Preparing for an Annex IX Audit: What to Have Ready

What an Annex IX audit is actually checking

An Annex IX audit under MDR is a QMS audit — the Notified Body is assessing whether your quality management system is functioning as described, producing the records it should, and demonstrably covering the devices it supports. The audit scope is broader than most first-time applicants expect. It is not just a check that your procedures exist. It is a check that those procedures are implemented, that people follow them, and that the system generates appropriate outputs.

The audit will typically cover: QMS scope and procedures, design and development controls, risk management, clinical evaluation process, PMS and vigilance, complaint handling, CAPA, supplier management, and management review. The depth of review varies by device class and the auditor's assessment of risk, but no area is off limits. Going in without having reviewed your own system against all of these is a common mistake.

Design review records

Design review is one of the areas most likely to generate findings if records are not well-organised. Annex IX auditors look at design review as evidence that development was controlled — that decisions were made deliberately, challenges were identified, and the outputs were assessed against the inputs.

What they want to see: documented review meetings with attendance records, identified review inputs and outputs, explicit identification of problems found and how they were resolved, traceability between design review outputs and subsequent verification and validation activities. What they often find instead: informal notes, undated records, reviews that appear to have been written after the fact, or a single "design review" document that was clearly not produced during development.

If your design review records are sparse, the time to address this is before the audit — through a structured retrospective that reconstructs the decisions made during development, documented in a way that the auditor can follow. Auditors understand that development is messy; what they don't accept is no record of it.

CAPA completeness

CAPA records are almost always reviewed during an Annex IX audit. The auditor is looking at a sample of your CAPA records to assess whether the process produces meaningful root cause analysis and effective corrective actions.

The most common finding: CAPA records that describe what happened and what was done, but not why. Root cause analysis is documented as a conclusion — "the procedure was not followed" — rather than a structured investigation into why the procedure was not followed. A second common pattern: CAPAs that were opened, received an initial entry, and then show no follow-up activity for months. Open CAPAs with stale activity logs signal that the process is not actively managed.

Before an audit, review your open CAPA log. Any CAPA that hasn't had documented activity in 90 days should be either escalated or closed with a documented rationale. Any CAPA record that lacks a root cause analysis should be completed before the audit rather than during it.

Management review evidence

Management review under ISO 13485 is a formal process, not an informal discussion. The records need to show that management reviewed specific inputs (QMS performance data, audit results, complaints, regulatory changes, resource adequacy) and produced specific outputs (decisions and actions). Auditors check management review records carefully because the quality of those records reflects whether leadership is actually engaged with the QMS.

What generates findings: management review minutes that are too brief to show what was actually discussed, missing inputs (a management review that doesn't address complaint trends or internal audit results), and outputs that are vague ("continue to monitor" is not an action). Specific decisions with assigned owners and timelines are what the record should contain.

One detail that catches people: the management review must address adequacy and suitability of the QMS, not just performance against targets. If every metric is green and the review simply notes that, without anyone asking whether the system is still fit for purpose given changes in the regulatory environment or business context, that's a gap.

The technical documentation connection

Annex IX auditors will typically select one or more devices for technical documentation review during the audit. The audit is not just a QMS audit — it is a QMS-plus-technical-file audit. Which devices get selected is often not known in advance, so the expectation is that technical documentation for all devices in scope is in order, not just the flagships.

Before the audit, run your own readiness check on each device's technical documentation: is the risk management file current? Is the GSPR checklist complete and traceable? Has the biological evaluation been reviewed since the last design change? Is the clinical evaluation current against the PMCF plan schedule? Finding gaps in technical documentation during an audit is more serious than finding process gaps — it suggests the device should not be on the market in its current state.

The day of the audit

A few practical points that experienced teams emphasise: have a single point of contact who knows the QMS and where all records live. Auditors should not be waiting while someone searches for a document. Stage your records — know in advance where your most recent management review, your CAPA log, your design review records, and your technical files are, and have someone available to retrieve them quickly. Do not volunteer information about open problems before the auditor asks — answer questions fully and accurately, but let the auditor drive the scope.

If an auditor raises a finding, acknowledge it clearly. Attempting to argue away a legitimate observation creates a worse impression than the observation itself. Note it, understand it, and address it in your response.