Auditing Statutory and Regulatory Requirements

This article is based on an auditing guidance paper available at <>. ISO 9001:2000 requires an organization to identify and control the statutory and regulatory requirements applicable to its products (including services). It is up to the organization how to do this within its quality management system. The organization should demonstrate that the legal requirements applicable to its products/services have been properly identified, are available, and are easily retrievable.

Auditors need to be aware of the statutory and regulatory requirements applicable to the products/services included within the scope of the system. During the audit preparation phase, the audit team should obtain relevant information from internal or external sources with respect to these legal requirements. This will allow the auditors to make a judgment on the suitability of the system to address such requirements. These requirements need to be identified and integrated into the resource management and product realization activities of the organization.

During the audit phase, the audit team should:

  • ensure that the organization has a methodology in place for identifying, maintaining, and updating all applicable statutory and regulatory requirements
  • ensure that these statutory and regulatory requirements are utilized as ‘process inputs’ while monitoring ‘process outputs’ for compliance with requirements
  • ensure that any claimed compliance with standards, statutory and regulatory requirements, etc. is properly demonstrated by the organization

If evidence is found during the audit that specific information regarding legal requirements has not been taken into account, the auditors should issue a nonconformity. The auditors should also issue a nonconformity if a noncompliance with such requirements is directly identified. Auditors should avoid making statements about what statutory or regulatory requirements are applicable to the products and services of the organization, or about methods of compliance, because of possible liability.

Nonconformities should be issued only where the audit has identified either system deficiencies or direct violations in respect of the statutory and regulatory requirements applying to the products/services of the organization.

However, if a noncompliance with other kinds of statutory requirements (e.g., health and safety, environment, etc.) is coincidentally detected during the audit, this fact cannot be ignored by the audit team. It should be reported without delay to the auditee and, if required, to the audit client.

Note: The ISO 9001 Auditing Practices Group is an informal group of quality management system (QMS) experts, auditors, and practitioners drawn from ISO Technical Committee 176 and the International Accreditation Forum. It has developed a number of guidance papers and presentations that contain ideas, examples, and explanations about auditing. These documents reflect the process-based approach that is essential for auditing the requirements of ISO 9001:2000.

The guidance is primarily aimed at QMS auditors, consultants, and quality practitioners, but is not definitive. The papers and presentations reflect a number of different views in QMS auditing. As such, their content may not always be consistent. It is not intended for the guidance to be used as specified requirements, an industry benchmark, or as criteria that all QMS auditors, consultants, or practitioners have to follow.

The guidance documents are available at: <> and cover these individual topics:

  • The need for a 2-stage approach to auditing
  • Measuring QMS effectiveness and improvements
  • Identification of processes
  • Understanding the process approach
  • Determination of the “where appropriate” processes
  • Auditing the “where appropriate” requirements
  • Demonstrating conformity to the standard
  • Linking an audit of a particular task, activity or process to the overall system
  • Auditing continual improvement
  • Auditing a QMS which has minimum documentation
  • How to audit top management processes
  • The role and value of the audit checklist
  • Scope of ISO 9001:2000, Scope of quality management system and defining scope of certification
  • Value-added auditing
  • Auditing competence and the effectiveness of actions taken
  • Auditing statutory and regulatory requirements
  • Auditing the quality policy and quality objectives
  • Auditing ISO 9001, Clause 7.6, Control of monitoring and measuring devices
  • Making effective use of ISO 19011
  • Auditing customer feedback processes

All the documents are short Word documents of 2 to 8 pages, with the exception of one PowerPoint file consisting of 33 slides.

Feedback from users will be used by the ISO 9001 Auditing Practices Group to determine whether additional guidance documents should be developed, or whether the current ones should be revised. Comments on the guidance can be sent to: <>.