The ten most common QMS audit nonconformities in MDR startup audits are: documents not matching actual practice, absent or superficial management review, weak document control, CAPAs without effectiveness verification, internal audits not performed or not independent, missing competence records, no supplier evaluation, broken design control traceability, a risk management file disconnected from the QMS, and post-market surveillance that never feeds back into the system. Each one maps to a specific clause of EN ISO 13485:2016+A11:2021 and to MDR Article 10(9).
By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.
TL;DR
- MDR Article 10(9) requires manufacturers to establish, document, implement, maintain, keep up to date, and continually improve a QMS. The harmonised standard is EN ISO 13485:2016+A11:2021.
- The same ten findings account for the large majority of startup audit nonconformities Tibor has observed across 50+ certification projects.
- Every finding traces to a specific ISO 13485 clause. None of them are auditor preference. They are written requirements.
- The finding pattern does not depend on company size. A three-person company has passed an audit with zero nonconformities. A thirty-person company has opened one with a QMS assessed at 0.1 percent complete.
- The difference is whether the QMS describes the actual work of the company. Everything else flows from that single question.
Why this list exists
Notified Body assessors and ISO 13485 certification auditors see the same findings over and over. The findings are not random. They cluster around the places where a QMS stops representing real work and starts representing the idea of work — the places where someone wrote a procedure once, put it in a folder, and never looked at it again.
Under MDR Article 10(9), every manufacturer must establish a QMS that covers, among other things, strategy for regulatory compliance, risk management, clinical evaluation, product realisation, resource management, and post-market surveillance. Under Annex IX, the Notified Body assesses that QMS against the requirements of the Regulation. In practice assessors use EN ISO 13485:2016+A11:2021 as the yardstick, because conformity with the harmonised standard gives a presumption of conformity with the corresponding MDR requirements.
The ten findings below are the ones a startup should walk into the audit already having fixed. Each entry gives the finding name, the ISO 13485 clause it violates, why auditors flag it, the fix, and where relevant a story from the field.
Finding 1: Documents do not match actual practice
ISO 13485 clause: 4.2.1 (general documentation requirements), 4.1 (general QMS requirements).
This is the root finding. Almost every other finding on this list is a symptom of this one. The procedure says the company does X. The company does Y. The auditor asks to see evidence of X, the team pulls up evidence of Y, and the nonconformity is written on the spot.
We once watched a Berlin startup buy a QMS template pack online, replace the placeholder company name with their own, and submit the result. The QMS was assessed as roughly 0.1 percent complete — because the single thing they had done was the name replacement. Every procedure described work that had never been performed. Every form referenced roles that did not exist. The assessor did not need to dig. The QMS disqualified itself in the first thirty minutes.
Fix: Write procedures that describe what your team actually does. If a procedure and reality diverge, change one of them — usually the procedure — immediately. Do not let a document describe a fantasy version of the company. EN ISO 13485:2016+A11:2021 requires the QMS to be documented, implemented, and maintained. Implemented is the word that matters. A document that is not implemented is not a QMS. It is decoration.
Finding 2: Management review not running, or running superficially
ISO 13485 clause: 5.6 (management review), 5.6.1, 5.6.2, 5.6.3.
Clause 5.6 requires top management to review the QMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. The clause specifies inputs — feedback, complaints, audit results, process performance, product conformity, CAPA status, PMS, regulatory changes — and outputs — decisions and actions related to improvement, changes to the QMS, and resource needs.
Startups fail this clause in two ways. The first is never running a management review at all. The second, more common, is running one that is a fifteen-minute check-the-box exercise with no real inputs, no real decisions, and no documented outputs. The auditor asks to see the management review record. The record exists. It says "QMS is effective. No issues." The auditor asks what data that conclusion was based on. There is no data.
Fix: Schedule management review at a realistic cadence. Clause 5.6 requires documented planned intervals and sets no frequency; annual is the floor assessors typically accept, and for most startups in the certification phase quarterly is the better interval because it produces data the auditor can actually see. Prepare the inputs as a genuine dashboard, not a formality. Make real decisions with real resource allocations and document them. A management review of twenty minutes can be valid if it is based on real data and produces real decisions. A management review of four hours is not valid if it produces nothing.
Finding 3: Document control weak — version mismatches in use
ISO 13485 clause: 4.2.4 (control of documents), 4.2.5 (control of records).
Clause 4.2.4 requires that documents are reviewed and approved before issue, reviewed and updated as necessary, that changes and current revision status are identified, that relevant versions are available at points of use, and that obsolete documents are prevented from unintended use. This is the clause that produces the highest volume of minor findings in first audits.
The typical audit failure: the team is working from an old version of a form. The current version exists on a shared drive, but a local copy from three months ago is still in circulation. Or two people have different copies with different fields. Or a procedure has been updated but the training on the update was never completed, so half the team is following the old one. Each of these is a nonconformity against 4.2.4.
Fix: Either run a disciplined document management tool where the current version is the only version people can reach, or write a very short document control procedure and enforce it ruthlessly. A lean QMS can get away with a tiny system, but not with an inconsistent one. See our post on document control for startups for the minimum viable approach that still passes audit.
Finding 4: CAPA records without effectiveness verification
ISO 13485 clause: 8.5.2 (corrective action), 8.5.3 (preventive action).
Clause 8.5.2 requires corrective actions to be appropriate to the effects of the nonconformities encountered, and — critically — requires the effectiveness of any corrective action taken to be reviewed. Clause 8.5.3 imposes the same structure for preventive action. Effectiveness verification is not optional. It is the last step of the CAPA process, and it is the step that startups skip most often.
The typical pattern: a nonconformity is raised, a root cause is identified, an action is defined, the action is executed, the CAPA is closed. The effectiveness check — weeks or months later, confirming that the nonconformity has not recurred — is never scheduled, so it never happens. The auditor opens the CAPA register, sees every CAPA closed, asks for the effectiveness verification for three of them, and finds nothing.
Fix: When you open a CAPA, schedule the effectiveness verification at the same time — not as a wish, as a dated calendar entry with an owner. The verification itself can be short: one line stating what evidence was reviewed and whether the nonconformity has recurred. It just has to exist, be dated after the action was implemented, and be based on real data. See CAPA under MDR and ISO 13485 for the full lean workflow.
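The check an auditor runs on the CAPA register can be run before the audit. The following Python script is an added example, not code from the original post or the authors' own tooling; the CSV layout, the column names and the five sample rows are constructed for illustration. It flags the four things that draw a finding: no dated verification with an owner scheduled, a closed CAPA with no verification, a verification dated on or before the action it is supposed to verify (the most common mistake when the record is back-filled), and a verification that names no evidence.

```python
"""Pre-audit check of a CAPA register for effectiveness verification
(EN ISO 13485:2016 clauses 8.5.2 and 8.5.3).

Added example, not the post's own tooling.  The CSV layout and the five
rows below are constructed for illustration.
"""
import csv
import io
from datetime import date

# Constructed register. Empty cells mean "not done". A real register has
# more columns; the dates that matter for this check are
# action_implemented, verification_due and verification_done.
CAPA_REGISTER_CSV = """\
capa_id,status,opened,action_implemented,verification_due,verification_owner,verification_done,verification_evidence
CAPA-001,closed,2025-01-10,2025-02-03,2025-05-03,QA,2025-05-06,No recurrence in complaint log Feb-Apr 2025
CAPA-002,closed,2025-02-14,2025-03-01,,,,
CAPA-003,closed,2025-03-02,2025-03-20,2025-06-20,QA,2025-03-15,Re-checked the affected batch records
CAPA-004,open,2025-04-11,,,,,
CAPA-005,closed,2025-04-22,2025-05-05,2025-08-05,RA,2025-08-07,
"""


def _parse_date(cell):
    """ISO date, or None for an empty cell."""
    return date.fromisoformat(cell) if cell else None


def check_capa_register(csv_text, today="2025-09-01"):
    """Return {capa_id: [issue, ...]} for every CAPA that would draw a finding.

    Rules, in the order an auditor applies them:
      1. every CAPA has a dated verification scheduled with a named owner;
      2. a closed CAPA has an effectiveness verification on record;
      3. that verification is dated after the action was implemented and
         states what evidence was reviewed;
      4. an open CAPA whose scheduled verification date has passed is overdue.
    """
    today = _parse_date(today)
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        implemented = _parse_date(row["action_implemented"])
        due = _parse_date(row["verification_due"])
        done = _parse_date(row["verification_done"])

        if due is None or not row["verification_owner"].strip():
            issues.append("no dated verification scheduled with an owner")

        if row["status"] == "closed":
            if implemented is None:
                issues.append("closed without an implementation date for the action")
            if done is None:
                issues.append("closed without effectiveness verification")
            else:
                if implemented is not None and done <= implemented:
                    issues.append("verification dated on or before action implementation")
                if not row["verification_evidence"].strip():
                    issues.append("verification records no evidence reviewed")
        elif due is not None and done is None and due < today:
            issues.append("scheduled verification overdue")

        if issues:
            findings[row["capa_id"]] = issues
    return findings


if __name__ == "__main__":
    for capa_id, issues in check_capa_register(CAPA_REGISTER_CSV).items():
        print(capa_id)
        for issue in issues:
            print("  -", issue)
```

Run against the constructed register, only CAPA-001 passes: CAPA-002 was closed with no verification at all, CAPA-003 has a verification dated before the action it verifies, CAPA-004 was opened without scheduling its verification, and CAPA-005 has a dated verification that says nothing about what was checked. Each of those is exactly the question the auditor asks when picking three CAPAs from the register.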
Finding 5: Internal audits not independent, or not performed
ISO 13485 clause: 8.2.4 (internal audit).
Clause 8.2.4 requires the organization to conduct internal audits at planned intervals to determine whether the QMS conforms to planned arrangements, to the standard, to regulatory requirements, and to the QMS the organization itself has established. Auditors must not audit their own work. In a small company, "own work" is almost everything, which is why this clause is hard for startups.
The failure patterns: no internal audits at all ("we are too small"), audits performed by the same person who owns the process being audited ("we only have one QA person"), or audits that exist on paper but consist of a two-line summary with no findings and no evidence of scope.
Fix: Independence does not require a full-time internal auditor. It requires that the person auditing a process is not the person who wrote and runs that process. In a three-person company, cross-audit: the CTO audits the CEO's areas and vice versa, with a short written protocol. Alternatively, bring in an external auditor for one annual internal audit covering the whole QMS — this is a legitimate lean pattern and costs a fraction of what founders assume. The Lower Austria three-person company that passed its audit with zero nonconformities ran exactly this model: disciplined cross-audit with a documented scope and a written report for each cycle. Three people. Zero NCRs. See internal audits for startups for the full pattern.
Finding 6: Competence records missing or unverified
ISO 13485 clause: 6.2 (human resources), 6.2.1, 6.2.2.
Clause 6.2 requires personnel performing work affecting product quality to be competent on the basis of appropriate education, training, skills, and experience. The organization must determine the necessary competence, provide training or take other actions to achieve it, evaluate the effectiveness of the actions, and maintain appropriate records.
Startups usually have the people. They just do not have the records. The auditor asks "what makes this person competent to perform design verification?" and the team names a degree, a previous job, and a few years of experience — all of which are correct, none of which are documented in a CV on file, a training record, a competence matrix, or a qualification statement.
The harder version of this finding is when the claimed competence is not real. Tibor has seen cases where a company named a "dedicated regulatory expert" on the org chart, the auditor met the person, and within twenty minutes it was clear the person had neither the MDR knowledge nor the ISO 13485 experience the role required. The failure was not only the missing records. It was that no one had ever verified the claim before the audit did it for them.
Fix: Build a competence matrix listing every role, the required competence, and the evidence for each person holding the role — CV, diploma, training certificate, documented on-the-job training, or internal qualification. Update it whenever a role changes. Verify claimed competence with the same rigour you apply to suppliers. If someone is named as the regulatory lead, make sure they can actually lead the regulatory work.
Finding 7: Supplier evaluation missing
ISO 13485 clause: 7.4 (purchasing), 7.4.1 (purchasing process), 7.4.2 (purchasing information), 7.4.3 (verification of purchased product).
Clause 7.4.1 requires the organization to establish criteria for the evaluation and selection of suppliers, evaluate and select suppliers based on their ability to supply product in accordance with the organization's requirements, and maintain records of the evaluation. The clause explicitly requires the extent of controls to be proportionate to the risk associated with the purchased product.
Startup failure patterns: no supplier list at all, a supplier list with no evaluation criteria, evaluations performed once at onboarding and never repeated, or — most common — contract manufacturers and component suppliers that are critical to product safety being managed by a handshake and an email trail rather than a qualified supplier agreement.
Fix: Maintain a supplier register. Define the evaluation criteria for each supplier category — higher rigour for critical suppliers, lower for office consumables. Perform and document the evaluation. Re-evaluate at a defined interval, usually annually for critical suppliers. Keep the records. A lean approach can be a two-page supplier SOP plus a spreadsheet — it just has to be real and current.
Finding 8: Design control traceability broken
ISO 13485 clause: 7.3 (design and development), 7.3.2 (planning), 7.3.3 (inputs), 7.3.4 (outputs), 7.3.6 (verification), 7.3.7 (validation), 7.3.9 (control of design changes).
Clause 7.3 is long and specific. Design inputs must be determined, reviewed, and approved. Design outputs must be provided in a form suitable for verification against inputs. Verification must demonstrate that outputs meet inputs. Validation must demonstrate that the resulting product meets the requirements for its specified application or intended use. Every step must be recorded. Every change must be controlled and re-verified as appropriate.
The finding pattern: design input requirements exist. Verification test reports exist. But the thread from each requirement, through the design output, to the verification evidence, and into the risk file, cannot be traced. The auditor picks a requirement at random and asks "where is this verified?" and the team cannot produce the trace within a reasonable time. Traceability is not an auditor luxury. It is a 7.3 obligation.
Fix: Maintain a traceability matrix from the earliest design input stage. Every requirement has a unique ID. Every design output references the requirement IDs it implements. Every verification test references the requirement IDs it verifies. Every validation activity references the intended use it validates. A spreadsheet is enough — what matters is that it is kept current as the design evolves. Design changes re-run the affected rows. This is the single most valuable QMS artefact a startup can build early, because it prevents dozens of downstream findings.
Finding 9: Risk management file disconnected from the QMS
ISO 13485 clause: 7.1 (planning of product realization), with reference to ISO 14971, harmonised under the MDR as EN ISO 14971:2019+A11:2021.
Clause 7.1 requires the organization to document one or more processes for risk management in product realization and to maintain records of risk management activities, which in practice means a risk management file. EN ISO 14971:2019+A11:2021 defines the risk management process used to meet the risk-related general safety and performance requirements of MDR Annex I.
The common finding is not that the risk file is missing. It is that the risk file sits in a separate folder, maintained by one person, and never connects to the rest of the QMS. Hazards identified in risk analysis are not reflected in design inputs. Risk controls are not verified in design verification. Post-market data does not feed back into the risk file to update risk estimates. The file is a standalone document, not a living part of the system.
Fix: The risk management file must be cross-referenced with design inputs, design outputs, verification and validation records, the technical documentation under Annex II, and the PMS system. Every risk control traces to a design output. Every design output with safety impact traces back to a risk control. The PMS plan explicitly feeds post-market data into risk re-evaluation at a defined cadence. None of this is added work — it is the work the standard already requires, arranged so it actually connects.
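The traceability obligations of Finding 8 and the cross-references demanded in Finding 9 can be checked mechanically once every artefact carries an ID. The following Python script is an added example, not code from the original post or the authors' tooling; the ID scheme (REQ, DO, VER, RC), the field names and the sample rows are assumptions constructed for illustration. It reports requirements with no design output or no verification, references to IDs that no longer exist, risk controls whose design output is missing, and safety-relevant design outputs with no risk control behind them, and it lists which rows a requirement change forces to be re-run under 7.3.9.

```python
"""Consistency check for a lean design-control traceability matrix
(EN ISO 13485:2016 clause 7.3, plus the risk-file cross-references of 7.1).

Added example, not the post's own tooling.  ID scheme, field names and
sample rows are constructed for illustration.
"""
from collections import defaultdict

# --- constructed sample matrix ---------------------------------------
REQUIREMENTS = {
    "REQ-001": "Measured value displayed within 2 s",
    "REQ-002": "Low-battery alarm below 10 %",
    "REQ-003": "Housing withstands 1 m drop",
    "REQ-004": "Firmware update accepts only authenticated packages",
}

# Each design output lists the requirement IDs it implements.
DESIGN_OUTPUTS = {
    "DO-001": {"implements": ["REQ-001"], "safety_impact": False},
    "DO-002": {"implements": ["REQ-002"], "safety_impact": True},
    "DO-003": {"implements": ["REQ-003"], "safety_impact": True},
    "DO-004": {"implements": ["REQ-004", "REQ-099"], "safety_impact": True},  # REQ-099 was deleted
}

# Each verification test lists the requirement IDs it verifies.
VERIFICATIONS = {
    "VER-001": {"verifies": ["REQ-001"]},
    "VER-002": {"verifies": ["REQ-002"]},
    # REQ-003 and REQ-004 have design outputs but nobody verified them
}

# Each risk control names the design output that realises it.
RISK_CONTROLS = {
    "RC-001": {"hazard": "Undetected low battery", "design_output": "DO-002"},
    "RC-002": {"hazard": "Tampered firmware", "design_output": "DO-009"},  # DO-009 does not exist
    # DO-003 is safety-relevant but no risk control points at it
}


def check_traceability(reqs, outputs, vers, controls):
    """Return {finding_category: sorted IDs}; an empty dict means the matrix closes."""
    findings = defaultdict(set)
    implemented, verified, controlled = set(), set(), set()

    # Forward trace: requirement -> design output
    for do_id, do in outputs.items():
        for req in do["implements"]:
            if req in reqs:
                implemented.add(req)
            else:
                findings["dangling_requirement_ref"].add(f"{do_id}->{req}")

    # Forward trace: requirement -> verification evidence
    for ver_id, ver in vers.items():
        for req in ver["verifies"]:
            if req in reqs:
                verified.add(req)
            else:
                findings["dangling_requirement_ref"].add(f"{ver_id}->{req}")

    for req in reqs:
        if req not in implemented:
            findings["requirement_without_design_output"].add(req)
        if req not in verified:
            findings["requirement_without_verification"].add(req)

    # Risk file <-> design outputs, in both directions
    for rc_id, rc in controls.items():
        if rc["design_output"] in outputs:
            controlled.add(rc["design_output"])
        else:
            findings["risk_control_without_design_output"].add(rc_id)

    for do_id, do in outputs.items():
        if do["safety_impact"] and do_id not in controlled:
            findings["safety_output_without_risk_control"].add(do_id)

    return {k: sorted(v) for k, v in findings.items()}


def impact_of_change(req_id, outputs, vers, controls):
    """Rows that must be re-run when req_id changes (clause 7.3.9)."""
    hit_outputs = {d for d, do in outputs.items() if req_id in do["implements"]}
    hit_vers = {v for v, ver in vers.items() if req_id in ver["verifies"]}
    hit_controls = {c for c, rc in controls.items() if rc["design_output"] in hit_outputs}
    return {
        "design_outputs": sorted(hit_outputs),
        "verifications": sorted(hit_vers),
        "risk_controls": sorted(hit_controls),
    }


if __name__ == "__main__":
    result = check_traceability(REQUIREMENTS, DESIGN_OUTPUTS, VERIFICATIONS, RISK_CONTROLS)
    for category, ids in result.items():
        print(f"{category}: {', '.join(ids)}")
    print("change to REQ-002 re-runs:",
          impact_of_change("REQ-002", DESIGN_OUTPUTS, VERIFICATIONS, RISK_CONTROLS))
```

On the sample matrix the script reports REQ-003 and REQ-004 as unverified, a design output still pointing at the deleted REQ-099, a risk control whose design output does not exist, and two safety-relevant outputs (DO-003, DO-004) with no risk control behind them. Those are the exact questions in the audit: "where is this verified?" and "which risk control does this implement?" Running the check on every change to the matrix is what keeps the thread intact as the design evolves.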
Finding 10: PMS system not integrated into the QMS
ISO 13485 clause: 8.2.1 (feedback), 8.5 (improvement), with reference to MDR Article 83 (post-market surveillance system of the manufacturer).
MDR Article 83 requires manufacturers to plan, establish, document, implement, maintain, and update a post-market surveillance system in a manner that is proportionate to the risk class and appropriate for the type of device. The PMS system must actively and systematically gather, record, and analyse relevant data on the quality, performance, and safety of a device throughout its entire lifetime. Clause 8.2.1 of ISO 13485 requires the organization to gather and monitor information on whether requirements have been met, including feedback from the post-production phase.
Startup failure pattern: a PMS plan exists because the Notified Body required one. The plan describes data sources and review frequencies. None of it runs. No data has been collected. No post-market surveillance report (Article 85, Class I) or PSUR (Article 86, Class IIa and above) has been produced. Or the PMS data that is collected never feeds into CAPA, risk management, or management review. The PMS exists as a document, not as a system.
Fix: Treat PMS as a live process from day one of the post-market phase. Assign owners. Define the data sources — complaints, incident reports, literature, similar devices, PMCF activities per Annex XIV Part B. Define the review cadence. Connect the outputs to CAPA, risk management, and management review so the data actually changes something. MDCG 2025-10 (December 2025) is the reference guidance for what a compliant PMS system looks like in practice.
The Subtract to Ship angle
The ten findings above share a pattern: each one is the result of adding a QMS artefact without adding the work that makes the artefact real. The fix is never more documents. The fix is fewer documents that actually describe what happens and actually connect to each other.
A Vienna startup we worked with started its QMS build with a QA manager who had done this once before and refused to copy anyone else's template. She wrote the shortest QMS that could pass audit for that specific company — no filler, no inherited clauses from another org, every procedure describing actual work. The audit passed. There were findings, because there are always findings, but none of the ten above. Compare with the Berlin template disaster and the Lower Austria three-person company and the pattern holds across every case: the QMS that describes real work passes. The QMS that describes imaginary work fails. Size has nothing to do with it.
Subtract to Ship applied to QMS means: start from what you actually do, write it down, connect the pieces, and stop there. Everything beyond that is overhead that will eventually drift from reality and become one of these findings.
Reality Check — Where do you stand?
- Of the ten findings above, how many can you honestly say do not apply to your current QMS?
- Pick one procedure at random from your QMS. Does it describe what your team does today, or what someone wrote down eighteen months ago?
- When was your last management review? Did it produce documented decisions, or just a signed record?
- Pick three CAPAs from your register. Do all three have effectiveness verification records dated after the action was implemented?
- Could you produce a traceability matrix from one design input to verification evidence in under five minutes?
- Does your risk management file reference design outputs and PMS data, or does it live in its own folder?
- If a Notified Body assessor arrived next Monday, which of the ten findings would they open first?
If you winced at more than three of these, the next decision is not "rewrite the QMS." It is "fix the three places where documents and reality diverge the most." The rest follows.
Frequently Asked Questions
What is the single most common QMS audit nonconformity in MDR startup audits? Documents not matching actual practice. It is the root finding, and most of the other nine findings on this list are downstream symptoms of it. Every procedure the QMS contains must describe work the company actually performs.
Which ISO 13485 clause gets cited most often in startup audit findings? Clause 4.2.4 (control of documents) produces the highest volume of minor findings in first audits, because version mismatches and obsolete documents in use are easy for an auditor to spot and hard for a small team to prevent without a disciplined document control process.
Can a three-person company pass an MDR QMS audit with zero nonconformities? Yes. Tibor has seen a three-person company in Lower Austria do exactly this. The determining factor is whether the QMS describes real work and whether the team cross-audits with discipline. Size is not the obstacle.
Do online ISO 13485 templates help or hurt? They can help as a starting point for the layout of procedures. They hurt when a startup treats the templates as the finished QMS without rewriting every procedure to match the company's actual processes. The Berlin template disaster — a QMS assessed at 0.1 percent complete — is what happens at the extreme end of template misuse.
Does management review have to happen quarterly? EN ISO 13485:2016+A11:2021 clause 5.6 requires management review at planned intervals without specifying a frequency. Annual is the minimum that assessors typically accept. For most startups in the certification phase, quarterly is more defensible and produces better data for the auditor to see.
Is a lean QMS compatible with passing an MDR audit? Yes — provided lean means "smaller and connected to reality," not "missing required elements." MDR Article 10(9) and Annex IX set the requirements. EN ISO 13485:2016+A11:2021 is the harmonised standard that gives presumption of conformity with them. A lean QMS meets both. A thin QMS with missing clauses does not. See build a lean QMS for MDR and the minimum viable QMS for the practical boundary.
Related reading
- Ten Most Common MDR Non-Conformities in Startup Audits — the broader non-conformity list across all MDR audit types, not only QMS.
- How to Prepare for Your First Notified Body Audit — the preparation sequence that avoids nine of the ten findings in this post.
- How to Respond to MDR Audit Nonconformities — what to do when a finding is raised.
- The Subtract to Ship Framework for MDR — the methodology behind lean QMS design.
- What Is a Quality Management System for Medical Devices? — the foundational QMS explainer.
- Build a Lean QMS for MDR as a Startup — the hands-on build guide.
- The Minimum Viable QMS — how small a compliant QMS can actually be.
- Document Control for MedTech Startups — the clause 4.2.4 deep dive.
- CAPA Under MDR and ISO 13485 — the clause 8.5.2 and 8.5.3 deep dive.
- Internal Audits for MedTech Startups — the clause 8.2.4 deep dive.
Sources
- Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10(9) (quality management system), Article 83 (post-market surveillance system of the manufacturer), Annex IX (conformity assessment based on a quality management system and on assessment of technical documentation). Official Journal L 117, 5.5.2017.
- EN ISO 13485:2016 + A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. Clauses cited: 4.1, 4.2.1, 4.2.4, 4.2.5, 5.6, 6.2, 7.1, 7.3, 7.4, 8.2.1, 8.2.4, 8.5, 8.5.2, 8.5.3.
- EN ISO 14971:2019 + A11:2021 — Medical devices — Application of risk management to medical devices.
- MDCG 2025-10 — Guidance on post-market surveillance of medical devices and in vitro diagnostic medical devices, December 2025.
This post is part of the Quality Management Under MDR series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. Every finding in this list was observed in real audits across more than fifty MedTech certification projects.