ISO 13485 internal audits with Claude: from weeks to one day
Run a clause-by-clause ISO 13485 internal audit with Claude in a day, not a month. Copy-paste prompts for document control, CAPA, training, supplier management, and the final audit report.
Internal audits are the work every medical device quality manager dreads. Two weeks of evening hours opening one SOP at a time, cross-referencing clauses in the standard, scrolling event records to find the ones that didn't close cleanly, sampling training acknowledgments by hand, and then writing it all up. The audit is supposed to be a check on the QMS. In practice, it's the QMS checking you.
It doesn't have to work that way anymore. Connect Claude to ArvoDocs once, and an internal audit that used to be a two-week slog turns into a one-day workshop. The auditor types prompts in plain English. Claude reads every relevant record, cross-references across modules, and writes the findings. The auditor reviews and signs. The QMS itself is unchanged — the audit just got done faster, and the work that historically didn't get done at all (the cross-record gap analysis) actually gets done now.
Here's exactly what that looks like, clause by clause, with the prompts you can paste verbatim.
The 30-second setup
Before any of this works, ArvoDocs and Claude need to know about each other.
- • In ArvoDocs, go to Settings → MCP integration. Click "Generate token." Choose Read-only for an audit (you want the auditor reading, not writing).
- • Paste the token into Claude Desktop's
claude_desktop_config.json. Or, for claude.ai web, paste the server URL into Settings → Connectors and log in. - • Open a fresh Claude conversation. Say "list the document templates in my tenant." If you see your templates come back, you're done.
Total time: under five minutes the first time, under thirty seconds every time after.
Clause 4.2.4 — Document control (the audit's first hour)
The auditor's opening clause. Every QMS audit starts here because every other clause depends on it. The traditional approach: open the standard, open the QMS, walk every controlled document. Half a day, minimum.
With Claude, it's one prompt.
"Audit our compliance with ISO 13485 clause 4.2.4 Control of Documents. List every SOP that defines our document control process. For each one, give me the effective version, the last review date, and whether a periodic review is overdue. Then walk every effective document in our tenant and flag any that references another document that isn't in its effective version, has been retired, or is missing."
That single prompt does three audit jobs at once: (1) identifies the procedures that govern the clause, (2) verifies the procedures themselves are under control, (3) runs the cross-reference check that finds obsolete-document citations — one of the most common ISO findings, and one virtually nobody does manually because it's a half-day of grep work. The auditor reviews the findings, accepts the ones that hold, signs in the UI.
Clause 6.2 — Training (the gap nobody finds in time)
When an SOP revises, the people who use it must train on the new revision. The training-gap finding is one of the most frequent ISO findings — because the data is messy and nobody walks every revision by hand.
"For every SOP revised in the last 12 months, list the people whose training assignments included that document. Tell me who has acknowledged the new revision and who is still on the previous version. Group by role."
You now have, in one paragraph, the exact gap list — names, documents, dates. The auditor's job becomes deciding what severity each gap warrants. The data-gathering took fifteen seconds.
Clause 7.4 — Supplier qualification
Critical suppliers have to be qualified, re-evaluated on a schedule, and tracked against the quality events they cause.
"List every supplier classified as Critical or High risk. For each one, tell me when they were last re-evaluated, when the next re-evaluation is due, and which quality events in the last 12 months are linked to them. Flag any Critical supplier that is overdue for re-evaluation — that's an audit finding."
Two minutes of work. Going to traditional sources to get the same answer would mean opening every supplier record, cross-referencing the events module, comparing dates against the calendar. Nobody does this thoroughly unless there's an audit imminent. With Claude, you do it quarterly.
Clause 8.2.2 — Complaint handling
"List every customer complaint opened in the last 18 months. For each, give me the open date, the close date, the time to close, the root-cause method used, and whether the complaint led to a CAPA or a regulatory report. Highlight any complaint that took more than 30 days to close and any that was closed without a documented root cause."
The "closed without root cause" filter is the high-yield finding here. It's almost impossible to surface by manual sampling, and it's exactly what a notified-body auditor will ask about.
Clause 8.5.2 — Corrective action (the biggest target)
CAPA is the clause that consumes the most audit time, because every quality manager has lived through a finding on their CAPA process. It's also where Claude is most useful.
"Walk every CAPA closed in the last 12 months. For each, check whether: (1) a root cause was documented; (2) the corrective action addressed the root cause and not just the symptom; (3) effectiveness verification was completed and signed; (4) the CAPA was closed within its target due date. List each CAPA and the cells that pass or fail. Total the failures."
One prompt. Every CAPA, every check, every result. Historically this is the kind of analysis that gets done halfway during audit prep because there isn't time. Now it gets done in two minutes, every quarter.
And then, the prompt that turns Claude from auditor-assistant into analyst:
"From the failed CAPAs above, identify any patterns. Same root cause across multiple events? Same equipment? Same supplier? Same product family? If you see a pattern, draft a meta-CAPA finding — a single quality event that documents the systemic issue and recommends a process change rather than another point fix."
