Audit Report
Summary
An Audit Report documents the findings, conclusions, and corrective actions from internal or external audits of your Quality Management System (QMS). It provides objective evidence that your quality processes have been systematically evaluated against regulatory standards and identifies opportunities for improvement. The report serves as a critical record for regulatory compliance and demonstrates your commitment to maintaining effective quality controls.
Why is an Audit Report important?
The Audit Report exists because regulatory authorities require documented evidence that you actively monitor and improve your quality management system. It’s not enough to simply have procedures - you must demonstrate through systematic auditing that these procedures are being followed and are effective in practice.
For medical device manufacturers, the Audit Report is essential because it provides objective evidence of QMS effectiveness to regulatory inspectors and notified bodies. It shows you’re proactively identifying and addressing compliance gaps before they become serious issues. The report also drives your Corrective and Preventive Action (CAPA) system by documenting nonconformities that require systematic resolution. Without proper audit reporting, you risk missing critical quality issues, failing regulatory inspections, and potentially compromising patient safety through undetected process failures.
Regulatory Context
Under 21 CFR Part 820 (Quality System Regulation):
- Quality audits are mandatory under Section 820.22
- Audit results must be documented and reviewed by management with executive responsibility
- Findings must feed into your Corrective and Preventive Action (CAPA) system under Section 820.100
- Records must be maintained for the lifetime of the device plus two years
Special attention required for:
- Design controls (820.30) - audit findings often reveal design control weaknesses
- CAPA system effectiveness (820.100) - audit reports must trigger appropriate corrective actions
- Management responsibility (820.20) - executive review of audit findings is mandatory
- Document controls (820.40) - audit reports themselves must be controlled documents
Under EU MDR 2017/745:
- Manufacturers must implement a quality management system with regular internal audits (Article 10(9))
- Must comply with EN ISO 13485:2016 requirements for audit reporting (Section 8.2.4)
- Audit results must be available for notified body assessment and regulatory inspections
- Reports support ongoing CE marking maintenance and post-market surveillance obligations
Special attention required for:
- Clinical evaluation processes (Article 61) - audits must verify clinical data management
- Post-market surveillance system (Articles 83-86) - audit findings inform PMS activities
- Person Responsible for Regulatory Compliance (PRRC) oversight - PRRC must review audit outcomes
- Unique Device Identification (UDI) compliance (Article 27) - audits verify UDI implementation
Guide
Your Audit Report must systematically document what was audited, what was found, and what actions are required. The report transforms audit observations into actionable improvements for your quality management system.
1. Audit Information and Participants
The audit information section establishes the context and credibility of your audit. You must document the exact dates when the audit was conducted, identify the lead auditor and their qualifications, and specify whether the audit was conducted on-site or remotely. This information demonstrates that the audit was properly planned and executed by qualified personnel.
Your audit participants table identifies company personnel who were directly involved in the audit process. Focus on listing the actual participants rather than those originally planned, as audits often require additional subject matter experts or exclude planned participants due to availability. Include their specific responsibilities during the audit to show that appropriate expertise was available for each area reviewed.
2. Audit Results and Findings
The audit results table provides a systematic overview of what was evaluated and what was found. For each regulation, standard, or internal procedure reviewed, you must indicate the number of major nonconformities, minor nonconformities, and recommendations identified. This quantitative summary allows management to quickly assess the overall audit outcome and prioritize corrective actions.
Major nonconformities represent serious gaps that could affect product safety or regulatory compliance. Minor nonconformities are less critical issues that still require correction. Recommendations are opportunities for improvement that don’t represent actual nonconformities but could enhance process effectiveness.
3. Detailed Findings Documentation
Your major nonconformities section must provide detailed descriptions of serious findings that require immediate attention. For each major nonconformity, describe the specific process or procedure that was deficient, the evidence that supports the finding, and the potential impact on product quality or patient safety. Reference the specific regulatory requirement or standard clause that was not met.
The minor nonconformities section documents less critical but still important findings. These might include incomplete records, minor procedural deviations, or opportunities to strengthen existing processes. While not immediately threatening to compliance, these findings should be addressed systematically to prevent escalation to major issues.
Your recommendations section captures improvement opportunities identified during the audit. These might include suggestions for process optimization, additional training needs, or technology upgrades that could enhance quality system effectiveness. Recommendations don’t require formal corrective action but should be considered during management review.
