The gap between a smooth Notified Body assessment and a painful one usually doesn't come down to whether you have the right procedures written. It comes down to whether those procedures actually describe what your team does every day on the floor.
I've worked through this process with more than 200 medical device clients, and the pattern holds consistently: manufacturers who treat their internal audit as a genuine rehearsal show up to their NB assessment ready. Everyone else is hoping the auditor doesn't look too closely at the production area, or doesn't ask the line operator to describe the nonconforming product process without coaching.
This checklist covers all 40 requirements across ISO 13485:2016 that notified bodies probe most aggressively. Use it to run a real pre-assessment internal audit — not just a document review.
Why the Internal Audit Is the Most Important Step You're Probably Rushing
ISO 13485:2016 clause 8.2.4 requires documented procedures for internal audits and records of audit results. Most manufacturers have those. What they often don't have is evidence that the audit actually verified conformance — not just document existence.
The stakes got higher on February 2, 2026. FDA's Quality Management System Regulation (QMSR), which took effect that day, incorporates ISO 13485:2016 by reference — making a strong NB certification directly relevant to FDA compliance in a way it has never been before. A gap your notified body identifies in a European surveillance audit this year may shape an FDA inspector's scope next quarter.
In my experience, the single most common reason manufacturers fail their first NB assessment is a gap between their documented procedures and their actual shop-floor practices. Not missing documents — disconnected ones. Your NB auditor will ask your production staff to explain the process. Not your quality manager. Your line operators. If those conversations surface something different from what the procedure says, no amount of documentation will recover the day.
How to Use This Checklist
Each item maps to a specific ISO 13485:2016 clause. For each one, you need objective evidence — not a document reference. "We have a procedure for that" is not conformance. Objective evidence means records demonstrating the procedure was followed, outputs that look like the procedure says they should, and staff who can describe the process in their own words.
Flag each item as:
- ✅ Conforming — objective evidence exists and is current
- ⚠️ Gap — procedure exists but evidence is weak, dated, or incomplete
- ❌ Missing — no documented requirement or record trail at all
Work through three rounds: document review (confirm procedures exist), records sampling (pull three to five records per procedure and check they match), then process walk-throughs (talk to the people doing the work). Most gaps surface in Round 2. Most surprises happen in Round 3.
Clause 4: Quality Management System (Items 1–8)
1. QMS scope (4.1) — Is your scope statement documented and does it accurately reflect the devices you actually manufacture today, including all applicable regulatory requirements? Scope statements that haven't been revisited since initial certification are a common flag.
2. Process identification and interaction (4.1) — Have you identified all QMS processes, their sequence, and how they interact? An org chart is not a process map. The auditor will want to see both.
3. Outsourced process controls (4.1.5) — For any outsourced processes — sterilization, contract manufacturing, software development — do you have documented controls, supplier agreements, and monitoring records? Outsourcing doesn't transfer accountability.
4. Quality manual completeness (4.2.2) — Does your quality manual define the QMS scope, reference all documented procedures, and describe process interaction? Verify the exclusions section justifies anything excluded with a documented rationale.
5. Document control procedure (4.2.3) — Can you demonstrate that document approval, review, and distribution are controlled? Pull a recent document revision and trace it: who approved it, when, and how was the change communicated to affected staff?
6. Record control procedure (4.2.4) — Are records legible, identifiable, and retrievable? Test this: ask for a specific record from 24 months ago. If it takes more than ten minutes to locate, that's a real gap.
7. Medical device file currency (4.2.3) — Do you maintain a technical file or design history file for each device, and is it current? Auditors check whether recent design changes, regulatory updates, or field observations are reflected.
8. Change control history (4.2.3) — Does every change to a controlled document have a change history and impact assessment? Notified bodies commonly pull a random controlled document and ask to see its entire revision history.
Clause 5: Management Responsibility (Items 9–14)
9. Quality policy relevance (5.3) — Is the quality policy still relevant to your organization? If your device portfolio changed in the last two years and the quality policy wasn't reviewed and re-approved, that's a flag waiting to happen.
10. Measurable quality objectives (5.4.1) — Are quality objectives measurable, consistent with the quality policy, and documented as reviewed for achievement? Pull last quarter's data. Can you demonstrate progress or explain why objectives were revised?
11. Management review records (5.6) — Do management review records address all required inputs: audit results, complaint data, post-market surveillance feedback, process performance, regulatory changes? Minimal minutes reading "all items reviewed, no actions required" tend to attract close scrutiny.
