Summary

An Audit Plan is a structured document that defines the scope, objectives, timing, and logistics of an internal or external audit. It serves as a roadmap for systematically evaluating your Quality Management System (QMS) against regulatory standards like ISO 13485 and applicable regulations. The plan ensures audits are conducted efficiently, cover all critical areas, and provide meaningful insights for continuous improvement of your quality processes.

Why is an Audit Plan important?

The Audit Plan exists because regulatory frameworks require systematic verification that your quality management system actually works as intended. Rather than hoping your processes are compliant, audits provide objective evidence that your procedures are being followed and are effective.

For medical device manufacturers, an Audit Plan is crucial because it demonstrates proactive quality management to regulatory authorities. It shows you’re not just documenting processes but actively monitoring and improving them. This systematic approach helps prevent quality issues that could affect patient safety and ensures you can respond effectively when notified bodies or regulatory inspectors arrive. Without proper audit planning, you risk missing critical compliance gaps, wasting resources on unfocused reviews, and facing regulatory sanctions for inadequate oversight of your quality system.

Regulatory Context

Under 21 CFR Part 820 (Quality System Regulation):

  • Quality audits are mandatory under Section 820.22
  • Must be conducted by individuals not directly responsible for areas being audited
  • Results must be documented and reviewed by management with executive responsibility
  • Audit findings must feed into your Corrective and Preventive Action (CAPA) system

Special attention required for:

  • Design controls (820.30) - especially for software medical devices
  • CAPA system effectiveness (820.100)
  • Production and process controls (820.70)
  • Document controls and change management (820.40)

Guide

Your Audit Plan must address four essential components that work together to ensure comprehensive and effective audits. Each section builds upon the previous to create a complete audit framework.

1. Information and Participants

The audit information section establishes the fundamental logistics that make your audit possible. You must specify the exact date and time when the audit will occur, allowing all participants to prepare adequately. The audit location should be clearly defined, whether it’s your main facility, a specific department, or conducted virtually. This information ensures everyone knows when and where to be present.

The auditor information identifies who will conduct the audit and their qualifications. For internal audits, you must ensure auditors are independent from the areas they’re auditing - someone from software development cannot audit software processes. Include the lead auditor’s name, position, and company to establish clear accountability. If multiple auditors participate, document each person’s role and expertise to ensure proper coverage of all audit areas.

Your audit participants section lists company employees who will be directly involved during the audit. Focus on subject matter experts for each process being reviewed rather than creating an exhaustive list. Include their names and specific roles relevant to the audit scope. Remember this is a planned list - the actual participants may change slightly during the audit based on auditor requests or availability.

2. Audit Criteria

The audit scope defines exactly which standards, regulations, and internal procedures will be evaluated during this specific audit. You must clearly indicate which criteria are covered in this audit versus which are excluded. This prevents scope creep and ensures focused, efficient use of audit time.

Common audit criteria include ISO 13485:2016 for quality management, ISO 14971:2019 for risk management, EU MDR 2017/745 or FDA 21 CFR 820 for regulatory compliance, and IEC 62304 for software lifecycle processes. Don’t try to cover everything in one audit - it’s more effective to focus on specific areas and cycle through your entire QMS over time.

The scope should align with your audit program that schedules different QMS elements across multiple audits. For example, one audit might focus on design controls and risk management, while another covers post-market surveillance and CAPA processes.

3. Audit Activities

Your audit activities section provides a detailed schedule that transforms the audit from a general concept into specific, actionable time blocks. Each activity should include the date, time range, specific topic or process being reviewed, applicable audit criteria, and designated participants.

Start with an opening meeting to set expectations and review the audit plan. Schedule sufficient time for each process review - complex areas like design controls typically require more time than simpler processes like document control. Include breaks and lunch to maintain productivity and allow for informal discussions that often reveal important insights.

Plan for a closing meeting where auditors present preliminary findings and discuss next steps. Be realistic with timing - rushing through important processes defeats the purpose of systematic evaluation. Allow flexibility for auditors to spend additional time in areas where they identify concerns.

