Internal audits are not just a regulatory formality; they are a cornerstone of any effective quality management system. Required by international standards such as ISO 13485 and FDA’s 21 CFR Part 820.22, and expected under European regulations like MDR and IVDR, internal audits help organisations stay compliant, avoid costly errors, and continuously improve their processes. Any company that places medical devices on the market must conduct internal audits on a regular basis. But what exactly do these audits involve? What skills should an internal auditor bring to the table? And what are the most common mistakes to avoid?
Understanding Internal Audits
An internal audit is a structured, objective, and well-documented process that evaluates whether a company’s quality management system (QMS) complies with applicable standards and regulations. These audits are based on objective evidence, not assumptions or subjective impressions.
The most effective internal audits follow four key principles: they are systematic, independent, documented, and fact-based.
- “Systematic” means the audit follows a pre-planned and methodical approach.
- “Independent” indicates that auditors must not evaluate processes they are directly responsible for.
- “Documented” ensures transparency and traceability of findings.
- “Fact-based” (objective) guarantees that conclusions rest on verifiable facts, not on assumptions or subjective impressions.
Unlike external audits conducted by regulatory bodies or notified bodies, internal audits are typically carried out by employees within the organisation or by external experts contracted specifically for this task. And while external audits tend to focus on verifying compliance, internal audits go further. They uncover inefficiencies, point out risks before they escalate, and prepare the organisation for the scrutiny of official inspections.
Both ISO 13485:2016 (Clause 8.2.4) and FDA 21 CFR Part 820.22 require internal audits as part of a proactive quality strategy. Similarly, the EU MDR and IVDR rely on internal audits as one of the mechanisms for ensuring ongoing compliance and product safety.
The Role and Responsibilities of Internal Auditors
Internal auditors play a crucial role in making sure that the organisation’s daily operations stay in line with external regulations and internal procedures. Their work focuses on verifying whether company processes meet the expectations laid out in ISO 13485, ISO 9001, and other applicable norms. In addition to these external standards, auditors check compliance with internal rules—such as SOPs, work instructions, and policy documents.
Effective internal auditors actively search for inconsistencies, outdated practices, and improvement opportunities. By identifying these early, they give the company time to implement corrective and preventive actions before issues become systemic or trigger external findings. They also make a major contribution to preparing the organisation for official inspections by notified bodies or authorities. Their ability to simulate the logic and depth of an external audit helps remove surprises and reduce pressure during real assessments. Key benefits of strong internal audits include early risk detection, improved patient safety, and enhanced product quality. Internal auditors also act as advisors, helping departments better understand regulatory expectations and align their practices accordingly.
Clause 8.2.4 of ISO 13485 underscores the importance of conducting internal audits, though it does not dictate the exact methodology. This is where ISO 19011:2018 steps in, offering practical guidance on how to plan, conduct, and evaluate audits effectively—including those involving outsourced processes or external suppliers. Clause 4.1.5 of ISO 13485, for instance, requires that any outsourced activity affecting product quality must be controlled through appropriate measures such as supplier audits, which internal auditors may also perform.
What Makes a Good Internal Auditor?
A good internal auditor is more than just a regulatory expert. The role requires a careful balance of technical knowledge, emotional intelligence, and communication skills. Organisations should select auditors with great care, making sure they not only understand the rules but can also apply them in complex, real-world situations.
Technical Competence
ISO 19011 (Chapter 7) defines the required competencies for auditors, making it clear that they must be suitably qualified and impartial. An internal auditor cannot audit their own work or processes, as this would compromise objectivity.
Auditors must have a solid understanding of:
- ISO 13485: The core standard for medical device QMS
- ISO 9001: General quality management principles
- ISO 19011: Auditing guidelines, including planning, execution, and reporting
Depending on the nature of the products, markets, and regulatory scope, auditors may also require knowledge of:
- EU MDR / IVDR – European regulatory framework for medical devices and in vitro diagnostics
- MDSAP (Medical Device Single Audit Program) – A harmonised audit program covering multiple regulatory jurisdictions (e.g., FDA, Health Canada, TGA, ANVISA, PMDA)
- FDA Quality System Regulation (QSR)
Personal Qualities
Certain personal attributes are essential to performing the role well. Internal auditors must be objective and impartial, maintaining a neutral stance even in the face of internal pressures. Integrity is non-negotiable: auditors must be willing to report uncomfortable truths, even when the findings are politically inconvenient.
