A QMS audit preparation checklist for a MedTech startup under the MDR is a six-week sequence: documentation review at six weeks out, internal mock audit at four weeks out, CAPA closure of mock findings at two weeks out, narrative rehearsal at one week out, room and records logistics the day before, and disciplined behaviour during the audit itself. The QMS is assessed against EN ISO 13485:2016+A11:2021, which is the harmonised standard giving presumption of conformity with the QMS obligations in MDR Article 10(9) and Annex IX. Clauses an auditor will sample include management responsibility, document control, design and development, production and service provision, CAPA, internal audits, management review, and post-market surveillance.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.


TL;DR

  • The MDR audit of your QMS is carried out under Regulation (EU) 2017/745 Article 10(9) and Annex IX, against EN ISO 13485:2016+A11:2021 as the harmonised standard.
  • Startups that pass first audits cleanly run a six-week preparation sequence, not a six-day panic.
  • The benchmark outcome is a three-person company in Lower Austria that went through its first MDR audit with zero nonconformities. Discipline beats headcount.
  • The single most common first-audit finding is not a missing document. It is a document that does not match actual practice.
  • During the audit, answer only what is asked. Do not volunteer. Do not argue. Say "I do not know" honestly when you do not know.
  • CAPA responses to nonconformities are due within the response window the Notified Body sets, typically 30 to 90 days depending on severity.

Why audit preparation is the work, not a step before the work

The Notified Body audit is where your Quality Management System meets reality. Every document you have written, every process you have defined, every training you have recorded is about to be sampled by a trained auditor whose job is to check whether what you wrote down matches what you actually do. If the QMS is a performance put on for the auditor, the audit will find out. If the QMS is how you actually run the company, the audit will confirm it.

The benchmark story Tibor keeps coming back to is a three-person company in Lower Austria. One product. Disciplined operators. Clean documentation that followed the applicable MDR annexes and ISO 13485 clauses. They went into their first Notified Body audit with the same dread every startup feels. They came out with zero nonconformities. A three-person team outperformed ten larger companies the same Notified Body audited that quarter. The difference was not the headcount, the budget, or the consultant. It was that they had actually lived inside their QMS for months before the auditor walked in. Preparation was not a project they started four weeks out. Preparation was the work itself.

This post lays out the six-week preparation sequence that gets a resource-constrained MedTech startup to that same state of readiness.

The MDR and ISO 13485 text your auditor is working from

"Manufacturers of devices other than investigational devices shall establish, document, implement, maintain, keep up to date and continually improve a quality management system that shall ensure compliance with this Regulation in the most effective manner and in a manner that is proportionate to the risk class and the type of device." Regulation (EU) 2017/745, Article 10(9).

Annex IX of the MDR sets out the conformity assessment procedure based on a quality management system and on assessment of technical documentation. Notified Bodies apply it to Class IIa, IIb, and III devices and, under Article 52(7), to Class I devices placed on the market sterile, with a measuring function, or as reusable surgical instruments, where the Notified Body's involvement is limited to those specific aspects. EN ISO 13485:2016+A11:2021 is the harmonised standard that provides presumption of conformity with the QMS requirements it covers.

The auditor is not inventing the checklist. They are working from the clauses of EN ISO 13485:2016+A11:2021 and the requirements of MDR Article 10(9) and Annex IX. Your preparation checklist should mirror theirs.

Step 1. Six weeks out: documentation review

An independent pair of eyes reads your complete QMS documentation and your technical documentation against the applicable clauses and annexes. Independent means "did not write the files." A co-founder who has been heads-down on something else. A peer founder who has been through a Notified Body audit. A regulatory partner you trust. Anyone who can read a procedure and say "I do not understand what this paragraph is asking me to do" without ego.

What to cover in the six-week review:

  • Quality manual and top-level QMS structure against ISO 13485 clause 4.
  • Management responsibility records against clause 5. Quality policy, quality objectives, management review minutes.
  • Resource management and competence records against clause 6. Training records, role descriptions.
  • Product realization against clause 7. Customer-related processes, design and development, purchasing, production.
  • Measurement, analysis, and improvement against clause 8. Internal audits, CAPA, monitoring, data analysis.
  • Technical documentation against MDR Annex II and III. Device description, GSPR checklist, risk file, verification and validation, clinical evaluation, PMS plan, PSUR where applicable.

The deliverable from this step is a written list of every gap, ambiguity, and "I cannot tell what this document means" finding. It becomes the input to Step 2.

Step 2. Four weeks out: internal mock audit

Someone, ideally not the person who wrote the QMS, plays the auditor. They do not have to be a certified lead auditor. They have to be disciplined, willing to ask awkward questions, and willing to follow a thread to the end.

Run the mock audit the way the real one will run:

  • Sample a process. Pick three or four processes at random. Document control, CAPA, design change, supplier evaluation, internal audit itself. Ask for the procedure. Ask for the records. Check that the records are the ones the procedure describes.
  • Trace end to end. Pick a specific risk in the ISO 14971 risk file. Trace it to the design control evidence. Trace it to the clinical evaluation. Trace it to the instructions for use. If the chain breaks, that is a finding.
  • Interview process owners. Ask them to describe their own processes in their own words. Compare what they say to what the SOPs say. A mismatch is a finding.
  • Check document versions. Pick three SOPs. Ask the people who use them to produce the version they actually work from. Compare to the controlled copy. A version mismatch is a finding.
  • Sample training records. Pick a process. Ask for the training records of the people who perform it. Check competence is documented.

Log every finding. Treat them the way the real audit will: classify each as a nonconformity, observation, or opportunity for improvement, and record the clause or annex it maps to.
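Two of the mock-audit checks above, the end-to-end trace and the version comparison, are mechanical enough to run over an export of your records before anyone sits down to play auditor. The following is an added example, not code from the original post or from any eQMS product. The records are constructed sample data, and the field names (risk_id, refs, doc_id, version, holder) are assumptions about what a QMS export might look like, not any particular system's schema. It reports risks that are not referenced at every stage of the chain, evidence that points at a risk nobody documented, and point-of-use copies that differ from the controlled version.

```python
"""Mock-audit helpers: end-to-end risk traceability and point-of-use
version checks over QMS records.

Added example, not from the original post. All records below are
constructed sample data; the field names (risk_id, refs, doc_id,
version, holder) are assumptions about how a QMS export might look,
not any particular eQMS schema.
"""
from collections import defaultdict

# Order in which a single risk must be traceable through the technical
# documentation, as the mock-audit step describes it.
TRACE_STAGES = ("design_control", "clinical_evaluation", "ifu")

# Constructed sample records. Each non-risk record lists the risk IDs
# it claims to address in "refs".
RISK_FILE = [
    {"risk_id": "R-001", "hazard": "Electrical shock via patient lead"},
    {"risk_id": "R-002", "hazard": "Incorrect dose displayed"},
    {"risk_id": "R-003", "hazard": "Device overheating in enclosure"},
]
RECORDS = {
    "design_control": [
        {"id": "DI-014", "refs": ["R-001", "R-002"]},
        {"id": "DI-022", "refs": ["R-003"]},
    ],
    "clinical_evaluation": [
        {"id": "CER-3.2", "refs": ["R-001", "R-003"]},
    ],
    "ifu": [
        {"id": "IFU-W4", "refs": ["R-001"]},
        {"id": "IFU-W9", "refs": ["R-004"]},  # dangling: no such risk in the file
    ],
}


def trace_risks(risk_file, records, stages=TRACE_STAGES):
    """Return {risk_id: [stages with no record referencing it]}.

    A risk appears in the result only if at least one stage is missing,
    which is exactly the "chain breaks" case the mock audit looks for.
    """
    referenced = defaultdict(set)  # stage -> set of risk IDs referenced there
    for stage in stages:
        for rec in records.get(stage, []):
            referenced[stage].update(rec["refs"])
    broken = {}
    for risk in risk_file:
        missing = [s for s in stages if risk["risk_id"] not in referenced[s]]
        if missing:
            broken[risk["risk_id"]] = missing
    return broken


def dangling_references(risk_file, records, stages=TRACE_STAGES):
    """Return sorted (stage, record id, risk_id) tuples for references to
    risks that do not exist in the risk file: evidence pointing at a risk
    nobody documented."""
    known = {r["risk_id"] for r in risk_file}
    out = []
    for stage in stages:
        for rec in records.get(stage, []):
            out.extend((stage, rec["id"], rid) for rid in rec["refs"] if rid not in known)
    return sorted(out)


# Controlled copies in the document system versus what each process
# owner actually produced when asked (constructed observations).
CONTROLLED = {"SOP-07": "C", "SOP-12": "B", "SOP-15": "A"}
POINT_OF_USE = [
    {"doc_id": "SOP-07", "version": "C", "holder": "production lead"},
    {"doc_id": "SOP-12", "version": "A", "holder": "design owner"},   # obsolete revision
    {"doc_id": "SOP-15", "version": "A", "holder": "CAPA owner"},
    {"doc_id": "SOP-21", "version": "A", "holder": "supplier owner"},  # not under control at all
]


def version_mismatches(controlled, point_of_use):
    """Return [(doc_id, holder, version_seen, controlled_version_or_None)]
    for every point-of-use copy that is not the controlled version.
    A document absent from the controlled set is reported with None."""
    return [
        (obs["doc_id"], obs["holder"], obs["version"], controlled.get(obs["doc_id"]))
        for obs in point_of_use
        if controlled.get(obs["doc_id"]) != obs["version"]
    ]


if __name__ == "__main__":
    for rid, gaps in trace_risks(RISK_FILE, RECORDS).items():
        print(f"finding: {rid} not traced to {', '.join(gaps)}")
    for stage, rec_id, rid in dangling_references(RISK_FILE, RECORDS):
        print(f"finding: {stage} record {rec_id} references unknown risk {rid}")
    for doc, holder, seen, ctrl in version_mismatches(CONTROLLED, POINT_OF_USE):
        print(f"finding: {holder} works from {doc} rev {seen}, controlled rev is {ctrl}")
```

On the sample data this reports R-002 as not traced to the clinical evaluation or the IFU, R-003 as not traced to the IFU, an IFU warning that cites a risk not in the risk file, a design owner working from an obsolete revision of SOP-12, and a supplier-evaluation SOP that is not in the controlled set at all. Each of those is a finding in the sense the mock audit uses, and each gets its CAPA in Step 3. The script only finds what the records say; it does not replace interviewing the process owner, which is where the "document does not match practice" finding actually surfaces.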

Step 3. Two weeks out: CAPA closure on mock findings

Every finding from the mock audit becomes a CAPA item. Not a to-do. A CAPA. Root cause analysis, corrective action, preventive action where needed, effectiveness check, evidence in the file.

Close them. Not "in progress." Closed. Version-controlled. Traceable. A mock-audit finding left open two weeks before the real audit will become a real-audit finding. You are not fooling anyone by marking it "under investigation." You are giving the auditor a visible hole to walk into.

If the list of mock findings is too long to close in two weeks, that is useful information. It means you are not ready. Reschedule the audit if the contract allows. A postponed audit is cheaper than a failed one.

Step 4. One week out: rehearse the narratives

Your process owners should be able to describe their processes in plain language without looking things up. Not a memorised script. The actual work, described by the person who does it.

Rehearsal in practice:

  • Each process owner gets asked three questions about their process. What does the procedure cover? What does a typical execution look like? Show me a recent record.
  • If they freeze, it is almost never because they do not do the work. It is because they have never been asked to describe it out loud. Practice fixes this.
  • Coach them on the three audit sentences: "Yes, that is what we do." "No, that is not how we do it. We do it like this." "I do not know, let me find out and come back to you within the audit window."
  • Practice saying "I do not know." Auditors trust the person who says it over the person who guesses confidently. A wrong confident answer becomes a finding. An honest "I do not know, I will find out" does not.

Step 5. One day out: room, people, records accessible

The logistics step. Small and unglamorous and the reason audits either run smoothly or turn into a treasure hunt.

  • Book a dedicated room with a desk, network access, power, and the ability to project or share a screen if the auditor asks. Not a corner of the open office.
  • Confirm who is available on which day. Process owners do not book external meetings during audit days. The person who owns design control is in the building. The person who owns CAPA is reachable.
  • Make the QMS and technical documentation accessible from the audit room. Auditor-friendly access to the controlled document system, not "I will email it to you after lunch."
  • Print or have on-screen the index of your technical documentation. The auditor should be able to ask for any section by name and have it open within a minute.
  • Check that your mock-audit CAPAs are closed in the system, not just in your head.
  • Bring coffee, water, lunch plan. The auditor is human. This is not a trivial item.

Step 6. During the audit: honesty, no volunteering

The audit day is the easiest step if the first five steps were done.

  • Answer exactly what is asked. Do not expand, do not explain how you nearly did something different, do not narrate your doubts about the procedure.
  • Do not volunteer information. If the auditor did not ask about the supplier evaluation process, do not bring it up because you are proud of it. You are opening a surface area that did not need to be opened.
  • Do not argue. If the auditor raises a concern, write it down, thank them, and discuss it when you respond formally. Arguing in the room turns a minor observation into a major nonconformity.
  • Bring the process owner, not the consultant. The auditor interviews the person who does the work. A consultant can sit in the back, take notes, and help the team between sessions. The consultant does not answer for the process owner.
  • Say "I do not know" when you do not know. Commit to producing the answer within the audit window. Then actually produce it.

The best framing Tibor knows, and he has spent years on both sides of this table, is that audits are not policing. They are about working together to produce safer medical devices. A startup that treats the audit as collaboration gets a better audit than a startup that treats it as a police interrogation.

Step 7. After the audit: CAPA response within the window

The audit report arrives within a few weeks. It will contain zero, one, or many findings. Most first audits produce findings. A first audit with zero findings, the Lower Austria three-person outcome, is rare and noteworthy. A first audit with twenty findings is normal. A first audit with eighty findings is a problem that will not be solved by a good CAPA response.

The Notified Body sets a response window. Typical windows are 30 to 90 days depending on the severity of the finding, but the NB's contract and procedures are what govern. Check them, do not assume.

Each finding goes through the full CAPA cycle in your QMS: root cause analysis, corrective action, preventive action where needed, effectiveness check, evidence. Submit the CAPA package within the window. If you cannot, ask for an extension before the window closes, not after.

The post on responding to audit nonconformities covers the response process in detail.

The per-clause checklist an auditor will sample

This is the clause-by-clause list of what an auditor is likely to sample in a first MDR QMS audit under EN ISO 13485:2016+A11:2021. Use it as the spine of the six-week review in Step 1.

Management responsibility (clause 5). Quality policy exists, is communicated, is reviewed. Quality objectives are defined, measurable, tracked. Management review has happened within the last twelve months with inputs, outputs, and actions documented. Top management is visible in the records, not hiding behind the quality manager.

Document control (clause 4.2). Every controlled document has a version, an approval, an effective date, and a distribution list. Obsolete versions are removed from points of use or clearly marked. The document you pull off the shelf matches the one in the system. Training on new versions is recorded.

Design and development (clause 7.3). Design inputs trace to outputs, outputs trace to verification, verification traces to validation, validation traces to design transfer. Design changes are controlled. Design reviews are recorded. The design and development file (ISO 13485 clause 7.3.10; the US FDA term is design history file) is complete and navigable. Think of it as the record trail that shows how the device was designed.

Production and service provision (clause 7.5). Production processes are defined and controlled. Where outputs cannot be verified by later monitoring (special processes), the process is validated. Identification and traceability are in place. Customer property, if applicable, is handled.

CAPA (clause 8.5.2 and 8.5.3). Nonconformities are recorded. Root cause is actually analysed, not stated. Corrective actions are implemented. Preventive actions are considered. Effectiveness is verified. Not just "we fixed it" but "we checked it stayed fixed."

Internal audits (clause 8.2.4). Internal audit programme exists. Audits are carried out by someone independent of the area being audited. Findings are recorded. Corrective actions on findings are closed. The programme covers the full QMS within a planned cycle, not a single audit done once and called complete.

Management review (clause 5.6). Conducted at planned intervals. Inputs include audit results, customer feedback, process performance, CAPA status, follow-up from previous reviews, recommendations for improvement, PMS data where applicable. Outputs include decisions and actions with owners and dates.

Post-market surveillance (MDR Articles 83 and 84, Annex III, and its feed into the QMS). PMS plan exists. PMS data is being collected. The data actually feeds back into risk management, clinical evaluation, and CAPA. The feedback loop is visible in the records, not merely declared in a procedure.

The Subtract to Ship approach to audit prep

Subtract to Ship audit preparation means cutting every activity that is not the documentation the auditor will actually look at, the processes the auditor will actually sample, or the conversations the auditor will actually have.

What to cut: speculation about what the auditor might ask, last-minute rewrites of procedures that have been in use for months, dry-run presentations of "here is how we do things at our company," pre-emptive essays on topics the auditor will never raise, preparation for adversarial questioning that is not going to happen.

What to keep: the six-step sequence above, the per-clause checklist, the honest mock audit, the closed CAPAs, the rehearsed process-owner narratives, and a quiet confidence that your QMS is actually how you run the company.

Everything else is noise. The three-person Lower Austria company did not outperform larger teams by preparing more. They outperformed by living inside a disciplined QMS and then doing the six things above.

Reality Check. Where do you stand?

  1. Six weeks before your audit, can you name the person who will do the independent documentation review, and have they agreed?
  2. Can you describe your last management review in two sentences, including three specific decisions that came out of it?
  3. If the auditor asks for a specific SOP by name, can the process owner produce the exact version they work from and show it is the same as the controlled version in the system?
  4. Have your process owners ever been asked, out loud, to describe their processes to a stranger? If not, they have not been rehearsed.
  5. Is there a closed CAPA in your system from the last three months with a documented effectiveness check, or are all your CAPAs still "in progress"?
  6. Does your PMS plan produce data that has changed something else in the QMS in the last twelve months? If not, the feedback loop is on paper only.
  7. If the audit started tomorrow, what would the first finding be, and why have you not closed it yet?

Frequently Asked Questions

How far in advance should a MedTech startup start preparing for a QMS audit? The structured preparation sequence runs six weeks before the audit date. The QMS itself should have been running in real use for substantially longer, typically six to twelve months at minimum, because an auditor will sample records, and records only exist if the QMS has been running. Preparation at six weeks is the final check, not the moment the work starts.

What is the single most common finding in first MDR QMS audits? Documents that do not match actual practice. The SOP says one thing. The person who does the work says another. The records do not exist or do not match either. The fix is to write SOPs that describe actual work, not aspirational work, and to update them when the work changes.

Should I hire a consultant to help with audit prep? A competent regulatory partner earns their fee at the six-week documentation review stage and the four-week mock audit stage. They do not answer questions for your process owners during the real audit. The auditor interviews the person who does the work. Use the consultant for preparation and internal audits, not as a stand-in during the audit itself.

What happens if the mock audit surfaces too many findings to close in two weeks? That is a signal you are not ready. If your contract with the Notified Body allows it, reschedule. A postponed audit costs money and time. A failed audit costs more, damages the relationship with the NB, and pushes your timeline further than a voluntary reschedule would.

How long is the CAPA response window after a Notified Body audit? Typical response windows are 30 to 90 days depending on the severity of the finding and the NB's procedures. The exact window is set by the NB in the audit report and the contract between you and the NB. Always confirm the window in writing, and if you need more time, request an extension before the window closes.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10(9) (quality management system obligations) and Annex IX (conformity assessment based on a quality management system and on assessment of technical documentation). Official Journal L 117, 5.5.2017.
  2. EN ISO 13485:2016 + A11:2021. Medical devices. Quality management systems. Requirements for regulatory purposes. Clauses referenced: 4.2 (document control), 5 (management responsibility), 5.6 (management review), 6 (resource management), 7.3 (design and development), 7.5 (production and service provision), 8.2.4 (internal audit), 8.5.2 and 8.5.3 (corrective and preventive action).

This post is part of the Quality Management Under MDR series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. Tibor has spent years on both sides of the Notified Body audit table, as a lead auditor conducting QMS assessments and as a founder preparing his own companies for them. The checklist in this post is the one he uses with the startups he coaches.