ISO 13485 Corrective Actions for Audit Findings
Last Updated on September 25, 2025 by Melissa Lazaro
Introduction: Why Corrective Actions Matter in ISO 13485 Audits
Here’s the reality—no ISO 13485 audit ends without at least a few findings. Even well-prepared companies get written up for something, whether it’s a missing signature, an outdated record, or a gap in risk management. But that’s not what auditors judge you on most. What really matters is how you respond.
Corrective actions are your chance to show that your Quality Management System (QMS) isn’t just a set of documents, but a living system that can identify issues, fix them, and prevent them from happening again. In many cases, I’ve seen auditors leave more impressed with a company that handled findings well than one with fewer findings but weak corrective action follow-up.
In this guide, we’ll unpack the difference between major and minor findings, walk through the step-by-step process for implementing effective corrective actions, and highlight common mistakes that derail companies. By the end, you’ll know exactly how to turn audit findings into proof that your QMS is strong, resilient, and audit-ready.
Understanding Audit Findings in ISO 13485
Before you can take the right corrective actions, you need to understand exactly what the auditor is flagging. In ISO 13485, findings are generally classified as either major or minor non-conformities—and the difference matters.
Major Non-Conformities
- These are systemic gaps or failures that put your QMS at risk of being ineffective.
- Examples: no evidence of risk management, missing CAPA procedure, or management reviews not conducted.
- Major findings must be corrected before certification can move forward.
Minor Non-Conformities
- These are smaller, isolated issues that don’t compromise the overall system.
- Examples: one training record missing a signature, a single outdated SOP still in circulation, or incomplete audit notes.
- Minor findings still require corrective actions, but they usually don’t block certification if you provide a solid plan.
Pro Tip: Don’t get defensive with auditors. Findings aren’t “failures”—they’re opportunities to show your system works. A professional, solutions-focused response leaves a stronger impression than arguing.
Common mistake: Some companies rush to “close” findings with quick fixes, like updating a document, without addressing the root cause. Auditors can tell when a fix is superficial, and it often leads to repeat findings in the next audit.
In short, whether the finding is major or minor, your corrective action process needs to prove that you not only fixed the issue, but also strengthened your QMS so it won’t happen again.
Steps to Implement Effective Corrective Actions in ISO 13485
When an auditor raises a finding, you don’t just “patch” the issue—you prove your Quality Management System (QMS) can learn from it. That’s exactly what corrective actions are about. Here’s the process I’ve seen work best, both in practice and with auditors:
Step 1: Contain the Issue
Take immediate action to stop the problem from continuing. For example, if a calibration record is missing, quarantine the equipment until records are updated.
This shows auditors you take findings seriously and protect product safety right away.
Step 2: Investigate and Find the Root Cause
Ask: “Why did this happen?” not just “What happened?” Use tools like the 5 Whys or Fishbone Diagrams to dig deeper.
Common pitfall: Fixing the symptom (e.g., re-training one employee) without addressing the system gap (e.g., weak training procedure).
Step 3: Plan Corrective Actions
Develop a plan that clearly defines:
- What action will be taken.
- Who is responsible.
- When it will be completed.
Auditors expect specific owners and timelines—not vague promises.
Step 4: Implement and Document
Carry out the corrective action and record every step. Keep evidence (updated SOPs, new training records, supplier evaluations) audit-ready.
Pro Tip: Link your corrective action to your CAPA system so it can be tracked and reviewed later.
Step 5: Verify Effectiveness
The most overlooked step. Show data or evidence that the fix worked—fewer complaints, cleaner records, improved supplier performance.
Example: If the finding was about missing signatures, your follow-up audit should show 100% signed records for the next quarter.
When you follow this process, your corrective actions don’t just “satisfy” the auditor—they demonstrate that your ISO 13485 QMS is working as intended: identifying risks, fixing gaps, and continuously improving.
Common Mistakes in ISO 13485 Corrective Actions
I’ve seen plenty of companies work hard on corrective actions only to frustrate auditors because they fall into these traps. Avoiding them is half the battle.
1. Closing Findings Without Root Cause Analysis
Just fixing the immediate issue (e.g., updating a missing record) without asking why it happened means the problem will likely come back. Auditors spot this instantly.
2. Treating Corrective Actions as Paperwork
Some teams rush to fill out CAPA forms without actually changing processes or training people. On paper, it looks good—but in reality, nothing improves.
3. Skipping the Effectiveness Check
Auditors expect proof that your fix worked. If you don’t review records, run follow-up audits, or show data, you’ll get repeat findings.
