For as long as most quality professionals can remember, internal audit reports have operated under an unspoken compact: be honest, be thorough, be candid — because the FDA will never see this document.

That compact has been voided.

When the Quality Management System Regulation took effect on February 2, 2026, it did not merely change how FDA aligns its quality requirements with ISO 13485. It fundamentally altered the inspection boundary between what is visible to regulators and what is not. Internal audit reports, supplier audit reports, and management review documentation — three categories of records that have been shielded from routine FDA inspection for decades — are now subject to investigator review.

This is not a minor procedural adjustment. It is a strategic disruption that forces every medical device company to rethink the purpose, structure, and quality of its internal audit program.

How We Got Here: The Rise and Fall of CPG 130.300

The Compliance Policy Guide Section 130.300 has been the industry's security blanket since the late 1990s. It established that FDA investigators would not, as a matter of policy, request or review reports from internal quality audits during routine inspections. The rationale was sound: if companies feared regulatory reprisal from candid self-assessment, they would stop conducting candid self-assessments. The policy encouraged transparency within organizations by guaranteeing that transparency would not be used against them.

QMSR changed the calculus. ISO 13485, which QMSR incorporates by reference, does not distinguish between internal and external audit documentation for the purpose of regulatory review. When FDA harmonized with the international standard, the protective boundary that CPG 130.300 created became incompatible with the new regulatory framework.

The old CPG technically remains on FDA's website, noted as current as of February 3, 2026. But the QMSR final rule preamble and the new inspection compliance program make the agency's position unambiguous: investigators can and will request internal audit reports, supplier audit reports, and management review records during QMSR-based inspections.

The Tension: Candor Versus Exposure

This creates a genuine strategic dilemma for quality leaders. The entire value of an internal audit program rests on candor. An internal audit that softens findings, avoids identifying systemic issues, or documents only what looks good is an audit that fails its primary purpose. ISO 13485 Clause 8.2.4 explicitly requires that internal audits evaluate whether the QMS conforms to requirements and is effectively maintained.

But candor in a world where FDA can see the output creates new risks. An internal audit report that identifies a significant quality system gap becomes, in the wrong context, a documented acknowledgment of noncompliance. If that report shows no corresponding corrective action, no risk file update, and no management review discussion, it transforms from a sign of good governance into evidence of negligence.

The resolution of this tension is not to write less honest audits. That path leads to an internal audit program that fails to identify risks, which creates even greater regulatory and business exposure. The resolution is to ensure that every finding in an internal audit report has a clear, documented, traceable path to resolution.

The finding must trigger appropriate action — whether a CAPA, a risk assessment, a process change, or a documented risk acceptance decision. The action must be implemented and verified. The outcome must be communicated to management through the review process. And the evidence trail connecting finding to action to closure must be complete, current, and audit-ready.

In other words, the standard for internal audits has not changed. The standard for what you do after the audit has changed dramatically.

The Retroactive Exposure Problem

There is a time bomb in this transition that too few quality leaders have recognized. FDA has stated explicitly that investigators may review records created before February 2, 2026, to assess compliance with QMSR requirements. This means your 2024 and 2025 internal audit reports — written under the assumption that CPG 130.300 would protect them — are now potentially on the table.

Consider what that means in practice. Your quality team conducted internal audits in 2024 and 2025 with the understanding that these were internal working documents. The language may be informal. The findings may be stark. The corrective actions may be incomplete. The follow-through may be documented inconsistently.

If an investigator requests these reports during a 2026 inspection and finds documented but unresolved findings, the exposure is immediate. It is not a matter of the auditor being unfair. It is a matter of the company having documented evidence that it identified a problem and did not close the loop.

The corrective action is straightforward but time-sensitive: review all internal audit reports from the past 24 months. For any findings that remain open, either close them with documented corrective action or document a risk acceptance decision with supporting rationale. For any findings where the corrective action trail is incomplete or untraceable, reconstruct the evidence trail now. Waiting for an investigator to find these gaps is the worst possible approach.

From Periodic Checklists to Continuous Intelligence

The traditional internal audit model — annual schedule, checklist-based execution, report filed, CAPAs tracked to closure — was adequate for a regulatory environment where internal audits were shielded from external review and inspections followed predictable subsystem patterns.

The new environment demands something different. When FDA investigators use risk-based sampling across the entire QMS and have access to your internal audit output, the question is no longer whether your audit program checks the box. The question is whether your audit program generates the kind of intelligence that drives proactive quality improvement.

A risk-based internal audit program does not audit on a calendar. It audits based on where the data shows risk is concentrating. When complaint trends shift, the audit program responds. When CAPA data shows recurring root causes in a specific process, the audit program investigates. When supplier performance data flags a concern, the audit program evaluates the interaction between supplier controls and production outcomes.

This is what audit intelligence enables: a continuous, data-driven audit approach that treats internal auditing not as a compliance obligation but as a strategic sensing mechanism. The output is not just a report. It is an integrated view of quality system health that connects audit findings to CAPA trends, complaint data, supplier performance, and management actions.

What an Intelligence-Driven Audit Program Looks Like

Traditional audit program: annual schedule, process-based scope, checklist execution, findings documented, CAPAs tracked, management review summary prepared. The cycle repeats regardless of what the data shows.

Intelligence-driven audit program: audit scope and frequency determined by real-time risk signals from complaint data, CAPA trends, supplier metrics, and previous audit findings. Audit resources are deployed where the data indicates risk is highest. Findings are integrated into the quality system's risk management framework. Management review receives not just audit results but predictive risk analysis that informs resource allocation decisions. The program adapts continuously based on what the data reveals.

The second model is not only more effective at identifying risks — it is inherently more defensible under the new inspection framework. When an investigator asks how you determined the scope and frequency of your internal audits, the answer is not "we follow our annual schedule." The answer is: we use quality data to direct audit resources toward the areas of highest risk, and here is the documented evidence of how that analysis informed our audit plan.

That is the kind of answer that demonstrates governance, not just compliance.

Five Actions for Quality Leaders

First, conduct an immediate review of all internal audit reports from 2024 and 2025. Identify any findings with incomplete corrective action trails and close them now.

Second, establish a documentation standard for internal audit reports that assumes FDA will review every one. This does not mean less candor. It means more rigor in connecting findings to actions to outcomes.

Third, evaluate your audit scheduling approach. If you are auditing on a calendar rather than based on risk data, you are operating an audit program that cannot justify its priorities under the new framework.

Fourth, integrate your internal audit findings with your CAPA, risk management, and management review processes. The evidence trail from finding to action to closure to management communication must be complete and traceable.

Fifth, assess whether your quality data infrastructure supports a risk-based, intelligence-driven audit program. If your audit findings live in one system, your CAPAs in another, your complaint data in a third, and your supplier performance in a fourth, you do not have the connected visibility that the new inspection framework demands.

Internal audits were never really internal. They were always a reflection of your quality system's health. The difference now is that the FDA can see that reflection too. Make sure it shows governance, not gaps.

Ready to Transform Your Internal Audit Program?

See how Qualera helps medical device companies transform internal audit programs from periodic checklists into continuous, intelligence-driven quality sensing systems.