A three-person MedTech startup runs internal audits under clause 8.2.4 of EN ISO 13485:2016+A11:2021 by writing an annual audit plan that covers every QMS process, rotating auditor roles so no one audits work they built, bringing in one named external reviewer for the two or three processes where rotation cannot create enough independence, sampling three to five records per process, and feeding every finding into CAPA and management review. The plan is short, the audits are short, the reports are short. And every one of them is traceable to clause 8.2.4 and MDR Article 10(9).
By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.
TL;DR
- A three-person team is not exempt from internal audits. Clause 8.2.4 of EN ISO 13485:2016+A11:2021 applies regardless of headcount, and MDR Article 10(9) makes the QMS itself a legal obligation.
- Independence at this size is achieved by role rotation first, one external reviewer for the gaps second, and never by letting the process owner audit their own process.
- An annual audit plan written before the cycle starts, with every QMS process assigned to an auditor and a quarter, is the minimum documented programme the standard expects.
- Audits are short and focused. Half a day to a day each, sampling three to five records per process, producing a one- or two-page report anchored to specific clauses.
- Findings feed CAPA and management review. An audit that produces a report nobody acts on is worse than no audit, because it documents known problems left to rot.
A 3-person company in Lower Austria that ran a clean cycle
A three-person company in Lower Austria, two founders and one part-time regulatory lead, decided to run their first full internal audit cycle six months before their Notified Body Stage 2. They did not have the budget for a consultancy to run it for them, and they did not have the headcount for a dedicated internal auditor. What they had was clause 8.2.4 of EN ISO 13485:2016+A11:2021, a QMS that honestly described how they worked, and a willingness to do the audits the way the standard actually describes rather than the way a template would have them performed.
They wrote an annual plan in one afternoon: every QMS process on one page, with a quarter assigned, an auditor assigned, and a one-line scope for each audit. They rotated the two founders against each other's processes. For design controls and management review, the two processes neither founder could audit independently, they booked one day from an external competent person, a retired Notified Body auditor available for short assignments. Total external spend: under one thousand euros.
They ran the audits on the rolling calendar they had set. Short, focused, honest. Seven findings across the full cycle, every one of them phrased as a specific non-conformity against a specific clause, every one opened as a CAPA, every one discussed at the next management review. At Stage 2 the Notified Body auditor reviewed the internal audit file and recorded zero non-conformities against the internal audit process itself. The auditor told them, on the way out, that the internal audit file was one of the cleanest she had seen at a company that size.
That is the bar. Not perfection. Not volume. Just a real process run honestly, on a small team, with one external day paid for where independence genuinely required it.
Step 1. Write the annual internal audit plan
The plan is the first thing the Notified Body asks to see, and the first thing that falls apart if it is improvised. Clause 8.2.4 requires a planned audit programme taking into account the status and importance of the processes to be audited and the results of previous audits. Translation: one document, written before the cycle starts, listing every QMS process and how it will be audited.
A minimum plan for a three-person team fits on one page. One row per QMS process. Columns for: scope, clauses and articles to be assessed, scheduled quarter, assigned auditor, independence basis, and sample strategy. Processes with higher risk or with findings from the previous cycle go earlier in the calendar and get audited in more depth. Processes that have been stable with no findings can be lighter, but never skipped. Every required process under EN ISO 13485:2016+A11:2021 appears somewhere on the page.
The plan is approved by top management before the cycle starts. Under clause 5.6.2 of EN ISO 13485:2016+A11:2021, the previous cycle's audit results are a required management review input, so the new plan is normally written immediately after a management review, while the previous cycle's findings are fresh.
Step 2. Define the scope of each individual audit
Each audit on the plan needs its own short scope statement. Not "audit CAPA." Something like: "Audit the CAPA process against clause 8.5.2 of EN ISO 13485:2016+A11:2021 and the company CAPA procedure QMS-SOP-08.5.2. Sample five CAPAs from the last twelve months, including at least one opened from an internal audit finding, at least one opened from a customer complaint, and at least one closed without corrective action."
That paragraph tells the auditor what to look at, what clauses to assess it against, and how to sample. It also tells the Notified Body auditor months later exactly what the internal audit was supposed to achieve, which makes the audit record defensible.
Scopes are written when the plan is written, not at the start of each audit. Writing them upfront forces the team to think about which clauses matter for which process, and surfaces any gaps in the QMS before the audits start running.
Step 3. Solve independence with three practical moves
Independence is the hard rule in a three-person company. Clause 8.2.4 explicitly states that auditors shall not audit their own work. In descending order of preference, here is how to achieve that at small scale.
Role rotation. The two founders audit each other's primary processes. If founder A runs software development and release, founder B audits those, provided founder B has not been materially involved in building or operating them. The rotation has to be genuine. A founder who signs off on every design review cannot claim independence from design controls just because someone else owns the folder.
