CROSSWALK

QMSR / ISO 13485 §820.180

WHAT CARRIES OVER

Documented audit program, independent auditors, findings records, and corrective action tracking — 820.22 audit requirements preserved.

WHAT’S NEW

820.180(c) inspection exemption removed — audit reports are now directly inspectable; risk-based scheduling and auditor independence must be documented.

AUDIT FOCUS

Audit reports and finding-to-closure records — previously informal internal audit documentation must now be inspection-ready.

Maps to

QMSR / ISO 13485: §820.180 General requirements.

ISO 13485: §8.2.4 Internal audit

Requirement text

Internal audits shall be conducted at planned intervals to determine whether the QMS conforms to planned arrangements and is effectively maintained.

Why this clause exists

The internal audit program is the QMS's self-correcting mechanism: it provides a systematic, periodic evaluation of whether the quality management system is actually operating as documented and whether documented arrangements are adequate for the organization's regulatory obligations. Without internal audits, an organization may believe its QMS is effective because no external finding has surfaced, while gaps accumulate in procedures, implementation, or conformance that would be visible under any objective examination. QMSR's incorporation of ISO 13485:2016 § 8.2.4 adds important scope beyond what Part 820 required: internal audits must evaluate conformance not only to documented arrangements but also to ISO 13485 requirements and applicable regulatory requirements — expanding the audit scope to include regulatory conformance, not just internal procedure conformance. The removal of the 820.180(c) records exemption under QMSR means that internal audit records — programs, plans, reports, and follow-up actions — are now fully subject to FDA inspection and cannot be protected from review. Auditor independence is structurally required because an auditor evaluating their own work cannot provide objective assessment; the independence requirement creates the conditions under which audits can surface real findings rather than confirmations of desired conclusions. The follow-up and verification step is where the program earns its value: an audit that identifies findings without verifying that corrections were effective is an incomplete cycle — the improvement loop is only closed when corrective action has been verified.

What changed

§820.180 — Part 820 (legacy)

"All records required by this part shall be maintained at the manufacturing establishment or other location that is reasonably accessible to responsible officials of the manufacturer and to employees of FDA designated to perform inspections. Such records, including those not stored at the inspected establishment, shall be made readily available for review and copying by FDA employee(s). Such records shall be legible and shall be stored to minimize deterioration and to prevent loss. Those records stored in automated data processing systems shall be backed up. Confidentiality. Records deemed confidential by the manufacturer may be marked to aid FDA in determining whether information may be disclosed under the public information regulation in part 20 of this chapter. Record retention period. All records required by this part shall be retained for a period of time equivalent to the design and expected life of the device, but in no case less than 2 years from the date of release for commercial distribution by the manufacturer. Exceptions. This section does not apply to the reports required by § 820.20(c) Management review, § 820.22 Quality audits, and supplier audit reports used to meet the requirements of § 820.50(a) Evaluation of suppliers, contractors, and consultants, but does apply to procedures established under these provisions. Upon request of a designated employee of FDA, an employee in management with executive responsibility shall certify in writing that the management reviews and quality audits required under this part, and supplier audits where applicable, have been performed and documented, the dates on which they were performed, and that any required corrective action has been undertaken."

+

§8.2.4 — ISO 13485:2016 (current)

"The organization shall conduct internal audits at planned intervals to determine whether the quality management system: a) conforms to planned and documented arrangements, requirements of this International Standard, quality management system requirements established by the organization, and applicable regulatory requirements; b) is effectively implemented and maintained. The organization shall document a procedure to describe the responsibilities and requirements for planning and conducting audits and recording and reporting audit results. An audit program shall be planned, taking into consideration the status and importance of the processes and area to be audited, as well as the results of previous audits. The audit criteria, scope, interval and methods shall be defined and recorded (see 4.2.5). The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work. Records of the audits and their results, including identification of the processes and areas audited and the conclusions, shall be maintained (see 4.2.5). The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results. NOTE Further information can be found in ISO 19011."

Δ Internal audit (not general records) is the ISO 13485 counterpart here; the audit program must be risk-prioritized using previous audit results, and follow-up must include verified closure of nonconformities.

Common gaps (what we see in audits)

  • Audit Reports Not Inspection-Ready: With the removal of 820.180(c) confidentiality protections, internal audit reports are now subject to FDA review. Many organizations have audit reports that contain informal language, incomplete corrective action records, or findings without documented closure evidence. These reports were never written with the expectation of regulatory scrutiny.
  • Lack of auditor impartiality: Quality Managers are auditing the Quality Department, or engineers are auditing their own design projects. ISO 13485 §8.2.4 requires auditors to be impartial.
  • Failure to address audit findings: Internal audits identify 'critical' gaps, but no CAPA is opened and no follow-up is documented. Under QMSR, this is now visible to the FDA.
  • No Risk-Based Audit Scheduling: ISO 13485 requires that audit frequency and scope account for process status, importance, and results of previous audits. Many legacy audit programs use a simple annual schedule that covers all QMS elements equally, without risk-based prioritization of high-risk or historically problematic processes.
  • Undocumented Auditor Independence: ISO 13485 requires that auditors do not audit their own work and that independence is documented. Many small to mid-size organizations lack formal auditor qualification records or assign auditors to areas where independence cannot be demonstrated.
