Process Area·5 min read·Updated Apr 4, 2026

What Level 1 Internal Audit Maturity Looks Like in Medical Device Organizations

Recognize internal audit maturity level 1 indicators in your medical device QMS. Ad hoc audits, weak follow-through, and regulatory exposure explained.

Your notified body issues four major nonconformities. Your internal audit program — which audited the same process areas in the past twelve months — found zero. Not "found fewer." Zero. The auditor asks to see your internal audit reports. They're one-page checklists with yes/no checkmarks and no narrative findings. She writes a fifth nonconformity: the audit program itself.

This is Level 1. Not an organization that lacks an audit program — that would be a different problem entirely. Level 1 is an organization that has one and derives almost no value from it. The program exists to satisfy a regulatory requirement, and that is all it does. It does not protect the organization. It does not generate intelligence. It does not find the problems that matter. It finds the problems that are easy to find and misses the ones that external auditors will not.

The Wake-Up Call Nobody Wants

The scenario above is not hypothetical. It plays out in medical device companies every year. The internal audit program covers every quality system element on the annual schedule. Every audit is completed. Every report is filed. And then an FDA investigator or notified body auditor walks in and finds significant systemic issues that the internal program never touched.

The gap is not about competence or effort. It is about methodology. Level 1 audit programs ask a fundamentally limited question: does this documentation exist? They never ask the question that matters: does this process work? A one-page checklist cannot evaluate whether the CAPA process actually prevents recurrence, whether the complaint handling process actually identifies reportable events, or whether the design control process actually catches design deficiencies before they reach production. It can only confirm that procedures are written, records are filed, and signatures are present.

When your internal audits and your external audits are finding completely different things, the internal program is not functioning as a self-assessment mechanism. It is functioning as a filing exercise.

What the Audits Look Like From the Inside

Level 1 audits follow a predictable pattern. The auditor — usually one of one or two people in the quality department who have attended a lead auditor course at some point — receives an assignment. She pulls the checklist for that quality system element. The checklist mirrors the clause structure of ISO 13485 or the subsection structure of 21 CFR Part 820. She schedules time with the process owner. They sit in a conference room. She works through the checklist line by line. Does procedure X exist? Yes. Can you show me a record of Y? Here it is. Was training completed for Z? Let me check — yes, here is the training record.

The entire interaction takes two to three hours. The report takes thirty minutes to write because there is little to write — a list of items checked, a few minor observations about expired training records or missing signatures, and a conclusion that the process area is generally compliant. The report is reviewed, approved, filed, and forgotten until the next management review meeting, where it appears as a line item in a summary table.

Nothing in this process evaluates effectiveness. Nothing traces a work product from beginning to end to see if the process actually produces the intended outcome. Nothing compares what the procedure says should happen against what actually happens on the production floor, in the design review, or in the complaint investigation. The audit confirms the existence of a quality system. It does not test whether that system functions.

The Auditor Independence Problem

In many Level 1 organizations, auditor independence is a fiction maintained on paper. The quality department is small — sometimes two or three people. The same person who manages the CAPA process audits the CAPA process, or at best, the person who sits ten feet away and collaborated on the procedure does. The regulation requires that auditors not audit their own work, and technically the assignment avoids a direct conflict. But the practical independence needed to find real problems — the willingness to challenge a colleague's process, to document findings that reflect poorly on the department, to dig into areas where the answers might be uncomfortable — is absent.

Some organizations address this by bringing in cross-functional auditors from engineering or operations. But at Level 1, these auditors have minimal training, no calibration against experienced auditors, and no methodology beyond the checklist. They audit politely, find nothing significant, and return to their primary responsibilities relieved that the obligation is fulfilled.

FDA investigators and notified body auditors examine auditor qualification records routinely. When they find a single auditor conducting all audits with no evidence of ongoing competency development, no independence verification mechanism, and no peer calibration, the finding writes itself before the inspector finishes reviewing the records.

When Findings Go Nowhere

The most damaging characteristic of Level 1 is not what audits fail to find — it is what happens to the findings they do produce. At Level 1, the path from audit finding to corrective action is broken. Findings are documented in the audit report. The report is filed. The finding may or may not be entered into the CAPA system. If it is, the CAPA may or may not be completed. If it is completed, nobody verifies whether the corrective action was effective. The finding reappears in the next audit cycle. And the one after that.

This pattern creates a specific and severe regulatory vulnerability. When an FDA investigator reviews three years of internal audit reports and sees the same finding documented repeatedly without resolution, the investigator is not looking at an audit finding anymore. She is looking at evidence that the corrective action process under 21 CFR 820.90 is ineffective — which is a far more significant problem than the original finding. Recurring unresolved audit findings are one of the strongest signals investigators use to assess whether a quality system is actually functioning or merely documented.

EU MDR Annex IX Section 3.3 expects that the quality management system includes provisions for corrective actions and that audit findings drive meaningful response. A Level 1 program that documents findings without resolving them fails this expectation visibly and repeatedly.

No Metrics, No Visibility, No Learning

Level 1 programs generate no audit program metrics. Management review receives a list: twelve audits scheduled, ten completed, eight findings identified. There is no trend analysis showing whether finding rates are rising or falling. No comparison across audit cycles showing whether corrective actions reduced findings in subsequent audits. No correlation analysis comparing internal findings against external audit results. No measurement of audit program effectiveness.

Without metrics, the organization cannot learn from its own audit data. It cannot identify which process areas consistently generate findings. It cannot determine whether the audit program is improving or deteriorating. It cannot demonstrate to regulators that the program drives continuous improvement. The audit program operates in a data vacuum, producing individual reports that are never aggregated, never analyzed, and never used to improve either the quality system or the audit program itself.

The Path Forward Starts With Honesty

Recognizing Level 1 is not comfortable, but it is necessary. The indicators are clear: audits scheduled without risk-based rationale, auditors qualified on paper but not in practice, methodology limited to checklist compliance verification, findings that recur without resolution, no program metrics, and a persistent gap between what internal audits find and what external auditors find.

The path from Level 1 to Level 2 is well-defined. It requires establishing a structured audit procedure, formalizing auditor qualification criteria, implementing finding classification with defined organizational responses, creating a reliable link between audit findings and the CAPA system, and beginning to track basic program metrics. None of this is technically difficult. All of it requires the organizational admission that the current program is not working — and the commitment to build one that does.
