Are We Misunderstanding Internal Audits?

Introduction

Does your organization conduct internal audits as an exercise in fault-finding? Internal auditing is not merely an activity designed to identify errors and problems. Rather, it is an activity whose primary purpose is to improve the entire Quality Management System (QMS) through verification of the QMS’s conformity and effectiveness. The presence or absence of this awareness significantly influences the impact and value of internal audits.

ISO 13485:2016 establishes two principal requirements regarding internal audits: confirmation of QMS conformity and confirmation of QMS effectiveness. When these two elements function in a mutually complementary manner, the organization can achieve meaningful improvement in overall quality performance.

The True Nature and Role of Internal Audits

Internal audits are not designed to identify faults; rather, they serve as a critical tool for evaluating the conformity and effectiveness of the QMS and, based on those findings, implementing improvements that enhance the organization’s overall performance. In essence, internal audits form the foundation for building a quality culture within the organization and establishing a mechanism for continuous improvement.

Regulatory authorities and certification bodies assess the organization’s commitment to QMS through the results of internal audits and the organization’s approach to implementing improvements based on audit findings. A well-developed internal audit program directly contributes to enhanced credibility during external audits. Therefore, internal auditing should be positioned not merely as a compliance activity, but as an integral part of management strategy.

Confirmation of QMS Conformity

Scope of Conformity Verification

Organizations must conduct internal audits to evaluate conformity to the following matters:

Verification of conformity to the organization’s planned and documented arrangements means assessing whether the quality policy, quality objectives, and procedures or work instructions established by each department are actually being executed. This process verifies that the organization’s internal commitments are being fulfilled.

Verification of conformity to ISO 13485’s requirements encompasses all core elements of a medical device QMS, including quality management, resource management, product realization, and measurement, analysis, and improvement.

Verification of conformity to QMS requirements established by the organization means confirming the status of conformity to specific KPIs (Key Performance Indicators), control metrics, or designated areas for strengthening as specified by management.

Verification of conformity to applicable regulatory requirements means assessing adherence to the regulatory requirements of each jurisdiction in which the organization conducts business. This includes simultaneous compliance verification against multiple regulatory frameworks such as FDA 21 CFR Part 820, EU MDR, the Pharmaceuticals and Medical Devices Act (PMDA Act), and relevant PMDA notifications.

Methods of Conducting Conformity Verification

Internal audits must be conducted at planned intervals with appropriate frequency to ensure conformity to these requirements. Through such conformity verification, the organization can determine whether its QMS possesses sufficient compliance with both external regulations and internal standards.

Organizations are expected to plan internal audits at appropriate frequencies and adopt a risk-based approach. Although all processes and departments fall within the audit scope, special emphasis should be placed on high-risk areas, processes with significant customer impact, and areas prone to regulatory observations. For example, design and development processes, manufacturing process control, complaint handling, Corrective and Preventive Actions (CAPA), and supplier management are typically planned as high-priority audit areas.

The audit plan must include the audit’s objectives, scope, methods, and schedule, all of which must be documented. Many organizations employ a two-tier planning structure: a master audit schedule (annual plan) and detailed audit plans (formulated 2-3 weeks prior to execution). During the planning phase, consideration should also be given to the status of corrective actions from previous audits and the occurrence of significant organizational changes (process modifications, personnel changes, new product introductions, etc.).

During audit execution, it is essential to maintain objectivity and independence, ensuring that auditors are not influenced by the auditee. In other words, a department manager should avoid auditing their own department; auditors should be drawn from different departments whenever possible. In smaller organizations where independence is difficult to ensure, alternative measures such as engaging external experts should be considered. Auditors require appropriate knowledge of the audited processes, understanding of ISO 13485 requirements, and training in audit techniques.

Conformity verification extends beyond documentary review; it must verify how processes are actually being implemented and whether daily operations proceed as planned. Therefore, auditors must examine relevant records, observe actual process operations in the field, and conduct interviews with involved personnel. For example, in a manufacturing process audit, review of work instruction documents alone is insufficient; direct observation of manufacturing activities and verification of quality record entries are essential.

Confirmation of QMS Effectiveness

The Significance of Effectiveness Verification

Evaluating whether the QMS is effectively implemented, maintained, and functioning to achieve expected results is also a critical objective of internal audits. Whereas conformity verification asks “Are planned activities being executed as planned?” effectiveness verification poses a higher-order question: “Are the executed activities producing the outcomes the organization intends to achieve?”

This evaluation includes verifying the degree to which the QMS is achieving its intended results and determining whether necessary measures are in place to sustain those results. For example, if a corrective action process is functioning effectively, the same nonconformity should not recur. Declining trends in customer complaints or reduced severity levels indicate QMS effectiveness.

Effectiveness verification evaluates QMS functionality across the entire product lifecycle, from design and development through Post-Market Surveillance (PMS). Additionally, the achievement of quality objectives, customer satisfaction, and various internal quality metrics established by the organization serve as evaluation criteria.

Implementing Effectiveness Verification and Linking It to Improvement

Organizations must implement corrective actions for nonconformities and improvement opportunities identified through audits and verify their effectiveness. This process prevents problem recurrence and promotes overall system improvement.

ISO 13485 emphasizes that corrective action execution and follow-up be documented and appropriately managed. Following corrective action implementation, verification is necessary to confirm that the corrective action has indeed been effective, that is, that the root cause has been eliminated and the problem has not recurred. This verification typically occurs during subsequent audits.

When the effectiveness of corrective actions is confirmed, the organization can proceed to the next stage of improvement activities, and the reliability of quality management processes is enhanced. Through this approach, the organization can position internal auditing within a continuous improvement cycle, moving beyond reactive problem management. The evaluation of effectiveness transcends mere compliance verification; it continuously assesses whether the process itself is delivering expected results—a critical factor in the organization’s quality improvement. For instance, if a supplier monitoring process is effective, the defect rate of products received from suppliers should decrease. If a design change management process is effective, quality problems resulting from changes should be minimized. Evaluating QMS effectiveness through such qualitative and quantitative metrics is pragmatic and meaningful.

Practical Perspectives for Enhancing Internal Audit Effectiveness

Integrated Operation of the Audit Program

Internal audits must not function in isolation; they must be closely coordinated with Corrective and Preventive Actions (CAPA) processes, management review, and continuous improvement activities. For example, nonconformities identified in internal audits should be discussed in management review meetings, where improvement priorities are determined, thereby establishing integrated operations.

Furthermore, internal audit results should not be merely archived as records; they should be utilized in fostering the organization’s quality culture. For instance, analysis of audit results can help the organization recognize its strengths (processes already functioning effectively) and weaknesses (areas for improvement), and sharing these insights across the organization elevates quality awareness among all personnel.

Preparation for External Audits

A comprehensive internal audit program serves as preparation for periodic audits conducted by certification bodies and unannounced inspections by regulatory authorities. External auditors assess the organization’s commitment to QMS improvement by reviewing internal audit results. Conversely, if internal audits are conducted merely as a formality and audit findings are not addressed through corrective actions, the number of external audit observations will likely increase.

Conclusion

The true purpose of internal auditing is not “fault-finding” but rather “enhancement of overall organizational quality performance.” Internal audits should be positioned within the continuous process of evaluating and improving the QMS from both conformity and effectiveness perspectives. When this understanding is shared throughout the organization, internal auditing evolves from a mere compliance activity into a critical management tool that supports organizational success.
