Auditing statutory and regulatory requirements
How do auditors ensure that organizations are taking regulatory requirements into account? The ISO 9001 Auditing Practices Group gives this advice.
ISO 9001 requires an organization to identify and control the statutory and regulatory requirements that are applicable to its products (including services). These could include legislation such as the Data Protection Act in the UK, regulations from the Food and Drug Administration in the US or consumer protection laws in Japan. Because such requirements vary immensely depending on an organization's location and output, ISO 9001 does not specify exactly how an individual organization should achieve this within its quality management system.
Each organization must, however, be able to demonstrate that the statutory and regulatory requirements applicable to its products and services have been properly identified, are available and are easily retrievable. And auditors must be able to readily verify that this is being achieved.
Being aware
Auditors need to be aware of the general and specific statutory and regulatory requirements applicable to the products and services included within the scope of the quality management system. During the audit preparation phase, auditors should obtain relevant information from internal or external sources with respect to these statutory and regulatory requirements. This will allow them to make a judgment on the suitability of the quality management system to address such requirements. These requirements need to be identified and integrated in the resource management and product realization activities of the organization.
During the audit
When carrying out an audit, auditors must:
- ensure that the organization has a methodology in place for identifying, maintaining and updating all applicable statutory and regulatory requirements
- ensure that these statutory and regulatory requirements are utilized as ‘process inputs’ while monitoring ‘process outputs’ for compliance with requirements
- ensure that any claimed compliance with standards and with statutory and regulatory requirements is properly demonstrated by the organization
During the audit, if any evidence is found that specific information regarding a statutory and regulatory requirement has not been taken into account, the auditor should issue a non-conformity. Auditors should also issue a non-conformity if a non-compliance with such requirements is directly identified.
Auditors should avoid making statements about what statutory or regulatory requirements are applicable to the products and services of the organization, or about methods of compliance, because of the possibility of liability.
Dealing with non-conformities
Non-conformities should be issued only where system deficiencies, or direct violations of statutory and regulatory requirements applying to the organization's products and services, have been identified. However, if non-compliance with other kinds of statutory requirements (such as health and safety or environmental legislation) is coincidentally detected during the course of the audit, this cannot be ignored by the auditors. It should be reported without delay to the auditee and, if required, to the audit client.
If auditors become aware of any deliberate legal non-compliance that could affect the image and credibility of the quality management system before, during or after the audit (including, for example, a breach of antitrust law, labour law, or health and safety or environmental regulations), this should be taken into consideration and investigated further, as appropriate. Independently of any action by the regulatory authority, it is for the auditors to assess the effectiveness of the quality management system in meeting customer requirements (stated or generally implied) and to report this to the certification body's management so that it can take appropriate action.
With a plethora of statutory and regulatory requirements covering numerous different products and services, it is important that organizations have a quality management system in place that ensures they are aware of their obligations. Equally important is the auditors' ability to rigorously evaluate the systems in place.
The ISO 9001 Auditing Practices Group is an informal group of quality management system experts, auditors and practitioners drawn from the ISO Technical Committee 176 quality management and quality assurance (ISO/TC 176) and the International Accreditation Forum. It has developed a number of guidance papers and presentations that contain explanations about the auditing of quality management systems. These reflect the process-based approach that is essential for auditing the requirements of ISO 9001.
