
Internal Audits: Why They Matter for Your Quality Management System

Why Internal Audits Matter More Than You Think (Especially in Medical Device Companies)

In many medical device companies, internal audits are often seen as something that must be done simply because the standard requires it, whether the quality management system has been built to comply with ISO 13485, FDA QMSR, MDSAP, or EU MDR.

A checkbox. Something that needs to be completed so the requirement can be marked as fulfilled.

Something to finish before the notified body audit.

But in reality, internal audits are one of the most powerful tools an organization has to understand how well its quality management system actually works.

When done properly, internal audits are not about finding mistakes; they are about learning how the system functions in real life. The mindset should also be that it is actually a positive outcome when issues or mistakes are identified, because there is always room for improvement.

They provide a way to truly validate whether the system actually works, or whether we have simply built a set of processes that fulfill regulatory requirements but do not support everyday work.

Internal audits are also a great way to prepare for external audits. They allow organizations to identify gaps, clarify responsibilities, and ensure that processes are actually implemented before a notified body or regulatory inspection takes place.

What is an Internal Audit?

An internal audit is a systematic and independent review of a company’s processes and quality management system (QMS).

That is what the standard directly says.

But what does it actually mean in practice?

In reality, an internal audit is simply a way to step back and look at how the organization truly operates. It is an opportunity to ask whether the processes described in procedures and documents are actually followed in everyday work and whether they support the way personnel work in practice. This is actually one of the most common mistakes when building a medtech QMS: creating processes that fulfill regulatory requirements but do not reflect how people actually work.

In medical device (medtech) companies, internal audits play a particularly important role because the quality management system must ensure both regulatory compliance and the safe development and manufacturing of medical devices.

It is also a great opportunity to involve process owners and users, and to collect feedback on whether the processes really work in practice or whether there is room for improvement.

Often companies have well-written procedures that meet regulatory requirements on paper. However, internal audits help reveal whether those processes are really implemented, understood by the team, and functioning as intended within the QMS.

The purpose of an internal audit is to verify that:

• the organization follows its own procedures
• the QMS complies with regulatory requirements (e.g. ISO 13485, EU MDR, FDA QMSR)
• processes defined in the QMS actually work as intended in practice

Internal audits help identify gaps, weaknesses, and risks in the QMS before they become bigger problems.

In other words, they allow companies to fix issues early, long before a regulator or notified body finds them, and before a potential risk turns into a real problem.

Common Mistakes Companies Make

Many organizations struggle with internal audits for simple reasons.

Some audits are performed too late, often only shortly before certification.

Sometimes the audit becomes a quick document review rather than a real evaluation of how processes work in practice.

Another common issue is lack of independence: the person auditing the process may also be responsible for it. Internal audits must be independent, meaning that auditors cannot audit their own work.

In such cases, the audit rarely reveals the real challenges and does not provide the required output.

Who Can Perform an Internal Audit?

One common question organizations ask is: who is allowed to perform internal audits?

ISO 13485 does not require internal auditors to hold a specific certification. However, the standard does require that auditors are competent, objective, and independent from the activities being audited.

In practice, this competence is often demonstrated through relevant training, experience in the audited area, and auditor training based on guidelines such as ISO 19011, which provides guidance for auditing management systems. 

In practice, this means a few key things.

First, the auditor must have sufficient knowledge of quality management systems and the relevant regulatory requirements, such as ISO 13485, EU MDR, or FDA regulations where applicable.

Second, the auditor must understand the process being audited well enough to evaluate whether it works as intended. For example, an auditor cannot effectively audit design controls without having sufficient knowledge or competence in design control processes.

Third, and very importantly, the auditor must be independent from the process they are auditing. This means that auditors cannot audit their own work or processes for which they are directly responsible.

Fourth, the auditor must have sufficient auditing competence and experience, including an understanding of how to plan, conduct, and report audits in a structured and objective manner.

Organizations typically address this requirement by:

  • auditing processes across departments
  • using trained internal auditors from different functions
  • or using an external auditor to ensure independence and to gain the full benefit of the audit through an objective external review and practical feedback.

Many companies, especially smaller organizations, choose to use external support for internal audits to ensure both independence and sufficient audit experience.

Organizations should also ensure that the competence of internal auditors is documented. Evidence of training, experience, and auditing competence should be recorded as part of the quality management system records.

Many organizations maintain a list of approved internal auditors, including documentation of their qualifications, training, and audit experience.

Internal Audits Should Be a Learning Tool

The best internal audits are not designed to “pass an exam”.

They are designed to improve the system.

A good audit should raise questions such as:

  • Do our procedures reflect how work is actually done?
  • Are responsibilities clearly defined?
  • Are risks identified and properly managed?
  • Is documentation sufficient to support regulatory compliance?
  • Do the processes actually work in practice, or do they only exist in written procedures?
  • Is there a need for extra training for personnel?

These discussions often provide valuable insights that improve both quality and efficiency.

Something to think about in an AI-driven world

Today, building a medtech quality management system (QMS) has become easier than ever. There are numerous digital QMS platforms and AI-based tools that can quickly generate procedures and documentation that align with regulatory requirements such as ISO 13485.

But an important question remains: does the system only fulfill the regulatory requirements, or does it actually work for the organization using it?

It is relatively easy to build a system that looks correct on paper. However, a quality management system only becomes valuable when the processes are designed around the organization’s real way of working and are actually followed in everyday practice.

This is where internal audits become an extremely important tool.

Final Thought

A strong quality system is not created by documents alone.

It is built through continuous evaluation, discussion, and improvement.

In medical device companies, internal audits should not be seen as a mandatory item on the calendar.
Instead, they are one of the most effective tools for learning, validating how the system works in practice, and identifying weaknesses and potential risk areas in the organization before they become real problems.

At Nometech, we support medical device companies in building and evaluating quality systems, including independent internal audits aligned with ISO 13485 and regulatory expectations. Contact us and let's discuss more: https://nometech.eu/about/