Internal audits under MDR are mandatory. They come from clause 8.2.4 of EN ISO 13485:2016+A11:2021, which is the harmonised standard providing presumption of conformity with the QMS obligation in MDR Article 10(9). The standard requires you to plan and conduct audits at planned intervals, cover every QMS process over the audit cycle, use auditors who do not audit their own work, and feed the findings into corrective action and management review. A three-person startup meets this by rotating roles so no one audits what they built, bringing in one external reviewer for the processes where rotation does not create enough independence, and running short focused audits rather than one giant annual exercise.
By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.
TL;DR
- Internal audits are not optional. Clause 8.2.4 of EN ISO 13485:2016+A11:2021 makes them a mandatory QMS process, and MDR Article 10(9) makes the QMS itself a legal obligation.
- Independence is the hard rule. Auditors cannot audit their own work. For a three-person startup this means cross-auditing, and for the processes where cross-auditing breaks down, bringing in a named external reviewer.
- Every QMS process must be covered at least once over the internal audit cycle, with frequency weighted by risk and by the results of previous audits.
- Internal audit findings feed CAPA and management review. An internal audit that produces a report which nobody acts on is worse than no audit at all, because it creates a paper trail of known problems left to rot.
- Subtract to Ship applied to internal audits: short, focused audits against the actual process, run on a rolling calendar, with honest findings, instead of one annual all-hands exercise that nobody takes seriously.
A story about independence
A Vienna startup hired a QA manager who had built a QMS before. She brought the structure, interrogated every process against the real company, and produced a lean QMS that described actual operations. When it came time to run the first internal audit, she stopped. She could not audit the QMS she had just built. Clause 8.2.4 is unambiguous about that, and so is every competent Notified Body auditor who will look at her audit records later.
The founders pushed back, gently. "You know the QMS best. Who better to audit it?" Exactly the wrong question. The person who built a process is the last person who can credibly audit it, because the purpose of the audit is to catch the blind spots the builder cannot see. If the builder audits, the blind spots survive.
She brought in an external reviewer for one day. Not a full consulting engagement. A named competent person who audited the design and development process and the management review process — the two areas where rotation inside a three-person company did not create enough distance. She audited everything else herself, because she had not built those processes. Total external spend for the first annual cycle: under a thousand euros. Result: a real internal audit that an auditor from a Notified Body could look at and trust.
Compare that to the Berlin company from the QMS pillar post — the one that bought a template, ran find-and-replace on the company name, and submitted it as their QMS. Their first "internal audit" was a document produced by the same person who had produced the template, saying everything was fine. The Notified Body assessed the QMS at 0.1 percent complete. The internal audit was a fiction layered on top of a fiction.
Internal audits either work or they do not. There is no middle ground.
What clause 8.2.4 actually requires
The internal audit obligation lives in clause 8.2.4 of EN ISO 13485:2016+A11:2021. The standard requires the organisation to conduct internal audits at planned intervals to determine whether the quality management system conforms to planned and documented arrangements, to the requirements of the standard, to the QMS requirements established by the organisation, and to applicable regulatory requirements — and whether it is effectively implemented and maintained.
Read that carefully. The audit has to check four different things in parallel: does the QMS match what you wrote down, does it match the standard, does it match your own internal rules, and does it match the regulatory requirements that apply to your device. And then it has to check whether the system is actually being run, not just described.
Clause 8.2.4 then specifies several operational requirements. There must be a documented procedure describing the responsibilities and requirements for planning and conducting audits and for recording and reporting their results. The audit programme has to be planned taking into account the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, interval and methods must be defined and recorded. Selection of auditors and conduct of audits must ensure objectivity and impartiality of the audit process — and critically, auditors must not audit their own work. Records of the audits and their results must be maintained, including identification of the processes and areas audited and the conclusions. When non-conformities are found, the management responsible for the audited area must ensure that corrections and corrective actions are taken without undue delay to eliminate them and their causes, and follow-up activities must verify the actions taken and report the verification results.
Under MDR Article 10(9), the QMS must be "proportionate to the risk class and the type of device" and must address, among other things, "processes for monitoring and measurement of output, data analysis and product improvement." Internal audits are one of the core processes that make "monitoring and measurement of output" real. Annex IX of the MDR, which governs the QMS-based conformity assessment route for most higher-class devices, has the Notified Body audit the QMS itself and keep it under surveillance, and the internal audit records are central evidence that the QMS is self-monitoring.
The combined obligation is simple. Run internal audits. Make them real. Keep records. Act on findings.
Independence when your whole team fits in one room
The hardest part of clause 8.2.4 for a three-person startup is the independence rule: auditors shall not audit their own work. In a 500-person company, you assign the audit to someone from a different department and the problem disappears. In a three-person company, every process has been touched by every person.
There are three practical moves that work, in descending order of preference.
Cross-audit by role rotation. The CTO audits the regulatory and QMS processes the RA lead runs. The RA lead audits the design and development and software release processes the CTO runs. Neither of them audits what they built. This works cleanly for the processes where the division of labour is clean. It fails when one process has been genuinely co-owned — which in a startup is usually design controls, risk management, and management review.
External reviewer for the gaps. For the processes that cannot be cross-audited credibly, bring in one named external competent person for a focused audit of those specific processes. This does not have to be expensive. One day of a qualified auditor, scoped to the two or three processes where independence is a real problem, produces a legitimate internal audit record. Name the person in the audit report, along with their qualifications and the basis on which you consider them independent.
Founder or CEO as auditor of last resort — only if defensible. If the CEO genuinely has not been involved in building a particular process and has the competence to audit it, they can audit it. This is narrow and easily abused. If the CEO signed off on the QMS at management review, they are compromised on auditing the QMS as a whole. If the CEO has never touched the supplier evaluation process and can read clause 7.4 of the standard without needing it explained to them, they can audit supplier evaluation. Use this sparingly, and be ready to defend it to the Notified Body.
What does not work: the person who wrote the procedure auditing the procedure. The person who owns the process auditing the process. The CEO rubber-stamping an audit done by their own RA lead. A "peer review" by the same person under a different hat. Notified Body auditors see these patterns every week. They are not fooled.
Building the internal audit plan
The standard asks for a planned audit programme; in practice that means covering every QMS process over the audit cycle. For most startups the cycle is one calendar year, though it can be shorter for higher-risk devices or longer for stable mature systems (within the limits the Notified Body accepts).
A minimum startup audit plan lists every QMS process, the frequency it will be audited, the planned date or quarter, the assigned auditor, and the scope of what that audit will cover. Processes with higher risk or with previous findings get audited more often. Processes that have been stable for multiple cycles with no findings can be audited less often, but never less than once per cycle.
The shape that works for a small team is a rolling calendar of short audits, not one big annual exercise. Audit document control in January. Audit CAPA in February. Audit design controls (with the external reviewer) in March. Audit supplier evaluation in April. And so on. Each audit is a half-day to a day. Each produces its own report. Over twelve months, every process has been covered, and the team has not had to burn a full week on a single bloated audit nobody wanted to run.
Write the plan down before the cycle starts. When the cycle ends, compare what you planned to what you actually did. Deviations become a finding against the audit programme itself, and feed the next cycle's plan.
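The two rules above, full coverage and no one auditing their own work, are mechanical enough to check before the cycle starts. The following Python is an added example, not code from the authors or from any QMS tool they use: the team, the process owners, the plan entries, the `needs_external` rule (no independent team member means an external reviewer) and the "one report per planned audit" deviation check are all constructed assumptions for illustration.

```python
"""Check a rolling internal audit programme for coverage and auditor independence.

Added example for this post, not the authors' own QMS tooling. The team,
the process owners, the plan entries and the rule that a process with no
independent team member needs an external reviewer are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed three-person team and who built or runs each QMS process.
# Anyone listed as an owner cannot audit that process (clause 8.2.4:
# auditors shall not audit their own work).
TEAM = {"cto", "ra_lead", "ceo"}
PROCESS_OWNERS = {
    "document_control": {"ra_lead"},
    "capa": {"ra_lead"},
    "design_controls": {"cto", "ra_lead"},
    "software_release": {"cto"},
    "supplier_evaluation": {"ra_lead"},
    "management_review": {"cto", "ra_lead", "ceo"},   # everyone touched it
}


@dataclass(frozen=True)
class PlannedAudit:
    process: str
    auditor: str       # team member id, or the name of an external reviewer
    month: str
    basis: str = ""    # recorded qualification and independence basis (externals)


def internal_candidates(process, owners=PROCESS_OWNERS, team=TEAM):
    """Team members who neither built nor run the process."""
    return team - owners[process]


def needs_external(process, owners=PROCESS_OWNERS, team=TEAM):
    """True when no one on the team is independent of the process."""
    return not internal_candidates(process, owners, team)


def check_programme(plan, owners=PROCESS_OWNERS, team=TEAM):
    """Findings against the audit programme itself; an empty list means clean."""
    findings = []
    covered = {a.process for a in plan}
    for process in owners:
        if process not in covered:
            findings.append(f"coverage: {process} is not audited in this cycle")
    for a in plan:
        if a.process not in owners:
            findings.append(f"plan: {a.process} is not a known QMS process")
            continue
        if a.auditor in owners[a.process]:
            findings.append(
                f"independence: {a.auditor} audits {a.process}, which they own or built")
        if a.auditor not in team and not a.basis:
            findings.append(
                f"external: {a.auditor} on {a.process} has no recorded "
                "qualification or independence basis")
    return findings


def deviations(plan, completed_processes):
    """Planned audits with no report at cycle end; each is a programme finding."""
    return [a.process for a in plan if a.process not in completed_processes]


# Constructed plan with two deliberate defects: the CTO auditing design
# controls they co-own, and supplier evaluation never scheduled.
PLAN = [
    PlannedAudit("document_control", "cto", "January"),
    PlannedAudit("capa", "cto", "February"),
    PlannedAudit("design_controls", "cto", "March"),
    PlannedAudit("management_review", "external_reviewer", "March",
                 basis="Qualified ISO 13485 auditor, no prior involvement with the company"),
    PlannedAudit("software_release", "ra_lead", "May"),
]

if __name__ == "__main__":
    for finding in check_programme(PLAN):
        print(finding)
    for process in PROCESS_OWNERS:
        if needs_external(process):
            print(f"{process}: no independent team member, schedule an external reviewer")
```

Running it on the constructed plan reports the missing supplier evaluation audit and the CTO auditing design controls, and flags management review as the one process with no independent team member. Re-run `deviations` at the end of the cycle against the set of processes that actually have a report; anything left over becomes the finding against the programme that feeds the next cycle's plan.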
Sampling inside an individual audit
Inside a given audit — say, CAPA in February — the auditor does not read every CAPA record in the system. They sample. The sample needs to be large enough to draw conclusions and small enough to finish the audit in the time available.
A useful default: pick three to five CAPAs from the last cycle, including at least one that was opened because of a previous internal audit finding, at least one opened from a customer complaint or PMS signal, and at least one that was closed as "no corrective action required." Trace each one end to end. Root cause analysis present? Corrective action taken? Effectiveness verification done? Records complete? If every sample passes, record the sample and the result. If any sample fails, expand the sample and investigate whether the failure is isolated or systemic.
Sampling is a skill. Auditors who sample too narrowly miss real problems. Auditors who try to audit everything never finish and produce sloppy records. Somewhere in the middle is a sample that is defensible to the Notified Body: documented reasoning, representative coverage, honest conclusions.
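The sampling default above, as an added example in Python that is not code from the authors or from any CAPA system: it picks one record per stratum, fills the sample to the chosen size, traces each record for the elements the page lists, and expands to the rest of the register when a sample fails. The CAPA register, the record fields, the elements checked for a "no action required" record (a recorded justification) and the rule that any failure found on expansion counts as systemic are constructed assumptions for illustration.

```python
"""Stratified CAPA sampling and end-to-end tracing for an internal audit.

Added example for this post, not the authors' own tooling. The register, the
record fields and the 'expand on failure' verdict rule are constructed
assumptions; a real audit reads the CAPA system export instead.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Capa:
    id: str
    source: str                          # internal_audit, complaint, pms, process
    outcome: str                         # corrective_action or no_action_required
    root_cause: Optional[str] = None
    corrective_action: Optional[str] = None
    effectiveness_verified: bool = False
    justification: Optional[str] = None  # why no corrective action was needed
    records_complete: bool = True


# Constructed register for one cycle (not real data); two records share the
# "retrained the operator, no root cause" pattern the page uses as a finding.
REGISTER = [
    Capa("C-2026-001", "internal_audit", "corrective_action", "SOP lacked review step", "SOP revised", True),
    Capa("C-2026-002", "process", "corrective_action", "Ambiguous template", "Template fixed", True),
    Capa("C-2026-003", "complaint", "corrective_action", None, "Operator retrained", False),
    Capa("C-2026-004", "pms", "no_action_required", justification="Trend within limits"),
    Capa("C-2026-005", "process", "corrective_action", "Calibration overdue", "Reminder added", True),
    Capa("C-2026-006", "complaint", "no_action_required", justification=None),
    Capa("C-2026-007", "complaint", "corrective_action", None, "Operator retrained", True),
]

# The strata the page asks the sample to cover.
STRATA = {
    "from_previous_internal_audit": lambda c: c.source == "internal_audit",
    "from_complaint_or_pms": lambda c: c.source in ("complaint", "pms"),
    "closed_no_action_required": lambda c: c.outcome == "no_action_required",
}


def select_sample(register, size=5):
    """One record per stratum first (most recent id), then fill to `size`."""
    by_recency = sorted(register, key=lambda c: c.id, reverse=True)
    chosen = []
    for predicate in STRATA.values():
        for c in by_recency:
            if predicate(c) and c not in chosen:
                chosen.append(c)
                break
    for c in by_recency:
        if len(chosen) >= size:
            break
        if c not in chosen:
            chosen.append(c)
    return chosen


def trace(capa):
    """Missing elements for one record; an empty list means the record passes."""
    missing = []
    if capa.outcome == "corrective_action":
        if not capa.root_cause:
            missing.append("root cause analysis")
        if not capa.corrective_action:
            missing.append("corrective action")
        if not capa.effectiveness_verified:
            missing.append("effectiveness verification")
    elif capa.outcome == "no_action_required":
        if not capa.justification:
            missing.append("justification for no action")
    else:
        missing.append(f"unknown outcome {capa.outcome!r}")
    if not capa.records_complete:
        missing.append("complete records")
    return missing


def audit_capa_process(register, size=5):
    """Sample, trace, and expand to the full register if any sample fails."""
    sample = select_sample(register, size)
    results = {c.id: trace(c) for c in sample}
    uncovered = [name for name, p in STRATA.items() if not any(p(c) for c in sample)]
    expanded = {}
    verdict = "pass"
    if any(results.values()):
        expanded = {c.id: trace(c) for c in register if c.id not in results}
        # Assumed rule: further failures on expansion mean the problem is systemic.
        verdict = "systemic" if any(expanded.values()) else "isolated"
    return {"sample": [c.id for c in sample], "results": results,
            "uncovered_strata": uncovered, "expanded": expanded, "verdict": verdict}


if __name__ == "__main__":
    report = audit_capa_process(REGISTER)
    for cid, missing in {**report["results"], **report["expanded"]}.items():
        print(cid, "PASS" if not missing else "missing: " + ", ".join(missing))
    print("verdict:", report["verdict"])
```

On the constructed register the five-record sample already contains two failures (a complaint CAPA with no root cause, a "no action" closure with no justification), the expansion finds a third, and the verdict is systemic: exactly the situation in which the auditor should write a finding against the CAPA process rather than against two individual records. The `uncovered_strata` list is the honest note to keep in the audit file when the register simply has no record of a given kind to sample.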
Execution — the conversation, not the paperwork
An internal audit is mostly a conversation. The auditor arrives with the process they are auditing, the clauses of the standard and the MDR articles the process must satisfy, and the relevant documents from the QMS. They interview the process owner, ask to see records, trace selected examples, and check whether what the procedure says matches what the owner describes and what the records show.
The auditor is not trying to catch anyone out. They are trying to find the gaps between what is written and what happens, so the gaps can be closed before a Notified Body finds them. The process owner who treats the internal audit as adversarial makes it worse. The process owner who walks the auditor through the real work, including the parts that are messy, makes it useful.
Note any discrepancy the moment it appears. "The procedure says design reviews are minuted. I see notes from the last three design reviews in the shared drive, but they are not in the QMS records system." That is a finding. Write it down in the auditor's working notes immediately. At the end of the audit, the findings get written into a short report.
Reporting — short, honest, traceable
The internal audit report does not have to be long. It has to be clear. The audit report should identify the scope of the audit, the clauses and articles assessed, the auditor and their independence basis, the date and duration, the sample examined, the findings (non-conformities, observations, and opportunities for improvement), and the conclusion on whether the process is effectively implemented and maintained.
Every finding is phrased as a specific, evidenced statement of non-conformity against a specific clause or article. Not "CAPA process could be better." Instead: "Clause 8.5.2 of EN ISO 13485:2016+A11:2021 requires the organisation to determine the causes of non-conformities and to take action to eliminate them so that they do not recur. In CAPA records C-2026-003 and C-2026-007, the corrective action consisted of retraining the operator, with no root cause analysis documented. Recorded as non-conformity IA-2026-04."
A finding that cannot be phrased as a specific evidenced statement is not ready to be a finding. It is a note for the next audit.
Feeding findings into CAPA and management review
Internal audit findings do not live in their own silo. Every non-conformity from an internal audit must be opened as a CAPA in the CAPA system, with the full root cause analysis, corrective action, preventive action where appropriate, and effectiveness verification cycle. The internal audit is not the place to do the correction — it is the place that raises the ticket.
At the next management review, the open internal audit findings and their CAPA status are a required input. Clause 5.6.2 of EN ISO 13485:2016+A11:2021 lists audit results explicitly as a management review input. If management review minutes do not show internal audit findings being discussed, the loop is broken, and the Notified Body will find it.
This is where internal audits either become a real quality mechanism or stay decorative. A finding opened, tracked, closed with effectiveness evidence, and reported to management review is a functioning QMS. A finding written in an audit report that nobody ever looks at again is a paper trail of known problems that makes the company look worse, not better, when a Notified Body auditor reads the file.
The Subtract to Ship approach to internal audits
The default failure mode in startup internal auditing is not skipping audits. It is running audits that do not match the real operations of the company — either by copying a template audit checklist from a different company, or by running the audit as a theatrical exercise where everyone already knows the answer will be "fine."
Subtraction means three things here. First, one rolling calendar of short real audits instead of one annual all-hands exercise. Second, audit against the actual process the company actually runs, not against the procedure as written — because if the procedure and the real process have diverged, that divergence is the finding. Third, write findings as evidenced specific statements against specific clauses, not as generic observations. Every sentence in an internal audit report that is not anchored to a clause or an article or a specific record is waste.
What you keep: independence, coverage of every QMS process across the cycle, real sampling, real findings, a feed into CAPA, and a feed into management review. That is what clause 8.2.4 actually requires. Everything else is theatre.
Reality Check — Where do you stand?
- Do you have a documented internal audit programme that covers every QMS process over the current audit cycle, written down before the cycle started?
- For each audit in the programme, can you name the auditor and the specific basis on which they are independent of the work being audited?
- For the processes where no one on your team is independent, do you have a named external reviewer scheduled, with qualifications recorded in the audit file?
- Are your internal audit findings opened as CAPAs in your CAPA system, with the same rigour as any other CAPA?
- At your last management review, did the minutes show internal audit results being discussed as a review input?
- If a Notified Body auditor asked to see the internal audit records for the last twelve months, could you produce a report for every planned audit, or are some of them "in progress" or "to be scheduled"?
- If you look honestly at your last internal audit report, were the findings specific and evidenced, or were they generic observations that could have been written without actually doing the audit?
Frequently Asked Questions
How often do internal audits have to be done under ISO 13485? Clause 8.2.4 of EN ISO 13485:2016+A11:2021 does not prescribe a fixed frequency. It requires audits at planned intervals, with the programme planned taking into account the status and importance of the processes and areas and the results of previous audits. In practice, every QMS process should be audited at least once per annual cycle, with higher-risk or previously problematic processes audited more often.
Can the person who wrote a procedure audit that procedure? No. Clause 8.2.4 explicitly states that auditors shall not audit their own work. If the person who wrote or runs the procedure is the one auditing it, the independence requirement fails and any Notified Body auditor reviewing the records will raise a non-conformity against the internal audit process itself.
Does a three-person startup really have to do internal audits? Yes. The proportionality principle in MDR Article 10(9) allows the depth and frequency of QMS processes to scale with risk class and type of device, but it does not allow any required process to be skipped. Internal audits are a required process under clause 8.2.4, which is the harmonised means of meeting the Article 10(9) QMS obligation. A three-person startup runs them by cross-auditing where possible and bringing in one external reviewer for the gaps.
Do I have to use an external auditor for internal audits? Not in general. Internal audits are called internal because they are performed by or on behalf of the organisation itself. External auditors can be used as part of the internal audit programme when internal independence is not achievable, but using an external resource does not convert the audit into a third-party audit. The audit is still internal in the sense of clause 8.2.4.
What happens if an internal audit finds a major non-conformity? It gets opened as a CAPA with the same rigour as any other major non-conformity. Root cause analysis, corrective action, preventive action where appropriate, effectiveness verification, and closure. The finding and its closure status then appear as an input to the next management review. If the major non-conformity is material enough to affect device safety, it can also trigger vigilance and PMS actions depending on the nature of the finding.
Can the Notified Body see my internal audit reports? Yes. Under MDR Annex IX, the Notified Body audits the QMS and keeps it under surveillance, and the records the QMS produces about itself are part of that audit. Your internal audit programme, plans, reports, findings, and CAPA closures are all within the scope of what the Notified Body can and will examine. Internal audit records that look thin, generic, or inconsistent with the rest of the QMS are themselves a red flag for the Notified Body auditor.
Related reading
- The Subtract to Ship Framework for MDR — the methodology this internal audit discipline is built on.
- What Is a Quality Management System for Medical Devices? — the pillar post for the QMS cluster, where internal audits sit as one of the core processes.
- How to Build a Lean QMS for an MDR Startup — the operational playbook for the QMS the internal audit is auditing.
- The Minimum Viable QMS for a Medical Device Startup — the smallest honest QMS that still includes internal audits.
- Document Control Under MDR and ISO 13485 — one of the first processes to audit in any cycle.
- CAPA Under MDR and EN ISO 13485:2016 — the process internal audit findings feed into.
- Management Review Under MDR and ISO 13485 — the meeting where internal audit results are a required input.
- Training the Internal Auditor in a 3-Person Startup — how to build the internal audit competence you need without hiring for it.
- Common MDR QMS Audit Non-Conformities — the findings patterns you want your own internal audit to catch before the Notified Body does.
- Supplier Audits Under MDR: When and How — the adjacent audit discipline that uses the same skill set.
Sources
- Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10 (general obligations of manufacturers, including paragraph 9 on the quality management system), Annex IX (conformity assessment based on a quality management system and on assessment of technical documentation). Official Journal L 117, 5.5.2017.
- EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. Clause 8.2.4 (Internal audit), clause 8.5.2 (Corrective action) and clause 5.6 (Management review).
This post is part of the Quality Management Under MDR cluster in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. The internal audit is the mechanism by which a QMS checks itself honestly. Run it as a real process, keep it proportionate to the team you actually have, and it becomes one of the most useful tools in the QMS rather than one of the most decorative.