Auditing statutory and regulatory requirements
ISO 9001 requires an organization to identify and control the statutory and regulatory requirements applicable to its products and services.
It is up to the organization to determine what is required within its QMS.
The organization should demonstrate that the statutory and regulatory requirements applicable to its products and services have been properly identified, are available and easily retrievable.
Auditors need to be aware of the general and specific statutory and regulatory requirements applicable to the products and services included within the scope of the QMS.
During the audit preparation phase, auditors should obtain relevant information from internal or external sources with respect to these statutory and regulatory requirements.
This will allow them to make a judgment on the suitability of the QMS to address such requirements.
These requirements need to be identified and integrated into the resource management and product realization, or service provision, activities of the organization.
During the audit phase, auditors should:
- ensure that the organization has a methodology in place for identifying, maintaining and updating all applicable statutory and regulatory requirements;
- ensure that these statutory and regulatory requirements are utilized as ‘process inputs’ while monitoring ‘process outputs’ for compliance with requirements;
- ensure that any claimed compliance to standards, statutory and regulatory requirements etc. are properly demonstrated by the organization;
- issue a nonconformity if evidence is found during the audit that specific information regarding statutory and regulatory requirements has not been taken into account;
- issue a nonconformity if a non-compliance with such requirements is identified.
To avoid the possibility of liability, auditors should not make statements regarding statutory and regulatory compliance, or make any comprehensive identification of specific statutory or regulatory requirements applicable to the products and services of the organization.
Nonconformities should be issued only where system deficiencies, or direct violations of the statutory and regulatory requirements applying to the products and services of the organization, have been identified.
However, if nonconformity to other kinds of statutory requirements (e.g. health and safety, environment, etc.) is coincidentally detected during the audit, this fact cannot be ignored by the auditors.
It should be reported without delay to the auditee and, if required, to the audit client.
If auditors become aware of any deliberate legal noncompliance that could affect the image and credibility of the QMS before, during, or after the audit (including, for example, breach of antitrust law, labour law, health and safety or environmental regulations) then this should be taken into consideration and investigated further, as appropriate.
Apart from the regulatory authority’s action, it is for the auditors to assess the effectiveness of the QMS in meeting customer requirements (stated or generally implied) and report this to the certification and registration body management to take appropriate actions.