I am in an ISO 13485:2016 audit by a leading registrar.
For our internal audits, we have identified 14 processes that were all completed in one year, but come 2020 and the pandemic, it was not possible to complete all 14, so we put a risk-based approach in place and identified High, Medium and Low Risk. All the Highs would be audited every year; Medium would be covered once in two years; while the Low Risk ones would be covered once in three years.
The auditor is not agreeing with this risk-based approach and is insisting that all 14 processes must be completed every year to pass the yearly surveillance audits. Is this true? I feel it is incorrect but would like to hear from you guys.