Summary
An Audit Plan is a structured document that defines the scope, objectives, timing, and logistics of an internal or external audit. It serves as a roadmap for systematically evaluating your Quality Management System (QMS) against regulatory standards like ISO 13485 and applicable regulations. The plan ensures audits are conducted efficiently, cover all critical areas, and provide meaningful insights for continuous improvement of your quality processes.

Why is an Audit Plan important?
The Audit Plan exists because regulatory frameworks require systematic verification that your quality management system actually works as intended. Rather than hoping your processes are compliant, audits provide objective evidence that your procedures are being followed and are effective.

For medical device manufacturers, an Audit Plan is crucial because it demonstrates proactive quality management to regulatory authorities. It shows you’re not just documenting processes but actively monitoring and improving them. This systematic approach helps prevent quality issues that could affect patient safety and ensures you can respond effectively when notified bodies or regulatory inspectors arrive.

Without proper audit planning, you risk missing critical compliance gaps, wasting resources on unfocused reviews, and facing regulatory sanctions for inadequate oversight of your quality system.

Regulatory Context
Under 21 CFR Part 820 (Quality System Regulation):
- Quality audits are mandatory under Section 820.22
- Must be conducted by individuals not directly responsible for areas being audited
- Results must be documented and reviewed by management with executive responsibility
- Audit findings must feed into your Corrective and Preventive Action (CAPA) system
Special attention required for:
- Design controls (820.30) - especially for software medical devices
- CAPA system effectiveness (820.100)
- Production and process controls (820.70)
- Document controls and change management (820.40)
Guide
Your Audit Plan must address four essential components that work together to ensure comprehensive and effective audits. Each section builds upon the previous to create a complete audit framework.

1. Information and Participants
The audit information section establishes the fundamental logistics that make your audit possible. You must specify the exact date and time when the audit will occur, allowing all participants to prepare adequately. The audit location should be clearly defined, whether it’s your main facility, a specific department, or conducted virtually. This information ensures everyone knows when and where to be present.

The auditor information identifies who will conduct the audit and their qualifications. For internal audits, you must ensure auditors are independent from the areas they’re auditing - someone from software development cannot audit software processes. Include the lead auditor’s name, position, and company to establish clear accountability. If multiple auditors participate, document each person’s role and expertise to ensure proper coverage of all audit areas.

Your audit participants section lists company employees who will be directly involved during the audit. Focus on subject matter experts for each process being reviewed rather than creating an exhaustive list. Include their names and specific roles relevant to the audit scope. Remember this is a planned list - the actual participants may change slightly during the audit based on auditor requests or availability.

2. Audit Criteria
The audit scope defines exactly which standards, regulations, and internal procedures will be evaluated during this specific audit. You must clearly indicate which criteria are covered in this audit versus which are excluded. This prevents scope creep and ensures focused, efficient use of audit time.

Common audit criteria include ISO 13485:2016 for quality management, ISO 14971:2019 for risk management, EU MDR 2017/745 or FDA 21 CFR 820 for regulatory compliance, and IEC 62304 for software lifecycle processes. Don’t try to cover everything in one audit - it’s more effective to focus on specific areas and cycle through your entire QMS over time.

The scope should align with your audit program that schedules different QMS elements across multiple audits. For example, one audit might focus on design controls and risk management, while another covers post-market surveillance and CAPA processes.

3. Audit Activities
Your audit activities section provides a detailed schedule that transforms the audit from a general concept into specific, actionable time blocks. Each activity should include the date, time range, specific topic or process being reviewed, applicable audit criteria, and designated participants.

Start with an opening meeting to set expectations and review the audit plan. Schedule sufficient time for each process review - complex areas like design controls typically require more time than simpler processes like document control. Include breaks and lunch to maintain productivity and allow for informal discussions that often reveal important insights. Plan for a closing meeting where auditors present preliminary findings and discuss next steps.

Be realistic with timing - rushing through important processes defeats the purpose of systematic evaluation. Allow flexibility for auditors to spend additional time in areas where they identify concerns.

4. Template Variable Configuration
Based on the template structure, you need to populate five key elements:
- The audit-information table captures basic logistics including audit date, time, and location.
- The auditor-information table identifies lead auditors and supporting auditors with their positions and companies.
- The audit-participants table lists your company personnel who will participate, focusing on process owners and subject matter experts.
- The audit-scope table marks which standards and regulations are covered in this specific audit, allowing you to focus efforts and manage scope effectively.
- The audit-activities table provides the detailed schedule with dates, times, topics, criteria, and participants for each audit session.

Each table supports adding additional rows as needed, giving you flexibility to accommodate complex audits involving multiple auditors, extensive participant lists, or detailed activity schedules spanning multiple days.

