Preparing for a Notified Body Audit: What Auditors Check and How to Be Ready

Quick answer: Notified body audits under EU MDR and ISO 13485:2016 come in four flavours — Stage 1 (documentation readiness), Stage 2 (implementation), annual surveillance, and unannounced audits (mandated by MDR Annex IX for manufacturers with NB certificates). Auditors sample the same high-yield areas every time: design controls with traceability to risk management, CAPA effectiveness, complaint-to-vigilance triage, management review substance, supplier controls, and whether the PRRC's verification duties are actually evidenced. The best preparation is a mock audit by someone holding the same lead auditor qualifications your notified body's team holds.

The four audit types

Stage 1 reviews your documented system and audit readiness — scope, quality manual, mandatory procedures, internal audit and management review evidence. Its output is a list of concerns to resolve before Stage 2.

Stage 2 is the certification audit proper: auditors verify the QMS is implemented and effective, on-site, by interviewing process owners and sampling records. Major nonconformities here stall certification until closed and verified.

Surveillance audits run annually on a reduced scope, plus recertification every three years. Auditors rotate focus areas — assume everything is eventually sampled.

Unannounced audits are required under MDR (Annex IX, Section 3.4): at least once every five years, no advance notice, typically focused on production and traceability. If your compliance depends on a two-week tidy-up before each audit, unannounced audits are designed to catch exactly that.

What auditors sample first

Experienced auditors go where the evidence is hardest to fake:

  • CAPA files — root cause quality, effectiveness checks, timeliness. A CAPA log full of "training provided, closed" is a finding generator.

  • Complaint handling and vigilance triage — pull ten complaints, check reportability decisions and their rationale against Article 87 timelines.

  • Design changes — sample a change, trace it through risk management, verification, technical documentation update, and regulatory notification assessment.

  • Management review — minutes showing decisions and resource allocations, not slide-deck theatre.

  • Supplier controls — evaluation records for critical suppliers matching what the procedure promises.

  • PRRC evidence — who holds the role, their qualifications, and records of their Article 15(3) verifications.

Preparation that actually works

Run a genuine mock audit 2–3 months out. Same criteria, same sampling style, graded findings — then close them with real corrective actions. A mock audit by a credentialed lead auditor (the same DEKRA/Exemplar Global qualifications NB auditors hold) reliably surfaces 80% of what the real audit would.

Rehearse the humans. Process owners should answer from their procedures and records, not improvise. Teach the discipline: answer the question asked, show the record, stop talking.

Fix your internal audit first. A thin internal audit programme tells the NB your self-monitoring is decorative — and invites deeper sampling everywhere else.

Prepare the logistics. Document retrieval speed matters; twenty minutes hunting for a DHF record changes an audit's tone. Have a runner, a front room, and a decision-maker available.

During and after the audit

Answer honestly — auditors triangulate, and a caught evasion converts a minor into a credibility problem. Take your own notes on every finding discussed. Afterwards, respond within the NB's deadline with root cause, correction, corrective action, and evidence; weak CAPA responses extend certification timelines more often than the findings themselves.

Frequently asked questions

How long does a Stage 2 audit take? Typically 2–5 auditor-days for an SME, scaled by staff count, sites, and device portfolio under IAF MD 5 rules.

Can a consultant sit in on the audit? Usually yes, as an observer/support — but employees must answer for their own processes. Auditors discount answers routed through a consultant.

What triggers an unannounced audit beyond the routine cycle? Vigilance signals, complaints to the competent authority, or certificate-related concerns can prompt one — another reason vigilance discipline matters.

Mock audit vs. internal audit — do we need both? Yes; they serve different clauses. The internal audit satisfies ISO 13485 Clause 8.2.4; the mock audit is a dress rehearsal for the NB's specific approach.

About QLE Group

QLE Group runs mock notified body audits, internal audits, and audit remediation for MedTech companies — performed by Radoslav Milkov, DEKRA-certified ISO 13485:2016 Lead Auditor and Exemplar Global-accredited Medical Device Management Systems Lead Auditor, applying the same criteria notified body auditors are qualified against. Brussels-based, complexity-indexed pricing at qle.be.

Audit on the calendar? Book a scoping call or email info@qle.be.

Previous
Previous

The EU AI Act and Medical Devices: How MDR and AI Act Obligations Stack

Next
Next

EUDAMED Registration: SRN, UDI, and the Phased Mandatory Deadlines Explained