ISO 13485 Internal Audits During Transition
Last Updated on September 25, 2025 by Melissa Lazaro
Introduction: Why Internal Audits Matter During the Transition
One of the biggest challenges I see when companies move from ISO 13485:2003 to ISO 13485:2016 is figuring out what to do with their internal audit program. On paper, they already “have audits covered.” But when you dig deeper, the audit checklists still reference the 2003 clauses, the auditors haven’t been trained on the 2016 changes, and high-risk areas like supplier management or post-market surveillance barely get touched.
That’s a problem—because internal audits are your safety net during transition. They’re the one tool you have to catch compliance gaps before your certification body does. If you use them well, you’ll uncover risks early, tighten weak spots, and walk into your certification audit with confidence. If you don’t, the gaps will show up anyway—just in front of an external auditor.
Here’s what this article will give you:
- A clear picture of how ISO 13485:2016 changes internal audit expectations.
- Practical advice for updating your audit program to focus on the right areas.
- Common pitfalls I’ve seen companies fall into (and how to avoid them).
- Real-world lessons from transition audits that worked.
In my experience, companies that treat internal audits as more than a checkbox exercise transition faster, face fewer findings, and actually improve their QMS in the process.
Now that we’ve set the scene, let’s look at why internal audits are so critical during the transition and how they’ve become more than just routine compliance.
Why Internal Audits Are Critical During Transition
Internal audits are more than just a compliance checkbox during the ISO 13485:2016 transition—they’re your early warning system. They give you the chance to find and fix gaps before an external auditor does.
Here’s why they matter so much right now:
1. Proving You’ve Addressed the 2016 Changes
Certification bodies expect to see clear evidence that you’ve adapted your QMS to the new standard. Internal audits are the best way to demonstrate that. If your audit schedule, checklists, and reports don’t reflect ISO 13485:2016, it tells auditors you haven’t fully transitioned.
2. Reducing Audit Findings (and Stress)
I’ve seen companies treat internal audits as a routine paperwork exercise, only to be blindsided in their certification audit. On the other hand, the organizations that treated internal audits as “dress rehearsals” caught issues like missing supplier risk evaluations or weak training evidence before their external audit.
3. Building Confidence Across the Team
A well-run internal audit program during transition shows leadership, regulators, and staff that the company is taking compliance seriously. It builds confidence—not just for certification, but for day-to-day operations.
Pro Tip: Treat every internal audit during transition as if it were an external one. Use it to pressure-test your system, ask the tough questions, and make sure your evidence holds up.
New ISO 13485:2016 Requirements That Impact Internal Audits
One of the biggest mistakes I see during transitions is companies running their internal audits as if nothing has changed. The checklists still point to the 2003 clauses, and the auditors aren’t asking about the new requirements. That’s a missed opportunity—because ISO 13485:2016 added or expanded several areas that must be reflected in your audit program.
Here are the key ones to watch:
1. Risk Management Everywhere
- What’s New: Risk is no longer just for product design—it applies across the entire QMS.
- Audit Focus: Auditors should ask how risk-based thinking shows up in supplier selection, training, CAPA, and even document control.
2. Expanded Supplier Controls
- What’s New: Suppliers must now be evaluated and monitored with a documented, risk-based approach.
- Audit Focus: Internal audits should review supplier files, agreements, and evidence of ongoing monitoring—not just an “approved supplier list.”
3. Documentation & Software Validation
- What’s New: ISO 13485:2016 requires validation of any software used in the QMS.
- Audit Focus: Check whether tools like training systems, CAPA trackers, or complaint databases are validated and have records to prove it.
4. Training Effectiveness
- What’s New: It’s not enough to record training attendance—you need proof the training worked.
- Audit Focus: Verify evidence of training effectiveness, such as competency checks, quizzes, or supervisor sign-offs.
5. Post-Market Surveillance & Feedback
- What’s New: Stronger requirements for collecting and analyzing post-market data.
- Audit Focus: Look for links between complaints, feedback, CAPA, and risk management.
Pro Tip: Update your audit checklists now. If you’re still using a 2003-based list, you’ll miss half the issues that external auditors are going to catch.
Adjusting Your Internal Audit Program
Updating your internal audit program isn’t about reinventing the wheel—it’s about making sure your audits actually reflect the 2016 requirements. If your program still looks the same as it did under 2003, you’re leaving gaps wide open.
