ISO 13485:2016

INTERNAL AUDIT

B Y: M R . P R E M
C O N G R AT U L AT I O N S !
 
You have been chosen (or perhaps conscripted) to
conduct or participate in an ISO 13485 internal
quality management system (QMS) audit. For many,
the prospect of coordinating and conducting an audit
can be terrifying.
TA B L E O F
CONTENT
INTRODUCTION
TO AUDITING
PRINCIPLES OF
AUDITING
• Principles relating to auditors:
• Ethical conduct
• Fair presentation
• Due professional care
• Principles relating to audit:
• Independence
• Evidence-based approach
AUDITING
What is an audit?
Systematic, independent and documented process
for obtaining audit evidence and evaluating it
objectively to determine the extent to which audit
criteria are fulfilled.
Why audit?
Requirement of ISO 13485:2016
Monitor and measure the management system
Promote continuous improvement of the
management system
 Verifies conformity to requirements 

Increases awareness and understanding 

Provides a measurement of effectiveness of the management

system to top management 
BENEFITS
OF Reduces risk of management system failure 

AUDITING 
Identifies improvement opportunities 

Continuous improvement if performed regularly 

P D C A ( P L A N - D O - C H E C K - A C T )
A P P LY I N G T H E P R O C E S S A P P R O A C H TO A U D I T I N G  
Auditors can apply the process approach to auditing by ensuring the auditee: 
• Can define the objectives, inputs, outputs, activities, and resources for its processes 
• Analyzes, monitors, measures, and improves its processes 
• Understands the sequence and interaction of its processes 
 PROCESS AUDITING
APPROACHES 

Individual Process: 
• Input / Output / Value-added Activity 
• Plan-Do-Check-Act 
• Resources 
Relationship with other processes: 
• Flow / Sequence / Linkage / Combination 
• Interaction / Communication 
• Evidence 
• Customer and supplier contract(s) 
 With
what?  With who? 
Resources Personnel 
 

Inputs  Outputs 
From  To 
Whom/  Whom/ 
Where  Where 

How done?  What results? 

Methods/  Performance 
Documentation  indicators 

PROCESS AUDITING
“TURTLE DIAGRAM” 
P R O C E S S A U D I T I N G E X A M P L E  
MANAGING
AN AUDIT
PROGRAM
PROCESS
FLOW 
T Y P I C A L A U D I T A C T I V I T I E S  
 Appointing the audit Defining audit Determining feasibility
team leader  objectives, scope, of the audit 
I N I T I AT I N G criteria 

THE AUDIT 

Selecting the audit team  Establishing initial

contact with the auditee 
 Audit Objectives may include: 
• Determining of the extent of conformity of auditee`s
DEFINING QMS with audit criteria 
AUDIT • Evaluation of capability of QMS to ensure
OBJECTIVES,
compliance with statutory, regulatory, and
SCOPE,
CRITERIA  contractual requirements 
• Evaluation of effectiveness of the QMS to meet its
objectives 
• Identification of areas of improvement 
 For Team size and competence, consider: 
• Audit objectives, scope, criteria, and duration 
• Whether audit is combined or joint 
SELECTING • Competence of team to meet objectives 
THE AUDIT • Statutory, regulatory, contractual and
TEAM  accreditation/certification requirements 
• Independence of the team 
 Auditor competence is based on: 

Personal attributes 

AUDITOR
COMPETENCE  Application of knowledge and skills 

Competence is to be developed, maintained, and

improved 
AUDITOR COMPETENCE 
AUDITOR
COMPETENCE 

Auditor skills and competence could include: 

• Audit principles, procedures, and techniques 
• Management system and reference
documents 
• Organizational situations 
• Laws, regulations, and other requirements 
AUDITOR
COMPETENCE 

Specific knowledge and skills for quality auditors

could include: 
• Quality methods and techniques 
• Quality terminology 
• Quality management tools and their application 
• Processes and products/services specific to the
sector being audited 
 Arrive Arrive on time 

Maintain Maintain confidentiality 

Objective Be objective and ethical 

Support Support the audit team and team leader 

Plan and prepare Plan and prepare work documents 

Inform Inform auditees of the audit process 

A U D I T O R
R E S P O N S I B I L I T I E S  
Document and support Document and support all findings 

Keep Keep auditee informed 

Safeguard Safeguard all documents 

Prepare Prepare the audit report 

 AUDIT PLANNING 

Determine the Determine audit

Identify specified
objective of the duration and
requirements 
audit  resources needed 

Contact the auditee –

Select the team  Draw up audit plan 
agree the date(s) 

Prepare work
Brief the team 
documents 
 Prepare work documents 

Use as a reference and for recording audit proceedings 

Include checklists, sampling plans and forms, ISO 13485:2016

standard, etc. 
P R E PA R E
WORK Keep checklists flexible to allow changes resulting from
DOCUMENTS  information collected during the audit 

