Auditing Legal Requirements

Part of planning an internal audit is determining the audit criteria, in other words, the policies, procedures, and requirements used as the reference for comparing audit evidence.

Primary Requirement Types

The four primary types of requirements can be grouped as:

1. Legal, as defined in statutes and regulations
2. Organization, as found in policies and procedures
3. Customer, as expressed in orders and contracts
4. Standard, such as ISO 9001:2008

The requirement types can be remembered using the term LOCS: Legal, Organization, Customer, and Standard. The evidence categories can be recalled by the term DORS: Documents, Observations, Records, and Statements.

Unfortunately, legal requirements are often ignored during internal audits, and that omission would be viewed as a nonconformity.

ISO 9001 on Legal Requirements

ISO 9001:2008, clause 7.2.1.c, states that organizations must determine the statutory and regulatory requirements for their products and services. Clause 7.3.2.b requires that design inputs include the applicable statutory and regulatory requirements.

According to clause 5.1.a, top management must communicate the importance of meeting customer as well as statutory and regulatory requirements. Of course, legal requirements in this context are quality and product-related requirements, not health, safety, or environmental requirements.

A Note in clause 4.1 states that even if your organization outsources a process, it will still be responsible for conforming to all customer, statutory, and regulatory requirements.

Auditing Legal Requirements

You must first identify the applicable legal requirements for the area to be audited. Ask the legal staff, contract group, and audited area itself about any process or product legal requirements.

For the organization to meet the legal requirements, it must have access to the statutes and regulations. Ensure the applicable requirements are easily available for reference.

If the legal requirements have been determined by the organization, see how it monitors for any new or changed legal requirements. Then, ask for evidence that the organization is conforming to the requirements.

If there is proof that legal requirements are not being considered, then issue a nonconformity report. If there is evidence the organization is in violation of an applicable legal requirement, then issue a nonconformity report.

If you coincidentally detect noncompliance with a non-quality legal requirement, e.g., a health, safety, or environmental requirement, it cannot be ignored: the auditee must be informed.

According to the ISO 9001 Auditing Practices website, auditors should avoid commenting on the legal requirements for the products and services of an organization, or on compliance methods, due to liability concerns.