Yes, starting February 2, 2026, the FDA can review internal audits for medical device manufacturers. For pharmaceutical companies, the FDA maintains a policy of not reviewing internal quality assurance audit reports during routine inspections, though several critical exceptions exist where the FDA gains full access.
The Quality Management System Regulation (QMSR) eliminates the protection that medical device manufacturers previously enjoyed under 21 CFR 820.180(c). This regulation removes all exemptions for management review reports, internal quality audit reports, and supplier audit reports. Under the former Quality System Regulation (QSR), companies could refuse to show these documents during FDA inspections. That protection no longer exists for medical devices.
For pharmaceutical manufacturers operating under 21 CFR Parts 210 and 211, the FDA’s Compliance Policy Guide (CPG) Sec. 130.300 still provides some protection. However, this protection vanishes the moment the FDA launches a for-cause inspection, litigation, grand jury subpoena, or judicial search warrant.
According to FDA inspection data, over 60% of warning letters issued to medical device companies cite CAPA (Corrective and Preventive Action) failures—the exact issues internal audits are designed to identify and correct.
In this article, you will learn:
🔍 Which FDA regulations govern internal audit access and when your audits become exposed to inspectors
⚖️ How to use attorney-client privilege and work-product doctrine to shield sensitive audit findings from disclosure
📋 The three specific scenarios where even pharmaceutical companies must hand over internal audit reports to the FDA
🛡️ Step-by-step strategies to document audits in ways that satisfy regulators without creating “inspection roadmaps”
❌ The common mistakes that companies make—like refusing to show any records—that result in brutal multi-day inspections and dozens of Form 483 observations
Understanding the Regulatory Framework for Internal Audits
Federal Regulations Governing Internal Audit Access
The FDA’s authority to access internal audits depends on what type of company you operate and what products you manufacture. Three main regulatory frameworks apply.
Medical Device Manufacturers (21 CFR Part 820/QMSR)
Medical device manufacturers face the most significant change in FDA access authority. The new QMSR, published in the Federal Register on February 2, 2024, incorporates ISO 13485:2016 by reference. This means FDA inspectors now have the same access to internal records that European Notified Bodies and MDSAP (Medical Device Single Audit Program) auditors already receive.
| Document Type | Access Under Former QSR | Access Under QMSR (Feb 2, 2026) |
|---|---|---|
| Management Review Minutes | Exempt from inspection | Fully accessible to FDA |
| Internal Quality Audit Reports | Exempt from inspection | Fully accessible to FDA |
| Supplier Audit Reports | Exempt from inspection | Fully accessible to FDA |
| CAPA Records | Always accessible | Always accessible |
| Complaint Files | Always accessible | Always accessible |
The FDA’s formal response to industry comments explained that since manufacturers already provide these documents to other regulatory authorities, making them available to FDA inspectors creates no additional burden. Companies that sell products in multiple countries already maintain these records for auditors from Canada, Australia, Brazil, and Japan.
Pharmaceutical Manufacturers (21 CFR Parts 210 and 211)
The Current Good Manufacturing Practice (CGMP) regulations for finished pharmaceuticals take a different approach to internal audits. The FDA’s policy under CPG Sec. 130.300 states that during routine inspections, the agency “will not review or copy reports and records that result from audits and inspections of the written quality assurance program.”
However, this protection has critical limits. Any corrective action documentation resulting from an internal audit must be retained and made available to the FDA. If your internal audit finds a problem with a mixing step and you change your mixing time, all affected procedures and master production records must reflect those changes—and those records are fully accessible.
Clinical Trial Sponsors and Sites (21 CFR Parts 312 and 812)
Clinical trial audits operate under GCP (Good Clinical Practice) standards. The FDA performs BIMO (Bioresearch Monitoring) inspections that verify the reliability and integrity of clinical research data. During these inspections, the FDA examines:
- Trial Master Files (TMFs)
- Informed consent documentation
- Protocol deviation records
- Adverse event reports
- Source documentation verification
The Three Scenarios Where FDA Gains Full Access to Internal Audits
Even for pharmaceutical companies that retain some protection, there are three categories of circumstances where internal audit reports become fully accessible to the FDA.
