ISO 13485 Audit Checklist: What to Review Before Your Next Internal or External Audit

ISO 13485 audits are not the time to “figure it out as you go.”

Whether you’re preparing for an internal audit, a certification audit, a surveillance audit, or a customer audit, the goal is always the same: to prove your Quality Management System (QMS) is implemented, maintained, and effective.

That means more than having documents in place. It means you can demonstrate control, traceability, consistency, and evidence.

To help teams prepare faster and more confidently, we created an ISO 13485 Audit Checklist you can download and use immediately. It organizes audit questions into key QMS areas.

This post breaks down the checklist and explains what each section is designed to guide you through, so you know exactly what to check and why it matters.

What this ISO 13485 audit checklist helps you do

Think of this as a working tool to aid audit preparation, not a one-time download.

The checklist helps quality teams:

  • Verify QMS processes are defined and enforced
  • Identify gaps before a formal audit
  • Standardize audit preparation across sites and departments
  • Help ensure controlled documentation and training records are ready
  • Confirm CAPA, change control, supplier quality, and production controls are audit-ready

ISO 13485 Audit Readiness Checklist (Summary)

Section 1: Management Controls

This section focuses on the foundation of your QMS. It includes checks for whether the quality manual and system documentation define what ISO 13485 requires and whether the organization maintains ongoing control through planned reviews, monitoring, and improvement.

What the checklist prompts you to confirm

  • Your quality manual defines scope, exclusions, and process interactions
  • QMS processes have criteria and methods for control and monitoring
  • Management reviews are conducted on schedule
  • Management review inputs and outputs are documented and actionable
  • The company tracks quality system effectiveness and makes updates when needed

Why it matters

Auditors will start by evaluating whether your QMS is built to be maintained, not just documented. A QMS that isn’t monitored or reviewed at the management level signals risk.

Section 2: Design and Development Controls

If you design medical devices (or software as a medical device), you will be expected to demonstrate disciplined design control and traceability across development stages.

This section of the checklist focuses on design planning and governance. It also supports verifying that design and development controls are applied consistently and documented as required.

What the checklist prompts you to confirm

  • Design and development procedures exist and are applied
  • Design plans define responsibilities, stages, and review points
  • Design inputs and outputs are controlled and documented
  • Design reviews occur at planned stages and include required functions
  • Design verification and validation are documented and traceable
  • Design changes are controlled and evaluated appropriately

Why it matters

Auditors often treat design control as an indicator of overall maturity. Weak design traceability leads to major findings quickly, especially if design documentation is scattered, incomplete, or uncontrolled.

Section 3: Corrective and Preventive Action (CAPA)

CAPA is where auditors look for proof that your QMS actually improves.

A CAPA system is not just “issue tracking.” It is a closed-loop process that demonstrates:

  • investigation
  • root cause analysis
  • correction
  • corrective action
  • effectiveness verification

Your checklist includes CAPA questions designed to evaluate whether your system is structured, consistent, and compliant.

What the checklist prompts you to confirm

  • CAPA procedures meet ISO 13485 requirements
  • Nonconformities are investigated and documented
  • Root cause analysis is required and actually performed
  • Actions taken are appropriate to risk and impact
  • Effectiveness checks are performed and documented
  • Issues are escalated and communicated as required

Why it matters

Auditors will ask to see CAPA records. They will look for patterns like repeat issues, poor investigations, missing effectiveness checks, and CAPAs that drag on without closure.

Section 4: Medical Device Reporting (MDR)

If your organization is subject to complaint handling and reporting requirements, you need to demonstrate that you can detect and report events properly.

The MDR section is short, but critical. It prompts review of key reporting controls and regulatory alignment.

What the checklist prompts you to confirm

  • MDR processes meet regulatory requirements
  • Reporting responsibilities and escalation steps are defined
  • Records show reporting decisions are documented
  • Complaint management ties into regulatory reporting triggers where applicable

Why it matters

Auditors want to see that you can recognize reportable events and act quickly. Weak MDR control is a high-risk compliance issue.

Section 5: Production and Process Controls

This is one of the most detailed sections of the checklist for a reason.

Production is where procedures meet reality. Even a strong QMS can fail when production controls aren’t consistently applied.

This section helps teams verify that production planning, execution, monitoring, and control processes align with ISO 13485.

What the checklist prompts you to confirm

  • Product realization processes are planned and controlled
  • Process outputs meet defined requirements
  • Production instructions are available, current, and followed
  • Monitoring and measuring equipment is controlled and calibrated
  • Nonconforming product is identified, segregated, and dispositioned properly
  • Traceability, identification, and status control are maintained
  • Process validation is performed where required

Why it matters

This section catches gaps that teams often miss: undocumented steps, outdated work instructions, inconsistent sign-offs, and missing evidence of control.

Section 6: Sterilization Process Controls

If you sterilize product or manage sterilization through suppliers, sterilization control is a major audit target.

This section prompts a review of sterilization process validation and control.

What the checklist prompts you to confirm

  • Sterilization process parameters and validation are documented
  • Sterilization equipment is current, controlled, and calibrated
  • Sterilization changes are evaluated and documented appropriately

Why it matters

Sterilization is a high-risk process. The evidence must be strong, clear, and traceable.

Section 7: Purchasing Controls

Supplier quality is quality.

ISO 13485 expects a structured approach to supplier evaluation, selection, monitoring, and verification. The checklist supports auditing your supplier controls without relying on memory or informal practices.

What the checklist prompts you to confirm

  • Suppliers are evaluated based on ability to meet requirements
  • Supplier approval criteria are defined and documented
  • Purchasing requirements specify what needs to be controlled
  • Purchased product verification is defined and performed
  • Supplier performance monitoring is consistent and documented

Why it matters

Many audits identify supplier quality issues because organizations treat supplier controls as procurement tasks instead of QMS processes.

Section 8: Documentation and Records

Auditors do not audit intent. They audit evidence.

This section of the checklist helps teams validate that documentation control is real, enforced, and traceable.

What the checklist prompts you to confirm

  • Documents are approved prior to use
  • Document changes are controlled
  • Obsolete documents are removed from points of use
  • Records are legible, identifiable, retrievable, and retained properly
  • Training and execution records are complete and traceable
  • Record retention meets regulatory and internal requirements

Why it matters

This is where audits often generate findings because teams can’t produce records fast enough or records lack signatures, dates, version references, or approval evidence.

Section 9: Customer Requirements

ISO 13485 expects teams to confirm requirements before committing to deliverables.

This section helps confirm that customer requirements are reviewed, understood, and met through a controlled process.

What the checklist prompts you to confirm

  • Product requirements are reviewed before acceptance
  • Any differences between customer requirements and internal ability are resolved
  • The company confirms it can meet requirements before committing

Why it matters

This is about control and risk reduction. A QMS that does not formally confirm requirements puts you at risk of downstream nonconformance.

Section 10: Technical Files

Auditors expect technical documentation to exist and to be organized.

This section supports review of technical documentation control, including traceability and alignment to documented processes.

What the checklist prompts you to confirm

  • Technical procedures are documented and followed
  • Technical files support QMS processes and product compliance
  • Records demonstrate control of technical activities
  • Documentation supports traceability and product requirements

Why it matters

Incomplete or inconsistent technical files create risk during audits and raise red flags around compliance readiness.

Download the ISO 13485 Audit Checklist

Audit readiness should not depend on tribal knowledge, rushed document collection, or last-minute scrambling.

This checklist gives you a structured way to validate your ISO 13485 readiness across the QMS areas auditors care about most.

Download the ISO 13485 Audit Checklist today.