Your Internal Audit Reports Are Now FDA Property
Under the old QSR, Section 820.22 explicitly barred FDA from using your internal audit reports to assess compliance. You could write whatever you wanted in those reports. Inspectors couldn't touch them.[1]
That ended February 2, 2026, when QMSR replaced 21 CFR Part 820. The new rule aligns U.S. requirements with ISO 13485:2016, which has no audit records exemption. FDA inspectors can now request your internal audit reports, management review minutes, and supplier audit records during routine inspections.[2]
Most manufacturers know the QMSR happened. Fewer have actually gone back and looked at what's sitting in their audit files. If your reports were written assuming no inspector would ever read them, some of that language is going to be a problem.
What Section 820.22 Actually Protected
The exemption existed for a practical reason. FDA figured that if manufacturers thought their audit reports could be used against them, they'd water everything down. Nobody writes "our CAPA system is a mess" if an inspector might read it next quarter. Section 820.22 said audit results "shall be documented" but "shall not be used by or on behalf of FDA to determine compliance."[1]
And for a long time, that worked. Quality managers could be blunt. Your audit report could say that procedures weren't being followed, that training records had gaps, that a supplier was consistently shipping nonconforming product. That honesty was supposed to drive corrective action without creating regulatory exposure.
It also meant manufacturers could sit on findings indefinitely. Document the problem, close the report, never fix anything. FDA wouldn't know.
What QMSR Changed (and Why)
The final rule was published February 2, 2024, with a two-year compliance window.[2] The whole point was harmonization with ISO 13485:2016. ISO 13485 requires internal audits (Clause 8.2.4) and management reviews (Clause 5.6), requires records of both, and says nothing about protecting those records from regulators.
Once you adopt a standard that treats audit records like any other QMS record, you can't keep a side exemption that says "except these ones." So 820.22 had to go.
FDA also killed QSIT, the subsystem-based inspection approach that investigators had used since 1999. The replacement, Compliance Program 7382.850, is risk-based.[4] Investigators follow the evidence of risk instead of walking a fixed checklist. Your internal audit reports are now one of the best maps they have for figuring out where to dig.
Say an inspector reads your 2024 audit report and sees you identified a chronic CAPA backlog. They check your current CAPA system and find the same backlog. The audit report itself becomes evidence that you knew about the problem and didn't fix it.
Three Categories Now Open to Inspection
It's not just internal audit reports. Three categories of records that were previously off-limits or rarely requested are now routine inspection evidence.
1. Internal Audit Reports
The obvious one. Inspectors will check whether your audit program covers the right clauses, whether findings are specific enough to act on, and whether the CAPAs that should have come out of those findings actually got done.[5]
A finding from 2023 that's still open in 2026 is bad. An audit program that never finds anything significant is worse, because it tells the inspector your audits aren't real. They don't want spotless reports. They want to see that you found problems and fixed them.
2. Management Review Minutes
ISO 13485 Clause 5.6 requires management review at planned intervals, with records maintained. The review must address specific inputs including audit results, customer feedback, process performance, and the status of CAPAs.[5]
At most companies, management reviews are attendance sheets with a paragraph of boilerplate. Under QMSR, they need to show that leadership engaged with quality data, made decisions, and committed resources. If your minutes don't reference audit trends or document specific action items with owners, an inspector is going to wonder whether the review actually happened or just got signed.
3. Supplier Audit Records
Supplier quality was the second most common area in FDA warning letters in FY2025.[3] Under QMSR (aligned with ISO 13485 Clause 7.4), your supplier audit records, findings, and corrective actions issued to suppliers are all reviewable. If you audited a critical component supplier two years ago, found incoming inspection failures, issued a CAR, and never followed up on the response, that trail is now visible to the investigator.
What Inspectors Will Actually Look For
Under the old QSIT approach, investigators worked through a fixed checklist. Under 7382.850, they follow risk.[4] Your audit reports tell them where the risk is. Here's what they'll zero in on.
Recurring Findings
Same finding in 2022, 2023, 2024, and 2025? That's the single fastest way to get an investigator's attention. It tells them you keep identifying the problem and keep not fixing it. Document control and CAPA are already the top 483 categories. If either one shows up as a recurring audit finding across multiple cycles with no evidence of effective corrective action, expect the investigator to camp out in that area.
