Contact us now to get a quotation on our services

In this article let’s talk about internal audit. There is a lot of questions about audits, there may be organization facing the notified body audit very soon, and before that they want to do their internal audit, but they are not sure to how to do it and how to take it in a proper way.

Don’t worry, in this article I will go more deeply in terms of your Quality Management System and:

  • How can you do your internal audit properly?
  • How can you do it with your staff?
  • And also, how can you do an internal audit during a pandemic.

Recently I have published an episode on the same topic how to do internal audit. You can check that by the link below:

Here we are not talking about notified body or about your certification body that are coming to audit you.  If you want to know about the notified body audit you can check out this article on audit preparation for Notified body.

Download the PDF document of this article here:

Why do we need an internal audit?

We all know that an audit is an official inspection of a company, typically done by an independent body. So, now if you audit your own organization by yourself or with the support of a consultant prior to your third-party audit to make sure your Quality management system (QMS) is compliant, this is known as an internal audit.

If you are following the ISO 13485 or the 21 CFR part 820 it is clearly mentioned that you need to perform an internal audit. Because the internal audit is the tool that is helping you to verify that your Quality management system is compliant, efficient and maintained.

Manufactures should verify by themselves, and not wait for a third-party audit to do that for them. There is more information available on the ISO 13485 and on the FDA 21 CFR part 820 section 22, mentioning specifically how you can comply to the internal audit process for your quality management system.

But there is also a guideline available with ISO 19011, which is the way to audit quality system for your organization. It explains how you can select your team, how you can audit, what is the scope of the audit. It also tells you the good practices to perform an audit. In order to perform your internal audit effectively you can go through the guideline for better understanding.

Who can audit your company?

This is mainly one of the biggest questions, because a lot of people think that they have to hire some external body or external organization to do that but NO it’s not mandatory.

If you are a small business with a few employees within your company, taking the service of a consultant is the right solution, because you cannot audit something that you have worked on and processed yourself. An important point is that, while auditing you should be impartial and provide the right feedback about the system, so when you are doing it by yourself this would not be possible. Consequently, for small businesses it’s really important to hire some consultants who can do an impartial audit. When you hire a consultant, you need to train the consultants on your audit procedure, same as if they were employed by your company. If they have to perform an audit, they have to understand what are the requirements of your audit process.

You can also train your staff to perform the internal audits. Select employees from different departments like logistic, engineering and design etc. One employee for each department would be a good strategy. The objective is that those employees are auditing other departments. They should not audit their departments, person from logistics audit the design part and vice versa. You must also define what are the different steps they have to go through so that they are really trained for performing internal audit.

Some big companies have a dedicated team only for internal audits with a department called “Regulatory Compliance”. Regulatory compliance is a department that helps you to stay compliant. They go to different sites of your multinational company to perform the audits, to verify that these sites are following the global guidance and are compliant to all the procedures mentioned on the Quality Management System.

So, multiple strategies are possible to perform an internal audit for your company. There are three things that you can do

  • Hire a consultant that will verify your system
  • Train your staff that are not specialized in Quality
  • or have a regulatory compliance team helping your organization to verify all the sites of your organization

For the last option, those people can also help to exchange good practices between different sites. The important point for an internal audit is to verify compliance but also efficiency. If your system is not working correctly, you have to improve it.

So, by making those exchanges between the different places or different entities within your organization it can really help to improve and get some good practices from other entities.

Share this article


How to train your employees for an internal audit?

If you are hiring a consultant as we’ve said previously, you need to train him on you are companies audit procedure, so that they will be able to audit your works effectively.

When it comes to your own employees, here is a strategy but you can choose another one:

  • first you have to train them completely on the internal audit process. You can also train them to ISO 19011 as this is a good guideline on audit execution.
  • Then they can participate as an observer in two-three audits,
  • For the fourth audit they should audit as a co-auditor along with a lead auditor.
  • After three Co-audits, they can be a lead auditor for the internal audit.

Doing this, you show to your Notified Body that you are really not just taking any person on your company and giving them an audit to perform, but you have really followed some steps before to appoint them as an internal auditor for your organization.

When an internal employee performs the internal audit, he can also give some ideas and ways to improve your process. This can provide another view of your process and maybe with some stupid questions (Which are never stupid), you can find a golden solution.

Why this is great? Because when we have a notified body audit, they cannot give consultation to you and rarely they are providing ideas to improve, but with internal audit people from different departments auditing other departments, they can think out of box and give some good solutions to improve.

How many internal audits should a company do per year?

There are organizations doing internal audit once a year, for example they are planning one internal audit in June and every year at the same period they are reviewing the full process.

There are also organizations using their audit to verify that they are good before a certification audit or surveillance audit from a certification body or a notified body, but that’s not the right strategy because, if you find issues then you’ll have to open some non-conformities and then you might not have time to correct that before the certification body’s audit.

It is always better to show that you are really looking at your system periodically. To do that some companies are dividing the quality management system into three, four or five blocks. During the first quarter they look into some part of the system and deep dive into it. In the second quarter they look into a different part of the system etc. In this way you can show that there are multiple audits and you are checking the quality management system periodically. This gives you also some time to perform the corrections.

