Audits and Review
Audit Report
Document audit findings and corrective actions providing objective evidence of quality system performance.
Summary
An Audit Report documents the findings, conclusions, and corrective actions from internal or external audits of your Quality Management System (QMS). It provides objective evidence that your quality processes have been systematically evaluated against regulatory standards and identifies opportunities for improvement. The report serves as a critical record for regulatory compliance and demonstrates your commitment to maintaining effective quality controls.Why is an Audit Report important?
The Audit Report exists because regulatory authorities require documented evidence that you actively monitor and improve your quality management system. Itβs not enough to simply have procedures - you must demonstrate through systematic auditing that these procedures are being followed and are effective in practice. For medical device manufacturers, the Audit Report is essential because it provides objective evidence of QMS effectiveness to regulatory inspectors and notified bodies. It shows youβre proactively identifying and addressing compliance gaps before they become serious issues. The report also drives your Corrective and Preventive Action (CAPA) system by documenting nonconformities that require systematic resolution. Without proper audit reporting, you risk missing critical quality issues, failing regulatory inspections, and potentially compromising patient safety through undetected process failures.Regulatory Context
Under 21 CFR Part 820 (Quality System Regulation):
- Quality audits are mandatory under Section 820.22
- Audit results must be documented and reviewed by management with executive responsibility
- Findings must feed into your Corrective and Preventive Action (CAPA) system under Section 820.100
- Records must be maintained for the lifetime of the device plus two years
Special attention required for:
- Design controls (820.30) - audit findings often reveal design control weaknesses
- CAPA system effectiveness (820.100) - audit reports must trigger appropriate corrective actions
- Management responsibility (820.20) - executive review of audit findings is mandatory
- Document controls (820.40) - audit reports themselves must be controlled documents
Guide
Your Audit Report must systematically document what was audited, what was found, and what actions are required. The report transforms audit observations into actionable improvements for your quality management system.1. Audit Information and Participants
The audit information section establishes the context and credibility of your audit. You must document the exact dates when the audit was conducted, identify the lead auditor and their qualifications, and specify whether the audit was conducted on-site or remotely. This information demonstrates that the audit was properly planned and executed by qualified personnel. Your audit participants table identifies company personnel who were directly involved in the audit process. Focus on listing the actual participants rather than those originally planned, as audits often require additional subject matter experts or exclude planned participants due to availability. Include their specific responsibilities during the audit to show that appropriate expertise was available for each area reviewed.2. Audit Results and Findings
The audit results table provides a systematic overview of what was evaluated and what was found. For each regulation, standard, or internal procedure reviewed, you must indicate the number of major nonconformities, minor nonconformities, and recommendations identified. This quantitative summary allows management to quickly assess the overall audit outcome and prioritize corrective actions. Major nonconformities represent serious gaps that could affect product safety or regulatory compliance. Minor nonconformities are less critical issues that still require correction. Recommendations are opportunities for improvement that donβt represent actual nonconformities but could enhance process effectiveness.3. Detailed Findings Documentation
Your major nonconformities section must provide detailed descriptions of serious findings that require immediate attention. For each major nonconformity, describe the specific process or procedure that was deficient, the evidence that supports the finding, and the potential impact on product quality or patient safety. Reference the specific regulatory requirement or standard clause that was not met. The minor nonconformities section documents less critical but still important findings. These might include incomplete records, minor procedural deviations, or opportunities to strengthen existing processes. While not immediately threatening to compliance, these findings should be addressed systematically to prevent escalation to major issues. Your recommendations section captures improvement opportunities identified during the audit. These might include suggestions for process optimization, additional training needs, or technology upgrades that could enhance quality system effectiveness. Recommendations donβt require formal corrective action but should be considered during management review.4. Audit Conclusion and Next Steps
The audit conclusion provides management with a clear assessment of QMS effectiveness and required actions. Summarize the overall audit findings, highlight any systemic issues that require attention, and provide recommendations for improving audit performance in future cycles. If no significant issues were found, state this clearly while noting any minor improvements that could enhance system effectiveness. The conclusion should also address the timing and responsibility for corrective actions, ensuring that findings are properly assigned and tracked through your CAPA system. Reference how audit findings will be reviewed during the next management review and how effectiveness of corrective actions will be verified.Example
Scenario: You conduct an internal audit of your document control and risk management processes before an upcoming notified body assessment. The audit reveals that some training records are missing signatures and risk assessment updates havenβt been properly documented. You document these findings, assign corrective actions, and plan verification activities for the next audit cycle.Complete Audit Report Document
