# QMSR Changes and What to Expect: Internal Audits and Management Reviews Are No Longer Off-Limits

Source: https://www.globalkeysolutions.net/media/qmsr-changes-and-what-to-expect-internal-audits-and-management-reviews-are-no-longer-off-limits
Type: webinar
Published: February 24, 2026
Updated: March 12, 2026
Authors: Zephaniah Odidika

> The new QMSR removes FDA's hands-off policy on internal audits and management reviews. Learn what changed, why it matters, and how to prepare for inspections.

---

![Screenshot 2026-02-24 at 13.56.46.png](https://storage.googleapis.com/gks-blog-images/blog-images/41c4435ab6304743bf1cc1625066e246.png)




**By George Kwiecinski, CEO & Founder, Global Key Solutions | February 2026**

As of February 2, 2026, the FDA's new Quality Management System Regulation (QMSR) is officially in effect — and it represents one of the most significant shifts in medical device quality oversight in decades.

In our latest **Warning Letter Wednesday** webinar, I sat down with **Daniel Barreto**, President and CEO of PharmQ Global, who brings over 40 years of combined FDA and regulatory experience, to break down what this means for the industry.

Here are the key takeaways.

---

## What Is the QMSR, and Why Does It Matter?

At its core, the QMSR harmonizes the FDA's Good Manufacturing Practices for medical devices with **ISO 13485:2016**, the international standard for medical device quality management systems. This alignment achieves three important goals:

- It makes it easier for manufacturers to market products across multiple countries by aligning U.S. regulations with global standards
- It promotes a risk-based approach to quality management
- It reduces the need for duplicative quality systems for companies already compliant with ISO 13485

All of that sounds positive on the surface. But the regulation also introduces a fundamental change that every medical device company needs to understand — immediately.

---

## The Big Shift: From "Off-Limits" to "Fair Game"

Under the old Quality System Regulation (21 CFR 820), the FDA had a longstanding policy of **not** routinely reviewing records generated for management reviews and internal audits. The reasoning was straightforward: the agency wanted to encourage companies to be candid and self-critical in their assessments without fear of immediate regulatory citation.

**The new QMSR removes that exception entirely.**

That means internal audit reports, management review meeting minutes, CAPA records tied to audits, and all related documentation are now fully accessible to FDA inspectors. As Dan put it during the webinar — what was previously considered off-limits is now fair game.

---

## Why Is the FDA Making This Change?

The FDA wants to put more responsibility and accountability on companies for self-regulation. By reviewing these previously shielded records, inspectors will now be assessing:

- Whether a company has an effective system for **self-detection** through internal audits
- Whether it elevates issues appropriately to management
- Whether it takes the right corrective and preventive actions
- Whether it closes the corrective action loop with **verified effectiveness**

In short, the FDA is forcing the regulated industry to prove that its self-regulation activities are genuine and effective — not just procedural box-checking.

---

## How FDA Inspections Will Change

Dan highlighted a critical shift in inspection strategy that companies need to prepare for now.

Previously, the typical first point of entry for an FDA inspection was:

- OOS investigations
- Nonconformance investigations
- The CAPA program
- Complaints
- Change control

Under the QMSR, Dan expects inspectors to **start** with:

- Internal audits (both process and performance)
- Supplier audits
- Management reviews

The traditional inspection areas will become a **second** point of entry rather than the starting point. This is a fundamental reordering of inspection priorities, and companies that aren't prepared will find themselves exposed quickly.

---

## The Legal Department's Role Will Expand

One of the most practical points Dan raised is the increasing importance of legal involvement.

Internal audits and management reviews are, by design, self-critical documents. They record weaknesses, nonconformances, and debates about resource allocation. In the hands of an FDA inspector, those documents can provide a direct roadmap to a company's biggest compliance gaps.

