Auditing Statutory and Regulatory Requirements
The term ‘statutory and regulatory requirements’ is used eleven times in the requirements of the ISO 9001:2015 Standard. The question is how auditors need to consider statutory and regulatory requirements when auditing ISO 9001, ISO 14001, ISO 45001 or other standards.
An organisation using any of the above as its management system standard must demonstrate its ability to comply with the statutory and regulatory requirements that are applicable to its operations, products or services within the scope of its management system. The statutory and regulatory requirements are specified in the following clauses of these three management system standards:
ISO 9001:2015 (QMS): Clause 4.2, 5.1.2, 8.2.2, 18.104.22.168, 8.3.3, 8.4.2, 8.5.5
ISO 14001:2015 (EMS): Clause 4.2, 6.1.3, 9.1.2
ISO 45001:2018 (OHS): Clause 4.2, 5.2c, 5.4, 6.1.1, 6.1.5, 7.4.1, 7.4.3, 7.5.1, 8.1.2, 8.1.3, 22.214.171.124, 9.1.1, 9.1.2, 9.3.
Statutory and regulatory requirements applicable to a business may range from very simple to highly complex. Some industries, products and services are heavily regulated, while others have very few, if any, requirements. When auditing any management system requirements, the auditor needs to consider the relevant statutory and regulatory requirements applicable to the industry.
To complete an effective audit of statutory and regulatory requirements, the following recommendations may be considered:
1- Auditing conformity with management system requirements (such as QMS, EMS or OHS) is different from verifying compliance with statutory and regulatory requirements. Auditors shall remember that statutory and regulatory requirements are not audited for compliance. The management system audit must focus on the organisation’s processes for determining, complying with and evaluating those statutory and regulatory requirements. The organisation should have a process in place for:
a) Determining, updating, and maintaining all applicable statutory and regulatory requirements
b) Communicating relevant requirements within the organisation.
c) Considering the relevant requirements as an input to Risk Assessment, planning and operation
d) Complying with all applicable requirements
e) Monitoring and evaluating compliance with statutory and regulatory requirements.
2- Auditors should avoid making any statements, suggestions or recommendations regarding compliance with statutory and regulatory requirements. This applies both to the audit report and to verbal feedback during the audit. Any audit findings, including nonconformities, shall refer to one of the above processes (a-e) and to the relevant management system standard clauses. Nonconformities should not be raised against the statutory and regulatory requirements themselves; breaches of or discrepancies with regulation can instead be raised as a failure of the management system or of one of its processes. The responsibility for demonstrating legal compliance rests with the organisation, not with the auditor or the audit report.
3- Auditors should study and obtain the relevant statutory and regulatory requirements prior to the audit. These requirements differ from state to state, country to country and industry to industry.
4- Auditors will not be able to review all the applicable requirements, so sampling is inevitable; however, auditors should take a risk-based approach and ensure that the samples represent all the requirements, with an emphasis on higher risks.
5- The audit report normally includes a conclusion on the extent of the management system’s conformity with the audit criteria. The audit report should also include (as referred to in ISO 19011) a statement about the effectiveness of the management system in meeting its intended outcomes, and a summary of the organisation’s demonstration of its ability to consistently meet statutory and regulatory requirements.
Reference: ISO and IAF Guidance on Auditing Statutory and Regulatory Requirements- Edition 2 – 2021-06-07