---
title: Unannounced Audits Under MDR: What They Are and How to Stay Ready
description: Notified Bodies are required to carry out unannounced on-site audits of manufacturers under MDR. Here is what they look for and how to stay audit-ready every day.
authors: Tibor Zechmeister, Felix Lenhard
category: MDR Fundamentals & Regulatory Strategy
primary_keyword: unannounced audits MDR
canonical_url: https://zechmeister-solutions.com/en/blog/unannounced-audits-under-mdr
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# Unannounced Audits Under MDR: What They Are and How to Stay Ready

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **Unannounced audits under MDR are on-site inspections that a Notified Body performs without prior warning to the manufacturer, as part of ongoing surveillance after a certificate has been issued. Annex IX Section 3.4 of Regulation (EU) 2017/745 requires the Notified Body to randomly perform at least once every five years an unannounced audit at the manufacturer's site and, where appropriate, at the sites of suppliers and subcontractors. The auditor tests a sample of devices or manufacturing process outputs against the technical documentation. You do not prepare for an unannounced audit in the week before it happens. You prepare for it by running a QMS that is audit-ready every day.**

**By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.**

---

## TL;DR

- Unannounced audits are an MDR obligation on the Notified Body, not an optional surveillance tool. Annex IX Section 3.4 of Regulation (EU) 2017/745 requires at least one randomly scheduled unannounced on-site audit every five years of the certificate's lifetime.
- The Notified Body does not disclose the plan for unannounced audits to the manufacturer. That is the point. A disclosed plan would not be unannounced.
- During an unannounced audit the Notified Body samples devices or manufacturing outputs and verifies that what is produced matches the technical documentation. Alternatively or additionally, samples are drawn from the market.
- The common failures are not exotic. They are version mismatches between the QMS in use and the QMS on paper, missing records, inconsistent batch documentation, and process owners who cannot explain the work.
- The only real preparation is daily discipline. If your documented state matches your actual state every day, an unannounced audit is a normal Tuesday with visitors.

---

## What an unannounced audit actually is

An unannounced audit is a surveillance activity carried out by your Notified Body after you hold a valid certificate. The auditor shows up at your site without advance notice, asks to see the live QMS, samples production or finished devices, and verifies that the devices you are placing on the market still match the technical documentation that your certificate is based on. The audit produces an on-site audit report that becomes part of your surveillance record with the Notified Body.

This is not the initial conformity assessment audit that precedes certification. That one is scheduled, prepared for, and heavily rehearsed. The unannounced audit is something different. It is the system verifying that the compliance you demonstrated at initial assessment is still real on an ordinary day, when nobody has tidied the shop floor or reprinted the SOPs.

The obligation sits squarely on the Notified Body. They must carry out unannounced audits. They do not ask you whether it is convenient. They do not share the schedule. Under Annex IX Section 3.4, the Notified Body establishes a plan for unannounced on-site audits and explicitly does not disclose it to the manufacturer.

## What the MDR text actually says

The core requirement is in the surveillance assessment section of Annex IX:

> *"The notified body shall randomly perform at least once every five years unannounced audits on the site of the manufacturer and, where appropriate, of the manufacturer's suppliers and/or subcontractors, which may be combined with the periodic surveillance assessment referred to in Section 3.3. or be performed in addition to that surveillance assessment. The notified body shall establish a plan for such unannounced on-site audits but shall not disclose it to the manufacturer."* (Regulation (EU) 2017/745, Annex IX, Section 3.4)

The same section continues:

> *"Within the context of such unannounced on-site audits, the notified body shall test an adequate sample of the devices produced or an adequate sample from the manufacturing process to verify that the manufactured device is in conformity with the technical documentation, with the exception of the devices referred to in the second subparagraph of Article 52(8). Prior to unannounced on-site audits, the notified body shall specify the relevant sampling criteria and testing procedure."* (Regulation (EU) 2017/745, Annex IX, Section 3.4)

Section 3.3 of the same annex covers the periodic surveillance assessment, which takes place at least once every 12 months. It is separate from the unannounced audit but can be combined with it. The conformity assessment procedures that wrap all of this together are set out in MDR Article 52, and the requirements on the Notified Body itself sit in Annex VII.