Here’s how to bring your audit program up to speed:
1. Refresh Your Audit Checklists
- What to Do: Rewrite your audit checklists to cover new requirements—risk management, supplier controls, software validation, and training effectiveness.
- Pro Tip: Don’t just copy clauses word-for-word. Rewrite them in plain language so auditors focus on process evidence, not just ticking boxes.
2. Adjust Your Audit Schedule
- What to Do: Audit high-risk processes (like supplier management or complaint handling) more often.
- Why It Matters: ISO 13485:2016 expects a risk-based approach, and your audit frequency should show that.
- Example: A sterilization supplier might need quarterly audits, while low-risk internal processes may only need annual checks.
3. Train Your Internal Auditors
- What to Do: Make sure your audit team understands ISO 13485:2016, not just the 2003 version.
- Pitfall: Many companies forget to train auditors on the changes, so audits still focus on outdated requirements.
- Pro Tip: A one-day refresher workshop can make a huge difference in how effective your audits are.
4. Audit Processes, Not Just Paperwork
- What to Do: Go beyond document reviews. Walk the process, interview staff, and ask for real-time evidence.
- Why It Matters: ISO 13485:2016 pushes for practical risk management. You can’t see that on paper alone.
5. Use Audits as Rehearsals
- What to Do: Treat each internal audit as if it were your certification audit.
- Real-World Example: I’ve seen companies catch missing supplier risk files and fix them in time simply because they approached the internal audit as seriously as an external one.
With these adjustments, your internal audit program becomes a powerful tool—not just for compliance, but for building a stronger, more resilient QMS.
Building a Risk-Based Audit Approach
One of the biggest themes in ISO 13485:2016 is risk-based thinking—and your internal audit program should reflect that. It’s not enough to run audits on a fixed calendar anymore. Auditors expect to see that you’re focusing your energy where the risks are highest.
1. Prioritize High-Risk Processes
- What to Do: Use your risk register to identify which processes could most impact patient safety or compliance.
- Example: Supplier management, complaint handling, sterilization, and CAPA usually sit at the top of the list.
- Pro Tip: Tie audit frequency directly to risk. High-risk processes may need quarterly reviews, while low-risk ones can stay annual.
2. Link Findings to Risk Management
- Why It Matters: ISO 13485:2016 expects risks to be tracked across the QMS, not just in design.
- What to Do: When you log an audit finding, link it back to your risk register. This shows auditors you’re using audit results to inform risk management.
3. Scale Audit Depth to Risk
- What to Do: Don’t give every process the same level of scrutiny. For low-risk processes, a lighter review may be fine. For high-risk ones, dive deep—walk the floor, trace records, and interview staff.
- Common Pitfall: Treating all audits as equal. This wastes resources and weakens coverage where it matters most.
4. Keep Leadership Involved
- Why It Matters: Risk-based auditing isn’t just a quality team exercise. Leadership needs to understand how risks drive your audit plan.
- Pro Tip: Bring a simple “risk vs. audit coverage” chart to management reviews. It helps leadership see why certain areas get more attention.
Done well, a risk-based audit approach not only aligns with ISO 13485:2016 but also makes your QMS stronger and more efficient.
Common Mistakes in Transition Audits
Even with the best intentions, I’ve seen companies trip up when running internal audits during the ISO 13485:2016 transition. Most of the mistakes come from treating audits as routine paperwork checks rather than as real opportunities to test the system.
Here are the pitfalls I see most often:
1. Auditing to the Old Standard
- The Mistake: Using checklists and questions designed for ISO 13485:2003.
- Why It Hurts: You’ll miss critical 2016 requirements like risk-based supplier control or software validation. External auditors will catch them instead.
- Fix: Update all audit tools and make sure your auditors are trained on the 2016 clauses.
2. Focusing Only on Documents
- The Mistake: Reviewing SOPs and records without checking how processes actually work in practice.
- Why It Hurts: ISO 13485:2016 emphasizes risk in action, not just on paper.
- Fix: Use process-based auditing—walk the floor, trace records, interview employees.
3. Ignoring Training Effectiveness
- The Mistake: Checking attendance logs but not verifying whether employees understood the training.
- Why It Hurts: Auditors want proof of competence, not just participation.
- Fix: Add “effectiveness checks” (like short quizzes or supervisor sign-offs) into your audit criteria.
4. Skipping Software Validation
- The Mistake: Overlooking validation of QMS software tools (CAPA trackers, complaint databases, training systems).
