Auditing a QMS According to ISO 13485

When considering obtaining an ISO 13485 certificate, developing and implementing a quality management system (QMS) is not the end of the road. Indeed, medical device manufacturers must first ensure that their QMS conforms to the specified requirements and is effectively implemented and maintained, i.e., conduct an audit. On the path towards ISO 13485 certification, manufacturers should undergo an internal audit and then an external certification audit. Hence, we have prepared this article to support manufacturers in understanding the auditing process toward ISO 13485 certification.


What is a QMS Audit?

The definition of audit in the context of QMS is provided in ISO 19011:2018 (Guidelines for auditing management systems), together with other essential definitions:

  • Audit: Systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.
  • Objective evidence: Data supporting the existence or verity of something.
  • Audit criteria: Set of requirements used as a reference against which objective evidence is compared.
  • Requirement: Need or expectation that is stated, generally implied, or obligatory.

Therefore, QMS audits objectively evaluate whether a management system complies with a pre-specified set of requirements.

In the EU medical device sector, QMS audits are conducted to ensure compliance with the requirements of certain ISO standards (13485, 14155, etc.), EU regulations (EU MDR 2017/745 and EU IVDR 2017/746), and local requirements (such as the manufacturing license in Spain).

The Audit Program, Audit Conduct and Auditors’ Competence

Audit programs establish the guidelines for auditing a QMS against specific objectives over a determined period (e.g., annually). Audit programs should define the roles and responsibilities of the persons managing the program and the competence they need.

Generally, auditors will prepare a specific plan for each audit within the program. The audit plan will describe the objectives, scope, and criteria that should align with the overall audit program objectives.

Below you can see the typical audit process and the most relevant activities.

The competence of the audit team is critical for the success of QMS audits. ISO 19011 clause 7 focuses on the competence and evaluation of auditors, covering personal behaviour, generic auditing knowledge and skills, and discipline- and sector-specific knowledge (the relevant management system standard, the industry sector and the applicable regulations), as well as the methods used to evaluate auditor competence.

When conducting an audit, auditors should keep in mind the principles of auditing:

  • Integrity
  • Fair presentation
  • Due professional care
  • Confidentiality
  • Independence
  • Evidence-based approach
  • Risk-based approach

Internal Audits

Internal audits are also referred to as first-party audits and are a requirement for medical device manufacturers per ISO 13485 clause 8.2.4:

“The organization shall conduct internal audits at planned intervals to determine whether the quality management system:

  • Conforms to planned and documented arrangements, requirements of this International Standard, quality management system requirements established by the organization and applicable regulatory requirements;
  • Is effectively implemented and maintained.”

Internal audits are conducted by the organization to review its QMS, determine whether its processes are improving its ability to provide products and services to customers and evaluate the system’s conformance with the standard’s requirements.

Internal audits should be conducted following an audit program that defines the processes/areas to be audited, the frequency of reviews, the audit criteria, the scope and the methods. When preparing the program, a risk-based approach should be used (e.g., a process or area that has had several findings in the past will be audited more often than one that has consistently been shown to be compliant). Most companies plan annual internal audits that cover two to four areas each quarter. The frequency of internal audits depends on the organization, but at least one audit per year is required.

The output from the internal audits serves as one of the inputs for the management review, where the organization’s management team will discuss the findings from the internal audit and decide on follow-up actions.

To ensure objectivity and impartiality, the internal audit should not be undertaken by the person in charge of developing the system or overseeing the process being audited.

External Audits

External audits include second and third-party audits:

  • Second-party audits are conducted by parties with an interest in the organization (e.g., a prospect or a customer). For example, a manufacturer that outsources the sterilization process might audit the sterilization provider in order to qualify it. Second-party audits are often conducted to comply with ISO 13485 clause 7.4.1 (purchasing process).
  • Third-party audits are conducted by external, independent auditing organizations that provide certifications, or by governmental agencies. Third-party audits are designed to reduce the need for second-party audits, since certification assures potential customers that the QMS complies with the standard. Usually, third-party certification audits are divided into two stages: in the first stage, the auditor focuses on the evaluation of the documented procedures; if that is successful, in the second stage the auditors assess the implementation and effectiveness of the QMS. However, the audit plan and methods depend entirely on the organization performing the audit and its resources.

