Summary
Your Internal Audit SOP establishes a systematic process for independently evaluating QMS compliance, identifying improvement opportunities, and ensuring your quality management system meets regulatory requirements through objective assessment by qualified auditors.
Why is SOP Internal Audit important?
Internal audits exist because regulators require independent verification that your QMS actually works as documented. They provide objective evidence that your organization follows its own procedures and meets regulatory requirements. This process identifies gaps before external auditors or regulatory inspectors find them, allowing you to address issues proactively. The SOP ensures consistency and objectivity in audit execution by establishing clear qualification requirements, standardized processes, and objective criteria for findings. It transforms internal audits from informal reviews into systematic evaluations that provide meaningful insights into QMS effectiveness and compliance status.
Regulatory Context
Under 21 CFR Part 820 (Quality System Regulation):
- Quality audits are mandatory under Section 820.22
- Must be conducted by individuals not directly responsible for areas being audited
- Results must be documented and reviewed by management with executive responsibility
- Audit findings must feed into your Corrective and Preventive Action (CAPA) system
Special attention required for:
- Design controls (820.30) - especially for software medical devices
- CAPA system effectiveness (820.100)
- Production and process controls (820.70)
- Document controls and change management (820.40)
Guide
Your Internal Audit SOP establishes the framework for systematic QMS evaluation through independent assessment. Design the process to provide meaningful insights rather than just checking compliance boxes.
Auditor Qualification and Selection
Establish clear qualification criteria for internal auditors including training requirements, experience levels, and competency assessment. Auditors must understand both auditing techniques and the specific regulatory requirements applicable to your organization. Consider requiring formal audit training or certification. Ensure auditor independence by preventing individuals from auditing their own work areas. In small organizations, this may require using external auditors or cross-functional team members. Document the selection rationale and any potential conflicts of interest.
Audit Planning and Scheduling
Develop an annual audit program that covers all QMS processes over a planned cycle. Not every process needs annual auditing, but high-risk areas, processes with previous findings, or areas undergoing significant changes should receive more frequent attention. Create detailed audit plans for each audit that specify scope, timing, resources, and specific requirements to be evaluated. Share plans with auditees in advance to ensure availability and preparation. Include relevant standards, regulations, and internal procedures in your scope definition.
Audit Execution and Evidence Collection
Structure audit activities to systematically evaluate process effectiveness through document review, interviews, and observation. Focus on verifying that processes achieve their intended outcomes rather than just checking procedural compliance. Collect objective evidence to support findings. This includes reviewing records, observing activities, and interviewing personnel. Document evidence clearly and reference specific requirements or procedures being evaluated. Avoid subjective opinions or recommendations that cannot be supported by concrete evidence.
Finding Classification and Documentation
Establish clear criteria for classifying findings as major nonconformities, minor nonconformities, or opportunities for improvement. Major nonconformities represent systematic failures or absence of required processes. Minor nonconformities are isolated deviations that don’t compromise overall process effectiveness. Document findings with sufficient detail for follow-up action. Include specific evidence, applicable requirements, and clear description of the gap. Avoid vague statements - be specific about what was observed and why it represents a nonconformity.
Follow-up and CAPA Integration
Connect audit findings to your CAPA system for systematic resolution. Major nonconformities typically require formal CAPA investigation, while minor findings may be addressed through simple corrective actions. Establish timelines for response and verification of corrective actions. Use audit results as input to management review to demonstrate QMS effectiveness and identify systemic improvement opportunities. Track trends in audit findings to identify recurring issues or process weaknesses.
Example
Scenario
You schedule an internal audit of your document control process. An independent team member reviews procedures, records, and recent changes. The audit finds that some training records are missing signatures. You document the finding, assign a corrective action, and verify completion at the next audit. During the annual management review, you discuss audit results, customer complaints, and process improvements, and set new quality objectives for the coming year.
Example Internal Audit Process
Audit Planning:
- Scope: Document and Record Control SOP compliance
- Auditor: Quality Manager (independent of document control process)
- Duration: 4 hours over 2 days
- Auditees: Documentation Coordinator, Training Manager
- Standards: ISO 13485:2016 Sections 4.2.4 and 4.2.5
- Document Review - Examine 20 controlled documents for proper approval signatures
- Record Sampling - Review training records for 15 employees hired in past 6 months
- Process Interview - Discuss document change control with Documentation Coordinator
- System Verification - Check electronic document management system access controls
- Minor Nonconformity: 3 of 15 training records lacked required signatures per SOP-HR-001
- Opportunity for Improvement: Consider automated alerts for training record completion
- Positive Observation: Document change control process working effectively
- Immediate Correction: Obtain missing signatures within 5 business days
- Corrective Action: Update training record checklist to include signature verification
- Timeline: Complete corrective action within 30 days
- Verification: Re-audit training records at next scheduled audit
- Document control process generally effective with minor training record gap
- Recommend consideration of automated training tracking system
- No major systemic issues identified requiring immediate attention
Q&A
What is the process for internal audits and management reviews?
Internal audits are required for ISO 13485 compliance and involve testing your team’s understanding of processes. Management reviews should be done annually, focusing on KPIs and quality performance. They are recommended before a conformity assessment but are not mandatory before product release. The SOP should establish clear connections between these processes.
How should unofficial audit recommendations be implemented and handled?
Unofficial audit recommendations should be reviewed and considered for implementation. They don’t require a CAPA but can be managed through change management by updating documents to improve compliance. Document the evaluation and decision regarding implementation of recommendations.
Who can serve as internal auditors in small organizations?
In small organizations, auditors can come from within the company or be external, as long as they don’t audit their own work. Cross-functional team members or external consultants are common solutions. The key is ensuring objectivity and appropriate qualifications for the audit scope.
How often should internal audits be conducted?
A full audit of the QMS is not required annually but should be planned with consideration of processes most important to your organization or those at highest risk. High-risk areas, processes with previous findings, or areas undergoing changes should receive more frequent attention.
What's the difference between major and minor nonconformities?
Major nonconformities represent systemic failures to meet regulatory requirements or the complete absence of required processes. Minor nonconformities are isolated deviations that don’t compromise overall process effectiveness. The classification affects the response required and CAPA initiation.
How should audit findings be integrated with the CAPA system?
All major nonconformities should initiate formal CAPA according to your CAPA SOP. Minor nonconformities may be addressed through simple corrective actions. Include the audit report as inputs for management review to ensure systematic follow-up and trend analysis.