Your QMS Has Gaps. Who Will Find Them First?

Internal audit services for small medical device manufacturers, built around an 80/20 approach backed by regulatory data, not auditor preference.

QA/RA Solutions | Darrin Carlson, Founder & Principal | darrin@qarasolutions.com


The audit you’ve been putting off could be the most important one you’ve ever done.

Let’s be honest, most internal audits are terrible.

Two-thirds of medical device companies treat them as check-the-box exercises. The audit gets scheduled. The report gets filed. But nothing really changes.

And when a regulator shows up, those same companies find out the hard way exactly what their internal audit missed.

Here’s what that looks like in practice:

  • A Form 483 observation your auditor walked right past
  • A remediation process that costs 10x what an effective audit would have
  • Leadership asking why no one noticed this sooner

The fear is real. And if you’ve ever been asked “are we ready for an inspection?” and felt your stomach drop, you already know it.


What it could look like instead.

Imagine walking into your next audit (FDA, Notified Body, MDSAP, ISO registrar) feeling confident about the outcome.

Not because you swept everything under the rug.

But because you already found the problems and are addressing them proactively.

  • You know which parts of your QMS are solid
  • Your CAPA log reflects real improvements, not compliance theater
  • Leadership supports a culture of quality

That’s what a properly-conducted internal audit delivers.


What most companies try instead… and why it doesn’t work.

Option 1: Employees audit each other.

The most common approach. Also the most limited.

Your people know the internal procedures and follow them carefully. But they rarely ask whether the procedure itself is lacking, because that’s not their job, they weren’t trained for it, and nobody wants to find a problem they’ll have to fix themselves.

The result: an audit that confirms compliance with your own system, whether or not your system is any good. Maybe a few minor typos get corrected. Maybe.

Option 2: The same consultant every year.

Familiarity feels safe. But it’s also the enemy of real improvement.

The auditor who missed that big gap last year tends to miss it again this year. The same issues get carried forward. You’re not really being challenged. Instead, you’re getting too comfortable.

Option 3: Skip it and hope.

More common than anyone admits. Especially at small companies where the QA team is already stretched thin and the audit keeps getting bumped by 109 other things.

Until a regulator shows up. Then it’s a rush job.


There’s a different way to do this.

The vital few things most likely to get you in trouble with regulators are knowable in advance.

FDA publishes its Form 483 observations. The recall database is public. Notified Body audit findings and MDSAP nonconformities follow the same underlying risk logic. If you actually read that data (and organize it with 80/20 thinking) the picture becomes clear quickly.

Most internal audits don’t use any of that data. They use generic forms. They check boxes.

I use a risk-based methodology.

ISO 13485 requires a risk-based approach to QMS processes. Most auditors triage findings subjectively (major, minor, OFI) based on personal judgment and habit.

I don’t.

Every finding is evaluated against two objective criteria drawn from public regulatory data, giving an overall risk rating of high, moderate, or low that you can use to prioritize the most important improvements:

  • Occurrence: How often does this type of issue appear in FDA Form 483 observations?
  • Severity: Does this type of issue directly drive product recalls?

This is more objective than a subjective major/minor call. It lines up with how ISO 13485 expects you to think about risk. And it tells you exactly what a real regulator is most likely to care about when they show up.


I do my homework before day one.

Most auditors show up and start requesting records at random.

Not me.

I come in on day one with a strategy. I already know which risk areas are most relevant to your device type. I already know what’s been showing up in the field for products like yours. I’m not blindly pulling records to fill a checklist. I’m targeting the areas most likely to reveal something worth finding.

That’s part of what makes the sessions efficient. The groundwork is already done.


I also use AI more extensively than any auditor you’ve worked with.

This is more than a buzzword. It fundamentally changes what you get.

In our sessions: AI transcription runs throughout every call. That means our time together is a real back-and-forth. Not me asking you to scroll through documents while I type. You give me context. I ask targeted questions. The AI handles the notes so nothing gets lost and I can focus entirely on you.

In my document review: I use AI to triage and cross-reference your QMS documentation independently, between sessions. This lets me go significantly deeper than a conventional audit in less time, without pulling your team into the weeds. Issues I find in documents, I bring to you directly in our next session.

In the report: AI assists with drafting, so your report comes back faster and reads like something written for humans, not something to be filed and forgotten.

The result: more depth, less of your time, better output.

Your team doesn’t sit there watching me take notes. They don’t scroll on command. They show up, answer focused questions from an auditor who already did the homework, and leave. I do the rest.


“But I’m worried about…”

We’re already stretched thin. How much time will this realistically take?

Less than you’re used to. One recent client completed their full internal audit in under ten hours of total team time. The whole point of my approach is that I do the heavy lifting independently. Your team shows up for focused conversations, not marathon documentation sessions.

We’ve hired consultants before and they didn’t find much.