4. Waiting Until the Next Audit to Act
Corrective actions should be implemented quickly with evidence shared in your certification body’s required timeframe (usually 30–90 days). If you wait, you’ll be flagged for poor responsiveness.
Pro Tip: Auditors would rather see one solid corrective action that took time to investigate and implement than five rushed “quick fixes” with no evidence of improvement.
Example: A client once closed a CAPA by saying, “Staff retrained.” But when the auditor interviewed employees, they had no idea about the updated procedure. The finding was escalated because the corrective action wasn’t effective.
The bottom line: strong corrective actions aren’t about paperwork—they’re about showing your QMS is alive, self-correcting, and reliable.
Real-World Examples of ISO 13485 Corrective Actions
Sometimes the best way to understand corrective actions is to see what they look like in practice. Here are a few examples I’ve seen firsthand that illustrate the difference between weak and strong responses:
Example 1: Document Control Finding
- Audit Finding: Outdated SOP found in use on the production floor.
- Weak Corrective Action: “Removed old copy and retrained staff.”
- Strong Corrective Action: Implemented a document control system that automatically archives obsolete SOPs, trained staff on accessing controlled documents, and verified through follow-up audit that only current versions are in circulation.
Example 2: CAPA Process Finding
- Audit Finding: CAPAs open for more than six months without closure.
- Weak Corrective Action: “Closed overdue CAPAs.”
- Strong Corrective Action: Revised CAPA procedure with escalation timelines, assigned CAPA owners accountable to management review, and added a dashboard to monitor CAPA status. Follow-up audit confirmed all CAPAs closed on time with effectiveness checks.
Example 3: Supplier Control Finding
- Audit Finding: No documented re-evaluation of a critical supplier in two years.
- Weak Corrective Action: “Requested updated certificates from supplier.”
- Strong Corrective Action: Created a supplier evaluation schedule based on risk, updated supplier files with performance scorecards, and ensured re-evaluation results were reviewed in management review.
Pro Tip: Notice the pattern—the strong responses don’t just fix the issue; they improve the system and prove the fix works. That’s exactly what auditors want to see.
FAQs on ISO 13485 Corrective Actions
Q1. How long do we have to close audit findings in ISO 13485?
Most certification bodies give 30–90 days depending on the severity of the finding. Majors usually require evidence of implementation before certification can proceed. Minors can sometimes be closed with a corrective action plan, but proof of action will be checked at the next audit.
Q2. Do all audit findings require a CAPA?
Not always. Minor findings can often be corrected directly without raising a formal CAPA (e.g., updating a single missing signature). Systemic issues or repeated problems should always go through the CAPA process with root cause analysis and effectiveness checks.
Q3. Can we challenge an auditor’s finding?
Yes. If you believe the finding is incorrect or misinterpreted, you can provide objective evidence or ask for clarification. That said, it’s usually smarter to treat it as a chance to strengthen your system—even if you don’t fully agree.
Q4. What’s the difference between corrective and preventive action in ISO 13485?
- Corrective action: fixing a problem that already occurred and preventing it from happening again.
- Preventive action: identifying a potential issue before it happens and putting controls in place to stop it.
Conclusion: Building a Culture of Continuous Improvement in ISO 13485 Corrective Actions
At the end of the day, audit findings aren’t the problem—they’re feedback. What matters is how you respond. A well-handled corrective action not only satisfies the auditor but also strengthens your Quality Management System (QMS) and builds long-term trust.
The companies that excel at ISO 13485 corrective actions do three things consistently:
- They address root causes, not just symptoms.
- They document and prove effectiveness with data.
- They treat findings as opportunities to improve, not just gaps to patch.
In my experience, organizations that embrace corrective actions as part of their culture rarely struggle with repeat findings. Instead, they walk into surveillance audits confident, because they know their QMS is designed to evolve and get stronger over time.
Your next step: take your most recent audit report, map each finding into a corrective action plan, and make sure you verify effectiveness. That simple shift will turn audit stress into a clear path toward certification success.
Melissa Lavaro is a seasoned ISO consultant and an enthusiastic advocate for quality management standards. With a rich experience in conducting audits and providing consultancy services, Melissa specializes in helping organizations implement and adapt to ISO standards. Her passion for quality management is evident in her hands-on approach and deep understanding of the regulatory frameworks. Melissa’s expertise and energetic commitment make her a sought-after consultant, dedicated to elevating organizational compliance and performance through practical, insightful guidance.