SOP Internal Audit
Summary
Your Internal Audit SOP establishes a systematic process for independently evaluating QMS compliance, identifying improvement opportunities, and ensuring your quality management system meets regulatory requirements through objective assessment by qualified auditors.
Why is SOP Internal Audit important?
Internal audits exist because regulators require independent verification that your QMS actually works as documented. They provide objective evidence that your organization follows its own procedures and meets regulatory requirements. This process identifies gaps before external auditors or regulatory inspectors find them, allowing you to address issues proactively.
The SOP ensures consistency and objectivity in audit execution by establishing clear qualification requirements, standardized processes, and objective criteria for findings. It transforms internal audits from informal reviews into systematic evaluations that provide meaningful insights into QMS effectiveness and compliance status.
Regulatory Context
Under 21 CFR Part 820 (Quality System Regulation):
- Quality audits are mandatory under Section 820.22
- Must be conducted by individuals not directly responsible for areas being audited
- Results must be documented and reviewed by management with executive responsibility
- Audit findings must feed into your Corrective and Preventive Action (CAPA) system
Special attention required for:
- Design controls (820.30) - especially for software medical devices
- CAPA system effectiveness (820.100)
- Production and process controls (820.70)
- Document controls and change management (820.40)
Under EU MDR 2017/745:
- Manufacturers must implement a quality management system (Article 10(9))
- Must comply with EN ISO 13485:2016 requirements for internal audits (Section 8.2.4)
- Audit results must be available for notified body assessment
- Regular systematic reviews are required for CE marking maintenance
Special attention required for:
- Clinical evaluation processes (Article 61) and ongoing clinical follow-up
- Post-market surveillance system (Articles 83-86)
- Person Responsible for Regulatory Compliance (PRRC) oversight
- Unique Device Identification (UDI) compliance (Article 27)
Guide
Your Internal Audit SOP establishes the framework for systematic QMS evaluation through independent assessment. Design the process to provide meaningful insights rather than just checking compliance boxes.
Auditor Qualification and Selection
Establish clear qualification criteria for internal auditors including training requirements, experience levels, and competency assessment. Auditors must understand both auditing techniques and the specific regulatory requirements applicable to your organization. Consider requiring formal audit training or certification.
Ensure auditor independence by preventing individuals from auditing their own work areas. In small organizations, this may require using external auditors or cross-functional team members. Document the selection rationale and any potential conflicts of interest.
Audit Planning and Scheduling
Develop an annual audit program that covers all QMS processes over a planned cycle. Not every process needs annual auditing, but high-risk areas, processes with previous findings, or areas undergoing significant changes should receive more frequent attention.
Create detailed audit plans for each audit that specify scope, timing, resources, and specific requirements to be evaluated. Share plans with auditees in advance to ensure availability and preparation. Include relevant standards, regulations, and internal procedures in your scope definition.
Audit Execution and Evidence Collection
Structure audit activities to systematically evaluate process effectiveness through document review, interviews, and observation. Focus on verifying that processes achieve their intended outcomes rather than just checking procedural compliance.
Collect objective evidence to support findings. This includes reviewing records, observing activities, and interviewing personnel. Document evidence clearly and reference specific requirements or procedures being evaluated. Avoid subjective opinions or recommendations that cannot be supported by concrete evidence.
Finding Classification and Documentation
Establish clear criteria for classifying findings as major nonconformities, minor nonconformities, or opportunities for improvement. Major nonconformities represent systematic failures or absence of required processes. Minor nonconformities are isolated deviations that don’t compromise overall process effectiveness.
Document findings with sufficient detail for follow-up action. Include specific evidence, applicable requirements, and a clear description of the gap. Avoid vague statements - be specific about what was observed and why it represents a nonconformity.
Follow-up and CAPA Integration
Connect audit findings to your CAPA system for systematic resolution. Major nonconformities typically require formal CAPA investigation, while minor findings may be addressed through simple corrective actions. Establish timelines for response and verification of corrective actions.
Use audit results as input to management review to demonstrate QMS effectiveness and identify systemic improvement opportunities. Track trends in audit findings to identify recurring issues or process weaknesses.
Example
Scenario
You schedule an internal audit of your document control process. An independent team member reviews procedures, records, and recent changes. The audit finds that some training records are missing signatures. You document the finding, assign a corrective action, and verify completion at the next audit. During the annual management review, you discuss audit results, customer complaints, and process improvements, and set new quality objectives for the coming year.
Example Internal Audit Process
Audit Planning:
- Scope: Document and Record Control SOP compliance
- Auditor: Quality Manager (independent of document control process)
- Duration: 4 hours over 2 days
- Auditees: Documentation Coordinator, Training Manager
- Standards: ISO 13485:2016 Sections 4.2.4 and 4.2.5
Audit Activities:
- Document Review - Examine 20 controlled documents for proper approval signatures
- Record Sampling - Review training records for 15 employees hired in past 6 months
- Process Interview - Discuss document change control with Documentation Coordinator
- System Verification - Check electronic document management system access controls
Findings:
- Minor Nonconformity: 3 of 15 training records lacked required signatures per SOP-HR-001
- Opportunity for Improvement: Consider automated alerts for training record completion
- Positive Observation: Document change control process working effectively
Follow-up Actions:
- Immediate Correction: Obtain missing signatures within 5 business days
- Corrective Action: Update training record checklist to include signature verification
- Timeline: Complete corrective action within 30 days
- Verification: Re-audit training records at next scheduled audit
Management Review Input:
- Document control process generally effective with minor training record gap
- Recommend consideration of automated training tracking system
- No major systemic issues identified requiring immediate attention