Auditing Legal Requirements

Part of audit planning is determining the audit criteria, in other words, the policies, procedures, and requirements used as the reference for comparing audit evidence.

The primary types of requirements are:

1. Customer, as expressed in orders and contracts
2. Company, as found in policies and procedures
3. Standard, such as ISO 9001:2000
4. Legal, as defined in statutes and regulations

Unfortunately, legal requirements are often ignored during internal audits. And, that omission would be a nonconformity.

ISO 9001:2000, clause 7.2.1.c states that organizations must determine statutory and regulatory requirements for their products. In addition, clause 7.3.2.b requires design inputs to include applicable statutory and regulatory requirements.

According to clause 5.1.a, top management must communicate the importance of meeting customer, as well as, statutory and regulatory requirements. The legal requirements in this context are quality and product-related, not health, safety, or environment-related.

Auditors must first identify the applicable legal requirements for the area to be audited. Ask the legal staff, contract group, and audited area itself about any process or product legal requirements. According to ISO 9001:2000, the requirements should have been identified.

For the organization to meet the legal requirements, they must have access to the statutes and regulations. Ensure they are available for reference.

If the applicable legal requirements have been determined by the organization, see how they monitor for any new or changed legal requirements. Then ask for evidence that the organization is conforming to the requirements.

If there is proof legal requirements are not being considered, then issue a nonconformity report. Or, if there is evidence that the organization is in violation of a legal requirement, then issue a nonconformity report.

For more information on auditing legal requirements and other quality subjects, go to the ISO 9001 Auditing Practices web site.