That carries several implications:

- Companies will need to consider **attorney-client privilege strategies** for particularly sensitive audits, especially those involving data integrity issues
- Legal counsel should be involved in training teams to use precise, objective language in audit reports and meeting minutes — avoiding speculation, hyperbole, or inadvertent admissions
- Every finding should be paired with a clear, well-documented record of corrective actions taken — **the narrative matters**

Dan was careful to emphasize that the goal here isn't to hide noncompliance. It's about making space for candid internal assessments without creating unmanaged legal risk. Going forward, the collaboration between internal audit programs, management review activities, and legal departments will need to be much tighter than it's been.

---

## What You Should Do Right Now

Based on Dan's recommendations and our analysis using **KeyPedia**, here are the priority actions every medical device company should be taking:

### Re-train Your Audit Personnel

Internal auditors at the site level, global level, and external auditors all need to understand that their role carries significantly higher stakes under the QMSR. Their work product will be directly scrutinized by FDA inspectors — that changes the calculus entirely.

### Strengthen Your Audits, Don't Water Them Down

The worst response to this change would be to conduct less rigorous internal audits just to avoid creating a paper trail. Think about it: an FDA investigator finding a significant issue that your internal audit missed is a far bigger problem than them seeing you found an issue and are actively fixing it. Self-awareness is a strength, not a liability.

### Focus on Closed-Loop Processes

Your records should clearly demonstrate that findings were identified, corrections were made, and effectiveness was verified. The link between audit findings and your CAPA system needs to be airtight and well-documented.

### Integrate Quality Across the Entire Product Lifecycle

Your QMS cannot live in a silo as a post-market function. The FDA is also scrutinizing QMS effectiveness during premarket submissions, and any disconnect between your premarket submission and your operational QMS is a significant red flag.

### Adopt a Data-Driven Quality Culture

Don't wait for an inspector to ask for data. Proactively establish and monitor quality metrics that demonstrate the health of your QMS. Being able to walk an investigator through your data — and show them how you actually use it for continuous improvement — demonstrates a living, effective system.

### Master Risk Management

Risk management is now a core part of the process under ISO 13485 alignment. Your ability to implement and demonstrate a risk-based approach will be closely evaluated, so this can't be an afterthought.

---

## These Areas Were Already Problem Spots

Using **KeyPedia**, we analyzed historical FDA 483 observations and warning letters related to internal audits — and the findings are telling.

Even *before* the QMSR gave inspectors full access, companies were already being cited for:

- Insufficient documentation of audit findings
- Lack of management review
- Inadequate scope and frequency of audit programs
- Failure to implement corrective actions
- Failure to address systemic issues
- Lack of auditor independence

These were citations issued when the FDA had only **limited** visibility into audit programs. Now that inspectors will have full access, the bar will be significantly higher — and the consequences of deficiencies in these areas will be much more severe.

We also looked at the top 20 CFR codes related to 21 CFR 820 in FDA inspections and found that many of the areas now opened up for deeper scrutiny under the QMSR were already among the most frequently cited predicate rules. The trend data suggests that device citations have been climbing steadily in recent years post-COVID, approaching the peak levels we saw around 2014–2015.

---

## The Bottom Line

The most successful approach for future QMSR inspections is straightforward: build a genuine culture of quality.

Your QMS should be a strategic asset that drives improvement and manages risk throughout the product lifecycle — not simply a regulatory burden to be managed. A well-documented internal audit that finds issues, coupled with a management review that actually addresses them, is strong evidence of a healthy and functioning quality management system.

Companies that can demonstrate a proactive, data-driven, and integrated approach will be best positioned for successful inspection outcomes. Those that can't will find that the QMSR has given FDA inspectors a lot more low-hanging fruit to pick.

---

*This blog is based on Global Key Solutions' Warning Letter Wednesday webinar held on February 11, 2026 featuring Daniel Barreto of PharmQ Global. The presentation was developed using data and insights from KeyPedia, our AI-powered FDA regulatory intelligence platform.*

*For more information, visit [globalkeysolutions.net](https://globalkeysolutions.net) or reach out at [hello@globalkeysolutions.net](mailto:hello@globalkeysolutions.net).*

