MDSAP Internal Audit Program example wanted




I am preparing the annual audit program. In preparation for MDSAP in 2018 I wanted to creat an audit program which is aligned with MDSAP requirements. My approach is alwas to have an effective and efficient audit program. But starting with my general approach (very good established) plus adding regulatory requirments according MDSAP will be not efficient. Also using the MDSAP 94 task from MDSAP seems not to be efficient.

Has anyody a best practice how to establish an internal audit program for MDSAP efficient an deffective? I don't want to add too much additonal ressources for internal auditing.

Looking forward for your ideas.

Kind regards,



Super Moderator
Your internal audit system should, as the standard indicates, "determine whether the quality system ... conforms to [the standard and applicable regulatory requirements] ... [and] is effectively implemented and maintained. The MDSAP audit, as I understand, will just take all the country-specific requirements into consideration as part of their audit.

The internal audit should already be considering your compliance to the applicable regulatory requirements so I'm not sure there should be all that much difference with your internal audit program when you transition to an MDSAP compliance audit.

That's my take. I hope others will weigh in with their thoughts.

Mark Meer

Trusted Information Resource
Have you taken a look at the MDSAP Audit Procedures and Forms available on the FDA website?

This might be a good starting point.

Has anyody a best practice how to establish an internal audit program for MDSAP efficient an deffective? I don't want to add too much additonal ressources for internal auditing

Always remember that your internal audit program should have value to you. It should NOT be just a compliance exercise.

When planning your program, ask yourself: will this help drive improvement? In otherwords, is it effective at spotting non-conformances and opportunities for improvement?



Starting to get Involved
Great question - I am still looking for good resources. I have been involved with a number MDSAP internal audits and seen a sample of reports from different AOs. It is still unclear on the best approach. When I took Oriel Stat A Matrix MDSAP IA training they didn't provide any templates for IAs and said to use whatever the organization currently used for ISO13485. I have seen the following:
  • Audit Plan and report aligned to ISO 13485 with no mention of MDSAP chapters. Registration and Adverse Reporting were added as sections to audit
  • Audit Plan and report listing MDSAP chapters and associated ISO clauses and chapter tasks, no mention of organizations sub-processes or activities aligned to the MDSAP chapter sections.
  • Audit Plan and report listing MDSAP Chapters and identifying the organizations' sub-processes that align to the MDSAP chapters. These were aligned with the corresponding ISO sections and the chapter tasks were also identified. - I agreed with this one the most.
  • I have seen reports that summarize the conclusions from each chapter audited and includes lists of documents/records reviewed and auditees
  • I have seen reports that have a top level summary, findings and then all the audit data was retained in a checklist that followed the chapter tasks.
(important to note that all above samples were found acceptable by the the AOs.)

The challenge I have encountered is to ensure alignment with the ISO standards (as has been the typical process audit approach) while also ensuring the all the MDSAP tasks have been addressed. It is also challenging if the organization plans to spread out the audits over the year rather than perform a full process audit. The biggest obstacle I have found is making sure that the documentation (for multiple partial audits) can easily show that all chapters/tasks and ISO clauses have been audited at least once during the year.

Moving forward I am planning to identify the organizations' defined processes and where they best fit in the 7 MDSAP Chapter processes. From there I will plan based on the chapter processes and identify the ISO clauses and tasks that apply. I will likely create a matrix to summarize and track the audits, tasks, clauses and processes audited for easy traceability.

Unfortunately I haven't found any "best practices" guidelines or templates. Mine are improving but not ready to share yet. I'd love to hear what others have found helpful. Beyond the documentation you want to make sure the audit is value added, deep enough to clearly evaluate the processes and identify and gaps of nonconformity. Good luck.

Top Bottom