CAPA Linkage
Inspectors will trace the chain: audit finding to CAPA, CAPA to root cause, root cause to corrective action, corrective action to effectiveness check. Every break in that chain is a question they're going to ask you. A finding that never generated a CAPA needs a documented rationale. A CAPA with no effectiveness verification looks like you closed it on paper and moved on.
We've written separately about the CAPA patterns that trigger 483 observations. Worth reading before your next audit cycle.
Adequacy of Corrective Actions
Your audit found obsolete documents at six workstations, and the corrective action was "retrained one operator." That's not going to fly. Investigators assess whether the response matches the scope of the problem. Systemic finding, systemic fix. If the root cause is that your document control system doesn't reliably recall obsolete revisions, retraining one person doesn't address it.
Audit Program Coverage and Frequency
Your audit schedule needs to cover all ISO 13485 clauses over a defined cycle, with higher-risk processes audited more often. An investigator will notice if your schedule conveniently skips your CAPA system, or if certain processes haven't been touched in three years. They'll also notice if your audits only ever produce minor observations in areas that generate 483s across the industry. That pattern suggests the audits aren't probing deep enough.
Inspector Questions to Prepare For
- "Walk me through how audit findings from your last internal audit cycle translated into CAPA actions."
- "Show me three examples of CAPAs that originated from internal audit findings, including their effectiveness checks."
- "Which processes have been audited in the last 12 months? What was the audit frequency basis for your higher-risk processes?"
- "What did your last management review conclude about your internal audit program results?"
- "Are there any audit findings from the past two years that remain open? What is the status?"
Writing Internal Audit Reports That Withstand Scrutiny
This is where the real work is. Go pull your last three internal audit reports and read them as if you were the inspector. If you see vague findings ("training needs improvement"), corrective actions that don't match the finding ("retrained staff"), or closure criteria you can't actually verify ("ongoing monitoring"), those need to be rewritten for any audits going forward.
The goal is not sanitized reports. An audit report from a complex manufacturing operation that only finds minor observations is suspicious. Inspectors know better. What holds up is specific findings paired with proportionate corrective actions that got completed and verified.
What Good Audit Findings Look Like
A good finding names the clause, cites the procedure, states what was observed, and references the evidence. It doesn't editorialize ("management doesn't care") or speculate about intent. You can still be honest about serious problems. The difference is between "CAPA system is broken" and "8 of 14 open CAPAs are past their target closure date with no documented extension." Both say the same thing. One gives the inspector a conclusion to use against you. The other gives them a fact to evaluate.
Practical Guidelines
Tie every finding to a specific clause, procedure, date, and document. "Systemic failure" and "complete breakdown" are conclusions, not observations. Stick to what you can prove.
Link every significant finding to a CAPA, or explain in writing why one wasn't needed (minor observation, immediate correction, etc.). An open finding from 2023 with no activity log and no CAPA looks like you just ignored it.
Be specific about corrective actions. "Updated procedure" is useless for verification. "Revised SOP-024 Rev 4 to include sample size requirements; effective MM/DD/YYYY; training completed for affected personnel by MM/DD/YYYY" can actually be checked.
Go past the symptom. "Three calibration records were missing" is an observation. Add what it suggests: "the calibration recall system may not be reliably identifying instruments due for calibration." That's what drives a meaningful corrective action instead of someone just filing the three missing records.
Practical Language Guide: Before and After
Specificity is the difference between a finding that creates regulatory risk and one that demonstrates competence. Same issue, two ways to write it.
