Introduction
As a Notified Body auditor, I read a lot of internal audit reports. The good ones tell me the company is finding its own gaps before I ever walk in. The bad ones tell me the audit was done because MDR requires it — not because the company actually wanted to know what was wrong.
The difference between these two kinds of internal audits isn’t checklist length. It’s intent. A well-designed checklist forces honest conversations, surfaces uncomfortable findings, and challenges the comfortable assumption that “documented” equals “working.” A weak one just confirms what everyone already wanted to believe.
So, what should your MDR internal audit checklist actually include? Here’s what I’d be looking for if I were auditing your audit.
Organisational Structure and Legal Clarity
Before I look at anything else in an audit, I check one thing: does every process have a clearly assigned owner?
It sounds basic, but ownerless processes are the single most common source of organisational weakness I see — and they’re surprisingly frequent, even in companies that have invested heavily in their QMS. When a process doesn’t have a name attached to it, it doesn’t disappear. It falls into the gap between teams. Complaint handling technically exists, but no one is accountable for closing the loop. Supplier evaluation gets done every other year because everyone assumed someone else was tracking it. The risk file is updated reactively, because no single person owns keeping it current.
The standard items still need to be in place — legal status, ownership structure, reporting lines, roles and authorities, relationships with parent companies — but documentation alone isn’t what I’m verifying as an auditor. I’m verifying whether your structure actually produces accountability.
A few questions worth adding to your internal audit:
- For every key process in your QMS, can you name one person whose performance review reflects whether that process works?
- Are there processes that two teams claim to “share”? Shared ownership almost always means no real ownership.
- Look at procedures that haven’t been updated in over a year. The reason is rarely “we didn’t need to” — it’s usually that no one felt accountable enough to revisit them.
A clear organisational structure isn’t about having a polished org chart. It’s about making sure every responsibility lands on someone’s desk. When ownership is genuine, gaps surface early. When it’s diffuse, they surface during external audits — and by then, you’re explaining, not improving.
Independence and Impartiality
Independence isn’t just a policy on paper — it’s a structural decision baked into how the company is organised. And here’s one of the first things I check during an audit: does the same person manage both production and quality?
If the answer is yes, there’s a problem before I even open the documentation. Production and quality have fundamentally different incentives. Production wants to ship — to hit deadlines, fulfil orders, meet revenue targets. Quality has to be willing to stop shipments, reject batches, and delay launches when something isn’t right. When one person wears both hats, the system loses its ability to push back on itself. Quality decisions quietly become subordinate to production pressure — even when no one consciously means for that to happen.
This is one of the clearest examples of structural conflict of interest, and it’s particularly common in smaller manufacturers who consolidate roles to save costs. MDR doesn’t permit this consolidation for a reason: independence has to be designed into the org chart, not just claimed in a policy document.
Your internal audit should verify:
- Functional separation between production and quality, with reporting lines that don’t converge until they reach senior leadership
- Whether anyone signing off on quality decisions has direct accountability for production output or commercial targets
- Procedures to identify and manage emerging conflicts — not just existing ones, but those that arise as the company grows, restructures, or hires
- Documented evidence that decision-makers can refuse a release or escalate concerns without commercial pushback
Even perceived conflicts of interest matter under MDR. If a reasonable outsider would look at your structure and ask “how can this person possibly be independent?” — you have a finding waiting to happen, regardless of how that person behaves in practice.
The strongest companies I audit treat independence as an asset. They build it into hiring decisions, reporting structures, and incentive plans. The weakest treat it as a paragraph in a policy document and hope no one reads it too carefully.
Confidentiality and Information Control
Handling sensitive data requires strict control.
Your internal audit should confirm that confidentiality procedures are defined and implemented, access to information is restricted and controlled, personnel understand and comply with confidentiality obligations, and information is protected throughout all conformity assessment activities.
This is especially important for clinical and technical documentation.
Liability and Financial Stability
Financial robustness is often overlooked but it is essential.
Make sure your audit covers adequate liability insurance aligned with your activities, coverage that reflects the risk profile of your devices, availability of sufficient financial resources, and long-term operational sustainability.
This demonstrates reliability and trustworthiness as an organisation.
Quality Management System (QMS)
Your QMS is the backbone of MDR compliance — but as a Notified Body auditor, the question I keep returning to in every audit is this: does this QMS actually belong to the company, or to the consultant who built it?