Scenario 1: For-Cause and Directed Inspections
| Trigger | FDA Response | Audit Access Level |
|---|---|---|
| Product recall | For-cause inspection | Full access to related audits |
| Consumer complaint pattern | Directed inspection | Full access to relevant audits |
| Outbreak investigation | Emergency inspection | Full access to all audits |
| Whistleblower report | For-cause inspection | Full access to implicated audits |
For-cause inspections are triggered when the FDA has reason to believe that a facility has quality problems. The routine inspection protections do not apply. The FDA may request—and is entitled to receive—any internal audit reports relevant to the investigation.
Example: A biologics manufacturer receives multiple complaints about particulate matter in injectable vials. The FDA initiates a for-cause inspection. The Quality Unit had previously identified particulate contamination concerns in an internal audit but failed to open a CAPA. The FDA requests all internal audit reports related to contamination control. The company must comply.
Scenario 2: Litigation and Legal Proceedings
When civil or criminal litigation begins, internal audits become discoverable. This includes:
- Grand jury subpoenas
- Discovery requests in civil litigation
- Department of Justice law enforcement activity
- Administrative regulatory actions
The FDA Regulatory Procedures Manual explains that DOJ attorneys coordinate with FDA personnel to gather evidence. When the government seeks civil or criminal penalties, your internal audit reports can—and will—be subpoenaed.
Scenario 3: Inspection Warrants and Search Warrants
When the FDA executes judicial search warrants, inspectors can access and copy any records authorized by the warrant. This typically happens when:
- A company refuses entry to FDA investigators
- Criminal activity is suspected
- Consent-based inspections have been obstructed
Important: FDA inspections are warrantless searches because pharmaceutical and medical device manufacturing are “pervasively and extensively regulated industries.” The FDA can enter during business hours without an invitation—and anything they find can be used against you.
Protecting Internal Audits: Legal Privilege Strategies
Attorney-Client Privilege
The attorney-client privilege protects communications between a company and its legal counsel when seeking legal advice. For internal audits to qualify for this protection, the audit must be conducted—or supervised—by attorneys for the purpose of providing legal advice.
The D.C. Circuit’s landmark decision in In re Kellogg Brown & Root, Inc. established the “significant purpose” test. If obtaining or providing legal advice was one of the significant purposes of the internal investigation, the attorney-client privilege applies—even if:
- The investigation was conducted by in-house counsel rather than outside lawyers
- Non-attorneys conducted interviews under attorney supervision
- The investigation was mandated by regulation rather than purely voluntary
Steps to establish attorney-client privilege:
- Have the General Counsel issue a written memo defining the scope and legal purpose of the audit
- Ensure attorneys supervise all audit activities and review findings
- Communicate to employees that interviews are confidential and for the purpose of legal advice
- Label audit reports as “Attorney-Client Privileged” or “Prepared at Direction of Counsel”
- Limit distribution to those with a need to know
Work-Product Doctrine
The work-product doctrine protects documents prepared “in anticipation of litigation.” This protection covers attorneys’ mental impressions, conclusions, opinions, and legal theories.
For work-product protection to apply, documents must have been created “because of” the prospect of litigation—not merely in the ordinary course of business. The Sixth Circuit recently reaffirmed that internal investigation documents are protected when the company reasonably anticipated legal or regulatory action.
| Protection Type | Requirements | Strength |
|---|---|---|
| Attorney-Client Privilege | Communication with counsel for legal advice | Strong—nearly absolute |
| Work-Product Doctrine | Created in anticipation of litigation | Moderate—can be overcome with showing of substantial need |
| Self-Critical Analysis Privilege | Candid self-evaluation for safety improvement | Weak—most courts reject or severely limit |
Self-Critical Analysis Privilege
The self-critical analysis privilege theoretically protects evaluative analyses that take a critical look at company products or processes. Courts created this privilege to encourage candid self-criticism without fear that honest assessments would become litigation roadmaps.
