We were cited in Mar 2013 ISO 13485 re-cert audit for a minor NC for not have done any Risk Assessment the previous year. Which I missed in my internal audit (no NC there). I did Risk Assessment by various processes for 1) contract review / processing orders, 2) Manufacturing, 3) Purchasing / Procurement of raw material, 4) M&M etc.. I then audited against the a)inputs, b)the assessments and c)the outputs. Ref ISO 14971. The assessments are on-going and I try to audit the previous assessment after I’ve completed the next scheduled one. The audits look appropriate to the plan but not locked in to which Risk Assessment to audit, only that 1 or 2 are scheduled in. I don’t lock myself in with Due Dates for auditing, only “periodic” throughout the year.