12. Regulatory intelligence process (5.6.1) — With EU MDR post-market surveillance requirements mature and FDA QMSR now in effect, can you demonstrate that management tracks applicable regulatory changes systematically? This input has been probed significantly more often in 2025–2026 NB assessments.
13. QMS planning records (5.4.2) — When changes to the QMS were planned and implemented, was the integrity of the QMS maintained through the transition? Document a specific change and the planning record that preceded it.
14. Internal communication evidence (5.5.3) — Is there evidence that quality information reaches staff? Meeting minutes, training records, and internal communications all count — but they need to exist as records.
Clause 6: Resource Management (Items 15–18)
15. Competency records (6.2) — For every person whose work affects product quality — including contractors and temporary workers — do you have records of education, training, skills, and experience? This is one of the most consistently under-documented areas.
16. Training effectiveness (6.2) — Not just completion records, but evidence of effectiveness. Test scores, demonstrated performance observations, and supervisor sign-offs after observed work all qualify. Completion alone does not.
17. Infrastructure maintenance (6.3) — Are preventive maintenance records current for all equipment affecting product quality? Check calibration records at the same time (see item 28). Overdue maintenance schedules and lapsed calibrations routinely appear in the same audit cycle.
18. Controlled environment monitoring (6.4) — For cleanrooms or other controlled environments, are monitoring records complete, reviewed, and trended? Out-of-spec events should have documented investigation and product disposition.
Clause 7: Product Realization (Items 19–32)
ISO 13485:2016 Clause 7 consistently generates the highest density of notified body findings — particularly in design controls, supplier qualification, and process validation. In my experience with 200+ client assessments, about 60% of major nonconformities originate here.
19. Product realization planning (7.1) — Does planning for each product document quality objectives, processes, required documentation, and verification/validation activities? A project schedule is not a quality plan.
20. Regulatory requirements in customer review (7.2.1) — Are applicable regulatory requirements — including EU MDR Article 10, applicable harmonized standards, and FDA QMSR requirements — formally included in your customer requirements review?
21. Contract review records (7.2.2) — Can you demonstrate that requirements were reviewed and documented before accepting a customer order? For custom or patient-matched devices, auditors probe this in detail.
22. Design input completeness (7.3.3) — Are design inputs documented to include performance, safety, regulatory, and applicable standard requirements — and were they documented before design outputs were generated? Incomplete or vague inputs are a top finding category.
23. Design output traceability (7.3.4) — Do design outputs reference their corresponding design inputs and include acceptance criteria? Can you trace each output to a specific input in your design history file?
24. Design review records (7.3.5) — Were formal design reviews held at appropriate stages, with qualified participants including at least one function not directly responsible for the design? Review minutes should document attendees, scope, and open actions.
25. Design verification records (7.3.6) — Is there documented evidence that design outputs meet design inputs? Test reports, analysis results, and inspection records all count — but each needs to reference the specific input it addresses.
26. Design validation records (7.3.7) — Does validation evidence demonstrate the device meets user needs and intended use under actual or simulated conditions? Auditors check whether validation used representative devices from initial production, not only prototypes.
27. Design transfer records (7.3.8) — Can you demonstrate that the design was formally transferred to manufacturing with documented confirmation that production processes can consistently meet specifications? This area has seen rising NB attention since 2024, especially for software-driven devices.
28. Design change controls (7.3.9) — Every post-approval design change needs a documented evaluation for impact on safety, performance, regulatory status, and the need for re-validation. Pull any change from the last 12 months and trace its approval record end to end.
29. Supplier evaluation currency (7.4.1) — Does your approved supplier list reflect a risk-based classification of suppliers, and are re-evaluation records current? Critical suppliers need more rigorous and more frequent documented evidence.
30. Purchasing data adequacy (7.4.2) — Are purchase orders specific enough to describe what you're actually purchasing, including applicable specifications and quality requirements? Vague POs for critical materials appear often in NB findings.
31. Incoming inspection records (7.4.3) — Is incoming inspection documented per procedure, with acceptance and rejection records retained? If you rely solely on a certificate of conformance, document that risk-based decision in writing.
32. Process validation records (7.5.6) — For processes where output cannot be fully verified by inspection — sterilization, welding, molding, aseptic filling, software — is there documented validation with defined and met acceptance criteria? Re-validate when the process changes.
Clause 8: Measurement, Analysis, and Improvement (Items 33–40)
33. Complaint handling completeness (8.2.1) — Is there a documented procedure for complaint handling, and are all complaints — including verbal ones received at trade shows or by sales staff — captured, investigated, and trended? NBs look for the gap between complaints received and complaints formally investigated.