- Why It Hurts: This is one of the most common nonconformities raised in 2016 audits.
- Fix: Always ask: “Show me the validation records for this software.”
5. Treating Findings as a Checklist Item
- The Mistake: Recording nonconformities without linking them back to risk or CAPA.
- Why It Hurts: It makes your audit program look weak and reactive.
- Fix: Always tie findings into your CAPA and risk management processes.
Pro Tip: The best way to avoid these mistakes is to approach your transition audits as mini certification audits. If you wouldn’t feel confident defending your evidence to an external auditor, it’s a gap worth fixing now.
Case Study: Transition Audit in Practice
Sometimes the best way to understand how internal audits support the ISO 13485:2016 transition is to look at a real example.
The Situation
A medical device manufacturer I worked with had been ISO 13485:2003 certified for years. Their internal audits were well established, but when they prepared for their transition audit, the cracks started showing:
- Their checklists hadn’t been updated for the 2016 clauses.
- Supplier files lacked evidence of risk-based evaluation.
- Training records only tracked attendance, not effectiveness.
They realized that if an external auditor walked in tomorrow, they’d be in trouble.
The Actions
We overhauled their internal audit program in three key steps:
- Updated Checklists → Added 2016-specific requirements like supplier risk management, software validation, and post-market surveillance.
- Focused Audits → Ran targeted internal audits on high-risk areas, including supplier control and complaint handling.
- Auditor Training → Delivered a refresher session for their audit team so they could recognize and test compliance against 2016 clauses.
The Results
- During the next certification audit, the external auditor specifically praised their internal audits, noting they had “clearly addressed the 2016 requirements.”
- The company went from multiple potential major findings to just two minors, both easily corrected.
- More importantly, they built an audit culture that actively supported risk management instead of just ticking boxes.
Key Lesson
Internal audits during transition aren’t just about passing certification—they’re about pressure-testing your system. Done right, they turn gaps into opportunities to strengthen the QMS before anyone else points them out.
Pro Tip: Treat your transition audits like a stress test. The harder you push internally, the easier your certification audit will be.
FAQs: ISO 13485 Internal Audits During Transition
Q1: Do we need to audit both ISO 13485:2003 and 2016 during transition?
No. Your focus should be on ISO 13485:2016. While some certification bodies referenced 2003 during the early overlap period, today auditors expect to see that your internal audits are fully aligned with 2016.
Q2: How often should internal audits be done during transition?
At minimum, you need a full audit cycle each year. But during transition, many companies increase the frequency for high-risk processes—quarterly reviews of supplier controls, complaint handling, or CAPA, for example.
Q3: Who should conduct the audits?
Trained internal auditors who understand the 2016 requirements. If your team hasn’t been refreshed on the changes, invest in training or bring in an external consultant. A poorly run audit can create more confusion than clarity.
Conclusion: Turning Internal Audits Into a Transition Advantage
ISO 13485:2016 raised expectations, and internal audits are the best tool you have to make sure your QMS is ready. Done right, they’re not just a compliance exercise—they’re a way to find gaps early, build confidence with leadership, and walk into certification audits without surprises.
Here are the big takeaways:
- Update your audit program to reflect the 2016 clauses—risk, supplier controls, training effectiveness, and software validation.
- Adopt a risk-based approach—audit high-risk processes more often and in more depth.
- Avoid common pitfalls like auditing only documents or ignoring training and supplier controls.
- Use audits as practice—treat them like mini certification audits to pressure-test your system.
In my experience, companies that invest in strong internal audits during transition don’t just pass certification—they end up with a more resilient QMS that genuinely improves how they operate.
Your next step: Refresh your audit checklist for ISO 13485:2016 and schedule a focused internal audit on high-risk areas within the next quarter. It’s the simplest way to protect your certification and strengthen your quality system.
Because at the end of the day, internal audits aren’t just about compliance—they’re about making your QMS stronger where it matters most.
Melissa Lazaro is a seasoned ISO consultant and an enthusiastic advocate for quality management standards. With rich experience in conducting audits and providing consultancy services, Melissa specializes in helping organizations implement and adapt to ISO standards. Her passion for quality management is evident in her hands-on approach and deep understanding of the regulatory frameworks. Melissa’s expertise and energetic commitment make her a sought-after consultant, dedicated to elevating organizational compliance and performance through practical, insightful guidance.