So, it is better to not make the internal audit, once a year and too close before the certification body audit.

EU MDR 2017/745 Training

During a pandemic how can we do internal audit?

We all know that due to a pandemic a lot of people are locked down at home and many organizations have adopted the practice of home-office with their employees. Even in this situation, you have to perform your internal audit. But maybe you can set up some flexibility on your quality management system too.

For example, on your Internal Audit procedure, you may say that the audit can be done within a fixed period date, plus one or two month as an extra time (with a justification), because as we all know there can be some issues that pop up and you have to justify why the audit cannot be done at the specified time. So, this is also teaching you another lesson. Have flexible procedures.

Virtual audits are also possible, if for example some people are working at the plant and some are working from home, a virtual audit can be set through a video conference call and documents can be shared on a shared folder. If you need to check the validation process then a validation procedure will be required and through video conference call you can ask for the documents to be placed on the shared folder or you can share your screen and open the document and show them exactly what they are looking for.

But to be clear, it’s really difficult to stay focused within a screen to always try to read things when people are waiting for you on the other side. It’s really difficult so be patient with the auditor and with all the team that are doing that, because it’s a learning curve. The idea is really to show that you did put all the resources in place and you have no issue in doing it remotely.

Please make sure to include that on your procedures, “that in case of no possibility to do audit on-site we authorize to do it remotely and here are the tools used etc.” Be flexible with your procedures that “you are writing what you are doing and then you are doing what you are writing” so don’t be too strict on some procedures explain that in some case we can do audit remotely. If you have not done it now on your procedure update it before the next internal audit. There will be a small chapter saying in case of some issues we can also use the virtual audit for performing our internals and you have to be explaining just how you do that what are the different cases it’s possible.

The objective of the audit either virtual or onsite is, you need to look at your process and you are trying to verify that your quality management system is confirmed, efficient and maintained.

How to deal with Non-conformance?

Non-conformance in general can be fair or not, sometimes you being the auditee know the consequences of non-conformance. For example, like in a football match as the referee gives his decision, we accept it, not saying anything back, the referee may not be right all the time. Same way we have to deal with auditor and non-conformance, accept it however small it may be, try to solve it and move to the next thing.

Keep in mind that the non-conformance you find will be on your audit report and will be seen by a notified body or certification body, because they have to check that you are really doing an internal audit and what are the non-conformance you have found. The notified body will not judge that you found a right one or wrong one, they just check whether the internal audit system is working correctly, instead of just faking it showing.

When you are writing your report, it should be really providing a lot of information that will help you understand the situation that happened, to understand how you solved the non-conformance, to show some evidence that you have solved them correctly and efficiently.

So, you should also remember that this report will be seen by a Notified body or certification body auditor, so write as much information as possible, first to remember the context of this audit (yourself) as this may have happened some months ago and then when the auditor reads it, he will have no questions to address and everything is clear to them.

Read also this article


During an audit issues can occur, but issues must be mostly minor ones instead of major ones. Though you cannot be so perfect major issues may occur but what matters is how you solve them properly. The important points to note in an internal audit is to:

  • Find issues yourself – do not wait for notification body/certification body to come and find the issues yourself. So that you can maintain a good quality management system.
  • Perform continuous improvement – use the internal audit as a tool to improve your system and process, do not try to hide things in the internal audit, as this may create more work and problem during a notified body audit. Fix any issues as soon as possible and show the auditor that your maintaining the quality management system in a good way.
  • Increase awareness – Educate your team as much as possible. During an internal audit when an internal employee does the audit for other departments, they are happy because they are able to learn what’s happening in another area of the company. What are the issues occurring? How they have identified and solved them? etc… They can then understand what’s happening before and what is happening after the audit.
  • Satisfy external auditors – During external audit, mostly only the quality manager sits with the auditor explaining things and showing the document, but if each department faces the auditor explaining their procedures, which are specific to their department, then it shows that the organization is concerned by the quality and gives importance to it.

So, don’t think that internal audit is just a formality that you have just to check a box, it can be a powerful tool for your company to change the culture to increase awareness to increase quality and also to show to your notified body that your company is really quality focused.

Do you need an Internal Auditor?

Contact us to get your quotation for an internal audit regarding ISO 13485, EU MDR & IVDR or MDSAP.

We can also perform a mock inspection prior to your Notified Body audit. This can help your team to get prepared to the type of questions that the auditor will ask.

How to perform your Internal Audit the right way? [ISO & QSR]
Article Name
How to perform your Internal Audit the right way? [ISO & QSR]
Internal audit is a tool that is available within ISO 13485 or QSR 21 CFR part 820. We will explain how to perform it the right way. We will also explain the way to do internal audits during a pandemic.
Publisher Name
Easy Medical Device
Publisher Logo
Categories: Quality

Monir El Azzouzi

Medical Device expert. Monir founded Easy Medical Device to help Medical Device companies to place compliant products on the market. He proposes his consulting services so don't hesitate to contact him at or +41799036836 My objective is to share my knowledge and experience with the community of people working in the Medical Device field.

UK Representative from January 1st, 2021

Contact us