Unannounced Audits: A Survival Guide for Quality Managers

August 16, 2020

Unannounced Audits_ A Survival Guide for Quality Managers

We’re in an industry that requires preparation. Unlike less regulated industries, there’s an expectation in the medical device industry around the possibility that an inspector or auditor can show up without notice and stop a business in its tracks.

That’s why, when the State of Medical Device Product Development and Quality Management Report was released, readers were surprised to discover most medical device companies wouldn’t be prepared in the event of an unannounced audit.

In particular, one of the most striking dividing lines between the prepared and unprepared was the use of best-in-class class-tools. Findings revealed that 40% of companies that invest in quality tools say they’re very confident they could pass a surprise audit; fewer than 20% of companies using legacy tools feel the same.

In this post, we’ll explore the possible ramifications of being caught unprepared for unannounced audits and inspections and actionable steps quality managers can take to not only survive these harrowing events, but thrive when it matters most.

FREE DOWNLOAD: Click here for our previously confidential FDA QSR + ISO 13485 Internal Audit Checklist.

What to expect with unannounced FDA inspections and audits

The stakes are high if caught unprepared during an audit. It can take months to recover. If remediation efforts require the help of outside consultants, costs and timelines can soar. Risks can be even greater for FDA inspections, which can carry punitive measures that range from citations and fines to product recalls and potentially even litigation.

FDA inspections

From 2007 to 2017, there was a 46% increase in the number of device inspections per year. With inspections on the rise, preparation becomes even more important.

If FDA finds a non-compliant process during an inspection—announced or unannounced—you will be issued a 483 Form.

A medical device facility may receive a 483 observation, FDA says:

When in the investigator’s judgment, conditions or practices observed would indicate that any food, drug, device or cosmetic has been adulterated or is being prepared, packed, or held under conditions whereby it may become adulterated or rendered injurious to health.

If you're the unlucky recipient of a 483 observation, you have 15 days to respond.

Depending on the severity of the noncompliance observed, a 483 observation can be escalated to a FDA warning letter. We’ve seen cases where companies invested millions of dollars in consulting services and spent months of unplanned project time to remediate FDA warning letter findings.

It pays to be prepared. Moreover, it pays to invest in tools that enable effective preparation.

Data-driven research from the 2020 Industry Benchmark Survey found that 50% of FDA device-surveillance inspections are the result of quality system failures. 

Correlating well with this is the fact that the same proportion, about 50%, of medical device companies are still using traditional paper or electronic document-based “paperless” systems to manage quality.


It’s important to adopt the best QMS software tools that have the guardrails in place to protect you in the event of an unannounced inspection; meaning you won’t always have time to duct-tape your legacy system tools before they walk through your door.

FDA has always carried out both announced and unannounced inspections for the medical device industry. If you’re manufacturing Class II or Class III devices, an FDA inspector will typically make announced visits to your facility every two years or more as standard practice.

If FDA has found issues in the past, however, or if your device is deemed high risk, inspectors may be more frequent guests of yours. FDA usually announces pre-approval and routine inspections five calendar days before conducting them.

Your company will need to account for those unannounced inspections, too. FDA only conducts quality system inspections on an unannounced basis. Additionally, FDA doesn’t pre-announce follow-up inspections and “for cause” inspections.

ISO Audits

In the past, auditing organizations and notified bodies would typically give advance notice of an upcoming audit. That’s since changed though and unexpected audits are now commonplace in the markets in which these organizations serve.

There are many differences between how FDA inspections and ISO audits are conducted, but the nature of the preparation rests on similar principles.

ISO 13485:2016 is a voluntary standard, not a regulation. To obtain ISO certification, a manufacturer's QMS will undergo a conformity assessment audit to determine whether ISO 13485 requirements have been met.

Third-party audits don’t have the same enforcement mechanisms that FDA inspections do. The relationship is reversed: you pay these organizations to conduct the audit so that you can obtain ISO certification.

ISO certifications are applicable in many regulatory regimes around the world, so it's extremely useful to have and maintain that certification.

Ensure quality procedures will pass QMS Inspection

Poor documentation of procedures is one of the biggest causes of regulatory citations from unannounced audits.

If your documentation isn’t in order, inspectors and auditors may become suspicious and start pulling at the proverbial thread to uncover potential issues that they have reason to suspect exist within your systems and processes.

When it comes to FDA inspections, the three most commonly cited sources of noncompliance include poorly documented procedures for corrective and preventive action (CAPA), complaint files, and medical device reporting (MDR).

CAPA procedures

FDA’s regulatory requirements for CAPA procedures can be found in 21 CFR 820.100(a), all corresponding activities of which must be documented.

A medical device company must clearly document and adhere to the corrective and preventive action procedures they’ve defined in order to quickly and efficiently respond to issues by launching a CAPA investigation into the matter.

In the event of an unannounced inspection it’s revealed your CAPA procedures have not been established or properly adhered to, there's a strong possibility you may receive a 483 Form, which could then turn into a warning letter. 

If this happens, there’s a good chance this won’t be your last surprise inspection for the foreseeable future.

Complaint file procedures

FDA requires all medical device manufacturers to maintain complaint files that include, according to 21 CFR 820.198, “procedures for receiving, reviewing, and evaluating complaints by a formally designated unit.” 

The purpose of complaint file procedures is threefold, in which manufacturers must:

  1. Process complaints in an efficient and standardized way.

  2. Document oral complaints as soon as you receive them.

  3. Evaluate complaints to determine whether or not you should report them.

Medical device companies are required to document their decision to either investigate or not investigate the issue and provide objective reasoning as to why. If an investigation is deemed necessary, the manufacturer must designate a person responsible for documenting and overseeing the complaint process.