Safeguard any confidential and proprietary information 

Retain work documents and records 

 One Approach is to: 
• Identify audit scope and process(es) within
scope 
• Identify applicable factors (inputs, outputs,
measures, resources, etc.) 
CHECKLISTS
PR EPARAT ION   Use these points and other requirements to: 
• Plan what to look at 
• Plan what to look for (audit evidence) 
Prepare checklist 
CHECKLISTS STRUCTURE 
 Conduct opening meeting 

Communicate during the audit 

Explain roles and responsibilities of participants 

AUDIT Collect and verify information 

ACTIVITIES 
Generate audit findings 

Prepare audit conclusions 

Conduct closing meeting 

 Hold opening meeting with auditee top management
and those responsible for processes audited 

Meeting may be informal 

Chaired by team leader 

OPENING
MEETING 
Audit team present 

Purpose is to confirm all prior arrangements 

C O L L E C T I N G A N D V E R I F Y I N G  
 Collect information relevant to: 

Audit objectives, scope, and criteria 

AUDITING interfaces between functions, activities and

PROCESS processes 
COLLECT &
VERIFY Collect audit evidence by appropriate sampling
INF ORMATI ON   and verify and record it 
Be aware on sampling limitations, if acting on the
audit conclusion 
Use only information that is verifiable as audit
evidence 
 Interview: 
• Personnel that manage, perform,

AUDITING and verify activities 

PROCESS • Also ensure they are responsible

for the activity being audited 
TECHNIQUES • Listen carefully to responses 
T O O B TA I N
Observe: 
AUDIT • Identity, status, condition,
EVIDENCE  processes, equipment, activities,
environment, and people 
 Review documents that describe: 
• Activities 
• Plans 
AUDITING • Controls 
PROCESS • Strategies 
AUDIT • Exercises 
EVIDENCE  • tests 

Review records for evidence of conformity to documents 

Review records, statements of fact, or other information which are
relevant to the audit criteria and verifiable 
Audit evidence may be qualitative or quantitative 
 C OM M UN I C AT I O N A ND I NT E RP E R S ON AL S K I L L S  

1 2 3 4 5 6 7
Put auditee at ease  Ask short questions Reflect right attitude, Smile and show eye Avoid interruptions  Avoid off-cuff and Give praise when
and listen  tone of voice, body contact  condescending appropriate 
language, and facial remarks 
expressions 
 QUESTIONING
TECHNIQUES 

Open question 
• Using why, who, what, where, when, or how gets more than a yes or no
answer 
Expansive question 
• Further elaborates the current point 
Opinion question 
• Asks opinion about current point 

Non-verbal 
• Uses body language, for example: raise eye-brow to elicit further
information 
QUESTIONING
TECHNIQUES 
Repetitive question 
• Repeats back response in form of a question 
Hypothetical question 
• Uses what if, suppose that, etc. 
Closed question 
• Gets yes or no answer 
• Avoid using too often 
• Used for confirmation 
Silence 
• Draws more information 
NOTE TAKI NG  

Notes could be used as reference for: 

• Immediate investigation 
• Investigation later 
• Use by a colleague 
• Subsequent audits 
Notes taken during an audit are a record of: 
• The audit sample taken 
• What was reported 
• What was observed 
Notes may be referenced by subsequent auditor 
 SAMPLING  

Samples should test the effectiveness of the system and should be: 
• Representative 
• Structured 
• Independently selected 
Sample size should be based on: 
• Risk 
• Importance 
• Status 
• Findings from the previous/current audit 
CONTROL OF THE
AUDIT 

Checklist is an aid, not a requirement 

If potential audit trails appear, decide to: 
• Disregard 
• Note for later 
• Follow up immediately 
Following audit trails may effect: 
• Sample size 
• Audit plan 
 HANDLING
D I F F I C U LT
S I T U AT I O N S  
E S TA B L I S H T H E FA C T S J U D G M E N T I N T H E A U D I T P R O C E S S  

Audit focus must be The auditee must be

on conformity and given the benefit of
effectiveness, NOT on any doubt where there
finding is insufficient audit
nonconformities  evidence 
 Discuss concerns 

Verify the findings 

Record all the evidence: 

• Exact observation 

E S TA B L I S H • Where, what, etc. 

