to use checklists prepared by someone else, limiting their ability to adapt the tool to the specific needs of the audit.

Additionally, the checklists were often complex, comprising excerpts from regulations and standards that were difficult to interpret and apply in practice.

Despite these limitations, the checklists were mandatory for use during audits, even though there were doubts about their accuracy and whether they were truly up to date. Always check your organisation’s internal processes and procedures since these can vary significantly from one company to another.

Audit checklists help inexperienced auditors ask better questions

An audit checklist can provide well-formulated questions that an auditor can use to interview the auditee for each requirement in the standard. If you are an inexperienced auditor, it can be difficult to come up with relevant questions on the fly. However, if the questions have been prepared in an orderly fashion in advance, it improves the quality of the questions asked. 

This structured approach not only ensures consistency but also helps build confidence for auditors who may feel overwhelmed by the scope of the audit. By having a reliable framework to guide the discussion, auditors can focus on analysing responses and identifying potential areas of concern. 

Audit checklists ensure coverage of all the requirements

An audit checklist also ensures that the internal audit process covers of all requirements. Even if you are only covering a part of ISO 13485, for example subclause 7.3, following an ISO 13485 audit checklist can ensure that all the requirements are addressed. 

This thoroughness reduces the risk of missing critical elements that could lead to nonconformities or compliance issues. Additionally, it provides a clear record of the areas reviewed, which can be useful for internal reporting and follow-up actions. 

An audit checklist is a helpful tool when planning an audit

An internal audit checklist can be used when reviewing documented information before conducting the audit activities. As you read up on the auditee’s procedures and documents before completing the audit plan, you can note down any questions or things you want to investigate when conducting the audit activities directly in the audit checklist. 

This proactive approach allows auditors to identify potential gaps or inconsistencies when reviewing documentation. By organising the observations made when conducting the audit activities, auditors can streamline the audit process and maximise efficiency during on-site evaluations. 

Tick box exercise with audit checklists

An auditor who leans too much on the audit checklist risks becoming too rigid in the process, meaning that the audit can become a tick box exercise rather than an exploration of areas that need deeper investigation.  

Allow yourself to take detours or dig deeper into other areas, as you deem necessary during the audit. 

Flexibility in your approach is key to uncovering potential nonconformities that may not be immediately evident within the checklist’s scope. While the checklist provides structure, an open-minded approach allows auditors to identify underlying issues that may not fit neatly into predefined categories but are nonetheless crucial for showing conformity to the audit criteria. 

Be aware of the risk of tunnel vision when using an audit checklist

One important thing to look out for as an auditor is the risk for getting tunnel vision. An example of this is if the auditor asks for a documented procedure related to design and development. The auditee presents the procedure for design and development, and the auditor ticks the box and say that there is one. 

However, as the auditor is preoccupied with subclause 7.3 on the audit checklist, he or she does not react to the fact that the design and development procedure does not conform to document control requirements at all, which would be found in subclause 4.2.4 in the checklist.  

The better you know the ISO 13485 standard, the greater your ability to identify nonconformities outside the clause that you currently work with will be. 

Use the internal audit checklist as inspiration or help with some initial questions when you start auditing a new area but do not get stuck in the outline of the audit checklist, because you are almost guaranteed to miss things.  

Would you like to know more about internal auditing?

Develop the necessary skills to conduct 1st and 2nd party audits according to ISO 13485 in Peter Sebelius’ online Internal Auditor Training course.

In this course, auditors and anyone on the receiving end of an audit will get a walkthrough of the audit process, from opening meeting to preparing the audit report. The second part of the course teaches course participants to interpret the requirements of the ISO 13485 standard.

Peter Sebelius instructor

Peter Sebelius

Peter Sebelius is a highly esteemed trainer, consultant and entrepreneur in the medical device industry. He is a member of the Joint Working Group that is revising the ISO 13485 and ISO 14971 standards.

He has vast ‘hands on’ experience, having developed, amongst other things, a mechanical chest compression device and an ex vivo perfusion machine for lungs. He has received numerous awards including the Great Design Award and the title “This year’s specialist” by Veckans affärer.

Receive FREE templates and quarterly updates on upcoming courses that can help you in your career! Subscribe to our newsletter now.

When you submit this form, you will be sending personal information to medicaldevicehq.com. To comply with GDPR requirements, we need your consent to store and use the personal data you submit. Take a look at our Privacy policy for more details.

MedicalDeviceHQ Menu logo
Categories
Table of contents

Get in touch to receive proposal for customised training

When you submit this form, your personal data will be processed in accordance with our privacy policy.

New Process validation for medical devices course!

Special launch offer: 349 299 EUR for the online plan & 449 349 EUR for the online lifetime plan.