Auditors also need resilience and emotional intelligence. They often conduct interviews, review sensitive documents, and challenge assumptions. In this environment, empathy, patience, and tact go a long way. Strong interpersonal skills help them build trust with staff while still holding people accountable.
Communication Skills
Clear, confident communication is central to the auditor’s job. This includes not only verbal skills, but also an awareness of tone, timing, and body language. Being able to ask the right questions—and to listen carefully to the answers—can make the difference between a superficial audit and one that uncovers the root causes of recurring issues.
Methods from Transactional Analysis, such as managing communication dynamics between “parent”, “adult”, and “child” modes, can be especially helpful during difficult conversations.
Lifelong Learning
The regulatory environment for medical devices is constantly evolving. Auditors must therefore engage in continuous professional development. Participation in refresher courses, industry seminars, and regular certification updates ensures their expertise stays relevant and sharp.
Planning and Conducting Internal Audits
Internal audits are only effective if they are well-structured and consistently applied. This begins with an audit programme that defines the scope, frequency, and strategy over a defined time horizon.
The Audit Programme
According to ISO 19011, a comprehensive audit programme should cover all relevant processes over a period of time—typically three years. For medical device companies, this aligns well with the surveillance cycle of notified bodies. High-risk areas, recurring CAPAs, or processes known for their complexity should be audited more frequently.
The programme should also consider supplier audits, especially for outsourced processes that impact product quality. These are typically scheduled on a risk-based cycle of one to three years.
Audit Planning
Each individual audit within the programme needs a tailored audit plan. This outlines the audit objectives, criteria, and scope, as well as who will perform the audit, when, and how. Good planning also includes a clear timeline, allocation of resources, and preparation materials for both auditors and auditees.
Conducting the Audit
Internal audits usually follow a structured sequence:
- Opening meeting: The auditor outlines the purpose, scope, and procedure of the audit, setting expectations from the start.
- Execution phase: This involves a combination of document reviews, interviews with staff, and direct observations. A skilled auditor uses a mix of questioning techniques—open, closed, clarifying, summarising—to uncover meaningful insights.
- Nonconformity identification: When deviations from defined requirements are found, these must be recorded clearly and supported by objective evidence. Proposed corrective actions should be discussed immediately.
- Closing meeting and reporting: The audit ends with a summary of findings. These are documented in an audit report, which includes evidence, identified risks, and required follow-ups.
Following Up and Driving Continuous Improvement
An internal audit doesn’t end with the report. The real value lies in what happens next. Follow-up is critical to ensure that corrective actions are implemented and remain effective over time. This might involve re-audits, performance monitoring, or system changes. Regular reviews and a culture of transparency help embed these improvements into the organisation’s day-to-day operations.
External Support—How Johner Institute can help
While internal audits must be carried out regularly, companies do not always need to rely solely on their own staff. Qualified external experts can conduct audits on behalf of the organisation—particularly when internal resources or impartiality are lacking.
Johner Institute New Zealand offers not only audit services, but also in-depth auditor training. This dual approach allows companies to meet their current audit obligations while building internal capacity for future audits. By combining practical audits with hands-on training, organisations can establish long-term independence while ensuring that current audits are both credible and effective. Contact us to learn more!
Conclusion
Internal audits are far more than bureaucratic requirements. When done well, they serve as a powerful tool to strengthen the quality system, prevent compliance issues, and improve products and processes across the board. But their impact depends heavily on how well they are planned, executed, and followed up. Organisations that invest in skilled auditors, robust audit planning, and a learning-focused culture can turn internal audits into one of their most valuable quality tools.