Mon - Sat 9.00 - 18.00

Sunday Closed

Call Us

+1 858 329 0211

How to Combine an MDR 2017/745 and an ISO 13485 Supplier Audit

By AMREP | Posted on February 17, 2026

Medical device companies rarely have the luxury of running “one audit for every requirement.” Supplier oversight is too important, too frequent, and too resource-intensive. The smarter approach is to combine your supplier audit so it satisfies both:

  • ISO 13485:2016 purchasing controls (how you qualify, monitor, and control suppliers), and
  • EU MDR 2017/745 expectations (how your QMS ensures supplier and subcontractor control, and how you demonstrate that control to a Notified Body).

Done right, a combined audit reduces duplication, improves risk focus, and creates a stronger evidence trail for regulatory inspections.

This guide shows you how to plan, execute, and report a single supplier audit that works for both frameworks, without bloating the audit or missing critical compliance evidence.

Why a combined audit matters

Under EU MDR, supplier control is not optional “best practice.” It is explicitly tied to the manufacturer’s quality management system, including selection and control of suppliers and subcontractors.

In parallel, ISO 13485 requires risk-based supplier evaluation, re-evaluation, purchasing information controls, change communication requirements, and verification of purchased products.

The overlap is significant, but the emphasis differs:

  • ISO 13485 focuses on how you control purchased products and outsourced processes through documented procedures and records.
  • MDR focuses on proof that your QMS and technical documentation demonstrate control and that critical supplier activities do not compromise conformity, including the reality that Notified Bodies may audit supplier controls and supplier sites.

A combined audit lets you cover both without running two parallel programs.

What MDR and ISO 13485 expect from supplier control

MDR 2017/745: supplier control is embedded in QMS and conformity assessment

MDR requires the manufacturer’s QMS to cover resource management, including selection and control of suppliers and subcontractors.

In Notified Body audits, MDR also calls for:

  • identifying relevant suppliers and subcontractors and considering whether they need to be specifically audited
  • auditing purchasing controls (including verification of purchased devices) as part of QMS assessment
  • auditing supplier processes when finished device conformity is significantly influenced by supplier activity and the manufacturer cannot demonstrate sufficient control
  • unannounced audits that may include suppliers and subcontractors, where appropriate

So MDR pushes manufacturers to show they have real, demonstrable control over suppliers, not just paperwork.

ISO 13485: risk-based purchasing controls and evidence

ISO 13485 purchasing controls are widely operationalized through supplier evaluation, re-evaluation intervals, purchasing information controls, agreements, change notifications, and verification records.

The FDA’s MDSAP Purchasing Process audit model references ISO 13485 clauses that auditors commonly use to test supplier systems, including:

  • supplier evaluation records and risk-based controls
  • periodic re-evaluation
  • purchasing information controls and written agreements requiring supplier change notification
  • verification activities and maintained records

These are perfect anchors for a combined audit structure.

How to Conduct a Combined MDR and ISO 13485 Supplier Audit: A Practical Step-by-Step Guide

A common mistake is treating a supplier audit as only “checking the supplier.” A combined MDR + ISO 13485 supplier audit must do two things at once:

  • Assess the supplier’s ability to meet requirements (quality, process control, traceability, validation, competence, etc.)
  • Generate objective evidence that you control the supplier appropriately (qualification, monitoring, change control, acceptance, and risk management)

In practice, this means your audit plan should always map:

supplier processes → product risk → your controls → acceptance/verification → change control → records.

Step 1: Define scope using supplier criticality (risk-based segmentation)

Before you write a checklist, define the supplier category. This determines audit depth and frequency.

A practical segmentation model:

Category A: Critical suppliers / critical outsourced processes

Examples:

  • sterilization providers
  • contract manufacturers doing production steps affecting conformity
  • suppliers of critical components (implant materials, drug-contact materials, safety-critical electronics)
  • labs performing release testing

For these, you typically need:

  • full system audit (QMS + process controls)
  • stronger evidence of validation and traceability
  • explicit change notification agreements
  • tighter performance monitoring and escalation triggers

MDR supports heightened scrutiny where supplier activity significantly influences finished device conformity and especially where you cannot demonstrate sufficient control.

Category B: Key suppliers

Important, but not typically decisive for device conformity. Audit focus: consistent process controls, traceability where needed, incoming controls, and measurable performance.

Category C: Standard suppliers

Low risk, commodity inputs. Audit focus: qualification evidence, basic quality controls, and performance monitoring. On-site audits may not be necessary if objective evidence is strong.

Step 2: Build one integrated audit criteria map

Use one audit plan with two columns of criteria:

Core supplier audit modules (works for MDR + ISO 13485)

  • Supplier QMS governance
  • Document and record control
  • Training and competence
  • Risk management and process control
  • Purchasing and sub-supplier controls (yes, audit their upstream controls if relevant)
  • Production controls and validation (special processes)
  • Traceability and identification
  • Nonconforming product and CAPA
  • Change control and customer notification
  • Inspection, test, and release evidence
  • Data integrity and cybersecurity controls (if software/data is involved)
  • Business continuity and supply assurance (important for MDR readiness and real-world resilience)

Where MDR adds emphasis

  • proof that supplier control is part of your QMS and conformity assessment story
  • supplier sites may be included in audits, including unannounced, where appropriate
  • technical documentation must identify supplier/subcontractor sites performing design/manufacturing activities

Where ISO 13485 adds structure

  • evaluation and re-evaluation records and intervals
  • purchasing information control and agreements requiring change notification
  • verification and acceptance records

This mapping becomes your “audit backbone.”

Step 3: Prepare the audit package (what to request in advance)

Send a pre-audit request list tailored to the supplier category. For critical suppliers, request at least:

Quality system and compliance documents

  • quality manual or QMS overview
  • certifications (ISO 13485, ISO 9001, etc.) if applicable
  • organization chart, key roles, and training matrix
  • document control procedure
  • internal audit and management review summaries (high level)

Process control and validation

  • process flow and control plans
  • validation master plan (if applicable)
  • special process validations (sterilization, welding, bonding, software, etc.)
  • equipment calibration program and sample records

Traceability and production evidence

  • batch record template / traveler
  • traceability model (lot, serial, UDI-related where applicable)
  • incoming inspection plan and sampling approach
  • final inspection and release criteria

CAPA and complaint handling (supplier side)

  • deviation/nonconformance procedure
  • CAPA procedure
  • examples of completed CAPAs (with sensitive info redacted)

Change control

  • change control procedure
  • customer notification requirements
  • example change request package

Sub-supplier control (if the supplier outsources)

  • approved supplier list for critical subcomponents or outsourced steps
  • sub-supplier qualification method
  • flowdown of requirements

This pre-work shortens the on-site time and increases audit depth.

Step 4: Run the combined audit using a process-based approach

A combined audit is most effective when it follows the product flow:

A. Opening meeting: confirm scope and “what could break”

  • confirm what products/services the supplier provides
  • confirm whether they are involved in design, manufacturing, testing, packaging, sterilization, or logistics
  • ask: “What failures here could impact patient safety or regulatory conformity?”

This aligns with MDR’s focus on finished device conformity being influenced by supplier activity.

B. Verify your controls first (ISO 13485 anchor)

Before diving into supplier operations, confirm:

  • you have supplier evaluation records
  • re-evaluation is defined and performed at risk-based intervals
  • purchasing requirements are defined before communication and agreements include change notification
  • verification activities and records exist and match risk

Even though you are auditing the supplier, your audit report must support your compliance evidence.

C. Supplier QMS controls: can they consistently meet requirements?

Look for:

  • controlled procedures and controlled forms
  • training effectiveness (not just training records)
  • internal audit coverage of critical processes
  • management review action tracking

D. The core: process control and evidence

For each key process step, test:

  • What is the specification?
  • How is it controlled in real time?
  • What inspection/verification exists?
  • What happens when it fails?
  • Can you trace output to inputs?

E. Special processes and validation (often the biggest risk)

If the supplier performs processes where output cannot be fully verified by subsequent inspection, you must confirm validation. This is a common failure area in supplier audits.

F. Change control: the make-or-break area

Change control is where supplier risk becomes MDR risk quickly.

Audit:

  • how changes are initiated, assessed, approved
  • whether customer approval is required
  • how the supplier notifies customers about changes (this ties directly to ISO purchasing controls expectations around supplier notification)
  • how changes affect validation, labeling, traceability, or regulatory commitments

G. Traceability: prove it in records, not in theory

Ask for a real lot/batch and trace it:

raw material certs → receiving → production → in-process inspections → final release

If software is involved, verify version traceability.
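The trace described above can be checked mechanically once the supplier's records are exported. The following is an added example, not code from the original post or from AMREP: it walks one batch from final release back to raw material certificates and lists every link that has no record behind it. All batch IDs, lot numbers, certificate numbers, step names and the firmware version are constructed placeholders.

```python
"""Trace a released lot back through the record chain:
final release <- in-process inspections <- production <- receiving <- material certs.

Added example, not part of the original post. Every record below is
constructed sample data; the identifiers are placeholders, not real
supplier records.
"""
from __future__ import annotations
from dataclasses import dataclass, field

RAW_MATERIAL_CERTS = {   # cert number -> material lot it covers
    "CERT-1001": "RM-LOT-A1",
    "CERT-1002": "RM-LOT-B7",
}
RECEIVING = {            # material lot -> cert cited at receipt (None = no cert on file)
    "RM-LOT-A1": "CERT-1001",
    "RM-LOT-B7": "CERT-1002",
    "RM-LOT-C3": None,
}
PRODUCTION = {           # batch -> material lots consumed per the batch record
    "BATCH-501": ["RM-LOT-A1", "RM-LOT-B7"],
    "BATCH-502": ["RM-LOT-A1", "RM-LOT-C3"],
}
REQUIRED_STEPS = ["assembly", "bonding", "final-test"]   # assumed control plan
IN_PROCESS = {           # batch -> {step: result}
    "BATCH-501": {"assembly": "pass", "bonding": "pass", "final-test": "pass"},
    "BATCH-502": {"assembly": "pass", "final-test": "pass"},   # bonding record missing
}
FINAL_RELEASE = {        # batch -> release disposition and, where software is involved, its version
    "BATCH-501": {"disposition": "released", "software": True, "version": "fw 2.3.1"},
    "BATCH-502": {"disposition": "released", "software": True, "version": None},
}


@dataclass
class TraceResult:
    batch: str
    chain: list[str] = field(default_factory=list)   # links proven by records
    gaps: list[str] = field(default_factory=list)    # links with no evidence

    @property
    def complete(self) -> bool:
        return not self.gaps


def trace_batch(batch: str) -> TraceResult:
    """Walk the record chain for one batch and collect every missing link."""
    result = TraceResult(batch)
    release = FINAL_RELEASE.get(batch)
    if release is None:
        result.gaps.append("no final release record")
        return result
    result.chain.append(f"final release: {release['disposition']}")
    if release["software"] and not release["version"]:
        result.gaps.append("software version not recorded at release")

    # In-process inspections: each required step needs its own record.
    inspections = IN_PROCESS.get(batch, {})
    for step in REQUIRED_STEPS:
        if step in inspections:
            result.chain.append(f"in-process {step}: {inspections[step]}")
        else:
            result.gaps.append(f"no in-process inspection record for '{step}'")

    # Production -> receiving -> certificate, one link per consumed lot.
    lots = PRODUCTION.get(batch, [])
    if not lots:
        result.gaps.append("no production record of consumed lots")
    for lot in lots:
        if lot not in RECEIVING:
            result.gaps.append(f"lot {lot} consumed but no receiving record")
            continue
        cert = RECEIVING[lot]
        if cert is None or RAW_MATERIAL_CERTS.get(cert) != lot:
            result.gaps.append(f"lot {lot} received without a matching material cert")
        else:
            result.chain.append(f"lot {lot} <- receiving <- {cert}")
    return result


if __name__ == "__main__":
    for b in ("BATCH-501", "BATCH-502"):
        r = trace_batch(b)
        print(b, "complete" if r.complete else "GAPS")
        for gap in r.gaps:
            print("   -", gap)
```

Run against the constructed data, BATCH-501 traces cleanly while BATCH-502 surfaces three findings (no software version at release, no bonding inspection record, a lot received without a certificate), which is exactly the kind of evidence-based finding the closing meeting needs.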

H. CAPA and systemic improvement

Check whether problems result in:

  • root cause analysis
  • corrective action effectiveness checks
  • trend analysis

This tells you whether the supplier will stabilize issues or repeat them.

I. Closing meeting: align on nonconformities and timelines

Make sure findings are:

  • clearly evidence-based
  • tied to requirements (ISO 13485 control points + MDR QMS expectations)
  • prioritized by risk (critical/major/minor)

Step 5: Write one audit report that satisfies MDR and ISO 13485

A combined report should include:

1) Supplier profile and scope

  • processes audited
  • products/services covered
  • sites included (important because MDR technical documentation must identify relevant sites, including suppliers and subcontractors where design/manufacturing occurs)

2) Audit criteria and references

List:

  • ISO 13485 purchasing controls as applied (evaluation, re-evaluation, purchasing info, verification)
  • MDR supplier control expectations under QMS and Notified Body audit logic (supplier controls, purchasing controls, supplier-site auditing triggers, unannounced audit possibility)

3) Findings grouped by risk and process

Example structure:

  • Supplier governance and document control
  • Production and process controls
  • Validation and special processes
  • Traceability
  • Change control
  • CAPA
  • Sub-supplier control

4) Supplier performance summary

Include:

  • delivery performance (OTIF)
  • defect rates
  • responsiveness
  • history of changes and deviations

This supports ISO-style ongoing monitoring and re-evaluation expectations.
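To make the performance summary feed the risk-based monitoring from Step 1 (tighter thresholds and escalation triggers for Category A), the metrics can be computed from delivery records and compared against category limits. The following is an added example, not code from the original post or from AMREP: the delivery records, the OTIF and defect-rate limits, the audit intervals and the "halve the interval on escalation" rule are all constructed assumptions, and a real program would take them from its supplier procedure.

```python
"""Supplier performance summary with category-based escalation triggers.

Added example, not part of the original post. Delivery records, thresholds
and audit intervals are constructed assumptions for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Delivery:
    po: str
    promised: date
    delivered: date
    ordered: int
    received: int
    rejected: int      # units rejected at incoming inspection

    @property
    def on_time_in_full(self) -> bool:
        return self.delivered <= self.promised and self.received >= self.ordered


# Assumed limits per supplier category (A = critical, B = key, C = standard).
THRESHOLDS = {
    "A": {"min_otif": 0.95, "max_defect_rate": 0.005, "audit_months": 12},
    "B": {"min_otif": 0.90, "max_defect_rate": 0.010, "audit_months": 24},
    "C": {"min_otif": 0.85, "max_defect_rate": 0.020, "audit_months": 36},
}


@dataclass
class PerformanceSummary:
    supplier: str
    category: str
    otif: float
    defect_rate: float
    triggers: list[str]
    status: str
    next_audit_months: int


def summarize(supplier: str, category: str, deliveries: list[Delivery]) -> PerformanceSummary:
    """Compute OTIF and defect rate, then apply the category's escalation triggers."""
    limits = THRESHOLDS[category]
    otif = sum(d.on_time_in_full for d in deliveries) / len(deliveries)
    received = sum(d.received for d in deliveries)
    defect_rate = sum(d.rejected for d in deliveries) / received if received else 0.0

    triggers = []
    if otif < limits["min_otif"]:
        triggers.append(f"OTIF {otif:.1%} below {limits['min_otif']:.0%}")
    if defect_rate > limits["max_defect_rate"]:
        triggers.append(f"defect rate {defect_rate:.2%} above {limits['max_defect_rate']:.1%}")

    # Assumed rule: any trigger downgrades approval and halves the re-audit interval.
    if triggers:
        status = "Conditionally approved"
        next_audit = max(3, limits["audit_months"] // 2)
    else:
        status = "Approved"
        next_audit = limits["audit_months"]
    return PerformanceSummary(supplier, category, otif, defect_rate, triggers, status, next_audit)


# Constructed sample: one critical supplier, four deliveries in the review period.
SAMPLE = [
    Delivery("PO-1", date(2025, 3, 3), date(2025, 3, 3), 1000, 1000, 2),
    Delivery("PO-2", date(2025, 4, 7), date(2025, 4, 9), 1000, 1000, 0),   # late
    Delivery("PO-3", date(2025, 5, 5), date(2025, 5, 5), 500, 500, 1),
    Delivery("PO-4", date(2025, 6, 2), date(2025, 6, 2), 500, 500, 0),
]

if __name__ == "__main__":
    s = summarize("Supplier X (constructed)", "A", SAMPLE)
    print(f"{s.supplier}: OTIF {s.otif:.1%}, defects {s.defect_rate:.2%} -> {s.status}")
    for t in s.triggers:
        print("  trigger:", t)
    print("  next audit in", s.next_audit_months, "months")
```

With the sample data the defect rate (0.10%) is within the Category A limit, but one late delivery drops OTIF to 75%, which trips the trigger, moves the supplier to "Conditionally approved" and pulls the next audit forward to six months; the same records for a Category C supplier would still trip the OTIF trigger but keep a longer interval.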

5) Conclusion and approval status

Clear outcome:

  • Approved / Conditionally approved / Not approved
  • next audit frequency (risk-based)
  • required CAPAs and due dates

A combined audit checklist you can reuse (high-impact questions)

Use these questions to ensure you’re covering both MDR and ISO 13485 expectations:

Supplier evaluation and control (your side)

  • Do we have documented supplier evaluation and approval evidence?
  • Is re-evaluation performed at defined, risk-based intervals?
  • Do we have defined purchasing requirements and verification activities with records?

Contract and quality agreement

  • Is there a written agreement that requires supplier notification of changes?
  • Does it define deviation handling, traceability, record retention, audit rights, and sub-supplier controls?

Process control and validation

  • Are key processes controlled with defined acceptance criteria?
  • Are special processes validated and periodically reviewed?

Traceability and record integrity

  • Can the supplier demonstrate traceability from the released product back to raw materials and process records?
  • Are records legible, attributable, contemporaneous, original, accurate (ALCOA-style principles)?

Sub-supplier controls

  • Does the supplier control its critical sub-suppliers and outsourced steps?
  • Are sub-supplier changes visible to you?

MDR readiness signals

  • If a Notified Body asked tomorrow, could you demonstrate sufficient supplier control?
  • Could your supplier site be included in surveillance or unannounced audits if needed?

As part of strengthening your supplier oversight strategy, our guide Things to Check Before Signing with a New Manufacturer outlines the critical quality, compliance, and risk factors to evaluate before entering into any new supplier agreement.

Common pitfalls when combining MDR and ISO 13485 supplier audits

Even with a well-structured audit plan, certain recurring mistakes can weaken the effectiveness of a combined MDR and ISO 13485 supplier audit and expose your organization to unnecessary regulatory and compliance risk.

  • Treating the audit as a “supplier-only” exercise: your combined audit must also prove your purchasing controls and monitoring system are effective.
  • Weak change control and weak notification requirements: this is one of the fastest ways to fall out of compliance because changes can invalidate assumptions in technical documentation and validation.
  • Not aligning audit depth with supplier risk: MDR explicitly supports deeper supplier auditing when finished device conformity is significantly influenced by supplier activity and control is insufficient.
  • Reporting without clear objective evidence: combined audits must be inspection-ready. Vague findings do not help you during a Notified Body or authority review.

For a deeper understanding of how to confirm the validity of a supplier’s certification, read our guide on How to Verify an ISO Certified Company: Practical Verification Steps.

AMREP: Smarter Supplier Audits for Stronger Regulatory Control

A combined MDR 2017/745 and ISO 13485 supplier audit is not about making audits longer. It is about making them smarter:

  • Define supplier criticality and scope based on risk
  • Audit the supplier’s capability and your control of the supplier
  • Focus on change control, validation, traceability, and verification evidence
  • Produce one report that clearly demonstrates compliance under both frameworks

When you do this consistently, your supplier program becomes a compliance asset, not a firefighting function.

At AMREP Inspect, our Supplier and Production Audit Services are designed to help medical device manufacturers implement structured, risk-based audit programs aligned with both MDR and ISO 13485 requirements. From critical supplier assessments to comprehensive audit reporting and corrective action follow-up, we ensure that supplier oversight is not only compliant, but strategically resilient.

In an increasingly regulated and scrutinized environment, strong supplier audits are no longer optional. They are the foundation of regulatory confidence, product integrity, and long-term operational stability.