This is what notified body inspectors mean when they ask "what trends are you seeing?" Identifying patterns across dozens of records is hard for humans and easy for LLMs. You finally have the answer to the question that used to make the room go quiet.
Clause 8.4 — Data analysis (management review prep)
"Build a management review brief for the last quarter. Include: number of CAPAs opened and closed by template, time-to-close trend, customer complaints by product line, supplier nonconformances by risk class, documents past periodic review, and training completion rates. Flag any metric that has materially worsened versus the previous quarter."
Management review is the meeting where the QMS gets evaluated. The slide deck for it usually consumes a full day of the quality manager's time the week before. With this prompt, the data prep is sixty seconds; the quality manager's day goes back to writing the narrative — which is what should have been the work all along.
The audit report itself
"Draft the internal audit report from the findings we collected today. Cover: scope, methodology, clauses audited, records sampled, findings classified by severity (Major / Minor / OFI), and recommended actions. Use the structure of our internal audit report SOP — find it first if you need to."
Claude pulls the audit-report SOP from your QMS, uses it as the structural template, and fills the body from the findings the conversation has already generated. The auditor reviews, edits, approves in the UI with a re-authenticated signature. The report that historically takes a day takes half an hour.
What this looks like in calendar time
- • Day 1, 9–12: Clauses 4.2.4, 4.2.5, 6.2 — document control, records, training. Three prompts. Three hours including review.
- • Day 1, 1–5: Clauses 7.4, 8.2.2, 8.5.2 — suppliers, complaints, CAPA. Four prompts. The meatiest half of the audit, done in an afternoon.
- • Day 2, 9–11: Stakeholder interviews on the findings Claude surfaced. Interviews take their full time — but the questions are written and the evidence is already in hand.
- • Day 2, 11–3: Draft, review, and sign the report.
Two days instead of two weeks. And the findings are better, because the cross-record analysis that nobody had time for before now happens by default.
The line we hold
Claude doesn't sign the report. Doesn't approve the findings. Doesn't close the CAPAs. Every regulated state transition is a human in the UI with password re-authentication, per 21 CFR Part 11 and ISO 13485 clause 4.1.6. The MCP integration is structured so this line is enforced by design — the tools that would let an AI cross it aren't exposed to it.
You get the leverage of an AI that's read every record in your QMS and can summarize across it instantly. You keep the auditor's independence and judgment where they belong: with the auditor.
Run your next ISO 13485 internal audit in a day.
Free Starter plan, ISO 13485 compliance pack in one click, and AI integration included on every plan — connect Claude, ChatGPT, or Gemini in five minutes.
Start free →Frequently asked questions
How does Claude help with an ISO 13485 internal audit?
Once Claude is connected to your QMS through the Model Context Protocol (MCP), it can read every document, quality event, training record, and supplier file in your tenant on demand. The auditor types a one-sentence prompt — for example, 'walk every CAPA closed in the last 12 months and tell me which closed without a documented root cause' — and Claude returns the data with links back to every source record. The cross-record traversal work that used to take days happens in seconds.
Can AI replace an internal auditor for ISO 13485?
No — and ISO 19011 wouldn't let it. Auditor competence, independence, and judgment are foundational to a valid audit. Claude handles the parts that scale poorly with people: pulling every relevant SOP for a clause, cross-referencing records across modules, summarizing 18 months of CAPAs in a paragraph. The judgment about whether something is a minor nonconformity, a major, or an opportunity for improvement stays with the auditor. Think of Claude as the world's fastest junior auditor.
Is using AI on regulated quality records compliant with ISO 13485 and 21 CFR Part 11?
Yes, when the boundary is preserved. ArvoDocs' MCP server lets Claude read records and draft new ones, but the regulated state transitions — signing, approving, rejecting, making documents effective — are deliberately not exposed via MCP. Those still require a human in the UI with password re-authentication. Every MCP call lands in your tenant's tamper-evident audit trail with the user, tool, and timestamp. If your notified body asks 'what did the AI do,' you can answer it precisely.
Which ISO 13485 clauses get the most leverage from Claude?
The clauses that require cross-record traversal: 4.2.4 (document control), 4.2.5 (records), 6.2 (training), 7.4 (purchasing / supplier qualification), 8.2.2 (complaint handling), 8.5.2 (corrective action), 8.5.3 (preventive action), and 8.4 (data analysis / management review). All of them involve pulling records across multiple modules and checking they reference each other correctly — exactly the work AI is good at.
How long does an ISO 13485 internal audit take with Claude vs without?
Without AI, a thorough clause-by-clause internal audit on a 50-person medical device company is two to four weeks of a quality manager's calendar time. With Claude connected to your QMS, the data-gathering and cross-referencing phase compresses to a few hours per clause cluster — about one day end-to-end for the data work. The stakeholder interviews still take their full time, but you walk in with the questions already written. Net: a two-day audit instead of a two-week one.