What it really means to be "audit-ready" when you're on the market

July 6, 2026 ░░░░░░

What it really means to be audit-ready post-market

For some medical device companies, audit-ready is a stage that arrives after a lot of frantic, pre-audit work. An inspection or notified body audit is scheduled, and the next two weeks turn into a sprint to assemble records, chase signatures, and reconcile the complaint log against the list of open corrective and preventive actions (CAPAs). The spreadsheets come out. Someone rebuilds a post-market surveillance summary from three different places because no single version is current.

But if readiness only exists in the weeks before an inspection, then the quality system was never actually ready.

Here's a better way to think about it: audit-ready is how the system should run day to day. A post-market quality management system either produces traceable, connected records as part of normal work, or it produces gaps someone has to fix later on.

Why QMSR makes daily readiness non-negotiable

The Quality Management System Regulation (QMSR) took effect Feb. 2, 2026, replacing the Quality System Regulation (QSR) that governed device manufacturers for decades. And the change has reshaped how inspections work.

When the FDA retired the Quality System Inspection Technique (QSIT), the document that structured inspections under the old regulation, they put out a new compliance program to take its place. Under the new program, an investigator may pull records across subsystems like complaints, CAPA, medical device reporting, and risk management to test real-world effectiveness. Investigators may ask a team to show how it updated its risk file after a specific complaint, or how it justified the residual risk that remained.

Additionally, exemptions that kept internal audit reports, supplier audit reports, and management review records out of FDA's reach are gone. Those records are now subject to inspection. An internal audit that exists mainly to satisfy 21 CFR Part 820 on paper is no longer enough, because the investigator can read it and compare what it claims against what the live system shows.

What audit-ready looks like in daily work

Continual readiness is not an abstract concept. It shows up as a handful of habits that leave a traceable record behind every time the team does day-to-day work.

Take complaints, for example. Under 21 CFR Part 820.198 and ISO 13485 Clause 8.2, every complaint has to be received, evaluated, and resolved, with a documented justification even when the team decides not to investigate. Readiness means each complaint links forward to its reportability decision and, when one is warranted, to the CAPA it triggers. A control number ties the complaint to the evaluation to the CAPA, so the whole sequence reads as one record. When that system is in place, it creates a complete chain an investigator can easily understand and follow.

CAPA works the same way. A corrective action that closes with a documented root cause, a completed action, and verified effectiveness, all traced back to the complaint or nonconformance that opened it, is an audit-ready record by default. The metric that signals health here is the share of CAPAs closed effectively rather than simply closing them to meet a due date. Teams that are able to show their CAPA program is effective with accurate verification of effectiveness (VoE) checks rarely get surprised during an inspection.

Risk management is where daily discipline pays off most under QMSR. Risk files have to stay current and reflect real product performance, not sit frozen at the state they held at launch. When a complaint shows a failure mode the team had rated as unlikely, the risk file should be updated that week, with a traceable line running from the post-market surveillance data to the risk file to the original design controls. That single connected thread answers two questions investigators often ask: show me how you updated your risk file after this complaint, and show me how you justified the residual risk.

Where readiness breaks down

When the complaint log lives in one spreadsheet, CAPAs in another tool, and the risk file in a static document, the records exist but the links between them are lost. Audit prep becomes reconciliation work that might include matching complaint IDs to CAPA numbers by hand, confirming that the risk file reflects the last six months of field data, and rebuilding a surveillance summary that no system maintains on its own. Each audit costs weeks because the connecting work was deferred rather than done immediately.

Deferred risk updates create a larger problem. A team that hasn't touched its risk file since clearance can't justify residual risk on the spot, and risk-based sampling is designed to identify that. An investigator who pulls a recent complaint and asks to trace it into the risk file is testing the link between two tools, which is precisely where disconnected systems come apart.

The common objection is that the team will tighten everything up before the audit, but that logic underestimates the cost of cleanup. Work before an inspection takes longer than upkeep would have, and it carries more risk because it happens under deadline pressure.

Three audits in six weeks: the MediBeacon example

MediBeacon, a medical device company developing fluorescent tracer agents and transdermal measurement systems, faced a stretch that would strain any quality team. In a six-week span the company went through an internal audit, then a stage one audit under the EU Medical Device Regulation with its notified body, then a combined audit covering ISO 13485 surveillance, Medical Device Single Audit Program (MDSAP) surveillance, and EU Medical Device Regulation certification. The company passed all of them with zero major findings.

What made that possible was not a heroic prep effort. It was the fact that document control, training, supplier records, CAPAs, nonconformances, and customer feedback all lived in Greenlight Guru's connected eQMS.

Kallen Withers, the project leader who has run MediBeacon's quality system for years, could pull any record or procedure in real time and take auditors through a CAPA workflow live, moving from the source complaint to the action taken to the documented root cause. Auditors consistently noted how easy it was to reference linked documentation and records.

Building readiness in before the date is set

The teams that breeze through audits are not working harder during audit week. They moved the effort upstream, into the daily and weekly habits that keep complaints linked to their outcomes, CAPAs closed with traceability intact, and risk files current with real field data. By the time a date lands on the calendar, there's nothing to assemble, because the system already tells the story an investigator wants to read.

That shift is harder to make when the quality system spreads across spreadsheets and disconnected tools, and far easier when the records connect by design.

Keep reading

If you are building out your audit-readiness process, these related guides go deeper on the specific components:

BONUS RESOURCE: Click here to download the post-market maturity curve guide.

Greenlight Guru's eQMS was built for medical device teams to keep those links intact as a byproduct of normal work, so post-market readiness holds steady between inspections instead of spiking before each one.

If you're ready to see what that looks like in practice, get your free demo of Greenlight Guru today.

Etienne Nichols is the Head of Industry Insights & Education at Greenlight Guru. As a Mechanical Engineer and Medical Device Guru, he specializes in simplifying complex ideas, teaching system integration, and connecting industry leaders. While hosting the Global Medical Device Podcast, Etienne has led over 200...

BONUS RESOURCE:
Post-market maturity curve guide
Download now
What comes after launch ebook cover
Search Results for:
    Load More Results