Much ado about nothing? Or a wake-up call for medical device manufacturers? As the FDA's new Quality Management System Regulation (QMSR) approaches its effective date of February 2, 2026, one change sparking heated debate is the agency's expanded access to internal audit reports and management reviews. While these have long been fair game under existing regulations, FDA policy historically shielded them from routine inspections. Now, with QMSR harmonizing the Quality System Regulation (QSR) with ISO 13485:2016, that discretion ends – and the implications could pack more punch than many realize.

Let's be clear: FDA investigators have never truly needed your audit reports or management reviews to spot noncompliance. A deep dive into your procedures, data, and records has always sufficed to uncover QSR deviations. Historically, FDA-483 observations related to audits were narrow, focusing on missing audits or procedural gaps, comprising just 5.8% of findings in recent fiscal years. Management reviews do not register in the top 10 observations. Warning Letters rarely stemmed from these alone – unless paired with repeat offenses. Instead, the heavy hitters have been CAPA (Corrective and Preventive Action) failures, accounting for about 25% of observations and providing solid grounds for enforcement.

So, why the fuss over this shift?

The FDA doesn't demand perfection; it expects a robust system that identifies, prevents, and corrects quality issues – with "identification" at the core. Under QMSR, exposing audit reports lets investigators scrutinize your program's effectiveness head-on. No longer limited to SOP reviews or indirect glimpses via nonconformances and CAPAs, they can now cross-check audit comprehensiveness against their own findings. They'll probe risk assessments for audit observations and evaluate your responses (or lack thereof) based on that risk.

Management reviews face similar exposure. The QSR and QMSR emphasize executive accountability, but past inspections relied on procedural evidence and certifications. Now, with access to meeting minutes, FDA can verify what was actually presented – proving management knew about QMS health and performance. This erodes "plausible deniability" and reveals whether reviews are substantive or superficial box-checking.

Imagine future FDA-483 observations like these (fictional but plausible):

• 
  

  Internal audits overlooked failures in the XXX process 120 days prior to multiple nonconformances and CAPAs triggered by XYZ issues.

• Audit findings rated as "minor" prompted no CAPA, yet pre-audit nonconformances showed XXX events leading to XYZ lot failures.

• Management review ignored an adverse trend in late MDR (Medical Device Reporting) by the Quality unit, with no CAPA initiated.

• Failed process validations were flagged in the XYZ management review, including requests for validation engineering resources. As of XXX, no resources were allocated, and three protocols have failed since.

Such pointed citations could elevate once-mild observations to Warning Letter material, directly tying deficiencies to audit rigor, oversight lapses, and executive inaction.

What should you do to prepare?

• Audit your audit program: Scrutinize how findings are risk-ranked and actioned. Ensure decisions are defensible, consistent, and documented transparently.

• Build auditor competencies: Train teams not just in auditing but in articulating findings and risks clearly – anticipate investigator scrutiny.

• Align audits with metrics: Cross-reference audit results against quality data to avoid discrepancies, like glowing audit scores amid troubling trends.

• Refine management reviews: Assess frequency – annual reviews won't cut it under enforcement like Warning Letters or Consent Decrees. Aim for timely reflections of QMS status.

• Elevate input quality: Guarantee data fed into reviews is comprehensive, actionable, and quality-focused, not diluted fluff.

• Reinforce executive buy-in: Reeducate leaders on their liabilities; require their review and sign-off on agendas and minutes.

• Track follow-through: Maintain meticulous records of post-review actions to prove commitment to continuous improvement.

  
  

As we edge closer to QMSR implementation, recent FDA webinars and guidance (e.g., the 2024 final rule and 2025 transition resources) underscore a focus on risk-based approaches and ISO alignment. Industry groups like AdvaMed have voiced concerns, but the agency maintains this enhances oversight without overreach. I'm intrigued to see how it plays out – are you ready?