Do I Need to Perform an Internal and External Audit?

As stated above, the internal audit is a requirement according to ISO 13485 clause 8.2.4. In addition, to build a 13485-compliant QMS, the organization should document a procedure to describe how the internal audit will be planned, conducted and reported. The organization should also maintain records of the audit results.

The external audit is not compulsory to comply with ISO 13485, but it is required to obtain official certification. Although several organizations issue ISO 13485 certificates, we recommend selecting an accredited certification body. Such bodies are independently assessed by accreditation bodies and comply with ISO 17021 (Conformity assessment: Requirements for bodies providing audit and certification of management systems).

Maintain Your QMS under ISO 13485: Follow-up Audits

Once the QMS has been established, implemented and certified, the organization should ensure that the system is maintained. To this end, the organization should periodically plan and conduct internal audits. The internal audit's scope, objectives and plan are detailed annually and vary according to company objectives and performance. Moreover, following certification, the certification body will audit the QMS annually (surveillance audits). In addition, top management needs to include any feedback received from audits, both internal and external, as input to the management review meeting.

NAMSA 13485 Quality Services

Our Quality Assurance team can support you with a wide range of activities:

  • If you are a MedTech start-up, our team can support you in developing and implementing the complete QMS under ISO 13485 and MDR/IVDR.
  • Perform gap assessments of the QMS under ISO 13485, where the team identifies the gaps of your QMS and proposes implementation measures.
  • Our team of certified Lead Auditors can also support your company in developing and implementing specific QMS documentation required under ISO 13485, MDR, IVDR, or local requirements (such as the manufacturing license in Spain) for your activities.
  • Our internal auditors will support you in performing internal audits under ISO 13485 to ensure independence in your auditing process.
  • Have you already had your external audit? We can provide consultancy services to support you in resolving the findings or designing methods to implement the opportunities for improvement.


AKRN, Now Part of NAMSA: ISO 13485 Lead Auditors

Ariadna Navarro Aragall, PhD
Associate Director RA & QA

José Velazquez, MSc
Quality Assurance Manager

Arancha López-Pérez, PhD
Regulatory Affairs Scientist

How Can NAMSA Help?

NAMSA is the industry leader in driving successful regulatory outcomes through effective interactions with the EU Commission and Notified Bodies. Our internal teams of regulatory and quality experts communicate with EU entities nearly every day and are the most experienced in the industry at accelerating regulatory submissions and approvals for manufacturers. In fact, many of our Associates have previously held positions within these organizations, which gives Clients a clearer understanding of how to proactively plan for international requirements and expectations.

To learn about NAMSA’s full suite of Regulatory and Quality services and solutions, including the development, implementation, adherence and continuous improvement of a compliant Quality Management System (QMS), please visit: https://namsa.com/services/regulatory-and-quality-consulting/.

Ariadna Navarro

Dr. Ariadna Navarro has a strong scientific background with a PhD in Cardiovascular Sciences and close to ten years of experience in preclinical and clinical research. During her academic career, she collaborated with In Vitro Diagnostic (IVD) manufacturers in the design of strategies and the set-up of in vitro techniques to diagnose several cardiovascular and neurological disorders. Dr. Navarro's medical device industry experience includes working as Clinical Research Scientist and Clinical Study Manager, gaining thorough knowledge of the design, set-up and conduct of clinical investigations according to ICH/GCP guidelines, ISO 14155 and ISO 20916. Ariadna has also developed strong experience in Regulatory Affairs and Quality Assurance, and she has expert competence in the European regulatory landscape (MDR 2017/745, IVDR 2017/746 and the MEDDEV/MDCG guidance documents). She is a certified ISO 13485 Lead Auditor with experience in setting up medical device quality management systems, supporting manufacturers in placing and maintaining their devices on the market.