Audit Report ID: AR-2024-0011. Audit Information
| Audit Information | Details |
|---|---|
| Date(s) of Audit | March 15, 2024 |
| Lead Auditor Name | Sarah Johnson |
| Lead Auditor Title and Company | Quality Manager, MedDevice Solutions Inc. |
| Other Auditor(s) Name(s) | Michael Chen, Senior Process Engineer |
| Site of Audit (or remote) | Main Office, Conference Room B |
| Person Participating in Audit | Responsibilities |
|---|---|
| Emily Rodriguez / Document Control Manager | Document control procedures, training records management |
| David Kim / Risk Manager | Risk management processes, risk assessment documentation |
| Jennifer Martinez / Quality Coordinator | Cross-functional quality processes, CAPA coordination |
| Thomas Anderson / Software Lead | Software development processes, design control implementation |
2. Audit Results
The audit was conducted on the processes identified in the table below. The number of major nonconformities (NC), minor nonconformities, and recommendations (REC) are provided as well. A description of the findings, if any, are described in the later sections.| Regulation or Standard | Section | Description | Major NC | Minor NC | Rec |
|---|---|---|---|---|---|
| ISO 13485:2016 | 4.2.4, 4.2.5 | Control of documents and records | 0 | 1 | 0 |
| ISO 13485:2016 | 6.2 | Human resources management | 0 | 1 | 1 |
| ISO 14971:2019 | 4-8 | Risk management process | 0 | 0 | 1 |
| ISO 14971:2019 | 9 | Risk management file | 0 | 1 | 0 |
| ISO 13485:2016 | 8.2.4 | Internal audit process | 0 | 0 | 1 |
2.1 Major Nonconformities
No major nonconformities identified during the audit.2.2 Minor Nonconformities
Document Control (ISO 13485:2016, 4.2.5): Three training records in the document control system were missing required signatures from trainees, indicating incomplete documentation of training completion. The affected records were from January 2024 training sessions on updated procedures. Human Resources (ISO 13485:2016, 6.2): Training effectiveness evaluation for the Q4 2023 period was not documented as required by the training procedure SOP-HR-001. While training was conducted and recorded, the systematic evaluation of training effectiveness was not performed. Risk Management File (ISO 14971:2019, 9): Risk assessment updates from the December 2023 software release were not properly integrated into the master risk management file. The individual risk assessments were completed but not consolidated into the central documentation.2.3 Recommendations
Training Program Enhancement: Consider implementing automated reminders for training signature completion to prevent future documentation gaps. This could improve compliance and reduce administrative burden. Risk Management Process: Develop a checklist for risk management file updates during product releases to ensure systematic integration of new risk assessments. This would strengthen the connection between development activities and risk documentation. Audit Program Optimization: Consider extending audit cycles for consistently well-performing processes while increasing frequency for areas with recurring findings. This risk-based approach could improve audit efficiency.3. Conclusion
The audit demonstrated that the quality management system is generally effective and well-implemented. The minor nonconformities identified are administrative in nature and do not indicate systemic process failures. All findings have been assigned to responsible personnel with target completion dates within 30 days. The document control and risk management processes showed strong procedural compliance with only minor documentation gaps. The training program is functioning effectively but would benefit from enhanced tracking mechanisms. Overall, the QMS is ready for the upcoming notified body assessment with completion of the identified corrective actions. Follow-up verification of corrective action effectiveness will be conducted during the next scheduled internal audit in Q3 2024. All findings will be reviewed during the annual management review to identify any systemic improvement opportunities.Q&A
How often do I need to create audit reports?
How often do I need to create audit reports?
You must create an audit report for every internal audit conducted. The frequency depends on your audit program, but typically youβll audit all QMS processes over a 1-3 year cycle, generating multiple reports annually.
Who should review and approve audit reports?
Who should review and approve audit reports?
Audit reports must be reviewed by management with executive responsibility for the QMS. This is typically your quality manager and senior management team. The lead auditor should also review the report for accuracy before approval.
What's the difference between major and minor nonconformities?
What's the difference between major and minor nonconformities?
Major nonconformities are serious gaps that could affect product safety or regulatory compliance and require immediate corrective action. Minor nonconformities are less critical issues that still need correction but donβt pose immediate risks.
How do audit findings connect to the CAPA system?
How do audit findings connect to the CAPA system?
All nonconformities identified in audit reports must be entered into your CAPA system for systematic investigation and corrective action. The audit report provides the initial documentation that triggers CAPA activities.
What should I do if an audit finds no nonconformities?
What should I do if an audit finds no nonconformities?
If no nonconformities are found, clearly state this in the report and explain why the processes are effective. Consider whether the audit scope was sufficient and if any recommendations for improvement can still be made.
How long should I retain audit reports?
How long should I retain audit reports?
Audit reports must be retained for the lifetime of the device plus two years (FDA) or as required by applicable regulations. Theyβre critical records for demonstrating ongoing QMS effectiveness to regulatory authorities.