4. Template Variable Configuration

Based on the template structure, you need to populate five key elements:

The audit-information table captures basic logistics including audit date, time, and location. The auditor-information table identifies lead auditors and supporting auditors with their positions and companies. The audit-participants table lists your company personnel who will participate, focusing on process owners and subject matter experts.

The audit-scope table marks which standards and regulations are covered in this specific audit, allowing you to focus efforts and manage scope effectively. The audit-activities table provides the detailed schedule with dates, times, topics, criteria, and participants for each audit session.

Each table supports adding additional rows as needed, giving you flexibility to accommodate complex audits involving multiple auditors, extensive participant lists, or detailed activity schedules spanning multiple days.

Example

Scenario: You’re planning an internal audit of your document control and risk management processes before an upcoming notified body assessment. Your quality manager will lead the audit, supported by a senior engineer who’s independent from both processes. The audit will review ISO 13485 requirements and your internal procedures to ensure everything is working effectively and ready for external scrutiny.

Complete Audit Plan Document

Audit Plan

ID: AP-2024-001

1. Information and Participants

| Audit Information | Details |
|---|---|
| Audit Date | March 15, 2024 |
| Audit Time | 09:00 - 17:00 |
| Audit Location | Main Office, Conference Room B |

| Auditor Information | Details |
|---|---|
| Lead Auditor Name | Sarah Johnson |
| Lead Auditor Position & Company | Quality Manager, MedDevice Solutions Inc. |
| Auditor Name | Michael Chen |
| Auditor Position & Company | Senior Process Engineer, MedDevice Solutions Inc. |

2. Planned Audit Participants

| Name | Position / Role |
|---|---|
| Emily Rodriguez | Document Control Specialist |
| David Kim | Risk Management Lead |
| Jennifer Martinez | Regulatory Affairs Manager |
| Thomas Anderson | Software Development Manager |

3. Audit Criteria

| Audit Criterion | Covered in this Audit |
|---|---|
| EN ISO 13485:2016 | Yes |
| ISO 14971:2019 | Yes |
| (EU) Medical Device Regulation 2017/745 | Partially (Articles 10, 61) |
| IEC 62304:2006 | No |
| IEC 62366-1:2015 | No |
| FDA Quality System Regulation (21 CFR 820) | No |
| Internal SOP-003 Document Control | Yes |
| Internal SOP-007 Risk Management | Yes |

4. Audit Activities

| Date | Time | Topic / Process / Requirement | Audit Criteria | Participants |
|---|---|---|---|---|
| March 15, 2024 | 09:00 - 09:30 | Opening Meeting & Audit Plan Review | ISO 13485:2016, cl 8.2.4 | All participants |
| March 15, 2024 | 09:30 - 11:30 | Document Control Process Review | ISO 13485:2016, cl 4.2.4, 4.2.5; SOP-003 | Emily Rodriguez, Jennifer Martinez |
| March 15, 2024 | 11:30 - 11:45 | Break | N/A | N/A |
| March 15, 2024 | 11:45 - 13:00 | Document Control Records Review | ISO 13485:2016, cl 4.2.5 | Emily Rodriguez |
| March 15, 2024 | 13:00 - 14:00 | Lunch | N/A | N/A |
| March 15, 2024 | 14:00 - 15:30 | Risk Management Process Review | ISO 14971:2019, cl 4-8; SOP-007 | David Kim, Thomas Anderson |
| March 15, 2024 | 15:30 - 15:45 | Break | N/A | N/A |
| March 15, 2024 | 15:45 - 16:30 | Risk Management Files Review | ISO 14971:2019, cl 9; MDR Art 61 | David Kim, Jennifer Martinez |
| March 15, 2024 | 16:30 - 17:00 | Closing Meeting & Next Steps | ISO 13485:2016, cl 8.2.4 | All participants |

Q&A