External reviewer for the gaps. For the two or three processes where rotation does not create enough distance, typically design controls, management review, and sometimes risk management, bring in one named external competent person for a focused audit. One day, scoped in advance, is usually enough. Document the external reviewer's qualifications, the basis on which they are independent, and the fee arrangement in the audit file. This is not a full consulting engagement. It is a narrow audit booking.
Founder as auditor of last resort, narrowly. If the CEO has genuinely not touched a specific process and is competent to audit it, they can audit it. This applies to a few processes at most. Supplier evaluation is the common example. It does not apply to anything the CEO has approved, signed, or contributed to. Used sparingly, it is defensible. Used broadly, it destroys the independence of the entire audit programme.
What does not work: the person who wrote a procedure auditing that procedure; the RA lead auditing the QMS the RA lead built; a "peer review" by the same person under a different hat. Notified Body auditors see these patterns weekly. They are not fooled.
Step 4. Sample deliberately inside each audit
Sampling is where most startup internal audits go wrong. Either the auditor tries to audit everything and produces sloppy records, or they sample one record and call it done. Neither is defensible.
A useful default for a small team: three to five records per process, selected to cover the range of cases. For CAPA, pick records that represent different trigger sources. For document control, pick documents from different parts of the QMS at different lifecycle stages. For design controls, pick records from different phases of a design project. Write down the sample and why it was chosen in the audit report, so the sampling logic is auditable.
If any sample fails, expand the sample and investigate whether the failure is isolated or systemic. A single failing record is a finding. A pattern across the expanded sample is a bigger finding, and the scope of the investigation widens until the auditor has a defensible conclusion about whether the process is functioning.
Step 5. Conduct the audit as a conversation
An internal audit is mostly a conversation. The auditor arrives with the process, the clauses and articles to assess against, and the relevant documents. They talk to the process owner, ask to see records, trace selected examples, and check whether the procedure matches what the owner describes and what the records show.
The auditor is not trying to catch anyone out. They are looking for gaps between what is written and what happens, so the gaps can be closed before the Notified Body finds them. The process owner who walks the auditor through the real work, including the messy parts, makes the audit useful. The process owner who treats it as adversarial makes it worse.
Note any discrepancy the moment it appears, in working notes. "The procedure says design reviews are minuted. The last three design reviews have notes in the shared drive, but the notes are not in the QMS records system." That is a finding, captured in the moment, written up later.
Step 6. Report in one or two pages, anchored to clauses
The report does not have to be long. It has to be clear and traceable. A one- or two-page report for each audit covers: scope, clauses and articles assessed, auditor and independence basis, date, duration, sample examined, findings, and the conclusion on whether the process is effectively implemented and maintained.
Every finding is phrased as a specific, evidenced statement of non-conformity against a specific clause or article. Not "CAPA process could be stronger." Instead: "Clause 8.5.2 of EN ISO 13485:2016+A11:2021 requires corrective action appropriate to the effects of the non-conformities encountered. In CAPA records C-2026-003 and C-2026-007, corrective action consisted of operator retraining with no root cause analysis documented. Recorded as non-conformity IA-2026-04."
A finding that cannot be phrased as a specific evidenced statement is not a finding yet. It is a note for the next audit.
Step 7. Open every finding as a CAPA
Every non-conformity from an internal audit goes into the CAPA system as a CAPA, with the same rigour as any other CAPA. Root cause analysis, corrective action, preventive action where appropriate, effectiveness verification, and closure. The internal audit is not where the correction happens. It is where the ticket is raised.
For a three-person team, the temptation is to "just fix it" without opening a CAPA, because the team can talk across the room. Resist that. A finding fixed without a CAPA leaves no trace, and the Notified Body will read the absence of traces. A finding opened, tracked, and closed in the CAPA system produces exactly the paper trail the QMS is supposed to generate.
Step 8. Feed findings into management review
At the next management review, the open internal audit findings and their CAPA status are a required input. Clause 5.6.2 of EN ISO 13485:2016+A11:2021 lists audit results explicitly as a management review input. If the minutes do not show internal audit findings being discussed, the loop is broken, and the Notified Body auditor will find it.
This is where the audit programme becomes a functioning quality mechanism instead of a decorative one. Management review reads the findings, tracks the CAPA closures, evaluates trends across audits, and adjusts the next cycle's audit plan accordingly. Processes with repeat findings get audited more often in the next cycle. Processes that have been clean for multiple cycles can be audited more lightly. That feedback loop is how the programme meets the clause 8.2.4 requirement that audit planning take the results of previous audits into consideration.
The Subtract to Ship angle
The default failure mode at small scale is not skipping internal audits. It is running audits that do not match the real company. Either by copying a template checklist from somewhere else, or by running the audit as theatre where everyone knows the answer is "fine."