However, this privilege has significant limitations:
- Most federal courts refuse to apply it to drug and medical device manufacturers
- Neither Congress nor the FDA has exempted product-safety analyses from public disclosure
- The Freedom of Information Act (FOIA) creates additional disclosure obligations
- Courts apply the privilege inconsistently on a case-by-case basis
Arizona is one of the few states that has codified a self-critical analysis privilege through legislation. Most states do not provide statutory protection.
Best Practices for Writing Audit Reports
Given FDA’s expanded access to internal audits, how you write your audit reports matters enormously. Quality professionals recommend specific documentation practices that satisfy regulatory requirements without creating unnecessary risk.
Do’s and Don’ts for Audit Documentation
Do’s:
- Stick to objective facts. Document what you observed, not what you think it means. “Temperature log showed reading of 28°C at 14:32” is better than “Temperature was dangerously high.”
- Reference specific regulatory clauses. Tie each finding to the applicable regulation or standard. This demonstrates systematic auditing and helps prioritize corrective actions.
- Use controlled templates. Structured templates ensure consistency and demonstrate that audits follow established procedures. Reference ISO 13485 clauses or 21 CFR sections in your template.
- Have multiple reviewers examine reports. Different perspectives from the management team help ensure documents are well-written and clear—especially to FDA inspectors.
- Document when areas were not covered. If you didn’t cover a topic, write a justification, indicate when it was last covered, and document when it will be covered in the future.
Don’ts:
- Don’t write inflammatory or opinionated statements. “Management doesn’t care about quality” creates liability. “No documented management review of quality metrics found” states a fact.
- Don’t hide problems from your own records. Companies that purposely avoid opening CAPAs from audits face worse consequences when FDA asks, “Why don’t you have any CAPAs from audits?”
- Don’t use vague language. “Things looked okay” tells no one anything. Specific observations support defensible positions.
- Don’t include personal attacks on employees. Focus on process failures, not people failures.
- Don’t delay corrective actions. An audit finding sitting without action for months raises questions about management commitment to quality.
What FDA Inspectors Actually Look For
The QSIT Inspection Model (Being Retired)
The FDA’s Quality System Inspection Technique (QSIT) has served as the inspection manual since 1996. It focuses on four major subsystems:
- Management Controls
- Design Controls
- Corrective and Preventive Actions (CAPA)
- Production and Process Controls
The QSIT will be officially withdrawn on February 2, 2026, when the QMSR becomes effective. The new inspection approach will emphasize risk-based, systems-level evaluation rather than checklist-based reviews.
How FDA Connects Audits to Other Records
Even when internal audit reports are exempt, FDA investigators can access the underlying issues through related records. Inspectors commonly ask:
| Inspector Request | What They’re Really Looking For |
|---|---|
| “May I see all CAPAs resulting from audits?” | Evidence that audits drive improvement |
| “What’s your threshold for taking corrective action?” | Whether you respond appropriately to problems |
| “May I see your procedure for management reviews?” | Whether leadership engages with quality data |
| “Could I have a copy of the agenda and attendees?” | Whether the right people participate |
| “Show me the scrap trend analysis from your last review” | Whether you’re tracking meaningful metrics |
One quality manager reported that when he refused to let an FDA inspector see management review minutes, the inspector conducted a “brutal 3-day inspection” with numerous 483 observations. Twelve months later, when the same inspector returned for a compliance follow-up and the manager agreed to share the documents, the inspector took it easy, as if to show the manager that he could find problems if he wanted to but chose not to because of the cooperation.
Common Mistakes to Avoid
Mistake 1: Believing “The FDA Can’t See That”
The most dangerous phrase a quality professional can hear is “the FDA can’t see that.” This mentality fails every time. Here’s why:
- Inspectors can reach audit issues through CAPA requests
- Failing to open CAPAs from audits raises immediate red flags
- Evasiveness triggers more intensive scrutiny
- The protection only applies during routine inspections
Consequence: Companies that hide everything often face the worst inspection outcomes. Inspectors become suspicious and dig deeper.