Establish why a nonconformity or otherwise 

T H E FA C T S  
State who (if relevant) – preferably by job title 

Obtain agreement with the facts 

GE NE RATE AUDI T F INDINGS  

Indicate if findings are

Evaluate audit evidence against
conformities, nonconformities
audit criteria to generate audit
or opportunities for
findings 
improvement 

Specify (with supporting

evidence) or summarize
Meet (audit team) to review
conformity by location,
findings 
function, or processes, as
required by audit plan 
 Non-fulfillment of a specified requirement: 
• Not doing it 
• Partially doing it 
• Doing it the wrong way 
Specified requirement: 
• Conditions of the customer contract 
• Quality standard (ISO 13485) 
• Quality management system 
• Statutory or regulatory requirements 

NONCONFORMITY 
GE NE RATE AUDI T F INDINGS  

Obtain auditee
Record nonconformity findings acknowledgement of
and supporting evidence  nonconformities for accuracy
and understandability 

Try and resolve differences of Keep a record of unresolved

opinion  issues 
 NONCONFORMITY -
MINOR 
• Failure to comply with a requirement which (based on judgment and
experience) is not likely to result in QMS failure 
• Single observed lapse or isolated incident 
• Minimal risk of nonconforming product or service 
• Examples: 
• A two month lapse in the internal audit program 
• A training record not available 
• No actions taken to improve system based on previous result
findings 
NONCONFORMITY -
MAJOR 

• Absence or total breakdown of a system to meet a

requirement 
• A number of minors related to the same clause or
requirement 
• A nonconformity that experience and judgment indicate will
likely result in QMS failure or significantly reduce its ability
to assure controlled processes and products 
 Examples: 
• No documented procedure for a required
documented ISO 22716 process/activity 
• Document changes routinely made without
authorization 
NONCONFORMITY • No awareness program for the Food safety
- MAJOR  management system 
• No future planned internal audits 
• Insufficient scope 
• Numerous minor nonconformities found in the
production process 
 Consider the seriousness: 

What could go wrong if the nonconformity remains

uncorrected? 

Is it likely the system would detect it before the customer

N O N C O N F O R M I T Y is affected? 
C L A S S I F Y I N G T H E
N O N C O N F O R M I T Y  
If you are not certain it is a nonconformity, it is not. 

You must have: 

• A requirement that has been broken 
• Proof that it has been broken 
N O N C O N F O R M I T Y G O O D R E P O RT
E X A M P L E S  
NONCONFORMITY POOR
REPORT EXAMPLES 

• The nonconformity statements below are inadequate due to

the lack of specified requirements and detailed evidence: 
• Steering Group meeting minutes are not adequate 
• The authority level for the Emergency Controller must
be documented for clarify purposes 
P R E PA R I N G A U D I T C O N C L U S I O N S  
• Audit team confer prior to the closing meeting: 
• Scheduling of the audit plan 
• To plan for closing meeting 
• Purpose is to: 
• Review audit findings and other information 
• Agree on audit conclusions 
• To prepare the audit report and recommendations 
• If included in audit plan, to discuss audit follow-up 
 1.Audit reference 

2.Client and Auditee details 

3.Audit team details 

AUDIT
REPORT 4.List of auditee representatives 
P R E PA R E , 5.Objectives, scope, and criteria 
APPROVE &
DISTRIBUTE  6.Audit plan – dates, places, areas audited and timing 

7.Summary of audit process 

8.Audit Summary 

9.Uncertainty due to sampling 

 10.Nonconformity reports 

11.Recommendation 

AUDIT 12.Obstacles encountered 

REPORT
13.Any areas in audit scope not covered 
P R E PA R E ,
APPROVE & 14.Any unresolved issues between the auditee and team 
DISTRIBUTE 
15.Confirmation that audit objectives accomplished 

16.Confidentiality statement 

17.Distribution list 
 Issue within agreed time period 

If delayed, provide reasons and agree on new issue date 

Report must be dated, reviewed, and approved as per

procedures 

AUDIT REPORT
Distribute to recipients designated by audit client 
DISTRIBUTION 

Report is property of audit client 

Recipients and audit team must respect the confidentiality of

the report 
 Audit is complete when all activities in audit
plan have been carried out and audit report is
distributed 
Maintain or dispose of audit documents based
on contractual, regulatory, and audit program
procedures 
COMPLETING Maintain confidentiality of audit documents,
THE AUDIT  information, and report 

Notify audit client and auditee ASAP if

disclosure of audit information is required. 
 Hold closing meeting to present audit findings and
conclusions 
Cover situations encountered during audit that may
decrease reliance on audit conclusions 
Discuss and resolve diverging audit findings and
conclusions 
Keep a record if not resolved 
CLOSING
MEETING  Provide recommendations for improvement where
specified by audit objectives 
Keep minutes and attendance records 

Will normally be informal for internal audits 

 Audit conclusions may require corrective,
preventive, or improvement actions 
Auditee decides and carries out these actions
within agreed timeframe 
COMPLETING
THE AUDIT These actions are not part of the audit 
CONDUCTING
THE Audit team number should verify completion and
FOLLOW-UP  effectiveness of actions taken 
This verification may be part of a subsequent
audit 
Maintain independence in subsequent audit
activities 
 Auditee receives the nonconformity report 

Auditee prepares and approves a corrective action plan 

COMPLETING Auditee submits the plan to auditors 

THE AUDIT
CORRECTIVE Auditors evaluate and approve the plan 
THE
FOLLOW-UP  Auditee implements the approved corrective action plan 

Auditor verifies the implementation and effectiveness 

Records of all actions taken by auditor and auditee 

THANK YOU