Companies should ensure their complaint file procedures are properly documented and comply with FDA quality system regulations. In the event of an unannounced inspection, these procedures are highly prone to close analysis by an inspector.

Medical device reporting procedures

FDA requires manufacturers to maintain systems for identifying events that require medical device reporting, document a formal review process, and communicate reports to stakeholders.

Your documented medical device reporting procedures must be in compliance with FDA regulations found in 21 CFR 803.17, which lists four types of documentation manufacturers must submit in a medical device report:

  • Information that was evaluated to determine if an event was reportable;

  • All medical device reports and information submitted to manufacturers and/or us;

  • Any information that was evaluated for the purpose of preparing the submission of annual reports; and

  • Systems that ensure access to information that facilitates timely followup and inspection by us.

If MDR procedures are found to be noncompliant following an FDA inspection, your company may be subject to 483 observations or other disciplinary actions.

Leverage document management tools

Controlling and managing documentation of your procedures is critically important in the medical device industry. If you’re relying on legacy tools to manage your quality processes, you could be inadvertently exposing your product and business to serious risks that would otherwise be nonexistent with purpose-built tools.

It’s important to choose a quality management solution that is built to enable and protect your medical device company. Modernized QMS tools like Greenlight Guru offer medical device specific quality management workflows that make documentation a nearly hands-off task. 

With Greenlight Guru’s document management software, medical device teams can:

  • Determine which stakeholders need to sign off on new or changed documents.

  • Control and document revisions, including e-signatures and watermarks.

  • Assign permissions to the people who need access—and only them.

By managing your documents electronically through an automated system, you can refocus efforts into enhancing your quality procedures instead of double- and triple-checking which file folder they’re located in and if it’s up to date. 

When an inspector or auditor asks for a specific document, you can retrieve it upon request and rest assured knowing that it’s the most updated version, complete with the necessary signatures of approval.

3 steps to prepare for unannounced audits/inspections

FDA requires medical device companies to perform internal audits regularly.

The quality of preparation for that internal audit, how it’s conducted, and its takeaways can vary widely based on how the company structures these reviews. 

With the right plan, however, you can audit your own systems and processes much more efficiently than an FDA inspector or auditor could; not to mention, you’ll give yourself the peace of mind knowing you’ll be prepared once they do come knocking.

#1: View your processes through lens of an inspector or auditor

After spending so much time working inside your own facility and developing your medical device processes, you’ve likely become overly familiar with your entire system. Aspects that may have once stood out to you may have already began to fade into background noise.

Ask yourself this: what do our processes look like to someone who’s unfamiliar with them?

Because of their training and inherent lack of familiarity with your organization, an auditor or inspector will not have the same assumptions or knowledge base you do. Before you conduct an internal audit, step back and view your processes through their lens.

Review your documents and procedures as if you were reading it for the first time. Read it aloud if it means slowing down and carefully looking at each word and its meaning. Don’t assume anything. Check and recheck that each referenced resource is accessible and every implication is understood.

At the very least, and perhaps most important of all, critique how your processes look and function in relation to how you’ve defined the procedures in your QMS. What's documented in your quality system and what exists in real life should be in sync.

One tip you can use to enhance the results of your internal audits is to leverage the public database of warning letter reports published by FDA. Search for medical devices similar to your own and ask yourself whether an inspector would find similar flaws in your related processes.

#2: Conduct the internal audit

Armed with an outsider’s perspective, you can conduct a comprehensive and effective internal audit.

Consider implementing these three best practices for your own internal quality audits:

  1. Document your internal audit process, including the scope of the relevant regulations and which ones apply.

  2. Plan ahead so that you aren’t bound to hiring outside consultants.

  3. Treat your internal audits like opportunities, rather than compliance requirements.

These steps are important precisely because the role of an auditor or FDA inspector only goes so far. If you find issues, remediation is your responsibility.

#3: Leverage audit management tools

Conducting an internal audit can be intimidating—but it doesn’t have to be.

Audit management software built for medical device companies simplifies the internal and external audit experience. Greenlight Guru’s medical device QMS enables you to:

  • Plan audits in advance and set notifications.

  • Assign audits tasks and track progress.

  • Ensure your QMS is fully traceable and fully auditable.

Our eQMS solution offers purpose-built workflows for audit management that enable rigorous internal examination so that you can audit yourself better than anyone else can. Teams have full visibility into each document and every procedure, making it easy to establish a policy that everyone can follow in the event of an unannounced audit.

FREE DOWNLOAD: Click here for our previously confidential FDA QSR + ISO 13485 Internal Audit Checklist.

Stay ahead of auditors and your competition

Medical device leaders understand the importance of preparation and their position in the market speaks for how it pays off.

Findings from the 2020 industry benchmark survey found that the majority (55%) of respondents from competitive market-leading companies believed it would take a week or less to prepare for an audit. In comparison, only 38% of noncompetitive organizations could say the same.

If you want to join the ranks of industry market leaders and ensure audit preparation to stay ahead of regulators and competitors, adopting modern technology to enable you is key. Greenlight Guru is here to help. Get your free demo of our QMS software today →

Looking for an all-in-one QMS solution to advance the success of your in-market devices that can integrate your post-market activities with product development efforts? Click here to take a quick tour of Greenlight Guru's Medical Device QMS software →


Jon Speer is a medical device expert with over 20 years of industry experience. Jon knows the best medical device companies in the world use quality as an accelerator. That's why he created Greenlight Guru to help companies move beyond compliance to True Quality.

FDA QSR & ISO 13485:2016 QMS Internal Audit Checklist
Download Now
FDA QSR & ISO 134852016 QMS Internal Audit Checklist - Slide-in Cover
Search Results for:
    Load More Results