Every Notified Body audit produces findings. This is normal — even well-prepared companies receive observations and minor non-conformities. The goal is not zero findings (that is unrealistic for a first audit) but zero major non-conformities and rapid, effective resolution of everything else.
Tibor has been on both sides of the audit table — as a Notified Body lead auditor and as a consultant preparing startups for their audits. The patterns he sees are remarkably consistent. The same mistakes appear audit after audit, company after company.
This post catalogs the ten most common non-conformities found in MedTech startup audits under MDR, explains why they happen, and gives you specific actions to prevent them. Consider this your audit preparation checklist.
Understanding Audit Findings
Before the list, a quick framework on finding types:
Major non-conformity: A significant failure to meet a requirement. Indicates a systemic problem. Must be resolved before the certificate can be issued. Can block your entire certification.
Minor non-conformity: A failure to meet a requirement that is not systemic. Must be resolved within a defined timeframe (typically 3-6 months). Does not block certification but must be closed.
Observation: A potential for future non-conformity or an area for improvement. Documented but not formally tracked as a non-conformity. Still worth addressing.
1. Incomplete or Outdated Risk Management
What the auditor finds: Risk management files that are incomplete, outdated, or disconnected from the device's current design. Missing risk controls. Risk assessments that do not cover all identified hazards. Residual risk assessment missing or incomplete. Risk management not integrated into design and development.
Why it happens: Startups often treat risk management as a document to produce rather than a process to follow. They write a risk analysis at one point in development and then do not update it as the design evolves. Risk management is a process, not a document.
How to prevent it:
- Start your risk management file from day one and update it with every design change
- Use ISO 14971 as your process standard — follow it systematically
- Ensure your risk management file covers the full scope: hazard identification, risk estimation, risk evaluation, risk control, residual risk evaluation, and overall residual risk acceptability
- Link risk controls to design outputs and verification activities
- Review the risk management file before every design review
Tibor's note: "If I had to pick the single most important document in a medical device company, it is the risk management file. Not the quality manual, not the technical file — the risk management file. It drives everything. And yet it is the document most startups neglect."
2. Design and Development Control Gaps
What the auditor finds: Design inputs not properly defined. Design outputs not traceable to inputs. Design verification not covering all design outputs. Design validation missing or inadequate. Design transfer not documented. Design changes not controlled.
Why it happens: Startups develop products fast and iteratively — which is good for innovation but challenging for design control. The tendency is to build first and document later, resulting in gaps in traceability and incomplete records.
How to prevent it:
- Establish design control procedures before you start development, not after
- Define design inputs (user needs, regulatory requirements, standards) and document them
- Maintain a design traceability matrix linking inputs to outputs to verification to validation
- Document every design review with attendees, decisions, and action items
- Control design changes through your QMS — every change documented, assessed, and approved
3. Clinical Evaluation Deficiencies
What the auditor finds: Missing clinical evaluation. Clinical evaluation not following MDCG 2020-13 methodology. Literature search not systematic. Equivalence claims not adequately justified. Benefit-risk analysis missing or vague. PMCF plan absent or generic.
Why it happens: Clinical evaluation is a specialized skill that many startup teams lack. Founders with engineering backgrounds underestimate what a CER requires. Teams confuse bench testing data with clinical evidence.
How to prevent it:
- Engage a clinical evaluation expert (even part-time) early in the process
- Follow MDCG 2020-13 step by step
- Conduct your literature search using defined, reproducible methods across multiple databases
- If claiming equivalence, prepare detailed comparison tables for technical, biological, and clinical equivalence
- Write an explicit benefit-risk analysis with traceable conclusions
- Develop a specific PMCF plan that addresses identified gaps
4. Supplier Management Failures
What the auditor finds: Critical suppliers not qualified. Supplier quality agreements missing. Supplier audits not conducted (where required). Supplier performance not monitored. Incoming inspection not defined or not performed.
Why it happens: Startups focus on finding the right supplier technically and commercially, but neglect the quality management aspects. Supplier qualification and monitoring feel like bureaucratic overhead when you are trying to get a product to market.
How to prevent it:
- Identify and classify your suppliers by criticality (critical, important, non-critical)
- Qualify critical suppliers before using their products or services — audit them, assess their quality systems, establish quality agreements
- Define incoming inspection criteria for critical components
- Monitor supplier performance and document it
- Include supplier management in your management review
5. Post-Market Surveillance System Missing or Inadequate
What the auditor finds: No PMS plan. No PMS system. PMS plan exists but is generic and not device-specific. No process for collecting and analyzing post-market data. No process for triggering corrective actions based on PMS findings.
Why it happens: Startups are focused on getting TO market, not on what happens AFTER market. PMS feels like something to worry about later. But the Notified Body assesses your PMS system as part of the initial conformity assessment — you need it before you get the certificate, not after.
How to prevent it:
- Write a device-specific PMS plan per MDR Article 84
- Define your data sources (complaints, vigilance reports, literature, clinical data, EUDAMED data)
- Define trigger criteria for when PMS data requires action (trend analysis, threshold values)
- Establish the link between PMS findings and your CAPA process
- For Class IIa and above, plan for Periodic Safety Update Reports (PSURs) per Article 86
6. Document Control Weaknesses
What the auditor finds: Documents not controlled (no version numbers, no approval dates, no revision history). Obsolete documents in circulation. Records not properly maintained. Electronic documents not adequately protected from unauthorized changes.
