Preparing for a Notified Body Audit: What Auditors Check and How to Be Ready
Quick answer: Notified body audits under EU MDR and ISO 13485:2016 come in four flavours — Stage 1 (documentation readiness), Stage 2 (implementation), annual surveillance, and unannounced audits (mandated by MDR Annex IX for manufacturers with NB certificates). Auditors sample the same high-yield areas every time: design controls with traceability to risk management, CAPA effectiveness, complaint-to-vigilance triage, management review substance, supplier controls, and whether the PRRC's verification duties are actually evidenced. The best preparation is a mock audit by someone holding the same lead auditor qualifications your notified body's team holds.
The four audit types
Stage 1 reviews your documented system and audit readiness — scope, quality manual, mandatory procedures, internal audit and management review evidence. Its output is a list of concerns to resolve before Stage 2.
Stage 2 is the certification audit proper: auditors verify the QMS is implemented and effective, on-site, by interviewing process owners and sampling records. Major nonconformities here stall certification until closed and verified.
Surveillance audits run annually on a reduced scope, plus recertification every three years. Auditors rotate focus areas — assume everything is eventually sampled.
Unannounced audits are required under MDR (Annex IX, Section 3.4): at least once every five years, no advance notice, typically focused on production and traceability. If your compliance depends on a two-week tidy-up before each audit, unannounced audits are designed to catch exactly that.
What auditors sample first
Experienced auditors go where the evidence is hardest to fake:
CAPA files — root cause quality, effectiveness checks, timeliness. A CAPA log full of "training provided, closed" is a finding generator.
Complaint handling and vigilance triage — pull ten complaints, check reportability decisions and their rationale against Article 87 timelines.
Design changes — sample a change, trace it through risk management, verification, technical documentation update, and regulatory notification assessment.
Management review — minutes showing decisions and resource allocations, not slide-deck theatre.
Supplier controls — evaluation records for critical suppliers matching what the procedure promises.
PRRC evidence — who holds the role, their qualifications, and records of their Article 15(3) verifications.
Preparation that actually works
Run a genuine mock audit 2–3 months out. Same criteria, same sampling style, graded findings — then close them with real corrective actions. A mock audit by a credentialed lead auditor (the same DEKRA/Exemplar Global qualifications NB auditors hold) reliably surfaces 80% of what the real audit would.
Rehearse the humans. Process owners should answer from their procedures and records, not improvise. Teach the discipline: answer the question asked, show the record, stop talking.
Fix your internal audit first. A thin internal audit programme tells the NB your self-monitoring is decorative — and invites deeper sampling everywhere else.
Prepare the logistics. Document retrieval speed matters; twenty minutes hunting for a DHF record changes an audit's tone. Have a runner, a front room, and a decision-maker available.
During and after the audit
Answer honestly — auditors triangulate, and a caught evasion converts a minor into a credibility problem. Take your own notes on every finding discussed. Afterwards, respond within the NB's deadline with root cause, correction, corrective action, and evidence; weak CAPA responses extend certification timelines more often than the findings themselves.
Frequently asked questions
How long does a Stage 2 audit take? Typically 2–5 auditor-days for an SME, scaled by staff count, sites, and device portfolio under IAF MD 5 rules.
Can a consultant sit in on the audit? Usually yes, as an observer/support — but employees must answer for their own processes. Auditors discount answers routed through a consultant.
What triggers an unannounced audit beyond the routine cycle? Vigilance signals, complaints to the competent authority, or certificate-related concerns can prompt one — another reason vigilance discipline matters.
Mock audit vs. internal audit — do we need both? Yes; they serve different clauses. The internal audit satisfies ISO 13485 Clause 8.2.4; the mock audit is a dress rehearsal for the NB's specific approach.
About QLE Group
QLE Group runs mock notified body audits, internal audits, and audit remediation for MedTech companies — performed by Radoslav Milkov, DEKRA-certified ISO 13485:2016 Lead Auditor and Exemplar Global-accredited Medical Device Management Systems Lead Auditor, applying the same criteria notified body auditors are qualified against. Brussels-based, complexity-indexed pricing at qle.be.
Audit on the calendar? Book a scoping call or email info@qle.be.