| Risky Language (Old Approach) | Defensible Language (QMSR-Ready) |
|---|---|
| "CAPA system is broken. No one is following the procedure." | "Review of CAPA log (QSYS-CAPA-2025) identified 8 of 14 open CAPAs past their target closure date with no documented extension approval. CAPA-SOP-003 Section 4.2 requires documented justification and management approval for extensions." |
| "Training records are a disaster. Half the team is out of compliance." | "Training matrix review identified 6 of 12 production personnel lack documented completion of SOP-MFG-017 Rev 3 (effective March 1, 2025). Affected personnel are performing tasks covered by this procedure. Ref: ISO 13485 Clause 6.2, SOP-HR-002 Section 3.1." |
| "Supplier XYZ is totally unacceptable. Quality has been terrible for years." | "Supplier audit report AU-2024-014 (Supplier: [Name]) identified three nonconformances related to incoming inspection sampling. Corrective action request CAR-2024-022 was issued December 2024. As of this audit date, CAR-2024-022 response is overdue. Ref: QMSR Clause 7.4.3, Supplier Quality Agreement Section 5.2." |
| "Management doesn't care about quality. Issues are never escalated." | "Management review minutes for Q3 and Q4 2025 (MR-2025-03, MR-2025-04) do not include discussion of internal audit results as required by ISO 13485 Clause 5.6.2(d). Audit summary report AU-2025-Q3 was completed prior to both reviews." |
| "Document control is completely out of control. Nobody knows what version they're using." | "Three of six work instructions reviewed on the production floor were found to be superseded versions (WI-012 Rev 2 in use, Rev 4 current; WI-019 Rev 1 in use, Rev 3 current; WI-031 Rev 5 in use, Rev 6 current). Document control procedure SOP-DC-001 Section 2.4 requires removal of obsolete documents from points of use." |
Every defensible version above follows the same pattern: what was found, where, which requirement, what evidence. No opinions about intent. No extrapolation beyond what was observed.
What About Existing Audit Reports?
Don't rewrite old reports. Altering records is far worse than having unflattering ones. What you can do is make sure every historical finding has a documented response. Got a 2023 finding with no CAPA and no rationale for why one wasn't needed? Open a retrospective assessment now. Document where things stand. Create an action plan if the issue is still relevant.
Inspectors don't expect a clean record. If your audit history shows you finding issues and fixing them, that's a strong position regardless of how many findings there are.
Your Audit Program Structure Matters Too
Beyond report language, the program itself needs to hold up. You need a written schedule covering all ISO 13485 clauses over a defined cycle, with risk-based frequency and auditor competency records on file. And you need a process for escalating significant findings to management that doesn't rely on informal hallway conversations.
If you're not sure where the gaps are, a gap assessment against ISO 13485 will map your actual documentation to the standard's requirements and show you exactly which sections need work before your next inspection.
Before Your Next Inspection
- Review the last two years of internal audit reports for open findings with no documented CAPA or rationale for not opening one.
- Check management review minutes: do they reference audit results? Do they document decisions and resource commitments?
- Verify supplier audit corrective action requests are tracked and followed up. Overdue responses need documented escalation.
- Rewrite your internal audit finding template if current language relies on characterization rather than evidence.
- Confirm your audit schedule covers all ISO 13485 clauses and that higher-risk processes have appropriate frequency.
Most of the QMSR changes are forward-looking. This one isn't. Everything you documented before February 2026 is now potentially inspection evidence. If your 2023 audit report says "CAPA backlog exceeds 90 days for 40% of open items" and your 2026 CAPA log shows the same problem, the inspector doesn't need to find the issue themselves.
References
[1] U.S. Food and Drug Administration. 21 CFR Part 820 — Quality System Regulation (archived). Section 820.22: "Audit results shall not be used by or on behalf of FDA to determine compliance."
[2] U.S. Food and Drug Administration. Quality Management System Regulation; Final Rule. Federal Register, February 2, 2024. Effective date: February 2, 2026.
[3] U.S. Food and Drug Administration. FDA Medical Device Enforcement Actions — FY2025 483 Observation Data. Top observation categories: CAPA (#1), Design Controls (#2), Complaint Handling (#3).
[4] U.S. Food and Drug Administration. Compliance Program Guidance Manual 7382.850 — Inspection of Medical Device Manufacturers. Replaces QSIT (Quality System Inspection Technique) with risk-based inspection framework.
[5] ISO 13485:2016, Medical devices — Quality management systems — Requirements for regulatory purposes. Clause 5.6 (Management review), Clause 7.4 (Purchasing), Clause 8.2.4 (Internal audit). International Organization for Standardization, Geneva.
How We Built Aligntra Around This Problem
This is the exact problem we designed Aligntra to catch. The platform runs clause-by-clause analysis against ISO 13485 and QMSR requirements, and it flags the patterns inspectors look for: recurring findings paired with weak corrective actions, management review records that lack substance, supplier audit trails where the CAR response was accepted but never verified.
Every finding links to the exact page and paragraph in your source document. Not a summary, not a general reference. The actual location, so you can see what an inspector would see. A typical QMS document takes about 4 minutes to analyze, which means you can run your full audit program through it in an afternoon and know where the problems are before anyone from FDA shows up.
If you want to see what it catches in your documents, the 14-day trial is free and doesn't require a sales call.