Two details in the text matter. First, "at least" once every five years. Not "once every five years." A Notified Body can perform more unannounced audits than the minimum and regularly does, especially where risk signals or post-market data warrant it. Second, "where appropriate, of the manufacturer's suppliers and/or subcontractors". An unannounced audit can land at a critical supplier rather than, or in addition to, the manufacturer's own site.

## Why unannounced audits exist

The logic is simple. A scheduled audit tests whether you can produce a compliant version of your company on a specific date. An unannounced audit tests whether you are running a compliant company on an arbitrary date. These are not the same question.

The regulator wrote this into MDR because the predecessor regime allowed manufacturers to treat audits as events to be prepared for rather than as verifications of daily reality. Unannounced audits close that gap. They are the mechanism by which the conformity assessment system checks that the certificate still means something a year, two years, four years after issue.

For a founder, the honest framing is this. An unannounced audit is not a trick. It is the Notified Body doing the job the regulation requires of them. If your QMS and your devices are what you say they are, the audit is uneventful. If they are not, the audit surfaces the gap.

## What the Notified Body actually checks

The scope of an unannounced audit is narrower than a full surveillance assessment, but the depth is real. Expect the auditor to focus on the production reality and the conformity of sampled devices against the technical documentation.

**Device sampling against the technical file.** The auditor will pull a sample of devices, finished or in-process, and verify that what is in front of them conforms to the current approved technical documentation. Dimensions, materials, labelling, software version, serial traceability. If the device on the shelf does not match the technical file on record, that is a finding.

**Manufacturing process conformity.** The auditor will observe production against the documented process. Are the process parameters within specification? Are the operators using the current revision of the work instruction? Are the in-process checks being performed and recorded as described?

**Records that prove the process is running.** Batch records, device history records, calibration logs, training records for the people present, CAPA status, supplier incoming inspection records. The auditor does not need to see everything. They need to see the live evidence that the system is actually running.

**Version discipline.** This is the quiet killer. The SOP in the document management system is revision 7. The SOP posted at the workstation is revision 5. The operator has been trained on revision 6. Each of those three facts is individually explainable. Together they are a nonconformity, because the system is not in control of its own document state.

**Supplier sites, where applicable.** If the Notified Body's unannounced audit lands at a critical supplier's site, the same logic applies. The supplier must be running the processes that your technical file describes, not the ones they happen to be running this week.

## How to stay ready every day

The mental model that works is: documented state equals actual state, every day, by default. Not because there is an audit coming. Because that is how the QMS is run.

**Close the gap between SOP and work.** If the SOP does not describe what the person actually does, the SOP is wrong or the person is wrong. One of them has to change. This is the single highest-yield discipline for unannounced audit readiness because it is the single most common source of findings.

**Control document revisions at the point of use.** The document posted at the workstation, saved on the tablet, printed in the binder, must be the current approved revision. Old revisions disappear the day the new one is released. No "transitional periods" with two revisions in circulation.

**Keep records contemporaneous.** Batch records are completed as the batch runs, not reconstructed at the end of the week. Calibration logs are signed off when the calibration happens. Training is recorded when the training is delivered. The gap between "the work happened" and "the work is documented" is the gap an unannounced auditor walks into.

**Run internal audits like they are real.** The internal audit programme required by EN ISO 13485:2016+A11:2021 exists for this purpose. If your internal audits never find anything, they are not real. A real internal audit programme surfaces the same kinds of findings that an unannounced audit would, before the unannounced audit arrives.

**Make sure process owners can talk.** An unannounced audit lands on whoever is at work that day. The production supervisor, the QA technician, the shipping clerk. Each of them needs to be able to describe their own work, without a script, to a stranger. Not memorised answers. Actual understanding.