Why it happens: Document control is unglamorous work. In a fast-moving startup, versioning and approval processes feel like they slow things down. Teams use shared drives, email attachments, and chat messages instead of controlled documents.
How to prevent it:
- Implement an eQMS platform from day one — it handles version control, approvals, and access management automatically
- Establish a simple but effective document control SOP
- Train everyone on document control — it is everyone's responsibility
- Conduct periodic checks to ensure obsolete documents are not in use
- Ensure electronic records meet data integrity requirements (audit trails, access controls)
7. CAPA Process Not Effective
What the auditor finds: Corrective and Preventive Action (CAPA) process exists on paper but is not used. CAPAs not opened for real issues. Root cause analysis superficial or missing. CAPA effectiveness verification not performed. CAPAs open for months without progress.
Why it happens: Startups associate CAPA with large-company bureaucracy. They handle problems informally — someone fixes the issue and everyone moves on. The formal documentation does not happen.
How to prevent it:
- Use your CAPA process for real issues — not just audit findings, but also customer complaints, design problems, process deviations
- Require proper root cause analysis for every CAPA (use systematic methods like 5 Why, fishbone, etc.)
- Set deadlines for CAPA completion and track them
- Verify CAPA effectiveness — did the action actually fix the problem?
- Review open CAPAs in management reviews
Tibor on this topic: "The CAPA process is where I see the biggest gap between what is written and what is practiced. Companies have beautiful CAPA SOPs and empty CAPA logs. A startup that has been operating for a year and has zero CAPAs is not a company with zero problems — it is a company not using its CAPA process. That is a major non-conformity."
8. Management Review Not Conducted or Incomplete
What the auditor finds: No management review records. Management review conducted but missing required inputs (quality objectives, audit results, CAPA status, complaint trends, PMS data, regulatory changes). No management review outputs (decisions, action items, resource allocations).
Why it happens: In a startup, management and the quality team are often the same people. The idea of a "management review" meeting feels redundant when you are already talking about everything daily. But the formal process is required — documented, with specific inputs and outputs.
How to prevent it:
- Schedule management reviews at least annually (many companies do them quarterly or semi-annually)
- Use a checklist of required inputs per ISO 13485 clause 5.6
- Document the review — attendees, data presented, decisions made, action items assigned
- Follow up on action items and document completion
- It does not need to be a full-day meeting. For a small startup, a focused 2-3 hour session covering all required inputs is sufficient.
9. Training Records Incomplete
What the auditor finds: Employees performing regulated activities without documented training. Training matrix incomplete or missing. Training effectiveness not evaluated. New employees not onboarded into the QMS.
Why it happens: In a startup, people learn by doing. Formal training feels unnecessary when the team is three people who all sit in the same room. But the audit requires evidence that people are competent to perform their roles — and that evidence is documented training.
How to prevent it:
- Create a training matrix mapping roles to required training
- Document all training — date, topic, trainer, attendees, method
- Evaluate training effectiveness (this can be as simple as a quiz or a supervised task)
- Include QMS onboarding for new employees
- Update training when SOPs change
10. Labeling and IFU Non-Conformities
What the auditor finds: Labeling missing required elements per MDR Annex I Chapter III. Instructions for Use missing required content. UDI not implemented correctly. Symbols not per EN ISO 15223-1. Missing translations for target markets. Inconsistencies between labeling and technical documentation.
Why it happens: Labeling is often treated as a design exercise (how does it look?) rather than a regulatory exercise (what must it contain?). Teams design labels without checking the regulatory requirements first.
How to prevent it:
- Start with the Annex I Chapter III requirements — list every required element
- Cross-reference with your device-specific requirements (including any applicable harmonized standards)
- Implement UDI per MDR requirements and the relevant issuing entity specifications
- Verify labeling against the regulatory checklist before finalizing
- Ensure labeling is consistent with the device description in your technical documentation
- Plan translations early — they take time and cost money
The Meta-Pattern
Looking across all ten non-conformities, a meta-pattern emerges: startups that build their QMS on paper but do not live it operationally produce the majority of findings. The SOPs exist. The templates exist. But the actual practice — the daily habits, the records, the decisions — does not match what is documented.
The most effective audit preparation is not a last-minute documentation sprint. It is operating your QMS genuinely for months before the audit. Use your design control process while developing. Log CAPAs when problems arise. Conduct internal audits honestly. Hold management reviews with real data.
An auditor can tell the difference between a QMS that was built a month before the audit and one that has been running for a year. The records tell the story.
Your Pre-Audit Checklist
Before your Notified Body audit:
- Conduct a thorough internal audit against all 10 areas above
- Open CAPAs for anything you find and start working on them
- Ensure all training records are current
- Ensure all documents are controlled and up to date
- Verify your risk management file is current with the latest device design
- Confirm your clinical evaluation is complete and follows the methodology
- Check supplier qualifications and quality agreements
- Verify your PMS system is ready
- Confirm management reviews are documented
- Review labeling against all requirements
The best audit is a boring audit — one where the auditor reviews well-organized documentation, interviews a knowledgeable team, and finds only minor observations. That outcome is achievable with preparation, discipline, and genuine operational compliance.