That’s exactly why I built the 80/20 methodology. If an auditor isn’t finding anything, one of two things is true: your QMS is genuinely excellent, or they’re not looking in the right places. Real regulatory data tells me where to look. I also challenge the procedure itself, not just whether your team is following it.

My QMS documents are confidential. Is it safe to use AI tools with them?

Yes. I use AI tools with learning and data-retention features disabled. Your documentation is not used to train any model, retained by any third party, or shared outside the audit. Confidentiality is explicit in every engagement.


How it works.

1. Pre-audit research: Before you send me a single document, I’ve already reviewed your device, your public-facing materials, your FDA registration and listing, and the adverse event and recall landscape for your product category. I come in with a strategy, not a blank checklist.

2. Documentation review: You share your QMS documentation electronically. I review it independently (and thoroughly) on my time, not yours.

3. Audit sessions: We meet virtually once per day over three to six weeks, depending on scope. Sessions are focused and efficient. AI transcription runs throughout. Most clients find them surprisingly low-friction.

4. Findings discussions: Issues I identify during document review get surfaced in our sessions. You bring context. I bring the data. We resolve questions in real time.

5. Written audit report: Delivered within one business day of the closing meeting. Includes findings, conclusions, a conformity statement, and risk-prioritized recommendations. Written to be acted on, not filed away.


What you walk away with.

  • A complete internal audit against all applicable requirements — with every finding ranked by how much your regulators actually care about it
  • A written audit report delivered within 1 business day, written for humans, not regulatory robots
  • An outside perspective that challenges your procedures — not just whether your team is following them
  • More of your team’s time back — because the heavy lifting happens without them in the room

What clients have said.

“Darrin’s meticulous approach and deep expertise were instrumental in navigating our challenges. Thanks to his intervention, we now have a clearer understanding of our internal processes and a robust framework for future growth.”

Jeremy Ward, Vice President of Operations, Enova Illumination


“The audit was completed in two sessions, totaling less than two hours of our team’s time. This modern approach significantly optimized the time our team spent on the audit. Darrin demonstrated a high level of professionalism and expertise in both ISO 13485:2016 and EU MDR.”

Juha Hämäläinen, Quality Manager, Thermidas Oy


“Working with Darrin was a breeze. He was able to perform the vast majority of the audit independently. His use of an AI software assistant during our calls made the process even smoother. He was able to focus on our discussion and not just note-taking.”

Michael Bocchinfuso, Director of Regulatory Compliance & Quality, Koios Medical


The Year-and-a-Day Guarantee

I know my approach is different. I know there’s always a cost to switching from whatever you’ve been doing.

So here’s how I remove that risk entirely.

If at any point within one year and one day after the audit closes you decide you didn’t get your money’s worth, for any reason, let me know and I’ll refund you in full.

No negotiation. No fine print.

That window exists for a reason: it gives you time for an external auditor, a Notified Body, or an FDA investigator to come in after me and see what I found, and what I didn’t. If they discover something blatant that I missed, that’s on me.

I stand behind this because I’m confident in the methodology. And I want the only decision you’re making here to be whether this is the right time, not whether it’s worth the risk.


Pricing

Audit Scope                               Price
ISO 13485:2016 — Full Internal Audit      $5,000
+ FDA CFR Title 21 / MDSAP                + $1,000
+ EU MDR 2017/745                         + $1,000

ISO 13485 is the foundation of every engagement. FDA/MDSAP and EU MDR coverage can be added independently or together.

A note on pricing: These rates have been increasing to meet demand, and I expect that to continue. What you see here is the current rate. It won’t stay here.


Here’s what it costs you not to do this.

Regulators don’t announce unannounced inspections. Notified Bodies schedule surveillance audits on their timeline, not yours. MDSAP covers five regulatory authorities in a single audit cycle.

The same data I use to prioritize findings is exactly what tells you where inspectors are trained to focus. The difference between a clean audit and a significant finding is almost never bad luck. It’s usually a gap that someone could have caught (and didn’t).

The cost of a Form 483 or a major Notified Body nonconformity isn’t just the remediation work. It’s also leadership scrutiny, follow-up inspections, potential consent decrees, shipment holds, CE mark jeopardy, and the time your team spends on it instead of everything else they were supposed to be doing.

Against that, a properly conducted internal audit is the cheapest insurance you’ll buy this year. And it’s the only one that comes with a full refund if it doesn’t deliver.


Ready to move forward?

The best next step is a short call with me.

I’ll want to learn about your QMS, your audit history, and what you’re trying to accomplish. That lets me scope the engagement properly and make sure we’re a good fit.

Email darrin@qarasolutions.com, or reply to this proposal directly.

Or just let me know how you’d like to proceed. We can sort the details from there.


QA/RA Solutions | darrin@qarasolutions.com