**Keep the logbook current for the device on the shelf.** The serial number on the device has to trace to a batch, a manufacturing date, a set of in-process records, and a finished device release. If the auditor picks a device at random and that chain is broken, the certificate is at risk.

## Common failure patterns Tibor sees

Unannounced audits surface a predictable set of problems when a QMS has drifted. None of these are exotic. They are the boring, slow drifts that compound over months and go unnoticed until someone from outside asks to see the evidence.

- **Revision drift on work instructions.** The document system says one thing, the work cell has another. The operators are trained on yet another.
- **Batch records completed after the fact.** The paperwork is there, but the timestamps do not match when the work happened, and the operator signatures were added later.
- **CAPA backlog with old items still open.** CAPAs from twelve months ago that never closed. Effectiveness checks that were never done.
- **Supplier change not reflected in the file.** A critical supplier was changed, requalified informally, and the technical documentation still references the old one.
- **Software version mismatch.** The device on the production line is running a firmware version that does not match the version documented in the technical file and on the label.
- **Training records that do not cover the people actually doing the work.** A new operator has been running the process for three months. The training record says otherwise.
- **Nobody who can explain the process on the day.** The person who knows the process is on holiday. The person present cannot describe what is actually being done, or describes it differently from the SOP.

Each of these is recoverable if it is a one-off exception caught early. Each of these is a major nonconformity if it is the normal state of the system.

## What happens if they find something

If an unannounced audit surfaces findings, the response mechanism is the same CAPA discipline that applies to any audit finding. The Notified Body issues an on-site audit report with the findings classified as nonconformities or observations. You respond with root cause analysis, corrective action, preventive action, and effectiveness evidence. The response window and the escalation path depend on severity.

Major findings that touch on the conformity of devices already placed on the market are more serious. In that situation the Notified Body may restrict, suspend, or withdraw the certificate, which has immediate consequences for your ability to keep shipping. This is not the common outcome for startups with honest but imperfect QMS systems. It is the outcome for manufacturers who have let reality and documentation diverge on things that matter for device safety.

The practical version: close findings quickly, completely, and with real evidence. Do not treat an unannounced audit finding as a paperwork exercise. The post on [responding to MDR audit nonconformities](/blog/respond-to-mdr-audit-nonconformities) covers the mechanics.

## The Subtract to Ship angle

The instinct when founders learn unannounced audits exist is to build a parallel "audit-ready" layer of documentation on top of the normal QMS. Folders that are specifically for showing to auditors. Binders that live in a conference room. A preparation protocol that kicks in when the receptionist calls to say the Notified Body is in the lobby.

All of that is waste, and worse than waste. It creates two versions of the QMS. The one that runs the company and the one that gets shown to auditors. The moment an auditor asks for something the "audit-ready" layer does not contain, the fiction collapses and the finding is worse than it would have been otherwise.

The subtracted version is simpler and harder. Run one QMS. Make it match reality every day. Make the documented state and the actual state the same state. Delete the "audit-ready" layer because it does not exist. The system is either ready or it is not, and the only thing that makes it ready is the discipline of keeping it honest continuously.

You cannot out-prepare an unannounced audit. You can only out-operate one.

## Reality Check. Where do you stand?

1. If a Notified Body auditor arrived at your site tomorrow morning, could they pick any device on the shelf and trace it to a batch, to in-process records, to a finished device release, and to the correct technical documentation revision?
2. Is the document posted at every work cell guaranteed to be the current approved revision? How do you know?
3. When was your last internal audit, and did it surface findings comparable to what a Notified Body would surface?
4. If the three most senior people at your company were all out on the day of the audit, could the people present describe their processes without a script?
5. Are there any open CAPAs older than 90 days? If yes, why?
6. Would your batch records survive a timestamp check against the actual production schedule?
7. Have you had a formal internal change since your last audit that did not make it fully into the technical documentation?

