Top ISO 13485 Audit Non-Conformities

Last Updated on September 25, 2025 by Melissa Lazaro

Introduction: Why ISO 13485 Audit Non-Conformities Matter

Here’s the reality—no matter how prepared you feel, ISO 13485 audits nearly always uncover something. I’ve sat through dozens of audits, and I can tell you this: most non-conformities aren’t because a company doesn’t care about quality. They happen because the QMS isn’t consistently applied across documentation, training, and daily operations.

The problem? Even small gaps can slow down certification or trigger costly corrective actions. Major non-conformities can even block certification until they’re fixed.

The good news is that most findings are predictable. Year after year, auditors see the same weak spots: incomplete documents, poorly managed CAPAs, neglected supplier controls. Once you know what these top ISO 13485 audit non-conformities are—and how to avoid them—you’re already ahead of the curve.

This guide walks you through the most common findings I’ve seen, along with practical steps and real-world examples to help you stay clear of them.

Document Control and Record Keeping in ISO 13485 Audit Non-Conformities

If there’s one area that consistently trips companies up, it’s documentation. Auditors know that if documents and records aren’t controlled, everything else in the Quality Management System (QMS) becomes questionable. That’s why document control and record keeping is often the number one source of ISO 13485 non-conformities.

What auditors usually find:

  • Procedures marked as “Draft” or outdated versions still in circulation.

  • Records missing signatures, dates, or verification steps.

  • Inconsistent filing systems—auditors can’t find what they ask for.

  • No proof of document approval or change control.

Pro Tip: Make sure only the current version of each procedure is available where work is done. Outdated SOPs on the shop floor are one of the fastest ways to get written up.

Common pitfall: I’ve seen companies scramble when an auditor asks for a training record, only to discover it was saved on someone’s desktop instead of the controlled system. That gap turned into a non-conformity.

Real-world example: One client avoided issues by creating a simple “document master list” that tracked every procedure, its revision number, approval date, and location. When the auditor asked about calibration SOPs, the quality manager pulled it up in seconds, showing full control. The auditor commented that it was one of the cleanest systems they’d seen.

Strong document control isn’t just about passing an audit—it’s about proving your QMS is reliable and trustworthy.

Risk Management Integration in ISO 13485 Audit Non-Conformities

Risk management is one of the pillars of ISO 13485, yet it’s also one of the most frequent sources of non-conformities. Auditors expect companies to not only have a risk management procedure (usually aligned with ISO 14971) but to show that it’s consistently applied and kept up to date.

Typical audit findings:

  • Risk files created once during design and never updated.

  • No link between risk assessments and post-market data (complaints, incidents, CAPAs).

  • Risks identified but no clear controls or verification that controls are effective.

  • Missing evidence that risk management is integrated into purchasing, supplier evaluation, or production.

Pro Tip: Don’t silo risk management in R&D. Show how it flows into supplier qualification, change control, and complaint handling. This proves it’s an ongoing process, not a checkbox.

Common pitfall: I’ve seen companies treat risk files as a one-time project for certification. When the auditor asked, “How was this updated after your last product complaint?” the answer was silence. That turned into a major non-conformity.

Real-world example: A client I worked with built a quarterly “risk review” into management meetings. Every complaint, CAPA, or design change was reviewed for risk impact. The auditor highlighted this as a best practice because it showed continuous integration of risk management across the business.

Auditors know risks change over time. If your files don’t reflect reality, they’ll write it up every time.

CAPA and Nonconformity Handling in ISO 13485 Audit Non-Conformities

If document control is the number one finding, CAPA is usually a close second. Corrective and Preventive Action (CAPA) shows how your company deals with problems. Auditors want to see that issues aren’t just recorded, but actually investigated, fixed, and prevented from happening again.

Typical audit findings:

  • CAPAs left open for months with no follow-up.

  • Weak or missing root cause analysis—treating symptoms instead of causes.

  • No proof of effectiveness checks to confirm the fix actually worked.

  • Nonconformities logged but not trended, so recurring problems slip through.

Pro Tip: Always show closure and effectiveness. A CAPA that ends with “action completed” but no data proving the fix worked will almost always be flagged.

Common pitfall: I’ve seen companies close CAPAs just before the audit, hoping auditors won’t look too closely. They always do—and when the evidence isn’t there, it becomes a major finding.

Real-world example: A client implemented a CAPA dashboard showing status by age, owner, and effectiveness. When the auditor asked about overdue CAPAs, they pulled up live data showing none were past due. The auditor wrote in the report: “Strong CAPA tracking system—well controlled.”

Handled well, CAPA is one of the strongest signals of a mature QMS. Handled poorly, it’s one of the fastest ways to earn repeat findings.

Supplier Controls in ISO 13485 Audit Non-Conformities

Suppliers can make or break the safety of a medical device, which is why auditors pay close attention to how you manage them. Weak supplier controls are one of the most frequent ISO 13485 non-conformities, especially for smaller companies that assume “trusted relationships” are enough.

Typical audit findings:

  • No documented process for supplier qualification or re-evaluation.

