Outsourcing ISO 13485 Internal Audits: Requirements, Independence, and What Good Looks Like

Quick answer: ISO 13485:2016 Clause 8.2.4 requires internal audits at planned intervals, conducted objectively and impartially — auditors shall not audit their own work. In a five-person MedTech company, nobody is independent of anything, which is why outsourcing internal audits to a qualified external auditor is both permitted and often the only structurally sound option. The auditor should hold recognised lead auditor credentials and audit against the same criteria your notified body will apply.

What Clause 8.2.4 requires

Internal audits must: verify the QMS conforms to planned arrangements, ISO 13485, applicable regulatory requirements, and your own documented requirements; run to a defined programme considering process importance and previous results; be objective and impartial; and produce records, with corrective action taken without undue delay on findings. ISO 19011 provides the accepted methodology.

The independence requirement is the trap for small teams. The quality manager who wrote the procedures cannot credibly audit them. Certification bodies notice — "internal audit performed by process owner" is a recurring audit finding.

Why outsourcing solves the structural problem

An external internal auditor gives you: genuine independence; calibration against notified body expectations (a credentialed lead auditor knows what BSI, TÜV, or DEKRA auditors probe, because they hold the same qualifications); efficiency (a practiced auditor completes in two days what an untrained employee stretches across weeks); and findings you can act on, prioritised by certification risk rather than formatted as a checklist.

Outsourcing the audit does not outsource the responsibility: your management review must still evaluate results, and CAPAs remain yours to close.

What to demand from an external auditor

Recognised credentials. Certified Lead Auditor status (e.g., DEKRA-certified ISO 13485 Lead Auditor, Exemplar Global accreditation). Ask for certificates, not claims.

Regulatory integration. The audit should cover EU MDR obligations woven through the QMS — PMS procedures, vigilance readiness, PRRC verification points, UDI/EUDAMED workflows — not just the ISO clause set.

A real audit plan and report. Risk-based programme, sampled records, objective evidence cited per finding, graded findings (major/minor/observation), and a report your notified body could read without embarrassment.

No conflict with consulting work. If the same firm built your QMS, the audit must be honest about its own design decisions — or use a second practitioner. Ask how the provider handles this.

Typical engagement structure

A full-system internal audit for a single-site SME typically runs 1–3 auditor-days on-site or remote, plus reporting: audit programme and plan agreed against your certification calendar; document review; process audits with records sampling; closing meeting with graded findings; report plus CAPA-ready finding statements. Annual cadence is the norm; pre-certification audits are scheduled 2–3 months before Stage 2 or surveillance, leaving time to close findings.

Frequently asked questions

Is it acceptable to notified bodies to outsource internal audits? Yes. Clause 8.2.4 requires objectivity and competence, not employment. Keep the auditor's credentials and contract in your supplier file — the audit function is an outsourced process under Clause 4.1.5.

How often must internal audits run? At planned intervals — in practice, the full QMS at least annually, weighted by risk and previous findings.

Can the auditor also fix the findings? The auditor can recommend; your team (or a separately-scoped consulting engagement) implements. Keep the paper trail distinguishing the two.

What does an outsourced internal audit cost? Priced by scope and complexity — sites, processes, device portfolio. QLE Group publishes complexity-indexed pricing at qle.be.

About QLE Group

QLE Group provides outsourced internal audits, supplier audits, and mock notified body audits for MedTech companies. Audits are performed by Radoslav Milkov — DEKRA-certified ISO 13485:2016 Lead Auditor and Exemplar Global-accredited Medical Device Management Systems Lead Auditor with 21 CFR 820 parallel-track experience — applying the same criteria notified body auditors use.

Internal audit due? Book a scoping call or email info@qle.be.

Previous
Previous

EU MDR CE Marking Roadmap: Every Step from Classification to Certificate

Next
Next

Building an ISO 13485:2016 QMS from Scratch: A Realistic Guide for MedTech Startups