Summary

An audit program is your strategic roadmap for internal audits over a defined period, typically covering all Quality Management System (QMS) processes within a 3-year cycle. It ensures systematic compliance verification, identifies improvement opportunities, and demonstrates regulatory commitment to authorities like the FDA and notified bodies under EU MDR.

Why is an Audit Program Important?

Your audit program serves as the backbone of quality assurance within your medical device organization. Regulatory authorities require you to systematically verify that your QMS actually works as documented, not just on paper. The audit program ensures you proactively identify potential compliance gaps before they become serious violations during regulatory inspections. It provides evidence of your commitment to quality and helps maintain CE marking or FDA clearance by demonstrating continuous monitoring of your processes. Without a structured audit program, you risk missing critical process failures that could lead to product recalls, regulatory warnings, or market withdrawal. The program also helps you allocate resources efficiently by prioritizing high-risk processes and areas with previous findings.

Regulatory Context

Under 21 CFR Part 820 (Quality System Regulation):
  • Internal audits are mandatory under Section 820.22
  • Must be conducted by individuals not directly responsible for areas being audited
  • Results must be documented and reviewed by management with executive responsibility
  • Audit findings must feed into your Corrective and Preventive Action (CAPA) system
  • Audit programs must be planned and demonstrate systematic coverage of all QMS processes
Special attention required for:
  • Design controls (820.30) - especially for software medical devices
  • CAPA system effectiveness (820.100)
  • Production and process controls (820.70)
  • Document controls and change management (820.40)

Guide

Understanding Audit Program Structure

Your audit program is fundamentally a multi-year planning document that maps out when and how you’ll audit different aspects of your QMS. The program must ensure that all critical processes receive appropriate audit attention based on their risk level and regulatory importance.

Key Components You Must Include

Audit Scheduling Matrix: Create a table showing planned audits across multiple years (typically 3 years) with columns for each planned audit cycle. This matrix should cover all ISO 13485:2016 clauses relevant to your device type, plus specific EU MDR articles for European markets. Process Prioritization: Not all processes require annual auditing. High-risk processes like design controls, risk management, and post-market surveillance typically need annual attention, while stable processes like document control might be audited every 2-3 years. Resource Allocation: Your program must account for auditor availability and independence requirements. You cannot audit your own work, so plan accordingly if you’re a small organization.

Defining Audit Scope and Frequency

Base your audit frequency on several critical factors: Regulatory Risk: Processes directly affecting patient safety (design controls, risk management) require more frequent auditing than administrative processes. Process Maturity: New or recently changed processes need more frequent verification until they demonstrate stability. Previous Findings: Areas with historical nonconformities or CAPA actions require increased audit attention. Regulatory Changes: When standards or regulations change, affected processes need immediate audit coverage.

Creating Your Audit Program Table

The core of your audit program is a comprehensive table that identifies:
  • Specific audit periods (dates when audits will occur)
  • Audit plan identifiers (linking to specific audit plan documents)
  • QMS process coverage (which ISO 13485 clauses will be reviewed)
  • Regulatory compliance verification (MDR articles, FDA requirements)
For each planned audit, mark which specific processes will be covered. Use clear indicators like checkmarks, “Yes/No,” or specific dates. Some processes marked as “n/a” (like work environment controls) may not apply to software-only medical devices.

Integrating with Your SOP Internal Audit

Your audit program must align with your SOP Internal Audit procedures. The program provides the “what and when” while your SOP defines the “how.” Ensure your program references your internal audit SOP document identifier to maintain clear procedural links.

Managing Program Updates

Your audit program is a living document that requires regular updates. After completing each audit, update the program to reflect:
  • Actual audit completion dates
  • Specific audit plan document identifiers
  • Any scope changes or additional areas covered
  • Results that influence future audit planning

Planning for Different Organizational Structures

Small Organizations: If you have limited personnel, consider using external auditors or rotating audit responsibilities. Plan audits when key personnel are available and ensure adequate coverage without overwhelming your team. Multi-site Operations: Your program must cover all sites where QMS processes occur. Consider centralizing some audits or coordinating between sites to ensure comprehensive coverage. Software-only Devices: Focus on software development lifecycle processes, design controls, risk management, and post-market surveillance. Some ISO 13485 clauses related to manufacturing facilities may not apply.

Example

Scenario: You’re a startup developing a software medical device for diabetes management. Your team includes a CEO, software engineers, a quality manager, and a regulatory consultant. You need to establish an audit program covering the next three years while building toward FDA submission and CE marking. Your audit program table would look like this:
Audit IDAudit #1Audit #2Audit #3
Date2024-03-152024-09-152025-03-15
Audit Plan IDAP-2024-001AP-2024-002AP-2025-001
ISO 13485:2016, para. 4.1, 4.21: General QMS requirements
ISO 13485:2016, para. 4.2.2, 5.3, 5.4: Quality manual and QMS planning
ISO 13485: 2016, para. 4.2.3: Medical device file
ISO 13485:2016, para. 4.2.4, 4.2.5: Control of documents and records
ISO 13485:2016, para. 5.1, 5.2, 5.3., 5.4, 5.5: Management responsibility
ISO 13485:2016, para. 5.6: Management review
ISO 13485:2016, para. 6.1, 6.3: Resource management
ISO 13485:2016, para. 6.2: Human resources management
ISO 13485:2016, para. 6.4: Work environment and contamination controln/an/an/a
ISO 13485:2016, para. 7.1: Planning product realization
ISO 13485:2016, para. 7.2: Customer-related processes
ISO 13485:2016, para. 7.3: Design and development
ISO 13485:2016, para. 7.4: Purchasing
ISO 13485:2016, para. 7.5: Production and service provision
ISO 13485:2016, para. 7.6: Measuring equipment
ISO 13485:2016, para. 8.1, 8.2.1, 8.2.2: Feedback and complaints handling
ISO 13485:2016, para. 8.1, 8.2.3: Reporting to authorities
ISO 13485:2016, para. 8.1, 8.2.4: Internal auditing
ISO 13485:2016, para. 8.1, 8.2.5, 8.2.6: Measurement of products and processes
ISO 13485:2016, para. 8.3: Nonconforming products
ISO 13485:2016, para. 8.4: Analysis of data
ISO 13485:2016, para. 8.5: Improvement
Reg. (EU) 2017/745, Chapter VII, Art. 83-86: Post-Market Surveillance
Reg. (EU) 2017/745, Chapter VII, Art. 87-90: Vigilance
Reg. (EU) 2017/745, Chapter 61 & Annex XIV: Clinical Evaluation and Post-Market Clinical Follow-up
In this example, your first audit focuses on foundational QMS processes and design controls since you’re still developing your device. The second audit emphasizes operational processes as you prepare for market entry. The third audit covers post-market processes once your device is commercially available. You use your regulatory consultant as the lead auditor for independence, with different team members participating based on their process responsibilities. Each audit generates an audit plan document (AP-2024-001, etc.) and feeds results into your management review and CAPA system.

Q&A