What is a “gap audit” in a Quality Management System?

A gap audit — sometimes called a readiness or pre-assessment audit — is an independent review of a Quality Management System (QMS) carried out before an organisation applies for ISO 13485 certification.
Its purpose is not to issue a certificate but to verify how well the organisation is prepared for the certification body’s audit.

A gap audit does not replace the routine internal audit.
Instead, it provides a one-off, comprehensive check of compliance with the MDR, IVDR and relevant standards.
It delivers the greatest value at the final stage of QMS implementation, when the organisation needs an independent confirmation that its documentation, procedures and staff awareness are complete and compliant.

Main objectives of a gap audit

A gap audit identifies weaknesses so they can be corrected before the certification audit. It helps to:

  • Assess conformity with ISO 13485 and the MDR / IVDR,
  • Detect areas that may trigger findings by a notified body,
  • Define corrective actions in advance,
  • Raise the organisation’s readiness for the external assessment,
  • Engage employees in the final QMS review before certification.

Why a gap audit matters for MDR compliance

Under the MDR, manufacturers must establish and maintain a QMS covering risk management, PMS, technical documentation and change control.
A gap audit checks whether critical areas — such as supplier oversight or post-market activities — have been fully integrated into the system.

Scope of a gap audit

The audit should cover everything the notified body will examine, with emphasis on:

  1. Completeness of QMS documentation and its alignment with ISO 13485,
  2. Design-, manufacturing- and validation processes,
  3. Risk-management practices (ISO 14971),
  4. Conformity-assessment files and PMS,
  5. Staff training and competence,
  6. Supplier and subcontractor control,
  7. Consistency between documented procedures and day-to-day practice.

Typical gap-audit workflow

A standard gap audit follows six steps:

  1. Define the scope and objectives,
  2. Review QMS documentation,
  3. Verify that processes follow the documented procedures,
  4. Evaluate implementation of regulatory and normative requirements,
  5. Report non-conformities and areas for improvement,
  6. Oversee corrective actions before the certification audit.

Reporting and documentation

Audit deliverables include:

  • ISO 13485- & MDR-aligned check-lists,
  • A register of non-conformities with their grading,
  • Recommended corrective actions,
  • A final conclusion on readiness for the external audit.

Management must approve the report, and corrective actions are tracked until fully implemented.

Timing and frequency

A gap audit is carried out once — immediately before certification.
Plan it early enough to allow corrective actions to be implemented and verified in real time.

Benefits to the organisation

A gap audit helps to:

  • Avoid non-conformities during certification,
  • Confirm QMS alignment with notified-body expectations,
  • Strengthen team engagement and clarify responsibilities,
  • Shorten overall certification-preparation time.

Common pitfalls and best practices

Frequent problems include:

  • Unprepared or insufficiently trained auditors,
  • Unclear or overly narrow audit scope,
  • Generic check-lists that miss critical requirements,
  • Too little time between the gap audit and certification,
  • Skipping the gap audit altogether, leading to major findings later.

Best practices: engage an external auditor experienced with certification bodies, use check-lists tailored to ISO 13485 and the MDR, and leave enough time to implement changes.

How Pure Clinical supports gap audits

Pure Clinical delivers a full gap-audit service for organisations implementing an ISO 13485- and MDR-compliant QMS:

  • Preparation of an audit plan matched to the device class,
  • Detailed analysis of processes, documents, and records,
  • Actionable recommendations and corrective-action plans,
  • Follow-up to confirm closure before the certification audit.

Our approach draws on practical experience, the latest notified-body requirements, and deep knowledge of the MDR and ISO 13485 — giving you confidence that certification will hold no unpleasant surprises.

FAQ

Can a pre-audit be used as an internal audit under ISO 13485?

No. A zero audit (pre-audit) does not replace internal audits required by ISO 13485, as it is conducted externally and focuses on readiness for certification rather than continuous internal conformity checks. Internal audits must be systematic, scheduled, and internally controlled.

What qualifications should a zero audit auditor have?

The auditor should have proven expertise in ISO 13485, MDR/IVDR, and auditing standards such as ISO 19011. Experience with notified body audits is highly beneficial, as it helps simulate actual certification scenarios and strengthen compliance insights.

Is a zero audit useful for Class I medical devices?

Yes. While Class I devices typically do not require notified body involvement, a zero audit can help mature the quality system, prepare for competent authority inspections, and support future expansions into higher-risk classifications.

How far in advance should a zero audit be conducted before certification?

It is advisable to perform a zero audit at least 6–8 weeks before the certification audit. This allows sufficient time to implement and verify corrective actions, collect supporting evidence, and improve readiness across all system areas.