Internal audits are where you find the problems before your Notified Body does. That's the whole point. And yet, in my experience working with 200+ medical device clients at Certify Consulting, the internal audit is the step companies rush or hollow out — treating it as a box to check rather than a dress rehearsal.
If your Notified Body assessment is coming up, this checklist is built to close that gap. It covers all 40 of the most commonly cited clause-level requirements under ISO 13485:2016, organized by QMS section so your audit team can move through it without losing the thread. I've structured it this way deliberately — clause by clause is how your auditor will walk through it, and you should too.
A note on context: With the EU MDR transition timeline placing increasing pressure on Notified Body capacity throughout 2024 and 2025, assessment slots have been harder to get and harder to reschedule. A failed first-time audit doesn't just cost you time — it puts your whole market access window at risk. In my view, that makes preparation more important now than it's been at any point in the last decade.
What ISO 13485 Internal Audit Requirements Actually Demand
Before running down the checklist, it's worth being precise about what clause 8.2.4 actually requires. ISO 13485:2016 clause 8.2.4 requires that the organization conduct internal audits at planned intervals to determine whether the QMS conforms to planned arrangements and to the requirements of the standard, and whether it has been effectively implemented and maintained.
That language — "effectively implemented and maintained" — is doing a lot of work. Conformance on paper isn't enough. Your Notified Body auditor will probe whether your procedures are actually being followed in practice, whether records demonstrate real implementation, and whether your corrective actions from prior audits have closed. The checklist below is built around that test.
The Full 40-Item Internal Audit Checklist
Section 1: Quality Management System (Clauses 4.1–4.2)
- Clause 4.1.1 — Is the scope of the QMS defined, documented, and consistent with regulatory requirements for the markets where devices are sold?
- Clause 4.1.2 — Is a risk-based approach applied to the control of QMS processes, and is that approach documented and consistent with applicable regulatory requirements?
- Clause 4.1.5 — Are outsourced processes identified, and is there documented evidence that the organization maintains control over them (written quality agreements, supplier qualification records, monitoring data)?
- Clause 4.2.2 — Does the quality manual describe the scope of the QMS, any exclusions or non-applications with justification, the documented procedures (or references to them), and the interaction of QMS processes?
- Clause 4.2.4 — Are documents controlled per the documented procedure — review and approval, change control and version history, distribution, and removal or identification of obsolete documents?
- Clause 4.2.5 — Are records legible, identifiable, retrievable, and retained per the documented retention schedule (at least the lifetime of the device as defined by the organization, and no less than required by regulation)?
Section 2: Management Responsibility (Clause 5)
- Clause 5.1 — Is there objective evidence that top management has communicated the importance of meeting customer and regulatory requirements throughout the organization?
- Clause 5.3 — Is the quality policy documented, communicated, understood by personnel with responsibilities affecting quality, and reviewed for continuing suitability?
- Clause 5.4.1 — Are quality objectives established at relevant functions and levels, and are they measurable and consistent with the quality policy?
- Clause 5.4.2 — Is there documented evidence that QMS planning has been conducted to meet quality objectives and that QMS integrity is maintained through changes?
- Clause 5.5.1 — Are responsibilities and authorities defined, documented, and communicated within the organization?
- Clause 5.5.2 — Has a management representative been appointed with documented authority for QMS implementation and reporting to top management?
- Clause 5.6.1 — Are management reviews conducted at planned intervals, with documented records covering all required inputs and outputs per clause 5.6.2/5.6.3?
Section 3: Resource Management (Clause 6)
- Clause 6.2 — Is there documented evidence that personnel performing quality-affecting work are competent based on education, training, skills, and experience? Are training effectiveness records current?
- Clause 6.3 — Is infrastructure (buildings, workspace, equipment, utilities) determined, maintained, and documented, with records of maintenance activities?
- Clause 6.4 — Are work environment requirements, including health, cleanliness, and clothing requirements, documented and monitored where conditions could affect product quality?
Section 4: Product Realization (Clause 7)
- Clause 7.1 — Is there documented quality planning for product realization, covering objectives, verification/validation activities, records required, and resources needed for each product type?
- Clause 7.2.1 — Are customer requirements, including regulatory requirements applicable to the intended use, fully determined and documented?
- Clause 7.2.3 — Are records of customer communication maintained, including feedback, complaints, and advisory notice information?
- Clause 7.3.2 — Is design and development planning documented, with stages, review/verification/validation/transfer activities, and responsibilities and authorities defined?
- Clause 7.3.3 — Are design inputs documented, reviewed, and approved? Do they include functional, performance, usability, safety, and regulatory requirements, plus outputs of risk management?
- Clause 7.3.4 — Are design outputs documented in a form that allows verification against inputs, and do they include or reference acceptance criteria?
- Clause 7.3.5 — Are records of design reviews maintained, including participants, the design under review, and any actions required?
- Clause 7.3.6 — Is design verification performed per planned arrangements, and are results and conclusions documented?
- Clause 7.3.7 — Is design validation performed on representative product under defined operating conditions, with results documented? Does validation include clinical evaluation or performance evaluation as required by applicable regulations?
- Clause 7.3.10 — Is a design and development file (a Design History File or equivalent) maintained for each device type or family that demonstrates the design was developed in accordance with the approved design plan?
