
QMSR / ISO 13485 §820.180 (now inspectable)

Maps to

QMSR / ISO 13485: §820.180 (now inspectable)

ISO 13485: §8.2.4

Requirement text

Internal audits shall be conducted at planned intervals to determine whether the QMS conforms to planned arrangements and is effectively maintained.

What changed

The most significant change for internal audits under the QMSR is not in the audit requirements themselves but in their visibility. Under the legacy QSR, section 820.180(c) explicitly exempted internal audit reports, management review records, and supplier audit documentation from FDA inspection. The QMSR removes this exemption entirely. Internal audit reports, findings, corrective actions, and all supporting documentation are now subject to FDA review during inspections.

The FDA preamble justified this change by noting that manufacturers already provide these documents to other regulatory authorities globally (notified bodies, MDSAP auditors), so making them available to FDA inspectors does not create additional burden. However, this represents a fundamental shift in how organizations must approach internal audit documentation. Findings, observations, and especially audit nonconformities will now be directly visible to FDA investigators, meaning audit reports must be written with the understanding that they are inspection-ready documents.

ISO 13485 clause 8.2.4 adds more structure to internal audit programs than Part 820 required. Specifically, it requires: a documented audit procedure; a risk-based audit program that considers process status, importance, and previous audit results when determining audit frequency and scope; defined audit criteria and scope for each audit; documented auditor independence requirements; and formal corrective action tracking to closure with verification. Part 820.22 required quality audits but with less explicit structure around planning, risk-based scheduling, and auditor qualification.

The combination of increased FDA visibility and more rigorous program requirements means organizations must simultaneously upgrade their audit program maturity and ensure every audit artifact is defensible under regulatory scrutiny.

Atomic constraints

  • Audit program must be planned
  • Audit criteria and scope must be defined
  • Auditor independence must be ensured
  • Audit results must be recorded
  • Corrective actions must be tracked to closure

Common gaps

Audit Reports Not Inspection-Ready

major

With the removal of 820.180(c) confidentiality protections, internal audit reports are now subject to FDA review. Many organizations have audit reports that contain informal language, incomplete corrective action records, or findings without documented closure evidence. These reports were never written with the expectation of regulatory scrutiny.

Lack of auditor impartiality

major

Quality Managers are auditing the Quality Department, or engineers are auditing their own design projects. ISO 13485 §8.2.4 requires auditors to be impartial.

Failure to address audit findings

major

Internal audits identify 'critical' gaps, but no CAPA is opened and no follow-up is documented. Under QMSR, this is now visible to the FDA.

No Risk-Based Audit Scheduling

moderate

ISO 13485 requires that audit frequency and scope account for process status, importance, and results of previous audits. Many legacy audit programs use a simple annual schedule that covers all QMS elements equally, without risk-based prioritization of high-risk or historically problematic processes.

Undocumented Auditor Independence

moderate

ISO 13485 requires that auditors do not audit their own work and that independence is documented. Many small to mid-size organizations lack formal auditor qualification records or assign auditors to areas where independence cannot be demonstrated.

Evidence signals

  • FILE_EXISTS

    (Internal.*Audit|Audit.*Schedule|Audit.*Report|Audit.*Finding|Audit.*SOP)

  • CONTENT_MATCH

    Does this document describe internal audit planning, execution, findings, or corrective action tracking?

Audit defense

Internal audits for our QMS are documented in [your document ID]. The audit program covers all QMS elements at planned intervals with independent auditors. Findings are formally recorded and corrective actions tracked to verified closure per ISO 13485 8.2.4.