4. Audit Conclusion and Next Steps
The audit conclusion provides management with a clear assessment of QMS effectiveness and required actions. Summarize the overall audit findings, highlight any systemic issues that require attention, and provide recommendations for improving audit performance in future cycles. If no significant issues were found, state this clearly while noting any minor improvements that could enhance system effectiveness.
The conclusion should also address the timing and responsibility for corrective actions, ensuring that findings are properly assigned and tracked through your CAPA system. Reference how audit findings will be reviewed during the next management review and how effectiveness of corrective actions will be verified.
Example
Scenario: You conduct an internal audit of your document control and risk management processes before an upcoming notified body assessment. The audit reveals that some training records are missing signatures and risk assessment updates haven’t been properly documented. You document these findings, assign corrective actions, and plan verification activities for the next audit cycle.
Complete Audit Report Document
Audit Report
ID: AR-2024-001
1. Audit Information
Audit Information | Details |
---|---|
Date(s) of Audit | March 15, 2024 |
Lead Auditor Name | Sarah Johnson |
Lead Auditor Title and Company | Quality Manager, MedDevice Solutions Inc. |
Other Auditor(s) Name(s) | Michael Chen, Senior Process Engineer |
Site of Audit (or remote) | Main Office, Conference Room B |

Person Participating in Audit | Responsibilities |
---|---|
Emily Rodriguez / Document Control Manager | Document control procedures, training records management |
David Kim / Risk Manager | Risk management processes, risk assessment documentation |
Jennifer Martinez / Quality Coordinator | Cross-functional quality processes, CAPA coordination |
Thomas Anderson / Software Lead | Software development processes, design control implementation |
2. Audit Results
The audit was conducted on the processes identified in the table below. The number of major nonconformities (NC), minor nonconformities, and recommendations (REC) is provided for each. Descriptions of the findings, if any, are given in the later sections.
Regulation or Standard | Section | Description | Major NC | Minor NC | Rec |
---|---|---|---|---|---|
ISO 13485:2016 | 4.2.4, 4.2.5 | Control of documents and records | 0 | 1 | 0 |
ISO 13485:2016 | 6.2 | Human resources management | 0 | 1 | 1 |
ISO 14971:2019 | 4-8 | Risk management process | 0 | 0 | 1 |
ISO 14971:2019 | 9 | Risk management file | 0 | 1 | 0 |
ISO 13485:2016 | 8.2.4 | Internal audit process | 0 | 0 | 1 |
2.1 Major Nonconformities
No major nonconformities identified during the audit.
2.2 Minor Nonconformities
Document Control (ISO 13485:2016, 4.2.5): Three training records in the document control system were missing required signatures from trainees, indicating incomplete documentation of training completion. The affected records were from January 2024 training sessions on updated procedures.
Human Resources (ISO 13485:2016, 6.2): Training effectiveness evaluation for the Q4 2023 period was not documented as required by the training procedure SOP-HR-001. While training was conducted and recorded, the systematic evaluation of training effectiveness was not performed.
Risk Management File (ISO 14971:2019, 9): Risk assessment updates from the December 2023 software release were not properly integrated into the master risk management file. The individual risk assessments were completed but not consolidated into the central documentation.
2.3 Recommendations
Training Program Enhancement: Consider implementing automated reminders for training signature completion to prevent future documentation gaps. This could improve compliance and reduce administrative burden.
Risk Management Process: Develop a checklist for risk management file updates during product releases to ensure systematic integration of new risk assessments. This would strengthen the connection between development activities and risk documentation.
Audit Program Optimization: Consider extending audit cycles for consistently well-performing processes while increasing frequency for areas with recurring findings. This risk-based approach could improve audit efficiency.
3. Conclusion
The audit demonstrated that the quality management system is generally effective and well-implemented. The minor nonconformities identified are administrative in nature and do not indicate systemic process failures. All findings have been assigned to responsible personnel with target completion dates within 30 days.
The document control and risk management processes showed strong procedural compliance with only minor documentation gaps. The training program is functioning effectively but would benefit from enhanced tracking mechanisms. Overall, the QMS is ready for the upcoming notified body assessment with completion of the identified corrective actions.
Follow-up verification of corrective action effectiveness will be conducted during the next scheduled internal audit in Q3 2024. All findings will be reviewed during the annual management review to identify any systemic improvement opportunities.