Subtraction means three things here. One rolling calendar of short real audits instead of one annual exercise nobody takes seriously. Audits of the process the team actually runs, checked against the procedure as written and the clauses it implements, so that if the procedure and the real process have diverged, the divergence is the finding. Findings written as specific evidenced statements against specific clauses, not as generic observations.
What you keep: independence, coverage of every QMS process across the cycle, real sampling, real findings, CAPA, management review. That is what clause 8.2.4 and MDR Article 10(9) actually require. Everything else is theatre, and a three-person team cannot afford theatre.
Reality Check. Where do you stand?
- Do you have an annual internal audit plan that covers every QMS process, written down before the current cycle started?
- For each audit on the plan, can you name the auditor and the specific basis on which they are independent of the work being audited?
- For the processes where no one on your team can audit independently, have you booked a named external reviewer with qualifications recorded in the audit file?
- Does each audit on the plan have a written scope that names the clauses and articles to be assessed and the sampling strategy?
- Are your internal audit findings being opened as CAPAs with the same rigour as every other CAPA, or are they being "fixed informally"?
- At your last management review, did the minutes show internal audit results being discussed as a review input?
- If a Notified Body auditor asked to see the internal audit file for the last twelve months tomorrow, could you hand it over without caveats?
Frequently Asked Questions
Can a 3-person startup do internal audits without hiring an auditor? Yes, with one caveat. Most processes can be audited by rotating roles across the team, provided no one audits work they built or approved. For the two or three processes where rotation does not create genuine independence, typically design controls and management review, one day from a named external competent person covers the gap. Total external spend is usually under a thousand euros for the first annual cycle.
How many audits do we need to run per year? Clause 8.2.4 of EN ISO 13485:2016+A11:2021 requires every QMS process to be covered across the audit cycle, but does not fix a number. For a small team, running five to eight short audits across the year, each covering one process or a small cluster of related processes, is the typical pattern. That produces full coverage without the burden of one giant annual exercise.
What if the same person built and runs every QMS process? Then internal independence is impossible for any of those processes, and every audit in the first cycle needs an external reviewer. That is expensive for a three-person team, and the better structural fix is to redistribute process ownership across the team so cross-auditing becomes possible from the second cycle onward. One externally audited cycle to start, rotation internally after that.
Does the external reviewer have to be a certified lead auditor? The standard does not mandate specific certifications for internal auditors. It requires objectivity, impartiality, and the competence to perform the audit. A retired Notified Body auditor, an independent QMS consultant with ISO 13485 experience, or a lead auditor from a non-competing company can all meet that bar. Record the qualifications and the basis for competence in the audit file.
Can internal audit findings be closed at the management review where they are first reported? No. Management review reads the findings as an input, tracks CAPA status, and adjusts the audit programme. But the findings themselves close through the CAPA cycle, with root cause analysis, corrective action, and effectiveness verification. A finding closed at the same management review where it was first reported is almost always a finding that skipped the CAPA process, and a Notified Body auditor will read that as a red flag.
Will the Notified Body actually look at our internal audit file? Yes. Internal audit records are explicitly within the scope of Notified Body QMS assessment. They will sample audit reports, check whether independence is defensible, trace findings into the CAPA system, and check whether management review minutes reflect the findings. A thin or generic internal audit file is itself a red flag, because it signals that the QMS is not self-monitoring.
Related reading
- The Subtract to Ship Framework for MDR Compliance – the methodology this internal audit discipline is built on.
- Internal Audits Under MDR: How to Audit Your Own Startup Using ISO 13485 – the pillar post on internal audits this how-to sits under.
- How to Build a Lean QMS for an MDR Startup – the QMS your internal audit is auditing.
- The Minimum Viable QMS for a Medical Device Startup – the smallest honest QMS that still includes internal audits.
- Document Control Under MDR and ISO 13485 – one of the first processes to audit in any cycle.
- CAPA Under MDR and EN ISO 13485:2016 – the process internal audit findings feed into.
- Training the Internal Auditor in a 3-Person Startup – how to build the audit competence on a small team.
- Common MDR QMS Audit Non-Conformities – the findings patterns you want your own audit to catch first.
Sources
- Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10 (general obligations of manufacturers, including paragraph 9 on the quality management system). Official Journal L 117, 5.5.2017.
- EN ISO 13485:2016 + A11:2021. Medical devices. Quality management systems. Requirements for regulatory purposes. Clause 8.2.4 (Internal audit) and clause 5.6 (Management review).
This post is part of the Quality Management Under MDR cluster in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. Internal audits on a three-person team are not a scaled-down version of enterprise audits. They are a different shape that still meets every requirement of clause 8.2.4, run honestly and sized for the team that actually exists.