Maintaining ISO 13485 Certification: Surveillance Audits


Last Updated on September 25, 2025 by Melissa Lazaro

Introduction: Staying Certified Isn’t Automatic

Getting your ISO 13485 certificate feels like crossing the finish line—but really, it’s just the start of the journey. To keep that certificate valid, you’ll go through surveillance audits every year. And here’s the part many companies underestimate: these follow-up audits can be just as stressful as the first certification if you’re not prepared.

I’ve seen it play out too often. A team works hard to get certified, then relaxes. By the time the surveillance audit comes around, procedures are outdated, training logs are half-empty, and management review minutes are rushed together the week before. The result? Findings that could have been avoided, extra costs, and sometimes even warnings from the certification body.

The good news is, surveillance audits don’t have to be painful. When you know what auditors are looking for—and you treat readiness as part of daily operations—you can pass smoothly and avoid surprises. In this article, I’ll break down what surveillance audits are, how they fit into the certification cycle, and practical strategies I’ve seen companies use to stay audit-ready year-round.

What Surveillance Audits Are (and Why They Matter)

Think of surveillance audits as your annual check-up. Once you’re certified, your certification body doesn’t just hand you a certificate and disappear for three years. They come back—usually once a year—to make sure your Quality Management System (QMS) is still effective and being used day to day.

These audits aren’t as long or intense as the initial certification audit, but they’re just as important. Why? Because if you fail to maintain compliance, you risk suspension—or even losing your certificate altogether. And for most medical device companies, that’s not an option.

Pro Tip: Don’t treat surveillance as “mini-audits.” They may be shorter, but auditors still focus on critical processes like complaints, CAPA, supplier control, and training.

Common Mistake: I’ve seen companies breathe a sigh of relief after getting certified and then coast into surveillance without preparation. The result? Nonconformities that should’ve been caught internally. One client nearly faced suspension because they hadn’t closed out findings from the initial certification before the first surveillance audit.

Bottom line: Surveillance audits aren’t just a formality—they’re how you prove your QMS is alive and working.

The Surveillance Audit Timeline

Surveillance audits happen every year after your initial certification. They’re built into the three-year certification cycle:

  • Year 1: Initial certification audit (Stage 1 + Stage 2).

  • Year 2: First surveillance audit.

  • Year 3: Second surveillance audit.

  • Year 4: Recertification audit (the cycle resets).

Surveillance audits are shorter than the initial Stage 2 audit—often about one-third to one-half of the time. For example, if your Stage 2 took 6 audit days, your surveillance audits might be 2–3 days each.

Auditors won’t review your entire QMS during surveillance. Instead, they’ll sample key processes, focusing on:

  • High-risk areas (like complaint handling or CAPA).

  • Any nonconformities from your previous audit.

  • Mandatory elements like internal audits and management reviews.

Pro Tip: Ask your certification body for the audit plan a few weeks in advance. Knowing which areas they’ll sample helps you prepare targeted evidence.

Common Mistake: Assuming surveillance is “lighter” and therefore less important. I’ve seen companies relax after year one, only to be caught by surprise when auditors zero in on neglected processes.

Handled well, surveillance audits keep you sharp and prevent nasty surprises at recertification.

What Auditors Focus On During Surveillance

Surveillance audits aren’t about re-checking everything. Instead, auditors zoom in on the most critical and high-risk areas of your QMS. If you know where their attention will be, you can prepare without scrambling.

Here’s what usually gets the spotlight:

  • High-risk processes: Complaint handling, CAPA, design changes, and risk management are always on the list.

  • Previous findings: Any nonconformities from the last audit will be checked for closure. If you didn’t fix them properly, expect more trouble this time.

  • Mandatory requirements: Internal audits, management reviews, and regulatory updates must be in place and up to date.

  • Operational consistency: Auditors want to see that processes aren’t just written down—they’re actually being followed.

Pro Tip: Keep a running “audit-readiness file.” Drop in training logs, CAPA updates, supplier evaluations, and management review minutes throughout the year. When the audit comes, you’ll have everything ready instead of digging through folders last minute.

Common Mistake: Waiting until the month before surveillance to pull records together. Auditors can tell when documentation is rushed, and it usually results in findings.

Example: A company I supported made it a rule to update their audit-readiness file monthly. By the time surveillance came, they barely had to prep—and the audit was one of the smoothest I’ve ever seen.

Common Findings in Surveillance Audits

Even companies with strong systems can stumble during surveillance. The findings I see most often aren’t dramatic—they’re the small things that get overlooked once the initial certification “pressure” is gone.

Here are the usual suspects:

  • Outdated procedures: Teams update how they work, but the QMS documents never catch up.

  • Weak CAPA follow-up: Nonconformities are logged, but corrective actions drag on or aren’t verified.

  • Incomplete training records: Staff were trained, but no one signed the forms or updated the log.

  • Supplier monitoring gaps: Approved supplier lists aren’t updated, or evaluations are skipped.

Pro Tip: Treat CAPA like a living process. Assign clear owners and deadlines, and review progress monthly. Auditors love seeing a structured approach.