Mistake 2: Not Opening CAPAs from Audit Findings
Some companies purposely avoid opening CAPAs from audits to prevent FDA access to related documentation. This creates a much bigger problem: the FDA will ask why you have no CAPAs from audits or management reviews.
Consequence: This demonstrates that either (a) your audits never find anything worth correcting, or (b) you’re not taking corrective action on known problems. Both answers damage credibility.
Mistake 3: Writing Inflammatory Audit Reports
Internal audits should encourage candid self-assessment. But stating opinions rather than facts creates liability. “The cleaning validation is completely inadequate and shows management’s disregard for patient safety” is an opinion. “Cleaning validation documentation for Equipment #12 was not available for review” is a fact.
Consequence: Inflammatory statements become plaintiff exhibits in product liability cases and FDA enforcement actions.
Mistake 4: Relying Solely on Self-Critical Analysis Privilege
Many companies assume their internal audits are automatically protected by the self-critical analysis privilege. This privilege has been severely limited or rejected by most courts.
Consequence: Documents you thought were privileged become accessible during litigation discovery.
Mistake 5: Failing to Connect Audit Findings to Risk Management
FDA inspectors look for correlation among CAPA, complaint handling, non-conformance, and audit procedures. They want to see that linked procedures “talk to each other” and that risk management informs decision-making.
Consequence: Disconnected systems suggest the company doesn’t understand its own quality risks.
Industry-Specific Considerations
Medical Device Companies
Medical device manufacturers face the most significant change under the QMSR effective February 2, 2026. Companies must prepare for FDA review of:
- All management review records including meeting minutes, decisions, and action items
- All internal audit records including findings and methodologies
- All supplier audit records including reports, corrective actions, and evaluations
Industry attorneys warn that internal audits may be “some of the first things that the FDA may ask about when they walk in the door.”
Pharmaceutical Manufacturers
Pharmaceutical companies retain CPG 130.300 protection during routine inspections, but must understand that:
- For-cause inspections eliminate this protection
- Litigation discovery eliminates this protection
- Corrective action documentation from audits is always accessible
- Grand jury subpoenas override all routine protections
FDA can request written certification that audits have been implemented, performed, and documented, and that required corrective action has been undertaken.
Clinical Trial Sponsors
Clinical trial sponsors must maintain comprehensive audit trails and be prepared for BIMO inspections that verify:
- Protocol compliance
- Data integrity
- Informed consent documentation
- Adverse event reporting
- Investigational product accountability
Internal audits at clinical sites evaluate adherence to clinical protocol, regulatory and ethical standards, and data integrity.
Food Facilities
Food manufacturing facilities face routine and targeted inspections under the FDA Food Safety Modernization Act (FSMA). Domestic high-risk facilities must be inspected at least once every three years; non-high-risk facilities every five years.
Internal audits help identify compliance gaps before FDA investigators arrive. Audit findings that lead to recalls or corrective actions become accessible during follow-up inspections.
Biologics Manufacturers
Biologics drug product inspections follow the compliance program guidance that includes review of:
- Product recall records
- Product deviation reports
- Complaints and out-of-specification results
- Rejects and failure investigations
The FDA’s biologics inspection approach requires verification that the firm “routinely reviews records pertinent to the manufacture of lots or units prior to their release or distribution.”
State-Specific Nuances
California
California’s Confidentiality of Medical Information Act (CMIA) defines strict requirements for medical information confidentiality. However, the CMIA allows a “private or public body responsible for licensing or accrediting” a healthcare provider to review medical information, though disclosure is limited to “review” and no patient-identified information may be removed.
California has also enacted CCPA cybersecurity audit regulations requiring annual cybersecurity audits for certain businesses, effective January 1, 2026.
Texas
Texas maintains the Texas Internal Auditing Act requiring state agencies to implement internal auditing programs. Internal audit reports submitted to the State Auditor’s Office “are presumed to be public information unless they are specifically marked as confidential.”
New York
New York’s internal control standards for state government require systems to prevent loss of funds, establish standards of performance, ensure compliance with laws, and preserve integrity. The Public Authorities Law § 2932 requires covered authorities to determine whether internal audit functions are needed based on risk exposure.