## Frequently Asked Questions

**How often does a Notified Body have to perform unannounced audits under MDR?**
Annex IX Section 3.4 of Regulation (EU) 2017/745 requires the Notified Body to randomly perform at least one unannounced on-site audit every five years of the certificate's lifetime. "At least" is the operative phrase. A Notified Body can and sometimes does perform unannounced audits more frequently, especially when post-market data or other risk signals warrant it.

**Will the Notified Body tell me when an unannounced audit is coming?**
No. The MDR explicitly requires the Notified Body to establish a plan for unannounced on-site audits and not to disclose it to the manufacturer. Advance notice would defeat the purpose. You learn an unannounced audit is happening when the auditor arrives.

**Can an unannounced audit take place at my supplier instead of at my site?**
Yes. Annex IX Section 3.4 extends the scope to the manufacturer's suppliers and subcontractors where appropriate. Critical suppliers are in scope. Your supplier control and the contractual right to accept Notified Body audits at the supplier's site must be in place before the Notified Body needs them.

**What does the auditor actually sample during an unannounced audit?**
The auditor tests an adequate sample of devices produced or a sample from the manufacturing process to verify that what is being manufactured conforms to the technical documentation. Instead of or in addition to this, the Notified Body can also take samples of devices from the market. The sampling criteria and testing procedure are specified by the Notified Body in advance.

**Can an unannounced audit be combined with a scheduled surveillance audit?**
Yes. The text of Annex IX Section 3.4 explicitly allows unannounced audits to be combined with the periodic surveillance assessment under Section 3.3 or performed in addition to it. Combining them is a matter of Notified Body planning, which is not disclosed to you.

**What is the worst thing that can happen as a result of an unannounced audit?**
If findings are severe enough, the Notified Body can restrict, suspend, or withdraw the certificate. This is the worst case and it is rare for manufacturers operating an honest QMS. The common outcome when there are findings is a set of nonconformities that must be closed through the normal CAPA response process.

## Related reading

- [What Is a Notified Body and How Do They Audit Your Startup?](/blog/what-is-notified-body) – the role of the Notified Body in the MDR conformity assessment system.
- [How to Choose the Right Notified Body for Your MedTech Startup](/blog/choose-right-notified-body) – the strategic decision behind which Notified Body you engage.
- [How to Prepare for Your First Notified Body Audit as a Startup](/blog/prepare-for-first-notified-body-audit) – the preparation sequence for the scheduled initial audit.
- [Stage 1 vs Stage 2 Audits Under MDR: What Happens in Each Phase](/blog/stage-1-vs-stage-2-audit-mdr) – the structure of the two-stage initial audit process.
- [The 10 Most Common MDR Non-Conformities Found in Startup Audits](/blog/ten-most-common-mdr-non-conformities-startup-audits) – the patterns that repeat across first audits and surveillance.
- [The Auditor's Perspective: What Notified Body Auditors Actually Look For](/blog/notified-body-auditor-perspective) – what the other side of the table is thinking.
- [How to Respond to Audit Non-Conformities: A Step-by-Step Guide for Startups](/blog/respond-to-mdr-audit-nonconformities) – the CAPA response process after any audit.

## Sources

1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Annex IX Section 3.3 (periodic surveillance assessment), Annex IX Section 3.4 (unannounced on-site audits), Article 52 (conformity assessment procedures), Annex VII (requirements to be met by notified bodies). Official Journal L 117, 5.5.2017, consolidated text.
2. EN ISO 13485:2016 + A11:2021. Medical devices. Quality management systems. Requirements for regulatory purposes.

---

*This post is part of the MDR Fundamentals & Regulatory Strategy series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. Tibor has carried out Notified Body audits under the MDR, including unannounced ones, and has been on the receiving end of them as a founder of four MedTech companies. The perspective in this post is built from both sides of that table.*

---

*This post is part of the [MDR Fundamentals & Regulatory Strategy](https://zechmeister-solutions.com/en/blog/category/mdr-fundamentals) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*
