Internal Audits of Regulatory Requirements

How should internal auditors determine if their organization is conforming to regulatory requirements? Before answering this question, let's review the references to “regulatory” requirements in ISO 9001:2000:

0.1, Introduction – General: This International Standard can be used … to assess the organization’s ability to meet customer, regulatory, and the organization’s own requirements.

1.1, Scope – General: This International Standard specifies requirements for a quality management system where an organization … b) aims to enhance customer satisfaction through … and the assurance of conformity to customer and applicable regulatory requirements.

1.2, Application: Where exclusions are made, claims of conformity to this International Standard are not acceptable, unless … and such exclusions do not affect the organization’s ability, or responsibility, to provide product that meets customer and applicable regulatory requirements.

5.1, Management Responsibility – Management Commitment: Top management shall provide evidence of its commitment … by: a) communicating to the organization the importance of meeting customer, as well as, statutory and regulatory requirements, …  

7.2.1, Determination of Requirements Related to the Product: The organization shall determine … c) statutory and regulatory requirements related to the product, and …

7.3.2, Design and Development Inputs: These inputs shall include … b) applicable statutory and regulatory requirements, …

What is the difference between “statutory” and “regulatory” requirements? A statute is a law enacted by the legislative branch of a government. A regulation is a rule or order issued by an executive authority or regulatory agency of a government that has the force of law.

If audits evaluate the conformity of a quality management system to the requirements of ISO 9001:2000, then clauses 5.1.a, 7.2.1.c, and 7.3.2.b indicate audits must also address statutory and regulatory requirements.

Among the regulation sources are the Food and Drug Administration (FDA), Federal Aviation Administration (FAA), Occupational Health and Safety Administration (OHSA), and Environmental Protection Agency (EPA). Requirement examples are: Safety-related, e.g., Federal Motor Vehicle Safety Standards; Environment-related, e.g., recycling permits for waste oil; and Medical-related, e.g., Quality System Regulation – Title 21 part 820 – Code of Federal Regulations.

Legal requirements are extremely important. If they are violated, your products could be recalled, fines levied, facilities closed, and criminal penalties imposed. Unfortunately, many auditors are unaware of these legal requirements. They may be the most important requirements to be met, yet many internal audits ignore them.

However, someone must know about these requirements, because clause 7.2.1.c requires the organization to determine them. Auditors must ask the appropriate people, “What regulatory requirements are applicable to our products and organization?” And it all begins with management, since clause 5.1.a states top management must communicate the importance of meeting these legal requirements.

Remember, we’re not just talking about federal regulations. There may also be state or local regulations that apply to your products. If your organization is involved with international business, there will be foreign laws and regulations to consider, as well as the permits and clearances needed to import and export products.

Auditors should identify the statutory and regulatory requirements that are recognized by the organization. Then, find out how these requirements are addressed by the quality management system.