34. Adverse event reporting documentation (8.2.2) — Can you demonstrate timely MDR/Vigilance reporting when thresholds are met, with documented evidence of the reportability analysis for each qualifying event? Threshold decision records are probed closely under current EU MDR requirements.
35. Risk-based audit schedule (8.2.4) — Is your internal audit program risk-based, and does it cover all QMS processes and clauses within the defined audit cycle? Show the schedule, the completed audits, and the records. "We audit everything" requires documentation to back it up.
36. Process performance monitoring (8.2.5) — Are you collecting and reviewing data that demonstrates QMS processes achieve planned results? Trend charts and dashboard summaries work — but there needs to be a documented management review of the data, not just collection.
37. Product conformance data (8.2.6) — Is product conformance to requirements documented and reviewed for trends? Connect product monitoring data explicitly to your post-market surveillance system.
38. Nonconforming product controls (8.3) — Are nonconforming products identified, segregated, and formally dispositioned? Pull five recent NCRs. Each should show a documented disposition (rework, scrap, concession) with appropriate authorization.
39. CAPA system effectiveness (8.5.2 / 8.5.3) — Are corrective and preventive actions documented, root-cause analyzed, implemented, verified for effectiveness, and formally closed? Shallow root cause analysis — "human error" without systemic correction — is the single most common major nonconformity I see in first-time assessments.
40. Data analysis for improvement (8.4) — Are you aggregating quality data to identify trends and drive improvement? Management review is the usual vehicle, but the data needs to be analyzed and the analysis documented — not just presented on a slide and moved past.
Gap Areas by Frequency and Severity
| Gap Area | ISO 13485:2016 Clause | Finding Frequency | Typical Severity |
|---|---|---|---|
| Design input completeness | 7.3.3 | Very High | Major |
| CAPA root cause depth | 8.5.2 | Very High | Major |
| Complaint capture completeness | 8.2.1 | High | Major |
| Process validation documentation | 7.5.6 | High | Major |
| Supplier re-evaluation currency | 7.4.1 | High | Minor / Major |
| Training effectiveness evidence | 6.2 | High | Minor |
| Management review input completeness | 5.6 | High | Minor |
| Design transfer records | 7.3.8 | Medium (rising) | Major |
| Adverse event threshold documentation | 8.2.2 | Medium | Major |
| Calibration record currency | 7.6 | Medium | Minor |
What Notified Bodies Are Focusing on in 2026
Two things are reshaping NB audit scope right now, and they're worth understanding before you schedule your assessment.
First, EU MDR transition grace periods are largely exhausted for most device classes. NBs are auditing post-market surveillance systems with considerably more scrutiny than they applied in 2022 or 2023. If your PMS plan is still generic — the same boilerplate for a class IIa active device as for a class I accessory — that's a target. Auditors are specifically looking for evidence that PMS data flows back into design and risk management files.
Second, FDA's QMSR, effective February 2, 2026, adopts ISO 13485:2016 as its framework. FDA has stated that manufacturers complying with ISO 13485:2016 will generally satisfy the QMSR requirements. NBs are aware of this dual relevance, and assessments are increasingly treating the QMS as a system that serves multiple regulatory masters simultaneously. That's a good thing for manufacturers who run a genuine QMS — and a problem for those running a certification-theater QMS.
In my view, if you're preparing for an NB assessment this year, your highest-return investments are design control records and CAPA effectiveness evidence. Those two areas account for the majority of first-time major nonconformities I've seen across 200+ client engagements at Certify Consulting.
Running Your Pre-Assessment Internal Audit: Three Rounds
Round 1 — Document review. Confirm that procedures exist for each item and reference the correct clauses. For a typical Class II manufacturer, this takes about two days with a focused quality team.
Round 2 — Records sampling. For each procedure, pull three to five recent records and verify they match what the procedure describes. This is where most gaps surface — not in the procedures, but in the trail left behind.
Round 3 — Process walk-throughs. Talk to the people doing the work. Ask them to describe their process without coaching. If what they describe matches the procedure, you're in solid shape. If it doesn't, you've found what your NB auditor will almost certainly find too.
Manufacturers who complete all three rounds tend to arrive at their NB assessment with clarity — either confidence in their system or a specific remediation list they've already started working through. Both are better than walking in uncertain.
If you want a structured pre-assessment review with an experienced consultant before your NB audit, Certify Consulting's ISO 13485 readiness assessment covers all 40 of these areas, typically takes four to six weeks, and has supported a 100% first-time pass rate across our client base.
You can also review our full-service medical device certification consulting services to understand where pre-assessment internal audit support fits in the broader certification process.
Last updated: 2026-06-10
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.