Summary

An audit program is your strategic roadmap for internal audits over a defined period, typically covering all Quality Management System (QMS) processes within a 3-year cycle. It ensures systematic compliance verification, identifies improvement opportunities, and demonstrates regulatory commitment to authorities like the FDA and notified bodies under EU MDR.

Why is an Audit Program Important?

Your audit program serves as the backbone of quality assurance within your medical device organization. Regulatory authorities require you to systematically verify that your QMS actually works as documented, not just on paper. The audit program ensures you proactively identify potential compliance gaps before they become serious violations during regulatory inspections. It provides evidence of your commitment to quality and helps maintain CE marking or FDA clearance by demonstrating continuous monitoring of your processes.

Without a structured audit program, you risk missing critical process failures that could lead to product recalls, regulatory warnings, or market withdrawal. The program also helps you allocate resources efficiently by prioritizing high-risk processes and areas with previous findings.

Regulatory Context

Under 21 CFR Part 820 (Quality System Regulation):

  • Internal audits are mandatory under Section 820.22
  • Must be conducted by individuals not directly responsible for areas being audited
  • Results must be documented and reviewed by management with executive responsibility
  • Audit findings must feed into your Corrective and Preventive Action (CAPA) system
  • Audit programs must be planned and demonstrate systematic coverage of all QMS processes

Special attention required for:

  • Design controls (820.30) - especially for software medical devices
  • CAPA system effectiveness (820.100)
  • Production and process controls (820.70)
  • Document controls and change management (820.40)

Guide

Understanding Audit Program Structure

Your audit program is fundamentally a multi-year planning document that maps out when and how you’ll audit different aspects of your QMS. The program must ensure that all critical processes receive appropriate audit attention based on their risk level and regulatory importance.

Key Components You Must Include

Audit Scheduling Matrix: Create a table showing planned audits across multiple years (typically 3 years) with columns for each planned audit cycle. This matrix should cover all ISO 13485:2016 clauses relevant to your device type, plus specific EU MDR articles for European markets.

Process Prioritization: Not all processes require annual auditing. High-risk processes like design controls, risk management, and post-market surveillance typically need annual attention, while stable processes like document control might be audited every 2-3 years.

Resource Allocation: Your program must account for auditor availability and independence requirements. You cannot audit your own work, so plan accordingly if you’re a small organization.

Defining Audit Scope and Frequency

Base your audit frequency on several critical factors:

Regulatory Risk: Processes directly affecting patient safety (design controls, risk management) require more frequent auditing than administrative processes.

Process Maturity: New or recently changed processes need more frequent verification until they demonstrate stability.

Previous Findings: Areas with historical nonconformities or CAPA actions require increased audit attention.

Regulatory Changes: When standards or regulations change, affected processes need immediate audit coverage.

Creating Your Audit Program Table

The core of your audit program is a comprehensive table that identifies:

  • Specific audit periods (dates when audits will occur)
  • Audit plan identifiers (linking to specific audit plan documents)
  • QMS process coverage (which ISO 13485 clauses will be reviewed)
  • Regulatory compliance verification (MDR articles, FDA requirements)

For each planned audit, mark which specific processes will be covered. Use clear indicators like checkmarks, “Yes/No,” or specific dates. Some processes marked as “n/a” (like work environment controls) may not apply to software-only medical devices.

Integrating with Your SOP Internal Audit

Your audit program must align with your SOP Internal Audit procedures. The program provides the “what and when” while your SOP defines the “how.” Ensure your program references your internal audit SOP document identifier to maintain clear procedural links.

Managing Program Updates

Your audit program is a living document that requires regular updates. After completing each audit, update the program to reflect:

  • Actual audit completion dates
  • Specific audit plan document identifiers
  • Any scope changes or additional areas covered
  • Results that influence future audit planning

Planning for Different Organizational Structures

Small Organizations: If you have limited personnel, consider using external auditors or rotating audit responsibilities. Plan audits when key personnel are available and ensure adequate coverage without overwhelming your team.

Multi-site Operations: Your program must cover all sites where QMS processes occur. Consider centralizing some audits or coordinating between sites to ensure comprehensive coverage.

Software-only Devices: Focus on software development lifecycle processes, design controls, risk management, and post-market surveillance. Some ISO 13485 clauses related to manufacturing facilities may not apply.

Example

Scenario: You’re a startup developing a software medical device for diabetes management. Your team includes a CEO, software engineers, a quality manager, and a regulatory consultant. You need to establish an audit program covering the next three years while building toward FDA submission and CE marking.

Your audit program table would look like this:

| Audit ID | Audit #1 | Audit #2 | Audit #3 |
|---|---|---|---|
| Date | 2024-03-15 | 2024-09-15 | 2025-03-15 |
| Audit Plan ID | AP-2024-001 | AP-2024-002 | AP-2025-001 |
| ISO 13485:2016, para. 4.1, 4.2.1: General QMS requirements | | | |
| ISO 13485:2016, para. 4.2.2, 5.3, 5.4: Quality manual and QMS planning | | | |
| ISO 13485:2016, para. 4.2.3: Medical device file | | | |
| ISO 13485:2016, para. 4.2.4, 4.2.5: Control of documents and records | | | |
| ISO 13485:2016, para. 5.1, 5.2, 5.3, 5.4, 5.5: Management responsibility | | | |
| ISO 13485:2016, para. 5.6: Management review | | | |
| ISO 13485:2016, para. 6.1, 6.3: Resource management | | | |
| ISO 13485:2016, para. 6.2: Human resources management | | | |
| ISO 13485:2016, para. 6.4: Work environment and contamination control | n/a | n/a | n/a |
| ISO 13485:2016, para. 7.1: Planning product realization | | | |
| ISO 13485:2016, para. 7.2: Customer-related processes | | | |
| ISO 13485:2016, para. 7.3: Design and development | | | |
| ISO 13485:2016, para. 7.4: Purchasing | | | |
| ISO 13485:2016, para. 7.5: Production and service provision | | | |
| ISO 13485:2016, para. 7.6: Measuring equipment | | | |
| ISO 13485:2016, para. 8.1, 8.2.1, 8.2.2: Feedback and complaints handling | | | |
| ISO 13485:2016, para. 8.1, 8.2.3: Reporting to authorities | | | |
| ISO 13485:2016, para. 8.1, 8.2.4: Internal auditing | | | |
| ISO 13485:2016, para. 8.1, 8.2.5, 8.2.6: Measurement of products and processes | | | |
| ISO 13485:2016, para. 8.3: Nonconforming products | | | |
| ISO 13485:2016, para. 8.4: Analysis of data | | | |
| ISO 13485:2016, para. 8.5: Improvement | | | |
| Reg. (EU) 2017/745, Chapter VII, Art. 83-86: Post-Market Surveillance | | | |
| Reg. (EU) 2017/745, Chapter VII, Art. 87-90: Vigilance | | | |
| Reg. (EU) 2017/745, Art. 61 & Annex XIV: Clinical Evaluation and Post-Market Clinical Follow-up | | | |

In this example, your first audit focuses on foundational QMS processes and design controls since you’re still developing your device. The second audit emphasizes operational processes as you prepare for market entry. The third audit covers post-market processes once your device is commercially available.

You use your regulatory consultant as the lead auditor for independence, with different team members participating based on their process responsibilities. Each audit generates an audit plan document (AP-2024-001, etc.) and feeds results into your management review and CAPA system.

Q&A