Internal Audits Are Now FDA-Inspectable Records. Act Accordingly.

For decades, internal audit reports occupied a protected space in the MedTech quality system. Under 21 CFR Part 820, specifically §820.180(c), manufacturers had an explicit exemption: FDA investigators could not review or copy internal audit reports during inspections. The logic was sound at the time — protect the candor of the audit process so companies would be honest with themselves about their quality system weaknesses.

That exemption is gone.

When QMSR took effect on February 2, 2026, it replaced the prescriptive Part 820 requirements with ISO 13485:2016 as the harmonized standard. And ISO 13485 Section 8.2.4 requires internal audits — planned intervals, documented procedures, objective evidence, corrective actions. There is no carve-out for regulatory review. Under QMSR, your internal audit records are FDA-inspectable. Full stop.

What Changed — and Why It Matters

The old Part 820 framework treated internal audits as a private exercise. You had to do them. You had to keep records. But the FDA couldn't look at what you found. That created a peculiar dynamic: companies could run rigorous internal audits without fear that honest findings would become regulatory ammunition. It also allowed companies to run superficial audits with no accountability.

QMSR eliminated that asymmetry. By adopting ISO 13485 as the quality system standard, the FDA accepted the ISO framework wholesale — including its transparency requirements. Your audit program, individual audit reports, findings, objective evidence, corrective action records, and evidence of CAPA effectiveness are all now reviewable during inspection.

The audit reports you wrote assuming no one outside your company would ever read them? An FDA investigator can now request them by name.

What Inspectors Will Actually Look For

If you've been through an ISO 13485 certification audit with a notified body, you have some idea what external auditors expect from an internal audit program. FDA investigators operating under CP 7382.850 will look for similar evidence — but with a regulatory enforcement lens rather than a certification lens.

Investigators are trained to evaluate whether your internal audit program is a functioning quality mechanism or a compliance artifact. They know the difference. And now they have the authority to look.

The "Gotcha" Scenarios

Let's talk about what gets companies in trouble. These aren't hypothetical — they're patterns I've seen across hundreds of audits.

The Clean Audit Report

Audit after audit that finds zero nonconformities. On paper, this looks like a mature quality system. In practice, it signals a weak audit program. No quality system is perfect. If your internal audits consistently find nothing, your auditors aren't looking hard enough — or they aren't empowered to report what they find. An FDA investigator who sees three consecutive years of clean audit reports will not conclude that your quality system is flawless. They'll conclude that your audit program is inadequate.

The Repeat Finding

The same nonconformity appears in multiple audit cycles with no meaningful improvement. This is worse than the clean audit, because it demonstrates that your organization identified a problem and failed to fix it. It calls into question the effectiveness of your entire CAPA process. Under QMSR, an investigator can trace a repeat finding from the initial audit report through the CAPA record to the verification of effectiveness — and when that chain breaks down, it becomes an observation.

The Scope Gap

Audit programs that conveniently skip certain QMS processes. Design controls haven't been audited in two years. Supplier management gets a cursory review. Complaint handling is covered but post-market surveillance isn't. ISO 13485 Section 8.2.4 requires that the audit program consider the importance of the processes concerned. If your audit schedule doesn't cover all QMS processes within a defined cycle, that's a gap an investigator will find.

How to Prepare

The good news: preparing for this change doesn't require rebuilding your audit program from scratch. It requires making your existing program rigorous enough to withstand external scrutiny.

• Ensure comprehensive coverage. Map every QMS process to your audit schedule. Every process gets audited within your defined cycle — no exceptions, no deferrals that stretch beyond reason.
• Train your auditors properly. Internal auditors should understand ISO 19011 principles: evidence-based approach, independence, ethical conduct, fair presentation. Document their training and maintain competence records.
• Document objective evidence. Every finding — conformity and nonconformity — should reference specific evidence. Which documents were reviewed. Which records were sampled. What was observed. Vague findings like "process appears adequate" won't survive regulatory scrutiny.
• Close CAPAs with verified effectiveness. When an audit identifies a nonconformity, the corrective action must address root cause, and the effectiveness verification must demonstrate that the problem was actually resolved. Not just that the corrective action was implemented — that it worked.
• Report to management. Internal audit results should feed directly into management review. Trends in findings, areas of strength, areas requiring resources — these are the inputs that demonstrate top management engagement with the quality system.

Where AI-Native Audit Intelligence Fits

Comprehensive internal audits require comprehensive document review. That's where most programs fall short — not because auditors lack skill, but because the volume of QMS documentation exceeds what any individual auditor can realistically review in the time allocated for an internal audit cycle.

Qualera's AI-native audit intelligence changes that equation. The platform reads and analyzes the full document set — every SOP, work instruction, form template, and record — identifying gaps, inconsistencies, and areas of risk that sampling-based approaches miss. It doesn't replace the auditor's judgment. It ensures the auditor walks into every audit with complete visibility into the document landscape.

Human auditors remain in command of findings and judgments. Qualera ensures they have the evidence base to make those judgments with confidence.

During beta, Qualera capabilities are delivered exclusively through MB&A engagements. Our auditors use the platform to prepare, execute, and report — ensuring that every internal audit meets the standard that QMSR now demands.

The Opportunity Most Companies Are Missing

Here's what I want quality leaders to understand: this isn't just a compliance risk. It's a competitive opportunity.

A strong internal audit program — one that finds real issues, drives real improvement, and documents real evidence — is now visible to the FDA. That visibility cuts both ways. Weak programs are exposed. But strong programs are demonstrated. When an investigator reviews your audit records and sees a well-planned program with competent auditors, objective evidence, effective CAPAs, and management engagement, it builds confidence in your entire quality system.

The companies that treat this change as a burden will spend the next year scrambling to clean up audit records. The companies that treat it as an opportunity will build audit programs that become a genuine asset — defensible to regulators, credible to acquirers, and meaningful to the people who actually run quality operations every day.

The exemption is gone. The standard is higher. Act accordingly.