Preparing for FDA Inspections: A Practical Guide
Before the Inspection
- Conduct mock FDA inspections. Simulate real-life inspection experiences to assess preparedness and highlight gaps requiring immediate correction.
- Organize documentation. Have all records organized and accessible with a designated location where FDA will review and copy documents.
- Review latest guidance documents. FDA expectations evolve. Current compliance program guidance and inspection procedures should be understood by all quality personnel.
- Develop a good relationship with FDA counsel. Working with experienced regulatory counsel before inspections occur helps companies understand their rights and obligations.
During the Inspection
When FDA inspectors arrive, they will present credentials and a Notice of Inspection (FDA Form 482). Best practices include:
| Action | Purpose |
|---|---|
| Verify inspector credentials | Confirm authority and scope |
| Clarify inspection scope | Understand what areas will be reviewed |
| Assign an escort | Maintain awareness of inspector activities |
| Log all questions and responses | Create accurate record of inspection |
| Answer questions with facts | Avoid speculation or opinions |
| Communicate with team in real-time | Keep appropriate personnel informed |
After the Inspection
The FDA classifies each inspection into one of three categories:
- No Action Indicated (NAI): No objectionable conditions found
- Voluntary Action Indicated (VAI): Objectionable conditions found but no regulatory action recommended
- Official Action Indicated (OAI): Regulatory or administrative actions will be recommended
If you receive a Form 483, respond within 15 working days with a written response addressing corrective actions.
Pros and Cons of the New FDA Access Rules
Pros of FDA Access to Internal Audits
- Harmonization with international standards. Medical device companies already provide these documents to other regulatory authorities. Single documentation systems reduce administrative burden.
- Encourages proactive quality management. When audits are inspection-ready, companies maintain higher day-to-day standards.
- Eliminates hide-and-seek mentality. Companies no longer waste resources trying to hide problems from regulators while addressing them internally.
- FDA can assess corrective action effectiveness. Inspectors can verify that companies actually address audit findings rather than just documenting problems.
- Levels the playing field. Companies selling globally already disclose these records; domestic-only manufacturers gain no unfair advantage.
Cons of FDA Access to Internal Audits
- Chilling effect on candid assessments. Quality professionals may become reluctant to report “dirty laundry” in documents available to regulators.
- Audits shift from learning tools to inspection roadmaps. Internal audits may no longer encourage the candid self-improvement they were designed to foster.
- Increased documentation burden. Audit reports must be written with FDA review in mind, requiring additional training and care.
- Potential liability exposure. Candid audit findings can become evidence in product liability litigation and enforcement actions.
- Behavior changes may undermine quality culture. If people don’t feel safe being honest, internal audits may stop finding weaknesses early.
Real-World Scenarios
Scenario A: Medical Device Company Post-QMSR
Situation: A medical device manufacturer’s internal audit identifies inadequate software validation for a SaMD (Software as a Medical Device) product. The audit report documents the finding with specific references to ISO 62304 gaps.
| Audit Finding | CAPA Response | FDA Inspection Outcome |
|---|---|---|
| Software validation gaps documented | CAPA opened, root cause analysis performed, validation completed | FDA reviews audit, sees timely CAPA, confirms effectiveness, NAI classification |
Key takeaway: When the company treats audit findings seriously and documents thorough corrective actions, FDA access to the audit report supports a favorable inspection outcome.
Scenario B: Pharmaceutical Company For-Cause Inspection
Situation: A pharmaceutical company receives multiple complaints about off-color tablets. The FDA initiates a for-cause inspection. An internal audit six months earlier had identified environmental monitoring gaps in the coating area.
| Audit Finding | Company Action | FDA Inspection Outcome |
|---|---|---|
| Environmental monitoring gaps identified | No CAPA opened; finding noted but not acted upon | FDA requests internal audits under for-cause authority, discovers unaddressed finding, OAI classification with warning letter |
Key takeaway: CPG 130.300 protection does not apply during for-cause inspections. Unaddressed audit findings become evidence of systematic compliance failures.