Example
Scenario: You’re planning an internal audit of your document control and risk management processes before an upcoming notified body assessment. Your quality manager will lead the audit, supported by a senior engineer who’s independent from both processes. The audit will review ISO 13485 requirements and your internal procedures to ensure everything is working effectively and ready for external scrutiny.

Complete Audit Plan Document
Audit Plan ID: AP-2024-001

1. Information and Participants

| Audit Information | Details |
|---|---|
| Audit Date | March 15, 2024 |
| Audit Time | 09:00 - 17:00 |
| Audit Location | Main Office, Conference Room B |

| Auditor Information | Details |
|---|---|
| Lead Auditor Name | Sarah Johnson |
| Lead Auditor Position & Company | Quality Manager, MedDevice Solutions Inc. |
| Auditor Name | Michael Chen |
| Auditor Position & Company | Senior Process Engineer, MedDevice Solutions Inc. |

2. Planned Audit Participants

| Name | Position / Role |
|---|---|
| Emily Rodriguez | Document Control Specialist |
| David Kim | Risk Management Lead |
| Jennifer Martinez | Regulatory Affairs Manager |
| Thomas Anderson | Software Development Manager |

3. Audit Criteria

| Audit Criterion | Covered in this Audit |
|---|---|
| EN ISO 13485:2016 | Yes |
| ISO 14971:2019 | Yes |
| (EU) Medical Device Regulation 2017/745 | Partially (Articles 10, 61) |
| IEC 62304:2006 | No |
| IEC 62366-1:2015 | No |
| FDA Quality System Regulation (21 CFR 820) | No |
| Internal SOP-003 Document Control | Yes |
| Internal SOP-007 Risk Management | Yes |

4. Audit Activities

| Date | Time | Topic / Process / Requirement | Audit Criteria | Participants |
|---|---|---|---|---|
| March 15, 2024 | 09:00 - 09:30 | Opening Meeting & Audit Plan Review | ISO 13485:2016, cl 8.2.4 | All participants |
| March 15, 2024 | 09:30 - 11:30 | Document Control Process Review | ISO 13485:2016, cl 4.2.4, 4.2.5; SOP-003 | Emily Rodriguez, Jennifer Martinez |
| March 15, 2024 | 11:30 - 11:45 | Break | N/A | N/A |
| March 15, 2024 | 11:45 - 13:00 | Document Control Records Review | ISO 13485:2016, cl 4.2.5 | Emily Rodriguez |
| March 15, 2024 | 13:00 - 14:00 | Lunch | N/A | N/A |
| March 15, 2024 | 14:00 - 15:30 | Risk Management Process Review | ISO 14971:2019, cl 4-8; SOP-007 | David Kim, Thomas Anderson |
| March 15, 2024 | 15:30 - 15:45 | Break | N/A | N/A |
| March 15, 2024 | 15:45 - 16:30 | Risk Management Files Review | ISO 14971:2019, cl 9; MDR Art 61 | David Kim, Jennifer Martinez |
| March 15, 2024 | 16:30 - 17:00 | Closing Meeting & Next Steps | ISO 13485:2016, cl 8.2.4 | All participants |
Q&A
How often should I conduct internal audits of my QMS?
You must audit all QMS processes over a defined cycle, typically every 1-3 years. The frequency should be based on process risk, complexity, and previous audit findings. Critical processes like design controls or risk management may need annual audits, while stable processes like document control might be audited every two years.
Who can perform internal audits in my organization?
Auditors must be independent of the area being audited. In small companies, consider using external auditors or rotating responsibilities among staff members. For example, your quality manager can audit software development, but someone from software development cannot audit their own processes.
What should I do if my audit reveals non-conformities?
Document all findings in your audit report and initiate corrective actions through your CAPA system. Assign responsibility for addressing each finding, set target completion dates, and verify effectiveness of corrections during subsequent audits or management reviews.
How detailed should my audit activities schedule be?
Your schedule should be detailed enough to ensure comprehensive coverage while remaining flexible. Allocate realistic time for each process review - complex areas like design controls typically need 2-3 hours, while simpler processes might only need 1 hour. Include breaks and buffer time for unexpected discoveries.
What documents should auditors review during the audit?
Auditors should review your quality manual, relevant SOPs, work instructions, records of implementation, training records, and any previous audit or inspection findings. Focus on evidence that your processes are actually being followed, not just documented.
How do I prepare my team for an internal audit?
Brief participants on the audit scope and schedule in advance. Ensure all relevant records are accessible and up-to-date. Remind staff that audits are improvement opportunities, not evaluations of individual performance. Have process owners prepare to explain their procedures and show evidence of implementation.