ISO 13485 & MDR Knowledge base

Five main steps in the ISO 13485:2016 internal audit

Like many companies, you may view the internal audit process as one more necessary evil required for ISO 13485 certification and maintenance. Some think of it as a waste of time, merely duplicating the work of the certification body; others see it as a witch hunt, looking for mistakes (or trying to hide their own), or searching for someone to blame or discipline. In truth, the internal audit is neither of these things – at least, these are certainly not the intent.

Steps in the internal audit

The purpose of the internal audit is to examine your processes more closely and try to identify areas for improvement. As a process owner, it can be very helpful to step away for a moment and allow a second set of eyes to look for opportunities you may have missed. The goal is not to criticize, but rather to find ways to streamline processes so that they work more efficiently. So, without further ado, here are the five key steps in the internal audit process, plus tips for how to best use this process to the advantage of your company.

1) Plan and announce the audit schedule. Remember – the audit is not about surprising people so you can “catch them in the act” of doing something wrong. When you do that, top management sends a clear message that they don’t trust their employees, and in turn, employees may try to protect themselves by hiding data or giving false information. So, with this in mind, it is important to set up a clear audit schedule, and make sure that everyone knows when each process will be audited – even if it’s just a rough guideline to start. This shows a commitment from management to supporting employees in their efforts to improve their processes. It also allows those in charge of a process to finish up any improvements they are currently working on, so they can get a clear view of the impact of those changes; also, process owners may wish to make special requests for the auditor to look for particular information related to other planned improvements.

2) Plan the individual process audits. Now that everyone has an idea of when to expect an audit, you’ll need to plan and schedule (with more precision) the audits of each individual process. This allows both auditor and auditee to find a time that works for each, and a timeline that is comfortable. This is also a good time to go over previous audit reports to determine what follow-up might be needed, and to talk about any areas that either party would like to pay extra attention to. Taking the time to plan the audit well is the best way to make sure that both the company and the process owner will benefit from the audit process.

3) Conduct the audit. To begin, the auditor and process owner should meet to discuss the audit plan, and make sure it is complete and ready to go. Then, the auditor can go to work gathering the evidence they need to determine whether the process is functioning as it should, according to the Quality Management System, and if it is producing the desired results. This information can be gathered through analyzing key process data, reviewing records, talking with employees, or observing the process itself. During the process, it is valuable if the auditor can point out any areas that do not have sufficient evidence that they are functioning as expected, or any areas they notice that could be improved.

4) Report on the audit. Once the audit is complete, the auditor should hold a closing meeting with the process owner to communicate any findings right away, such as any weaknesses in the process, any particularly positive observations, or any areas that are functioning as expected, but that could be improved. Soon after, a written report should be provided as documentation.

5) Follow up on Issues or improvements. Of course, just like any other part of the QMS, follow-up is key to a successful audit. If problems were found, and corrective actions taken, it is critical to follow up and be sure that the problems were truly addressed. If improvement projects were implemented based on opportunities found during the audit, then gathering data to see just how much the process has improved will motivate employees and management to look for more opportunities for improvement.

Focus on process improvement to get the most value from the internal audit

You can choose to see the internal audit as a necessary evil for maintaining compliance – or, you can use the internal audit as a way to monitor and improve upon your company’s processes. As ISO 13485 places heavy emphasis on process improvement within the Quality Management System, this should be a key motivator for your company, too – not to mention the other benefits that go along with improvement, like improved efficiency in terms of costs and time. Allow your internal audit to bring value to your QMS, and to your company.

For a graphical representation of the implementation process, check out this free Diagram of ISO 13485:2016 Implementation Process.