This is one of the most uncomfortable patterns I see in the field. A QMS that has been entirely outsourced to an external consultant — and never absorbed into the company’s culture — looks complete on paper, but it breaks down the moment you talk to anyone outside the quality team. Engineers don’t recognise the procedures. Sales doesn’t know how complaints flow. Management reviews read like a consultant’s report rather than leadership’s actual decisions.
A QMS isn’t a deliverable handed over at the end of a contract. It’s how a company operates. So when your internal audit checks the standard items — QMS is established, document control is effective, CAPAs are closed, management reviews are conducted — push one layer deeper:
- Ask three employees outside the QA team to describe one core process from your QMS in their own words. If they can’t, the system isn’t yet owned internally.
- Read the tone of your management review minutes. If they sound like an external party wrote them, that’s a signal worth investigating.
- Compare procedure ownership on paper against who actually performs the work day-to-day. Misalignment here is a finding waiting to happen.
A QMS that exists only inside binders and consultant deliverables doesn’t protect your patients or your business. The strongest systems I encounter in audits — the ones that fly through with minimal findings — feel embedded. People talk about their procedures naturally, without checking a document first. That’s what a real QMS looks like.
Internal Audit System Effectiveness
When I review a company’s internal audit reports during my own audit, two patterns immediately tell me whether the process is real or performative — and neither has to do with whether procedures exist on paper.
The first is the format of the report itself. If your audit checklist is filled in by hand — pen-and-paper entries on a printed form — I start questioning when this audit actually happened. Mature internal audit systems use electronic tools that timestamp entries, track auditor identity, and create an immutable record. Handwritten forms can be filled in the morning before my arrival just as easily as during the actual audit. They’re not necessarily wrong, but they signal a system that hasn’t been built for accountability.
The second is what the report finds. If I see entries like “Document reviewed, no findings” repeated across multiple sections — or worse, an entire audit report with zero findings — I get genuinely concerned. A thorough internal audit always surfaces something: a process that could be improved, a procedure slightly out of date, a training record that’s hard to locate. No findings doesn’t mean a perfect QMS. It means the audit either didn’t go deep enough, or the auditor wasn’t comfortable writing what they actually saw.
A meaningful audit report looks like this on paper:
- Specific evidence reviewed (record numbers, document versions, sample sizes)
- A clear distinction between what was checked and what was concluded
- A spread of findings — some minor improvements, some clarifications, occasionally something more significant
- Honest language. “Adequate” and “appropriate” repeated everywhere is itself a red flag.
Internal audits aren’t dress rehearsals for external ones. They’re the company’s chance to find its own gaps in private. If your internal audits keep coming back perfectly clean while your external audits keep flagging issues, the question isn’t whether your QMS has problems — it’s whether your internal audit system is honest enough to find them.
Personnel Competence and Objectivity
Competent and objective personnel are essential for a reliable internal audit.
Your checklist should verify that personnel qualifications and experience are documented, sufficient resources are available for all activities, training programs are implemented and continuously updated, and responsibilities and authority levels are clearly defined.
In addition, the auditor must be independent and able to make unbiased decisions based on evidence.
Outsourcing your internal audit can be a highly effective approach. However, it is critical to ensure that the same person or organisation is not providing consultancy services to you at the same time. This creates a conflict of interest and may lead to serious findings related to impartiality.
Selecting an auditor who is both competent and truly independent is key to maintaining credibility and passing notified body assessments.
Conclusion
After years on the Notified Body side, here’s the pattern I see most clearly: the companies that struggle in external audits aren’t usually the ones missing documents. They’re the ones whose documents exist but don’t reflect how the company actually works.
A real internal audit doesn’t try to make your QMS look good. It tries to make your QMS actually work — which is harder, less comfortable, and infinitely more valuable. Every gap your internal audit surfaces is a gap you don’t have to explain to me later.
If you build your checklist around honest questions instead of reassuring answers, the rest takes care of itself. External audits stop being a stress test and start becoming a confirmation of what you already knew.
At B+ Solutions, this is the perspective we bring to every engagement — informed by direct Notified Body experience, structured around what auditors actually look for, and focused on systems that work in practice, not just on paper.
If that’s the kind of audit-readiness you’re building toward, let’s talk.
MDR compliance is not just about passing audits — it’s about building a system that works.
At B Plus Solutions, we work with companies that want to move beyond reactive compliance and build sustainable, audit-ready systems.