Common Mistake: Thinking “minor” findings don’t matter. I’ve seen companies ignore a small documentation issue two years in a row—by year three, the CB flagged it as a systemic problem, which risked suspension.

Example: One SME I worked with kept missing supplier evaluations. They fixed it by scheduling reminders in their QMS software. At the next surveillance audit, the auditor praised their corrective action and closed the issue.

Surveillance findings don’t have to be painful—they’re opportunities to show your system is alive and improving.

Strategies to Stay Audit-Ready Year-Round

The easiest way to fail a surveillance audit is to treat it like an annual event instead of part of daily business. The strongest companies I’ve worked with don’t scramble the month before—they build audit readiness into their routine.

Here are practical strategies that work:

  • Spread out internal audits: Don’t leave them all for December. Break them across the year so every process gets attention.

  • Make management reviews meaningful: Hold real discussions about performance and improvements, not just a box-ticking meeting before the audit.

  • Keep training logs current: Update records right after training. Waiting months to “catch up” almost guarantees errors or missing signatures.

  • Track CAPAs consistently: Use a dashboard or tracker to follow open issues, owners, and due dates.

  • Update documents regularly: When processes change, update the procedure right away—not the week before the auditor visits.

Pro Tip: Set up a simple monthly QMS health check. Spend an hour reviewing open CAPAs, training logs, and supplier evaluations. By the time the audit comes around, you’ll already be ready.

Common Mistake: Treating the QMS as a project with a start and end date. ISO 13485 is about continuous operation, and auditors will know if you’ve only been “active” in the weeks before they arrive.

Done right, surveillance audits stop feeling like stress tests—and become smooth checkpoints that confirm your system is working.

Costs and Consequences of Poor Surveillance Results

Surveillance audits aren’t just about keeping your certificate clean—they can directly impact your budget, your reputation, and your ability to sell products. When companies underestimate this, the consequences can be painful.

Here’s what can happen if surveillance goes badly:

  • Extra audit days (and costs): If auditors find major gaps, they may need to come back for a follow-up. That means more audit days billed to you.

  • Suspension warnings: Certification bodies can issue warnings if problems aren’t fixed quickly. During suspension, your certificate is technically invalid—customers and regulators may not accept it.

  • Withdrawal of certification: If issues remain unresolved, your CB can withdraw the certificate entirely. At that point, you’re starting from scratch.

  • Business impact: Customers lose trust fast when they hear a supplier’s ISO certificate is suspended. In some regulated markets, losing certification means you legally can’t sell your devices.

Example: I worked with a company that didn’t take a minor CAPA issue seriously. By the next surveillance, it was still open—and the CB escalated it. They had to pay for an additional 2-day follow-up audit and spent weeks in suspension until they closed the gap.

Pro Tip: Treat every finding—big or small—as an opportunity to strengthen your QMS. Closing them quickly keeps costs down and shows auditors you’re committed to improvement.

Surveillance audits aren’t meant to punish—they’re designed to keep your system sharp. But if ignored, the financial and reputational damage can outweigh the cost of the audit itself.

FAQs on ISO 13485 Surveillance Audits

Q1: How long do surveillance audits take compared to the initial audit?

They’re usually shorter—often one-third to one-half the time of your Stage 2 certification audit. For example, if Stage 2 took six days, each surveillance audit might be two days. The exact duration depends on your size, scope, and previous findings.

Q2: Can surveillance audits be unannounced?

Yes. While most are scheduled in advance, some certification bodies (and regulators) require unannounced visits, especially if you manufacture higher-risk devices. These are designed to check that your QMS is always active, not just polished for audit day.

Q3: What happens if we fail a surveillance audit?

It depends on the severity. Minor findings can be corrected with documented CAPAs, but major issues may require a follow-up audit. In serious cases, your certificate can be suspended or withdrawn—which can stop you from selling in regulated markets until you’re back in compliance.

Conclusion: Surveillance Audits Keep Your Certification Alive

ISO 13485 certification isn’t a “one and done.” Surveillance audits are the checkpoints that prove your QMS is still effective, year after year. They may be shorter than the initial certification audit, but their impact is just as serious—because without passing them, your certificate (and market access) is at risk.

Here are the big takeaways:

  • Surveillance audits happen annually in years 2 and 3 of the cycle.

  • Auditors focus on high-risk processes, previous findings, and mandatory requirements like CAPA, complaints, and management review.

  • The most common pitfalls are outdated procedures, weak CAPA follow-up, and incomplete training records.

  • Staying audit-ready year-round—through routine internal audits, meaningful management reviews, and updated records—makes surveillance far less stressful.

  • Poor results don’t just cost money, they can damage reputation and even suspend your ability to sell.

In my experience, the companies that thrive are the ones that stop treating surveillance as an event and start treating it as part of their everyday operations.

Next Step: Build a simple, monthly “QMS health check” routine now. By the time your surveillance audit comes around, you’ll already be ready—and you’ll pass with confidence.