Scenario C: Privileged Internal Investigation
Situation: A biologics manufacturer’s General Counsel initiates an attorney-supervised investigation after receiving whistleblower allegations about data integrity. The investigation is documented as privileged attorney work product prepared in anticipation of litigation.
| Investigation Element | Privilege Protection | Accessibility |
|---|---|---|
| Attorney memo defining scope | Attorney-client privilege | Protected |
| Interview notes under attorney supervision | Attorney-client privilege | Protected |
| Factual findings memorandum | Work-product doctrine | Protected (absent substantial need) |
| Corrective action implementation records | Not privileged | Fully accessible to FDA |
Key takeaway: While the investigation itself may be privileged, corrective actions taken as a result remain accessible. The Sixth Circuit’s FirstEnergy decision reaffirms these protections when counsel is retained to provide legal advice in anticipation of litigation.
FAQs
Can the FDA review internal audit reports during a routine inspection of my medical device company?
Yes. As of February 2, 2026, the QMSR eliminates exemptions for internal audit reports. FDA inspectors have full access to management reviews, quality audits, and supplier audits during medical device inspections.
Can the FDA review my pharmaceutical company’s internal audit reports?
No (during routine inspections). CPG Sec. 130.300 protects pharmaceutical audit reports during routine inspections. However, this protection does not apply during for-cause inspections, litigation, or when executing judicial warrants.
Does the FDA have access to corrective actions resulting from internal audits?
Yes. Even when audit reports are protected, all corrective action documentation must be retained and is fully accessible to FDA inspectors during any inspection type.
Can I refuse to show the FDA my internal audit reports?
No (for medical devices after QMSR). Conditionally yes (for pharmaceuticals during routine inspections). For medical devices, refusal may constitute obstruction. For pharmaceuticals, you may politely inform the inspector of CPG 130.300.
Will attorney-client privilege protect my internal audits from FDA disclosure?
Potentially yes. If audits are conducted under attorney supervision for the purpose of legal advice, privilege may apply. The “significant purpose” test requires that obtaining legal advice was one significant purpose of the audit.
Does work-product doctrine protect internal audit documents?
Potentially yes. Documents prepared “in anticipation of litigation” may qualify. However, documents prepared in the ordinary course of business—regardless of legal involvement—typically do not receive protection.
Will the self-critical analysis privilege protect my internal audits?
Unlikely. Most federal courts severely limit or reject this privilege for regulated industries. Neither Congress nor FDA has exempted product-safety analyses from disclosure requirements.
Can the FDA use my internal audit findings against me in enforcement actions?
Yes. Any documents the FDA obtains during inspections can be used in warning letters, consent decrees, seizures, injunctions, and criminal prosecutions.
Should I stop documenting audit findings to avoid FDA scrutiny?
No. Failure to conduct meaningful audits or document findings violates quality system requirements. Companies without documented CAPAs from audits face worse inspection outcomes than those who find and fix problems.
Does my ISO 13485 certification mean I comply with FDA requirements?
No. FDA does not recognize ISO 13485 certification as equivalent to FDA QSR/QMSR compliance. ISO certification does not satisfy FDA regulatory requirements for market access.
Can FDA inspectors ask about findings from our ISO audits?
Yes. While the formal ISO audit report may not be specifically requested, FDA inspectors can ask about observations noted during any third-party audit and what corrective actions were taken.
How far back can the FDA request internal audit records?
It varies. Record retention requirements depend on the regulation. Medical device manufacturers must retain records for the expected life of the device but not less than two years from commercial distribution.
What happens if my internal audit finds no problems?
Document it carefully. Audits that consistently find no issues may indicate the audit program lacks rigor. Document the scope, methodology, and specific items reviewed to support the conclusion.
Can I limit what my auditors put in writing?
To a point. You can train auditors to document objective facts rather than opinions. However, deliberately omitting findings to avoid documentation creates greater compliance risk than transparent documentation.
Should I involve legal counsel in routine internal audits?
It depends. For routine quality audits, attorney involvement may not be practical or necessary. For investigations into potential violations or when litigation is anticipated, attorney supervision strengthens privilege claims.