Medical device manufacturers are often failing to conduct effective internal quality audits under the US Food and Drug Administration’s Quality Management System Regulation (QMSR), according to an FDA official who says weak auditing practices are emerging as a recurring inspection finding.
The agency’s Karen Cruz-Arenas said many MedTech companies are treating internal audits as a basic compliance exercise instead of using them to identify systemic risks and quality problems before agency investigators arrive to conduct an inspection.
In general, “internal audits are not being conducted,” said Cruz-Arenas, a Senior Operations Officer in the Office of Medical Device and Radiological Health Inspectorate (OMDRHI), within the FDA’s Office of Inspections and Investigations (OII).
Her comments came on May 6 at FMMC’s Florida Medical Device Symposium while discussing observations issued by FDA investigators during facility inspections performed between Feb. 2 and March 31. (Related Story: “FDA Unveils Top 5 QMSR Inspection Findings as MedTech Firms Adjust to New Rule,” QualityHub, May 12, 2026.)
Cruz-Arenas said investigators frequently encounter companies relying on simplistic checklist-style quality audits that merely confirm the existence of procedures and records.
“A company will check off, ‘Do I have this procedure? Check. Do I have a document that shows that it was implemented? Check. And they keep going down the list – check, check, check, check,” she said at the symposium, where she took part in an “FDA Super Session” moderated by QualityHub Corporate VP Sean Boyd.
While Cruz-Arenas acknowledged that such reviews can help verify that documentation exists, she said manufacturers must move beyond paperwork and adopt a deeper, risk-based internal audit process aligned with FDA inspection methods.
“You do want to look at [whether] the procedure reflects what the regulation requires,” she said. “But what we want you to add now is this layer of the risk-based” inspectional approach outlined by the agency in its Compliance Program Manual for the Inspection of Medical Device Manufacturers, or CPM 7382.850. (Related Story: “Takeaways From FDA’s Retooled Compliance Manual for MedTech Inspections,” QualityHub, March 27, 2026.)
As FDA investigators continue evaluating industry compliance with the agency’s new quality system requirements – which place greater emphasis on risk management and proactive quality oversight – Cruz-Arenas said firms would be wise to model their internal audit programs after FDA inspection techniques to improve readiness and reduce compliance gaps.
“Make sure you start doing these internal audits similarly to how we’re conducting the inspections,” she said.
“If you have an internal audit that hasn’t found any deficiencies, it doesn’t necessarily mean that your process is A-OK and your Quality Management System is good to go.” – Karen Cruz-Arenas
Cruz-Arenas further said when companies conduct internal audits “the same way the FDA is conducting the inspections,” they can uncover deficiencies so investigators don’t. “You want to be able to identify the issues internally before we do,” she said.
The FDA official also warned that quality audits that produce no findings may actually indicate that the audit process itself is unsuccessful rather than evidence that a company’s quality system is functioning properly.
“If you have an internal audit that hasn’t found any deficiencies, it doesn’t necessarily mean that your process is A-OK and your Quality Management System is good to go,” Cruz-Arenas said. “It’s more than likely the result of an ineffective internal audit.”
She urged manufacturers to ensure internal auditors are properly trained and capable of following quality issues through underlying data and corrective actions.
“Have the internal auditors look at the data, look for those signals,” Cruz-Arenas said. “What are the issues that you’re seeing, and are you actually addressing them properly? And then follow that thread.”
