The QMSR has changed the landscape for internal audits at medical device companies. Internal audit programs must now align with ISO 13485 requirements, and internal audit records are now subject to FDA inspection, which adds a new dimension to how these programs should be managed.
Internal Audit Requirements Under QMSR
Under the QMSR, internal audit requirements are derived from ISO 13485:2016 Clause 8.2.4, which requires organizations to conduct internal audits at planned intervals to determine whether the quality management system conforms to planned arrangements, requirements of ISO 13485, and QMS requirements established by the organization. The organization must also verify that the quality management system is effectively implemented and maintained.
This represents a shift from the legacy QSR, which had its own internal audit requirements under 21 CFR 820.22. While both frameworks require internal audits, the ISO 13485-based requirements provide more specificity around audit planning, competency, and documentation.
The FDA Can Now Inspect Your Internal Audit Records
Under the legacy QSR, internal audit records, including audit reports, findings, and corrective actions, were explicitly exempt from FDA inspection under 21 CFR 820.180(c). This exemption no longer exists under the QMSR. FDA inspectors can now request and review your internal audit records during inspections.
This change has significant practical implications. Internal audit reports must be complete, well-documented, and demonstrate the effectiveness of your audit program. Findings must be clearly stated, supported by objective evidence, and traceable to applicable requirements. Corrective actions resulting from internal audit findings must be documented, implemented, and verified for effectiveness. The overall audit program must demonstrate systematic coverage of all quality system processes at appropriate intervals.
Audit Program Planning
ISO 13485 requires that audit programs be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. This risk-based approach to audit planning means organizations must demonstrate that audit frequency and depth are proportional to the risk and importance of the processes being audited.
Auditor Competency and Independence
The QMSR requires that auditors be competent and independent from the activities being audited. Organizations must define criteria for auditor selection, ensure auditors have appropriate training and experience, and maintain records demonstrating auditor qualifications. For small organizations where internal independence is difficult to achieve, engaging independent external auditors may be the most practical solution.
Documentation Requirements
Internal audit documentation under QMSR should include a documented audit program showing planned and completed audits, individual audit plans defining scope, criteria, and methodology, audit reports with clear findings supported by objective evidence, records of corrective actions and effectiveness verification, and evidence of management review of audit results.
Upgrading Your Internal Audit Program
Organizations transitioning from the legacy QSR should evaluate their internal audit programs against QMSR requirements and consider whether audit planning is risk-based, whether auditor competency and independence requirements are met, whether audit reports are sufficiently detailed and evidence-based to withstand FDA review, and whether corrective actions from audit findings are tracked through closure with effectiveness verification. Engaging independent auditors for all or part of your internal audit program ensures both competency and independence while producing defensible audit records.
Qualyx Group provides independent internal audit services that meet QMSR requirements.
Implementation Considerations and Best Practices
Successful implementation requires careful planning, adequate resources, and sustained management commitment. Organizations should begin by conducting a thorough assessment of their current practices against the requirements discussed in this article. This baseline assessment identifies specific gaps that need to be addressed and provides a foundation for prioritizing improvement activities based on risk and regulatory impact.
Resource allocation is a critical success factor. Organizations must ensure that sufficient personnel, training, equipment, and time are dedicated to implementation efforts. Under-resourced implementation attempts often result in superficial changes that do not achieve genuine compliance or process improvement. Management must recognize that quality system investments produce returns in the form of reduced regulatory risk, improved product quality, greater customer satisfaction, and enhanced operational efficiency.
Training is another essential element. Personnel at all levels must understand the requirements applicable to their roles and must be competent to perform their quality-related responsibilities. Training should cover both the regulatory basis for requirements and the practical procedures the organization has established to meet them. Effectiveness of training should be evaluated through testing, observation, or other appropriate methods to ensure that competence has been achieved.
Documentation must be complete, current, and accessible. Quality system documentation provides the framework within which personnel operate, and records provide evidence that activities have been performed as planned. Organizations should invest in documentation management systems that support version control, accessibility, and retention while preventing the use of obsolete documents.
Regulatory Context and Industry Trends
The regulatory landscape for the FDA QMSR continues to evolve, with regulatory authorities worldwide placing increasing emphasis on quality management system effectiveness, risk-based approaches, and post-market surveillance. Organizations that stay ahead of these trends by proactively strengthening their quality systems are better positioned for regulatory success and market competitiveness.
Industry trends also indicate growing expectations for supply chain transparency, data integrity, and integration of quality management with broader organizational objectives. The convergence of regulatory harmonization efforts across major markets creates both opportunities and challenges for organizations operating globally. Those that invest in robust, harmonized quality systems benefit from reduced duplication of effort and stronger compliance posture across multiple regulatory jurisdictions.
Technology adoption in quality management is accelerating, with electronic quality management systems, data analytics, and digital documentation tools becoming standard practice in regulated industries. Organizations that leverage these technologies effectively can improve quality system efficiency, enhance data analysis capabilities, and strengthen their ability to identify and respond to quality issues proactively.
The increasing focus on quality culture — the values, attitudes, and behaviors that determine how quality is practiced throughout the organization — reflects a recognition that procedures and documentation alone are insufficient. Genuine quality requires a culture where every individual understands the importance of their contribution to product quality and patient safety, and where quality considerations are integrated into every decision and action.
Common Challenges and How to Overcome Them
Organizations frequently encounter several challenges when implementing the requirements discussed in this article. One common challenge is balancing compliance rigor with operational efficiency. Quality system requirements must be met without creating processes so burdensome that they impede productive work. The key is designing processes that are as simple and streamlined as possible while still meeting all applicable requirements.
Another challenge is maintaining consistency across the organization. Quality system implementation often varies between departments, shifts, or locations, creating compliance gaps that are easily identified during audits. Standardized procedures, regular training, and internal auditing help maintain consistency, but sustained management attention is required to prevent drift over time.
Change management presents additional challenges. Quality systems must evolve in response to regulatory changes, technology advances, organizational growth, and lessons learned from quality events. However, changes must be managed carefully to avoid introducing new risks or disrupting established processes. A robust change management process that evaluates the impact of proposed changes, plans implementation carefully, and verifies effectiveness after implementation is essential.
Resource constraints are a persistent challenge, particularly for small and medium enterprises. Organizations must prioritize their quality activities based on risk, focusing available resources on the areas of greatest impact. This risk-based approach ensures that limited resources are used where they can do the most good, rather than spread thinly across all activities regardless of their significance.
