Preparing for your first Notified Body audit means making sure your QMS documents match your actual practice, your technical file is structured so an auditor can navigate it without a treasure hunt, and your team can explain every process in their own words. The audit is not an exam. It is a structured conversation verifying that what you have written down matches what you actually do. Startups that pass the first audit tend to have disciplined documentation, short clear narratives, and at least one person who can walk the auditor through every chapter without looking anything up.
By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.
TL;DR
- The Notified Body audit checks three things: does your QMS meet EN ISO 13485:2016+A11:2021, does your technical documentation meet MDR Annex II, and does what you say on paper match what you actually do.
- The most common reason startups fail a first audit is not missing documents. It is documents that do not match reality.
- Structure beats volume. A technical file that follows Annex II and cross-references cleanly beats a technical file twice as long with a random structure.
- The best preparation is not last-minute cramming. It is an internal mock audit run against your own documents two to six weeks before the real one, by someone who has not built the files themselves.
- A three-person company with disciplined documentation can outperform a thirty-person company with sloppy documentation. We have watched it happen.
The audit in one sentence
An auditor from a Notified Body arrives at your company, reviews your quality management system and your technical documentation, interviews your team, observes a small number of processes, and writes a report. The report says either "we can proceed" or "here are the nonconformities you must close before we proceed." That is the audit.
The audit is governed by MDR Article 52 (conformity assessment procedures), Article 56 (certificates of conformity), and the conformity assessment annex that applies to your device. For Class IIa, IIb and III devices that is most commonly Annex IX (assessment based on a quality management system and assessment of technical documentation). Annex VII sets out the requirements the Notified Body itself must meet in order to be designated; it is not a route you choose. Your QMS is assessed against EN ISO 13485:2016+A11:2021, the harmonised standard that provides presumption of conformity with the MDR QMS obligations it covers.
The auditor is not hostile. The auditor is a trained professional doing a structured job. Tibor, who has spent years on both sides of this, frames it this way: audits are not policing. They are about working together to produce safer medical devices. Founders who walk in expecting an adversarial encounter make the audit worse than it needs to be. Founders who walk in expecting a rubber stamp make it catastrophic.
Two stories, one lesson
There is a company in Lower Austria. Three people, one product, disciplined operators. Their technical documentation was clean. Everything followed Annex II. Cross-references worked. Every section could be navigated without guessing where to look next. They went into their first audit with dread, like every startup does. They came out with zero nonconformities. A three-person company outperformed ten other companies with larger teams that the same Notified Body audited that quarter. The difference was not headcount. It was discipline.
There is also a startup, location not important, that submitted a technical file the auditor described as "a treasure hunt." The structure was random. Information was scattered without logic. The auditor had to go looking for basic sections that should have been obvious. The audit took longer than expected and surfaced nonconformities that were entirely about structure, not content. The information was there, just hidden.
Volume does not matter. Structure and clarity matter. If the auditor cannot find what they need, it might as well not exist.
And there is a third story worth repeating. The breath sample analysis device from Graz. They were running out of money and needed fast NB feedback. They chose the right Notified Body for their scope and capacity. They submitted documentation that was good enough. Not perfect, but complete, well-structured, and honest. The expected NB feedback timeline was 7–10 months. They got feedback in 2.5 months, roughly 65 to 75 percent faster than that range. Not because they submitted perfect documentation, but because they submitted complete documentation to the right NB and did not waste anyone's time.
What the auditor actually checks
A typical first audit for a startup covers four areas. The depth of each depends on your class and the specific annex your conformity assessment follows, but the structure is consistent.
The QMS. Does it exist as a real management system, not just a folder of documents, and does it meet the requirements of EN ISO 13485:2016+A11:2021? The auditor will look at management review records, document control, CAPA records, internal audit records, training records, supplier evaluation, design control, and the interaction between these processes. They will check that the QMS actually runs: meeting minutes, completed CAPAs, closed actions. Not that the documents look nice.
The technical documentation. Does it follow MDR Annex II? The device description, intended purpose, classification rationale, design and manufacturing information, GSPR checklist, benefit-risk analysis, risk management file, verification and validation records, clinical evaluation report, labels, and instructions for use. The auditor will sample sections and trace them end to end. For example, pick a specific risk from the risk file, follow it to the design control evidence, follow it to the clinical evaluation, follow it to the IFU warning.
Compliance with the GSPR (Annex I). Each General Safety and Performance Requirement in Annex I must be addressed in your technical file. Applicable or not applicable, and if applicable, how it is met and with what evidence. The auditor will sample several GSPR items and verify the evidence chain.
The people. The auditor will interview members of your team. They will ask process owners to describe their own processes in their own words. The answers are cross-checked against the documented procedures. If the process owner says one thing and the document says another, that is a nonconformity. Usually not because the person is wrong, but because the document does not reflect how the work actually gets done.
How to prepare. The practical sequence
Six weeks out: get an independent pair of eyes on the full file. Someone who did not write the documents reviews them against the applicable annexes and standards. This is not a formal internal audit (which you will also have done). This is a sanity check by a person who can say "I do not understand this section" and mean it. If your regulatory partner is competent, this is where they earn their fee. If you do not have one, find a peer founder who has been through it and trade favors.
Four weeks out: run an internal mock audit. Someone, ideally not the person who wrote the QMS, plays the auditor. They pick sampled processes and trace them end to end. They interview process owners. They check that document versions match the ones actually in use. Every finding from the mock audit becomes a CAPA to close before the real audit.
Two weeks out: close every mock audit finding. Not "mark it as in progress." Close it. Evidence in hand. Trail documented. Version controlled. A finding left open at the mock audit will become a finding left open at the real audit.
One week out: rehearse the narratives. Your process owners should be able to describe their processes without looking things up. Not because they have memorized a script, but because they actually do the work. If they cannot, the processes are not real. The audit will discover this.
The day of: show up rested, bring the right people, answer the questions you are actually asked. Do not volunteer information. Do not argue. Do not over-explain. If you do not know the answer to a question, say so and commit to finding it within the audit window. Auditors trust people who say "I do not know" more than they trust people who guess confidently.
The common failure patterns
- Documents that do not match practice. The single most common source of nonconformities. The SOP says one thing. The person who does the work says another. The auditor asks to see the records and they do not exist. Fix this by making sure your documented processes are descriptions of actual work, not aspirations.
- Technical file that does not follow Annex II. The treasure hunt pattern. Information is present but scattered. Fix this by rewriting the file with Annex II as the table of contents, not as a checklist to cross off at the end.
- Missing or incomplete GSPR checklist. Every GSPR item in Annex I must be addressed. "Not applicable" is a valid answer if justified. "Forgot" is not.
- Risk management file disconnected from design. The ISO 14971 risk file exists in one binder. The design control evidence exists in another. Nothing cross-references. The auditor asks "how did you control this risk?" and the team has to reconstruct the connection from memory.
- The process owner who freezes under questioning. Not because they do not know the work, but because they have never been asked to describe it out loud. Practice this in the mock audit.
- Last-minute panic rewrites. Rewriting documents in the week before the audit creates version control problems and introduces errors. If something needs to be rewritten a week before, you should not be having the audit yet.
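Two of the patterns above (the risk file disconnected from design, the GSPR checklist with gaps) and the document-version question in the reality check below are all cross-reference problems, and cross-references can be checked by a script before the mock audit instead of reconstructed from memory during the real one. The following is an added example, not code from the original post or from any NB. It assumes the technical file is indexed in machine-readable form; the risk, control, verification, IFU and GSPR identifiers and the document versions are constructed sample data, not real records.

```python
"""Traceability check over a technical-file index (added example).
Assumes a machine-readable index of the file; all identifiers below are
constructed sample data, not records from any real technical file."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Risk:
    risk_id: str
    hazard: str
    control_ids: list[str] = field(default_factory=list)


@dataclass
class Control:
    control_id: str
    description: str
    verification_ids: list[str] = field(default_factory=list)
    ifu_warning_id: str | None = None  # residual risk disclosed in the IFU, if any


@dataclass
class GsprItem:
    clause: str
    status: str  # "applicable", "not_applicable" or "" (never decided)
    justification: str = ""
    evidence_ids: list[str] = field(default_factory=list)


def check_risk_chain(risks, controls, verifications, ifu_warnings):
    """Follow each risk to its control, the control to its verification record
    and, where claimed, to the IFU warning. One finding per broken link."""
    findings = []
    for risk in risks:
        if not risk.control_ids:
            findings.append(f"{risk.risk_id}: no risk control linked")
        for cid in risk.control_ids:
            control = controls.get(cid)
            if control is None:
                findings.append(f"{risk.risk_id}: references missing control {cid}")
                continue
            if not control.verification_ids:
                findings.append(f"{cid}: no verification evidence linked")
            for vid in control.verification_ids:
                if vid not in verifications:
                    findings.append(f"{cid}: references missing verification record {vid}")
            if control.ifu_warning_id and control.ifu_warning_id not in ifu_warnings:
                findings.append(f"{cid}: references missing IFU warning {control.ifu_warning_id}")
    return findings


def check_gspr(items):
    """Every row needs a decision; 'not applicable' needs a justification and
    'applicable' needs at least one linked piece of evidence."""
    findings = []
    for item in items:
        if item.status == "applicable" and not item.evidence_ids:
            findings.append(f"GSPR {item.clause}: applicable but no evidence linked")
        elif item.status == "not_applicable" and not item.justification:
            findings.append(f"GSPR {item.clause}: not applicable without justification")
        elif item.status not in ("applicable", "not_applicable"):
            findings.append(f"GSPR {item.clause}: no applicability decision recorded")
    return findings


def check_versions(in_use, master_list):
    """Compare versions found at the point of use with the controlled master list."""
    findings = []
    for doc, version in sorted(in_use.items()):
        if doc not in master_list:
            findings.append(f"{doc}: in use but not on the master list")
        elif master_list[doc] != version:
            findings.append(f"{doc}: in use {version}, master list {master_list[doc]}")
    return findings


# Constructed sample index. Each deliberate gap mirrors a failure pattern above.
RISKS = [
    Risk("R-07", "Sensor over-temperature burns patient", ["RC-07a"]),
    Risk("R-12", "Firmware update bricks device mid-therapy", ["RC-12a"]),
    Risk("R-15", "Incorrect dose shown after unit change"),  # no control linked
]
CONTROLS = {
    "RC-07a": Control("RC-07a", "Thermal cut-off at 41 C", ["VV-031"], "IFU-W-04"),
    "RC-12a": Control("RC-12a", "A/B firmware slots with rollback", ["VV-044"]),
}
VERIFICATIONS = {"VV-031": "Thermal cut-off bench test report"}  # VV-044 never filed
IFU_WARNINGS = {"IFU-W-04": "Do not cover the sensor housing during use"}
GSPR = [
    GsprItem("1", "applicable", evidence_ids=["RMF-001"]),
    GsprItem("10.1", "not_applicable"),  # no justification recorded
    GsprItem("17.2", "applicable"),      # no evidence linked
    GsprItem("23.4", ""),                # never decided
]
IN_USE = {"SOP-04 Design Control": "v3", "SOP-09 CAPA": "v2"}
MASTER_LIST = {"SOP-04 Design Control": "v4", "SOP-09 CAPA": "v2"}


def run_all():
    """All findings across the three checks; an empty list is the goal."""
    return (check_risk_chain(RISKS, CONTROLS, VERIFICATIONS, IFU_WARNINGS)
            + check_gspr(GSPR) + check_versions(IN_USE, MASTER_LIST))


if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```

Every line the script prints is a mock-audit finding and becomes a CAPA. The value is not the script itself but the discipline it forces: the file has to be indexed with stable identifiers in the first place, which is exactly what lets an auditor follow a sampled risk to the IFU warning without a treasure hunt.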
What to do after the auditor leaves
The audit report lands within a few weeks. It will contain zero, one or many findings: nonconformities (graded as major and minor in practice, according to the NB's convention) and observations.
Resist the urge to panic about the number of findings. The number by itself does not predict outcome. What matters is whether the findings can be closed within the response window the NB gives you, usually 30 to 90 days depending on severity. Most first audits produce findings. A first audit with zero findings, the Lower Austria three-person outcome, is rare and noteworthy. A first audit with 20 findings is normal. A first audit with 80 findings is a problem.
The response to each finding follows the CAPA discipline in your QMS. Root cause analysis, corrective action, preventive action, effectiveness check, evidence. The full cycle, documented. Not "we fixed it." Evidence that the fix works and that the same problem cannot recur.
The post on responding to audit non-conformities covers the CAPA response in detail.
The Subtract to Ship approach to audit preparation
Do not prepare for the audit you fear. Prepare for the audit that will actually happen.
The audit you fear is adversarial, trick-question-heavy, and populated by people trying to catch you out. It does not exist. The audit that actually happens is a structured conversation about whether your documentation matches reality. Prepare for that one, and the fear takes care of itself.
Subtraction in audit preparation means cutting anything that is not the documentation the auditor will actually look at, the processes the auditor will actually sample, or the conversations the auditor will actually have. Templates, planning documents, speculation about what the auditor might ask. All of this is waste. The audit plan you receive beforehand names the annex, the processes and the areas of the technical documentation the auditor intends to sample. Prepare those. Stop preparing things they will never see.
Reality Check. Where do you stand?
- Could a competent outsider open your technical file and locate the intended purpose, classification rationale, GSPR checklist, risk file, and clinical evaluation within 60 seconds each?
- If you asked your three most senior process owners to describe their processes to a stranger tomorrow morning, could they?
- When was your last internal audit, and did it surface any findings? (If "never" or "no findings ever," the audit was not real.)
- Are your document versions in use the same as the document versions in your QMS?
- Have you run a mock audit with someone who did not write the documents?
- If the auditor asks to see evidence that a specific risk in your risk file is controlled in the design, can you produce the evidence chain in under five minutes?
- Do you know, with confidence, which GSPR items apply to your device and which do not, and why?
Frequently Asked Questions
How long does a first Notified Body audit take? For most startups, the on-site portion is two to five days depending on device complexity and class. The documentation review happens before the on-site audit and can take several weeks. The final report typically arrives two to four weeks after the audit.
Can I bring my regulatory consultant to the audit? Usually yes, though the auditor will want to interview your employees directly, not the consultant. A consultant can observe and help the team after hours but should not answer questions for process owners during the audit itself.
What happens if I get major nonconformities? Major nonconformities must be closed before the certificate can be issued. You will receive a response window, typically 30 to 90 days. You submit CAPA evidence. The NB reviews it. Sometimes a follow-up audit is required to verify closure. Your timeline gets pushed, but the audit is not "failed" in any permanent sense.
Can the auditor see things I did not show them? They can request any document that falls within the scope of the audit, and you are obliged to produce it under your contract with the NB. Hiding documents is the fastest way to destroy the relationship and invite deeper investigation. Answer honestly, even when the honest answer is "we do not have that yet."
How do I know if I am actually ready for the audit? The single best indicator is the result of an honest internal mock audit, run by someone who did not build the files. If the mock audit surfaces more than a handful of substantive findings two weeks before the real audit, you are not ready and should reschedule if possible.
Related reading
- What Is a Notified Body and How Do They Audit Your Startup? – the role of the NB in the conformity assessment system.
- How to Choose the Right Notified Body for Your MedTech Startup – the strategic decision behind which NB you engage.
- The 10 Most Common MDR Non-Conformities Found in Startup Audits – the patterns that repeat across first audits.
- The Auditor's Perspective: What Notified Body Auditors Actually Look For – what the other side of the table is thinking.
- Stage 1 vs Stage 2 Audits Under MDR: What Happens in Each Phase – the structure of the two-stage audit process for ISO 13485 certification.
- How to Respond to Audit Non-Conformities: A Step-by-Step Guide for Startups – the CAPA response process after the audit.
Sources
- Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 52 (conformity assessment procedures), Article 56 (certificates of conformity and EU declaration of conformity), Annex VII (requirements to be met by notified bodies), Annex IX (full quality management system and technical documentation assessment), Annex II (technical documentation), Annex I (general safety and performance requirements). Official Journal L 117, 5.5.2017.
- EN ISO 13485:2016 + A11:2021. Medical devices. Quality management systems. Requirements for regulatory purposes.
- EN ISO 14971:2019 + A11:2021. Medical devices. Application of risk management to medical devices.
This post is part of the MDR Fundamentals & Regulatory Strategy series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. Tibor has spent years on both sides of the Notified Body audit table, as a lead auditor conducting assessments and as a founder preparing his own companies for them. That dual experience shapes everything in this post.