MDSAP QMS Internal Auditing Must Verify Regulatory Compliance
November 24, 2025
If an organization performs internal auditing only to its SOPs but not also to check the SOPs’ and the organization’s regulatory compliance, then it would be in violation of MDSAP’s requirements for internal auditing. Such an approach would, upon discovery, result in an official nonconformity issued by the MDSAP AO. I explain further below.
First, remember that an MDSAP internal audit shall determine whether the MDSAP QMS conforms not only to the planned and documented arrangements and QMS requirements established by the organization (i.e., auditing to the organization’s own SOPs), but also to the requirements of ISO 13485 and applicable regulatory requirements. Remember also that “applicable regulatory requirements” is officially defined (in part) as requirements contained in any law applicable to the ISO 13485 organization (e.g., statutes, regulations, ordinances or directives). In addition, MDSAP elaborates on, and requires conformity with, applicable regulatory requirements such as vigilance, recall, premarket authorization, registrations, and so on. So be sure your internal audit program covers all of these, not just your SOPs.
Note also that internal audits are mandatory in addition to any external audits (except for colloquially “external” audits that are actually outsourced internal audits, such as the ones our clients do with us). True external audits (e.g., by the MDSAP Auditing Organization) do not fulfill the requirement for you to do internal audits. The longstanding reasoning for this is that external audits are relatively limited sampling opportunities to assess the QMS, whereas the organization’s internal audit program is expected to fill the gaps.
Finally, neither MDSAP nor ISO 13485 prohibits the organization from doing audits in phases. Thus, if the organization chooses to do a procedural audit first and an implementation audit separately, or to use any other phased approach, that is fully acceptable. Therefore, if a phased approach works best for your organization, then by all means do so. The most important thing is that the approach works for the organization to meet applicable requirements. Avoid overly strict logistical mandates. Indeed, ISO 13485 and MDSAP specifically and intentionally allow for this kind of flexibility.