Back to the Glossary

Internal Audit Program

An Internal Audit Program is the comprehensive plan or system established by an organization, typically under Clause 9.2 of ISO 9001, to carry out Internal Audits. It defines the necessary elements—including frequency, methods, responsibilities, planning requirements, and reporting—required to regularly verify that the QMS conforms to internal and external requirements and is effectively implemented and maintained.

The Internal Audit Program is a mandatory, systematic, and documented process required by international Quality Management System (QMS) standards (like ISO 9001 and ISO 13485) and regulatory frameworks (like the FDA's Quality System Regulation, 21 CFR Part 820, and the requirements for HCT/Ps).

In essence, the Internal Audit Program outlines the "who, what, where, and when" for auditing the organization's adherence to its established quality procedures and objectives.

Frequently Asked Questions (FAQs) Associated with the Internal Audit Program

1. What are the objectives of the Internal Audit Program?

The Internal Audit Program is designed to ensure that the Quality Management System (QMS):

  • Conforms to the organization's own requirements for its QMS.
  • Conforms to the requirements of the relevant International Standard (e.g., ISO 9001).
  • Is effectively implemented and maintained.
  • Is suitable to achieve quality system objectives.

For medical device manufacturers specifically, the FDA requires quality audits to ensure the quality system complies with established requirements and to determine its effectiveness.

2. What are the mandatory components of an Internal Audit Program (ISO 9001)?

Under ISO 9001:2015, the organization shall:

  1. Plan, establish, implement, and maintain an audit programme(s).
  2. The program must specify the frequency, methods, responsibilities, planning requirements, and reporting.
  3. The program must take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits.
  4. The organization shall define the audit criteria and scope for each audit.

Furthermore, the Internal Audit Program is a mandatory record that must be retained as evidence of compliance with ISO 9001 (Clause 9.2).

3. What criteria must the auditors satisfy?

To ensure the integrity of the results, the organization must select auditors and conduct audits to ensure objectivity and the impartiality of the audit process.

  • Under the FDA QSR (21 CFR 820.22), quality audits shall be conducted by individuals who do not have direct responsibility for the matters being audited.
  • Providing trained personnel is considered an adequate resource requirement for assessment activities, including internal quality audits.
  • It is considered healthier for internal auditors to audit outside their usual management line to bring a degree of independence to their judgments.

4. How are the results of the Internal Audit Program managed?

The outputs and records of the audit program drive continuous improvement:

  • Reporting: The organization must ensure that the results of the audits are reported to relevant management. Under FDA regulations, the audit report must be reviewed by management having responsibility for the matters audited.
  • Corrective Action: The organization shall take appropriate correction and corrective actions without undue delay based on the audit results.
  • Reaudit: Corrective action(s), including a reaudit of deficient matters, shall be taken when necessary. The quality audit process is a primary source for identifying issues that trigger the CAPA (Corrective and Preventive Action) process.
  • Documentation: The dates and results of quality audits and reaudits shall be documented. Management with executive responsibility must certify in writing that the required quality audits have been performed and documented, and that corrective action has been undertaken.
  • Management Review Input: Relevant information on identified quality problems, as well as corrective and preventive actions, must be submitted for management review.

5. Are there resources available to help staff implement the Internal Audit Program?

Yes, specialized resources are available:

  • Training: Organizations can enroll staff in an ISO 9001 Internal Auditor training course, which teaches participants how to effectively implement an internal QMS audit against the requirements of ISO 9001:2015.
  • Procedures: A documented procedure for the internal audit is listed as a commonly used non-mandatory document that supports ISO 9001 implementation.
  • Software: Integrated QMS software often includes an Audit Management module, which can streamline audit planning, execution, and link findings directly to the CAPA process.

Ready to see what Botable can do for you?

Book your demo now to see how Botable can transform your workplace.

Identify your unique challenges

Flexible pricing options

Easy integrations

Step-by-step implementation plan

Customize Botable for your workflow

Book a demo

Find out how Botable can answer your employee’s questions in just 30 minutes.