Table of Contents
- Why audits are getting tougher (and no, it’s not just the auditor’s espresso)
- What “hard audits” actually look like in 2026 and beyond
- Design controls that don’t stop at the PowerPoint
- CAPA that is more than “retrain the operator”
- Complaint handling that connects to risk and reporting
- Supplier controls that match modern supply chains
- Process validation and “prove it works” documentation
- Document control that’s actually controlling documents
- QMSR + ISO 13485: what changes in practice
- Six practical ways to prepare before the next audit wave hits
- 1) Build a QMSR gap map that a tired auditor could follow
- 2) Create “audit evidence packs” for high-risk processes
- 3) Train for interviews like you train for surgery: calm, prepared, and within scope
- 4) Treat internal audits like rehearsal, not theater
- 5) Pressure-test your 483 response process
- 6) Make risk management visible across the lifecycle
- Mini case examples: how “normal” gaps become hard-audit findings
- The real takeaway: hard audits reward boring excellence
- Experiences from the field (composite stories teams commonly report)
- Conclusion
If your quality system has been coasting on "it worked last time," the next audit cycle may feel like switching from a pop quiz to the bar exam: timed,
proctored, and weirdly obsessed with your document control procedure.
The pressure isn’t just vibe-based. The FDA’s Quality Management System Regulation (QMSR) takes effect on
February 2, 2026, bringing U.S. device quality requirements into closer alignment with ISO 13485:2016. That shift,
plus increasingly structured inspections, more visible enforcement signals, and “audit once, satisfy many” programs like MDSAP, means medtech teams
should expect audits that are more consistent, more evidence-driven, and less forgiving of “we’ll fix it later.”
Why audits are getting tougher (and no, it’s not just the auditor’s espresso)
1) QMSR is a real deadline, not a motivational poster
The QMSR final rule was published in 2024 with a compliance date two years later, making February 2, 2026 the moment the FDA expects
firms to meet the new framework. In plain English: you’ll still be responsible for FDA requirements, but the backbone of your quality management system
will look a lot more like ISO 13485 than the old-style “Part 820-only” world.
For companies that already run ISO 13485 well, this can be a relief: fewer parallel systems, less duplicate evidence, and a clearer story across global
regulators. For companies that "have a certificate" but don't really live the system day-to-day, QMSR can expose the gap between paper compliance
and operational reality.
2) Inspections are increasingly structured and risk-based
FDA device inspections have long been guided by structured techniques (like QSIT) that steer investigators toward the quality subsystems most tied to
patient safety and product performance. The practical implication: auditors won’t just wander your facility collecting interesting facts like a museum
docent. They will follow a logic trail: complaints to CAPA, CAPA to process controls, process controls to validation, validation to training and change
control, and back again.
The “hard audit” feeling often comes from how fast that trail gets specific: “Show me the last three nonconformances for this line.” “Now show me the
training record for the person who closed them.” “Now show me the risk file impact and whether labeling or IFU changes were evaluated.” That’s not
nitpicking; that’s traceability.
3) More enforcement signals are public, searchable, and trendable
One reason audits feel tougher is that they're not isolated events anymore. FDA publishes inspection observation data summarized by fiscal year and
explains what a Form FDA 483 represents. This makes common failure modes easier to spot for regulators, competitors, and yes, your future acquirer
doing diligence.
4) MDSAP and “audit once, answer to several regulators” raises the bar
The Medical Device Single Audit Program (MDSAP) allows a recognized auditing organization to conduct a single regulatory audit that can
satisfy requirements of multiple participating authorities. Translation: a strong audit can reduce duplication, but a weak audit performance can echo
across jurisdictions. Even if you're not in MDSAP, its process maturity influences what "good" looks like, especially for global manufacturers trying to
streamline audits without lowering standards.
What “hard audits” actually look like in 2026 and beyond
A hard audit is not necessarily an unfair audit. It's usually an audit where the auditor expects your system to behave like a system: connected,
measurable, and able to prove control using evidence, not enthusiasm.
Design controls that don’t stop at the PowerPoint
If you build medical devices (including software-driven products), design controls are where auditors go when they want to understand whether your
development process reliably produces safe, effective products. “Hard” questions tend to include:
- Traceability: Can you trace user needs → design inputs → outputs → verification/validation → risk controls?
- Change control: When requirements changed, did your risk analysis and validation plan change too?
- Design transfer: Did manufacturing and suppliers receive controlled specs and acceptance criteria, or a hopeful email?
A common audit stumble is the “two-worlds problem”: R&D has a modern toolchain, manufacturing has a separate document universe, and the risk file
lives somewhere between a spreadsheet and a prayer. QMSR-aligned expectations reward integration.
CAPA that is more than “retrain the operator”
Corrective and preventive action is where auditors look for proof that you learn from problems instead of collecting them like souvenir magnets.
Retraining is sometimes appropriate, but if it’s your default corrective action, auditors may suspect you’re treating symptoms rather than causes.
Strong CAPA evidence usually includes: clear problem statements, risk-based prioritization, verified root cause methods, containment actions, corrective
actions linked to root cause, effectiveness checks, and closure criteria that aren’t just “time passed and nobody complained.”
Complaint handling that connects to risk and reporting
Complaints are not just customer service tickets. Auditors often test whether your complaint handling system:
- Properly investigates and documents outcomes, including device history review and (when appropriate) returned product evaluation
- Trends issues and feeds CAPA when patterns emerge
- Evaluates whether events trigger additional regulatory obligations (for example, medical device reporting and field actions such as corrections or removals)
The hardest part is consistency: two similar complaints shouldn’t lead to wildly different investigation depth unless there’s a documented reason.
Supplier controls that match modern supply chains
Device companies rarely manufacture every component themselves. That's fine, until supplier controls are treated like a spreadsheet exercise.
Hard-audit supplier questions include:
- How do you qualify and monitor suppliers (not just once, but over time)?
- What happens when a supplier changes a process, a material, or a test method?
- Do you have objective acceptance criteria for incoming inspection and supplier certificates of analysis (COAs)?
- Can you show supplier performance metrics and actions taken when performance dips?
Process validation and “prove it works” documentation
When processes can’t be fully verified by inspection (common in sterilization, molding, bonding, packaging integrity, or complex automated assembly),
auditors expect solid validation evidence and ongoing control. The "hard" part isn't that validation is required; it's that validation must stay current
through changes in equipment, software, materials, suppliers, and operators.
Document control that’s actually controlling documents
In hard audits, document control failures rarely look dramatic. They look boring, and that's why they're dangerous. Examples:
- Obsolete work instructions still posted at the line
- Unapproved forms in use because “the new one wasn’t ready”
- Training not linked to revised procedures
- Records missing signatures, dates, or clear review evidence
Auditors love document control because it’s the front door to everything else. If your front door squeaks, they assume the basement is haunted.
QMSR + ISO 13485: what changes in practice
The QMSR approach largely incorporates ISO 13485:2016 by reference while adding clarifications and expectations so the ISO framework fits cleanly within
U.S. regulatory requirements. That means a company can’t treat ISO as a separate “certification track” and FDA as a separate “inspection track” forever.
Over time, the winning strategy becomes: one coherent system, proven with evidence, mapped to all applicable requirements.
The biggest mindset shift: “quality system” becomes “quality management system”
Words matter because they shape behavior. A “quality system” can feel like a binder of procedures. A “quality management system” implies leadership,
resourcing, risk-based planning, and continual improvement. Hard audits often assess whether leadership involvement is real:
- Are management reviews happening on schedule, with meaningful inputs and actions?
- Do quality metrics reflect process health (not just “number of SOPs updated”)?
- Is there evidence of escalation and decision-making when risk increases?
Audit evidence becomes more standardized
ISO-style audits often rely on consistent “show me” evidence: objectives, procedures, records, and outputs. Under QMSR, firms should expect less tolerance
for fuzzy explanations unsupported by controlled records. The story must be repeatable: if two auditors ask the same question a month apart, the evidence
should tell the same truth.
Six practical ways to prepare before the next audit wave hits
1) Build a QMSR gap map that a tired auditor could follow
Don’t just map “old Part 820 clause to new clause.” Map your actual processes to requirements. Show where evidence lives. If your system is
digital, document ownership, workflows, and version control. If it’s hybrid, document how you prevent “two sources of truth” problems.
2) Create “audit evidence packs” for high-risk processes
Evidence packs are curated sets of records that demonstrate control end-to-end. Examples:
- CAPA pack: top CAPAs, root cause evidence, effectiveness checks, linked complaints/nonconformances, and risk impact
- Design pack: DHF highlights, trace matrix, V&V summary, cybersecurity/testing summary (if relevant), change history
- Supplier pack: qualification, quality agreement, key supplier metrics, recent supplier corrective action requests (SCARs), change notifications and impact assessments
This doesn’t hide problems. It prevents “death by scavenger hunt,” which is where otherwise-good companies look chaotic under audit pressure.
3) Train for interviews like you train for surgery: calm, prepared, and within scope
Auditors often interview because interviews reveal whether the process is real. Train teams to:
- Answer only what’s asked, then offer evidence
- Use controlled records (not memory) when possible
- Escalate appropriately if unsure (“Let me bring in the process owner”)
4) Treat internal audits like rehearsal, not theater
A "pass" internal audit that never finds meaningful issues is not a flex; it's a warning sign. Strong internal audits mirror external style: sampling,
traceability, and follow-the-thread testing. If you’re global, consider using MDSAP-style structure even outside formal MDSAP participation; it tends to
drive more disciplined evidence collection.
5) Pressure-test your 483 response process
If an inspection results in an FDA 483, the clock starts ticking. FDA has said it will consider a written response received within 15 business days
before deciding whether a warning letter is warranted, so industry playbooks emphasize responding quickly and thoroughly, with clear corrective action
plans and evidence. "Hard audits" increasingly reward companies that can respond with speed and substance: root cause work, containment actions, and
realistic timelines.
6) Make risk management visible across the lifecycle
Risk isn’t a one-time document. Hard audits test whether risk management influences decisions across development, production, postmarket surveillance,
and changes. The practical question auditors ask is: "If risk went up, would your system notice, and would it react?"
Mini case examples: how “normal” gaps become hard-audit findings
Case 1: The SaMD startup with fast releases and slow documentation
A software-focused device company runs weekly releases, but its validation summary reports are quarterly and its risk file updates are “planned.”
During audit sampling, the auditor picks a recent change that touched a clinical workflow. The team can describe the change clearly (great!), but can't
show controlled evidence that:
- requirements were updated and reviewed,
- verification/validation was executed under controlled protocols,
- risk controls were assessed for impact,
- training/labeling implications were evaluated.
Result: not “you ship too fast,” but “you can’t prove control over changes that affect safety/performance.” That’s the hard-audit difference.
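The trace chain described under design controls (user needs to design inputs to outputs to verification) and the stale-evidence problem in Case 1 are both mechanical enough to check automatically. The script below is an added illustration, not code from the original article or from any company it describes; the record layout (id, type, upstream links, last-updated date) and the sample artifacts are constructed for this example and are not a standard schema.

```python
from datetime import date

# Constructed sample design artifacts for a hypothetical SaMD release.
# Each record: id, type, upstream links, and the date it was last updated
# (for a verification, the date the protocol was executed). Ids, types and
# the link field are assumptions for this illustration, not a standard schema.
ARTIFACTS = [
    {"id": "UN-1", "type": "user_need", "links": [], "updated": "2025-01-10"},
    {"id": "UN-2", "type": "user_need", "links": [], "updated": "2025-01-10"},  # never decomposed into an input
    {"id": "DI-1", "type": "design_input", "links": ["UN-1"], "updated": "2025-03-05"},  # changed after VER-1 ran
    {"id": "DI-2", "type": "design_input", "links": ["UN-1"], "updated": "2025-01-12"},
    {"id": "DO-1", "type": "design_output", "links": ["DI-1"], "updated": "2025-02-01"},
    {"id": "DO-2", "type": "design_output", "links": ["DI-2"], "updated": "2025-02-01"},
    {"id": "DO-3", "type": "design_output", "links": ["DI-7"], "updated": "2025-02-01"},  # links to an id that does not exist
    {"id": "VER-1", "type": "verification", "links": ["DI-1"], "updated": "2025-02-15"},
    {"id": "RC-1", "type": "risk_control", "links": ["DI-1"], "updated": "2025-01-20"},
]

# The hops an auditor walks. Verification is traced to the design input it
# confirms, which is why both output and verification hang off design_input.
HOPS = [
    ("user_need", "design_input"),
    ("design_input", "design_output"),
    ("design_input", "verification"),
]


def downstream_gaps(artifacts, upstream_type, downstream_type):
    """Ids of `upstream_type` artifacts that no `downstream_type` artifact links to."""
    covered = set()
    for a in artifacts:
        if a["type"] == downstream_type:
            covered.update(a["links"])
    return sorted(a["id"] for a in artifacts
                  if a["type"] == upstream_type and a["id"] not in covered)


def dangling_links(artifacts):
    """(artifact id, missing target) pairs for links that point at no known artifact."""
    known = {a["id"] for a in artifacts}
    return [(a["id"], t) for a in artifacts for t in a["links"] if t not in known]


def stale_verifications(artifacts):
    """(verification id, input id) pairs where the input changed after the verification ran.
    This is the Case 1 failure: the change is real, the evidence predates it."""
    by_id = {a["id"]: a for a in artifacts}
    stale = []
    for v in artifacts:
        if v["type"] != "verification":
            continue
        ran = date.fromisoformat(v["updated"])
        for target in v["links"]:
            up = by_id.get(target)
            if up and date.fromisoformat(up["updated"]) > ran:
                stale.append((v["id"], target))
    return stale


def chain_report(artifacts, hops=HOPS):
    """Walk every hop and collect the gaps an auditor would find."""
    report = {f"{up}->{down}": downstream_gaps(artifacts, up, down) for up, down in hops}
    report["dangling"] = dangling_links(artifacts)
    report["stale_verification"] = stale_verifications(artifacts)
    return report


if __name__ == "__main__":
    for check, findings in chain_report(ARTIFACTS).items():
        print(f"{check}: {findings or 'ok'}")
```

On the sample data the report flags UN-2 (a user need with no design input), DI-2 (an input with no verification), DO-3 (a link to a non-existent input) and VER-1 (a verification older than the input it covers). Running something like this on every release is what turns "we can describe the change" into "we can show the change was controlled."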
Case 2: The contract manufacturer with a validation that aged out
A manufacturing site validated a bonding process years ago. Since then, it swapped a fixture, changed a supplier lot, and updated a software patch on the
machine controller. None of the changes were evaluated through a robust validation impact assessment. The product still “looks fine,” but the auditor
sees a pattern: changes happened without a disciplined evaluation of whether the process remains capable.
Result: the audit finding isn't about one bad batch. It's about an unstable control strategy, exactly what quality regulations are designed to prevent.
Case 3: The complaint trend that didn’t escalate soon enough
Complaints arrive slowly, one every few weeks, about a device alarm that's "confusing." Each complaint is closed with "user error." Months later, the
trend becomes undeniable, and a CAPA is opened. Under audit, the question becomes: why didn’t trending, risk review, or usability evaluation trigger
earlier? Hard audits often treat delayed escalation as a system weakness, not an individual mistake.
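The complaint-handling expectation above ("trends issues and feeds CAPA when patterns emerge") and Case 3 both come down to the same question: at what point should a slow drip of similar complaints have forced a review? The script below is an added illustration, not code from the original article or from any company it describes. The complaint records, failure codes, dispositions, 90-day window and threshold of three are all constructed assumptions; a real procedure would set the window and threshold per product and risk class and document why.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample complaint log for a hypothetical device. Field names,
# failure codes and dispositions are assumptions for this illustration.
SAMPLE_COMPLAINTS = [
    {"id": "C-101", "received": "2025-01-06", "code": "ALARM_CONFUSING", "disposition": "user error"},
    {"id": "C-102", "received": "2025-01-20", "code": "CABLE_WEAR", "disposition": "investigated"},
    {"id": "C-103", "received": "2025-02-03", "code": "ALARM_CONFUSING", "disposition": "user error"},
    {"id": "C-104", "received": "2025-02-24", "code": "ALARM_CONFUSING", "disposition": "user error"},
    {"id": "C-105", "received": "2025-03-17", "code": "ALARM_CONFUSING", "disposition": "user error"},
    {"id": "C-106", "received": "2025-03-31", "code": "LABEL_SMUDGE", "disposition": "investigated"},
    {"id": "C-107", "received": "2025-04-14", "code": "ALARM_CONFUSING", "disposition": "user error"},
]


def trend_alerts(complaints, window_days=90, threshold=3):
    """First date each failure code reaches `threshold` complaints in a trailing window.
    Returns a list of (code, trigger_date, ids_in_window). The window and threshold
    are assumed values for this example, not a regulatory requirement."""
    by_code = defaultdict(list)
    for c in sorted(complaints, key=lambda c: c["received"]):
        by_code[c["code"]].append((date.fromisoformat(c["received"]), c["id"]))
    alerts = []
    for code, events in by_code.items():
        for i, (day, _) in enumerate(events):
            start = day - timedelta(days=window_days)
            in_window = [cid for d, cid in events[: i + 1] if d > start]
            if len(in_window) >= threshold:
                alerts.append((code, day, in_window))
                break  # report the first trigger only
    return alerts


def closed_after_trigger(complaints, alerts, disposition="user error"):
    """Complaints of an already-trending code that were still closed with `disposition`
    after the trend triggered: the delayed escalation an auditor treats as a system weakness."""
    trigger = {code: day for code, day, _ in alerts}
    return [c["id"] for c in complaints
            if c["code"] in trigger
            and c["disposition"] == disposition
            and date.fromisoformat(c["received"]) > trigger[c["code"]]]


if __name__ == "__main__":
    alerts = trend_alerts(SAMPLE_COMPLAINTS)
    for code, day, ids in alerts:
        print(f"{day}: {code} reached {len(ids)} complaints within 90 days: {ids}")
    print("still closed as user error after trigger:", closed_after_trigger(SAMPLE_COMPLAINTS, alerts))
```

On the sample log the alarm complaints cross the threshold on 2025-02-24, and two further complaints (C-105 and C-107) are still closed as "user error" after that date. Those two records are exactly what the auditor in Case 3 would ask about: the trend was visible in the data before the CAPA was opened.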
The real takeaway: hard audits reward boring excellence
The companies that do best under tough audits aren’t magical. They’re boring in the best way:
- They keep records complete and current.
- They connect complaints to CAPA to risk decisions.
- They validate processes and re-evaluate when changes happen.
- They treat suppliers like extensions of their process, not vendors in a spreadsheet.
- They run internal audits that actually test the system.
In 2026, “we meant well” won’t compete with “here’s the evidence.”
Experiences from the field (composite stories teams commonly report)
When people say audits are getting harder, they often mean the experience has changed. Here are five composite “audit room moments” that quality
and regulatory teams frequently describe as the new normal, presented as anonymized, blended scenarios to capture patterns without exposing anyone's
confidential details.
Scene 1: The auditor who follows the thread (and never loses it)
The audit starts friendly: introductions, scope, agenda. Then the auditor asks for a single complaint record, just one. Everyone relaxes. Easy.
But the follow-up questions keep coming: show the investigation, then the product history, then the risk file reference, then the labeling assessment,
then the CAPA link, then the effectiveness check, then the management review minutes where the trend was discussed. Nothing is unreasonable; it’s just
relentless in a polite, professional way. Teams often report this is where “hard audit” becomes real: you can’t compartmentalize. The system has to
connect.
Scene 2: The quiet document control trap
A line operator pulls up the work instruction on a shared drive. The auditor asks, “How do you know this is the current revision?” The operator shrugs:
"It's the one we use." The quality lead jumps in, confident the controlled version exists, somewhere. Ten minutes later, the room is comparing filenames:
“Final_v7,” “Final_FINAL,” and “NewFinalForRealThisTime.” Teams often say the most painful findings aren’t dramatic failures; they’re small control gaps
that suggest bigger ones.
Scene 3: The CAPA that looked good until the effectiveness check
The CAPA file is beautifully written. Root cause analysis includes diagrams. Corrective actions are listed with owners and dates. The auditor nods, then
asks, “How did you confirm the fix worked?” The team points to “no further complaints.” The auditor asks about complaint volume, detection lag, and the
possibility that the same issue could still exist unnoticed. Suddenly, the room realizes: an effectiveness check needs a measurable plan, not hope.
Teams often describe this moment as the one that changes their CAPA culture for good.
Scene 4: The supplier change that “shouldn’t matter”
Purchasing switched to an equivalent material supplier due to lead times. The spec was similar, and incoming inspection passed. Under audit, the
question becomes: was equivalence evaluated for its impact on device performance, biocompatibility, sterilization compatibility, or shelf life?
People often report that “supply chain decisions” now get audited like “quality decisions”because, functionally, they are.
Scene 5: The best kind of hard audit, where the system holds up
Not every hard audit ends in pain. Teams also describe a surprisingly satisfying experience when the system performs: requests are logged, evidence is
produced quickly, answers stay consistent, and leadership can explain quality metrics without reading off a slide. The auditor still probes deeply, but
the organization doesn't scramble. That's the punchline of modern auditing: the audit doesn't get easier; your system gets stronger. When it does, the
same "hard" questions become an opportunity to show control: calmly, clearly, and with receipts.