  • Missing supplier performance monitoring (on-time delivery, defect rates, complaints).

  • Approved supplier lists not maintained or outdated.

  • No clear risk-based approach for critical suppliers (e.g., sterilization providers, material suppliers).

Pro Tip: Keep supplier files audit-ready. Each file should include the approval form, contracts/agreements, performance evaluations, and any corrective actions.

Common pitfall: I’ve seen companies rely on email chains as “proof” of supplier approval. Auditors expect formal documentation, not casual notes. This gap almost always becomes a non-conformity.

Real-world example: One client set up a quarterly supplier scorecard that tracked delivery performance, defect rates, and complaint history. When the auditor asked, “How do you monitor your suppliers?” the quality manager pulled up the scorecards. The auditor noted it as an excellent practice because it proved continuous oversight.

Strong supplier controls show auditors you’re managing your risks before they become product problems.

Training and Competence in ISO 13485 Audit Non-Conformities

Even with perfect procedures, nothing works if your people aren’t trained to follow them. That’s why auditors spend time during Stage 2 speaking directly with employees. Training and competence issues regularly show up as ISO 13485 audit non-conformities because they expose whether the QMS is truly embedded.

Typical audit findings:

  • Training records incomplete, missing signatures, or not updated.

  • Employees unable to explain their role in the QMS or recall the quality policy.

  • Training treated as a one-time event with no follow-up on effectiveness.

  • No formal process to evaluate competence beyond attendance sheets.

Pro Tip: Don’t just show training records—show how you measure competence. Quizzes, on-the-job observations, or supervisor sign-offs all demonstrate effectiveness.

Common pitfall: I’ve seen auditors ask a machine operator, “How do you know this procedure is current?” If the operator shrugs, it becomes a finding—even if the document system itself is solid.

Real-world example: A medical device company I worked with created a training matrix that mapped every role to required competencies. Each employee had a record showing completed training and an assessment of effectiveness. The auditor noted it as one of the best systems they’d seen because it tied training directly to job requirements.

At the end of the day, auditors want proof that your team isn’t just trained—they’re capable.

Internal Audits and Management Reviews in ISO 13485 Audit Non-Conformities

Internal audits and management reviews are the backbone of a functioning QMS. They prove you’re checking your own system and that leadership is engaged. When they’re weak or superficial, auditors flag them quickly.

Typical audit findings:

  • Internal audits rushed just before the certification audit.

  • Audit reports that only “tick boxes” instead of identifying real findings.

  • No corrective actions raised from internal audits (which makes auditors wonder if you’re being thorough).

  • Management reviews missing required inputs like regulatory updates, complaints, or CAPA status.

  • No evidence that outputs (decisions, resource needs, improvements) were followed up.

Pro Tip: A strong internal audit program should find issues. Auditors don’t expect perfection—they expect self-awareness and improvement.

Common pitfall: I once saw a company present a management review with only one slide: “QMS is effective.” No data, no actions, no review of CAPAs. The auditor immediately wrote a major non-conformity.

Real-world example: A client built their management review around metrics—customer complaints, audit findings, supplier performance, training effectiveness. They documented not just what was reviewed, but the actions taken and deadlines. The auditor called it “a clear demonstration of leadership commitment.”

Done right, internal audits and management reviews show auditors that you take ISO 13485 seriously and that your QMS is more than just paperwork.

FAQs on Top ISO 13485 Audit Non-Conformities

Q1. What’s the difference between a major and minor non-conformity in ISO 13485 audits?

  • A minor non-conformity is a small gap (e.g., a missing signature on one record). It requires correction but usually doesn’t block certification.

  • A major non-conformity is systemic (e.g., no evidence of risk management or no CAPA process). Certification is delayed until it’s resolved.

Q2. Can a company fail an ISO 13485 audit because of non-conformities?
Yes. Major non-conformities must be closed before certification can be granted. Too many minors can also add up and trigger corrective actions that delay approval.

Q3. How much time do we get to fix ISO 13485 audit non-conformities?
Typically, you’ll have 30–90 days depending on the certification body. Minor ones can often be closed with a corrective action plan, while majors require evidence of implementation before certification.

Conclusion: Reducing ISO 13485 Audit Non-Conformities

The truth is, most ISO 13485 audit non-conformities aren’t surprises. They show up year after year in the same areas: documents, risk management, CAPA, suppliers, training, and management oversight.

The companies that pass smoothly don’t just prepare paperwork—they run a QMS that works in real life. They keep documents under control, update risk files regularly, close CAPAs effectively, monitor suppliers, train their people, and hold meaningful management reviews.

From what I’ve seen, the organizations that invest in mock audits and clause-by-clause readiness checks catch 80% of these issues before the auditor even walks in. That’s the difference between scrambling to fix findings and walking confidently toward certification.

Next step: Review this list with your team, run an internal audit against it, and close the gaps now. If you can show evidence for each of these areas, you’ll avoid the most common ISO 13485 audit non-conformities—and put yourself on a clear path to certification.
