Unannounced audits are a key element of post-certification surveillance for medical devices under European regulations (MDR 2017/745 and IVDR 2017/746). As a notified body, GMED regularly publishes information to clarify the expectations and obligations of manufacturers. A Q&A published in June 2025 answers the main questions manufacturers may have regarding unannounced audits.

1. What is an unannounced audit?

An unannounced audit is an inspection carried out without prior notice by the notified body (NB) at the manufacturer’s site or at those of critical subcontractors/suppliers. Unlike scheduled certification-cycle audits, the goal is to observe real-time processes and ensure that the devices conform to technical documentation and applicable regulatory requirements. It is an additional, product-focused audit.

2. What are the regulatory requirements?

Regulations (EU) 2017/745 and 2017/746 require unannounced audits. The NB must perform at least one every five years following initial CE certification. Additional audits may be triggered by surveillance activities, vigilance reports, or identified non-conformities. Audits can take place at the manufacturer or at critical subcontractor/supplier sites.

3. What are the stages of the unannounced audit process?

Three main phases:

• Preparation: device selection, test and protocol definition, site selection.
• On-site audit: sampling of finished or semi-finished products, testing on-site or in an independent lab, verification of traceability.
• Post-audit: issuance of the audit report with test results and non-conformities, communication of lab results, and manufacturer’s obligation to address identified issues.

4. What are Manufacturer responsibilities ?

Manufacturers must facilitate access and cooperation at all sites, inform the NB of any site closures, prepare staff and partners for audits, maintain a compliant and updated Quality Management System (QMS), and promptly address any non-conformities.

5. How to prepare effectively ?

• Update contracts to allow NB access to subcontractor sites.
• Train personnel on audit procedures.
• Keep technical documentation and traceability records accessible and current.
• Establish an internal procedure to alert stakeholders immediately when the audit team arrives.

6. What impact do unannounced audits have on certification?

Major or critical non-conformities can lead to restriction, suspension, or withdrawal of the device’s CE certificate. The NB may also issue recommendations to strengthen the QMS or post-market surveillance. Certification maintenance depends on prompt corrective action.

7. What is Audit frequency ?

One unannounced audit is required at least every five years per CE certificate, but the frequency may increase for high-risk devices, recurring non-conformities, or vigilance reports.

8. Are subcontractors and suppliers involved?

Yes, unannounced audits may include these parties if they are critical to manufacture. The manufacturer must contractually ensure their cooperation.

Non-conformities at these sites are the manufacturer’s responsibility.

9. What is Required documentation during audits ?

Manufacturers must make available:

• Updated QMS documentation
• Technical files of concerned devices
• Traceability records (batches, materials, controls)
• Reports from PMS, vigilance activities, and corrective actions
  

10. What are Best practices to reduce audit risks ?

• Maintain regulatory watch and up-to-date documentation
• Involve the Person Responsible for Regulatory Compliance in audit preparation
• Conduct regular internal audits to anticipate issues
• Continuously train personnel on regulatory and audit procedures

To go further:

• Source document: GMED – Q&A Unannounced Audits, June 2025
• Regulation (EU) 2017/745 – MDR
• GMED Q&A on certification