- Clause 7.4.1 — Are purchasing processes documented, with criteria for supplier evaluation, selection, and re-evaluation? Are records maintained?
- Clause 7.4.3 — Is incoming product verified against documented acceptance criteria before release for use?
- Clause 7.5.1 — Are production and service provision carried out under controlled conditions, including documented procedures, work instructions, and qualified equipment?
- Clause 7.5.2 — Is there a documented procedure for cleanliness of product, covering product cleaned by the organization prior to sterilization or use, and product supplied non-sterile where cleanliness matters in use?
- Clause 7.5.4 — Where servicing is a specified requirement, are documented procedures in place, and are service reports maintained as records and analyzed for complaint or improvement inputs?
- Clause 7.5.6 — Are production and service processes whose output cannot be verified by subsequent monitoring or measurement validated, with documented procedures, approved equipment and personnel, and records of validation maintained?
- Clauses 7.5.8–7.5.9 — Is product identified throughout realization, including its status, with traceability maintained to the extent required by regulatory requirements and the organization's documented procedures?
- Clause 7.5.10 — Is customer property (including intellectual property and confidential health information) identified, verified, protected, and safeguarded? Are losses or damage recorded and reported to the customer?
- Clause 7.6 — Is monitoring and measuring equipment calibrated or verified at specified intervals against standards traceable to international or national measurement standards, with records maintained? When equipment is found out of calibration, is the validity of previous measuring results assessed and recorded?
Section 5: Measurement, Analysis, and Improvement (Clause 8)
- Clause 8.2.1 — Is there a documented feedback system for gathering and monitoring information from post-production stages? Is feedback used as an input to risk management?
- Clauses 8.2.2–8.2.3 — Is there a documented procedure for handling complaints, including criteria for deciding whether an event is a complaint and whether it requires investigation? Do records show that complaints are evaluated and that reporting obligations to regulatory authorities have been met within the required timeframes?
- Clause 8.3 — Is there a documented procedure for nonconforming product control, with records of nonconformances and their disposition? Has the impact on delivered product been evaluated?
- Clause 8.5.2 — Are corrective actions documented, with root cause analysis performed, actions taken, and records showing verification of effectiveness?
- Clause 8.5.3 — Is there a documented preventive action process, and is it being used? Are records of preventive actions maintained through completion and effectiveness verification?
Common Findings That Derail Notified Body Assessments
Based on audit outcomes across my client work at Certify Consulting, seven clause areas generate the majority of major findings during Notified Body assessments:
| Clause Area | Common Finding | Risk Level |
|---|---|---|
| 7.3 Design Controls | Design inputs not traceable to outputs; validation gaps | High |
| 8.2.2 Complaints | Complaint determination criteria not documented; regulatory reporting (FDA MDR, EU vigilance) not demonstrated | High |
| 8.5.2 Corrective Action | Root cause analysis superficial; effectiveness verification missing | High |
| 7.4 Purchasing | Supplier re-evaluation overdue or criteria not defined | Medium |
| 6.2 Competence | Training records exist but effectiveness evaluation absent | Medium |
| 4.2.5 Records | Retention schedule missing or not applied consistently | Medium |
| 5.6 Management Review | Inputs incomplete; actions not followed to closure | Medium |
Design controls and complaints are where assessments fail most often, and in my experience those two areas are also where companies underinvest during internal audit preparation. If you're short on time, audit those sections hardest.
How to Structure Your Internal Audit Program for Maximum Readiness
Frequency and sampling. ISO 13485:2016 doesn't specify a number of audits per cycle, but it does require that the audit program account for the status and importance of processes and previous audit results. A risk-based audit frequency — auditing higher-risk processes like design controls and complaint handling more often — is both compliant and practical.
Auditor independence. Clause 8.2.4 requires that auditors not audit their own work. This sounds simple, but in smaller organizations it requires real planning. Document how you've handled this, because your Notified Body will ask.
Closing the loop. The internal audit record isn't complete until corrective actions from the audit are verified as effective and closed. Notified Body auditors will look at open corrective actions from your last internal audit cycle, and open items without verified closure read as a systemic problem regardless of the finding severity.
Timing before your Notified Body assessment. In my view, you want your internal audit complete and corrective actions closed at least 90 days before your assessment. That gives you time to demonstrate effectiveness verification without rushing it, and it gives you a clean audit trail to show the assessor.
What a 100% First-Time Pass Rate Actually Requires
I'm sometimes asked what separates companies that sail through their Notified Body assessment from companies that don't. In my experience, it comes down to one thing: the internal audit is treated as a real audit, not a self-congratulatory walkthrough.
That means using objective evidence — records, observations, interviews — not memory or assurances. It means writing findings honestly, even when a finding points at a process someone senior owns. And it means closing the findings with actual root cause analysis, not just a quick fix that addresses the symptom.
The companies in my client portfolio that have maintained a 100% first-time pass rate across Notified Body assessments share that discipline. They find the problems themselves. That's the whole advantage of an internal audit program — and it only works if you use it.
If you want help running a gap assessment or preparing your QMS for an upcoming Notified Body assessment, explore Certify Consulting's ISO 13485 services or reach out directly to discuss your timeline and scope.
Last updated: 2026-05-27
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.