Quality Services
Internal audits are a mandatory element of both 21 CFR Part 820 and ISO 13485 quality systems. An audit program that exists on paper but doesn't produce findings — or that produces findings that never get addressed — is a quality system deficiency waiting to become a 483 observation.
Plan Your Audit ProgramAudit Services
FDA's Quality System Inspection Technique (QSIT) guides device facility inspections through four major subsystems: management controls, design controls, CAPA, and production and process controls. FDA investigators select records within these subsystems to trace horizontally across the quality system — following a CAPA from the initial complaint through root cause analysis, corrective action, and effectiveness verification, looking for evidence that each step was actually performed as the procedure requires. A mock inspection that uses the QSIT methodology provides the most realistic simulation of what an actual FDA inspection will examine.
We conduct mock QSIT inspections by starting where an FDA investigator would start — reviewing the CAPA and complaint records — and following the evidence wherever it leads. We document our findings in the same format as a 483: observations with the specific regulatory citation, evidence examined, and the nature of the noncompliance. The mock 483 is then used to drive remediation activities before an actual inspection occurs. Companies that have gone through a QSIT mock inspection with us before an FDA visit consistently report that the experience significantly reduced investigator findings and improved their overall confidence during the inspection.
ISO 13485:2016 Clause 8.2.4 requires the organization to conduct internal audits at planned intervals to determine whether the quality management system conforms to requirements and is effectively implemented and maintained. Internal audits must be planned, conducted by personnel who are not auditing their own work, documented, reported to management, and must generate CAPAs for identified nonconformities. An audit program that merely cycles through procedures on a calendar without applying risk-based scope selection, or where auditors consistently find nothing because they lack audit skill or independence, does not satisfy the standard's intent.
We design internal audit programs that are risk-stratified — higher-risk processes receive more frequent audit coverage — and executed by trained, independent auditors who know how to probe for real nonconformities. We can either train internal audit teams to conduct audits independently, or provide external auditors to supplement internal capacity for complex audit areas like design controls, CAPA, and software validation.
An audit report that documents observations vaguely ("some records were missing") rather than specifically ("five of seven complaint records reviewed lacked MDR reportability determination documentation, as required by 21 CFR 820.198(c)") does not produce actionable CAPAs. We write audit reports to the specificity level that makes root cause analysis and corrective action straightforward — naming the specific records examined, the exact requirement not satisfied, and the evidence that demonstrates noncompliance.
Get Started
Internal audits that find nothing aren't protecting your business — they're providing false confidence. We conduct audits that find real issues so you can fix them before FDA does.