Internal Audits - Closing Audit Deficiency Reports (ISO 13485)



I currently close out my audit deficiency reports using this criteria

One month
Two months
Three months

In my internal auditing I have come across one non conformance which I think will take more than three months to close out. I was wondering if anyone has put a deadline of 6 months on a audit deficiency checklist and if this had any impact on improvement? The reason being the long deadline is I will need to set up various meetings and obtain new contracts to close this deficiency out. I cannot see anything in the 13485 standard to state that you cannot close out audit deficiency reports in less than three months.


Mark Meer

Trusted Information Resource
Correct. There is nothing in ISO 13485 that requires any sort of time frame. ...nor should there be.

Unless you have a good reason for those categories, I'd suggest you reconsider your framework to allow for more flexibility.

In my opinion, it is better to keep time frame goals to the realm of general Quality Objectives, and allow your system the flexibility to handle issues on a case-by-case basis.
That is not to say you can't/shouldn't specify targets for each case. ...I just wouldn't limit yourself to the timeframes you give.

The reality is, you can never know how long issues will take to resolve. Sometimes it's an iterative process. Sometimes it involves redesign, re-validation, or a major process overhaul... It's not unusual for it to take months, or even years, to fully implement a corrective action.

Last edited:


Thank you this is what I am thinking of revising my audit deficiencies to

One Month
Three Months
Six Months


Mark Meer

Trusted Information Resource
Ok. ...but I still suggest that you're unnecessarily constraining yourself.

Granted, if it's only for internal audits, and you don't foresee anything major, this may work fine.

However, if it extends to external audits, and dealing with regulatory agencies (e.g. FDA) comes into play, even a 6-month window might not be sufficient to close audit findings...

Best of luck!

Sidney Vianna

Post Responsibly
The reason being the long deadline is I will need to set up various meetings and obtain new contracts to close this deficiency out.

I agree with Mark. Too many times organizations devise procedures that artificially constrain themselves. Closure of corrective action requests is something that should only happen when there is evidence of implementation and effectiveness of the actions taken. ISO has the following advice on the issue:

Closing nonconformities
As nonconformities tend to be individual in their nature, a variety of methods or activities may be used to demonstrate the effectiveness of actions taken. For example, some will require direct examination on site (which may require the need for additional site visits), while others may be closed-off remotely (by review of submitted documentary evidence).

Before deciding to agree to close a nonconformity, an auditor should review what the organization did in respect of containment, correction, cause analysis and corrective action results. The auditor needs to ensure that there is objective evidence (including supporting documentation) to demonstrate that the described corrective action has been fully implemented and is effective in preventing the nonconformity from re-occurring. Only once the situation is satisfactory, should the nonconformity be closed.

In my experience, the best systems that I have seen had a flexible deadline for implementation of corrective actions. The deadline being "negotiated" between quality (who obviously want the issue resolved ASAP) and the process owner responsible for devising and implementing the corrective action (who normally wants as much time as possible). Certainly, if you work in a regulated sector, representatives from regulators, e.g., the FDA might not "like" open NC's for a "long time", but serious and competent regulators must know that, as Mark mentioned, sometimes the nature of the problem will demand long term corrective action. As long as you can demonstrate effective containment and correction and you can also show oversight over the long term fix, regulators should be ok.
Top Bottom