Legal Responsibilities of Auditors - Systems

Paul Simpson

Trusted Information Resource
#1
We've had a few discussions here on the cove about this. There is an article in the latest edition of Quality World *** DEAD LINK REMOVED ***
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#2
Re: Legal Responsibility - Systems

Good article, Paul. One thing that really caught my attention:
Internal audits may be used to check compliance with procedures and that the organisation meets legal requirements. This is one way that organisations working to ISO 14001 or OHSAS 18001 satisfy the requirement for “evaluation of compliance”.
In my experience, most internal audit resources are not fully competent to perform "simple" conformance audits, much less regulatory compliance assessments.

Is your experience positive with management system internal auditors verifying legal compliance?
 

Paul Simpson

Trusted Information Resource
#3
Re: Legal Responsibility - Systems

... Is your experience positive with management system internal auditors verifying legal compliance?
Pretty much. Obviously the more complex the legal requirements the higher the level of technical knowledge the auditor needs.

Just as one example ... here in the UK we have to keep a record of all waste going off site to show it has been dealt with properly. It is a simple task to check that there are records for each pick up and that these records identify the correct information and are kept for 3 years.

Now the more complex stuff needs better technical knowledge but most auditors I know can do it! :agree1:
 

Marc

Hunkered Down for the Duration with a Mask on...
Staff member
Admin
#4
The link is dead. Just wondering if any further discussion of Legal Responsibilities of Auditors is in the wind?
 

Paul Simpson

Trusted Information Resource
#5
Thanks, Marc. The article is still available for members of the Institute - *****DEAD LINK REMOVED****.
 

qualityboi

#6
I have posted this before but it was the interpretation of Charles Cianfrani (excuse the spelling) who authored the ISO 9001:2001 explained, that communicated to me via email that auditors were responsible for auditing to legal requirements. I thought that was the most Bunk regarding auditing I ever heard. Those requirements could be limitless in my opinion, especially if you work in a company that has plants all over the world. I audit to the quality manual, ISO 9001, and whatever standard or procedure our company subscribes to, not laws. If I audit environmental and they have permit requirements then I audit to the permit requirement that I see they have in the area or process. That said I do not, and never will try to do diligence to audit against local and national laws, the thought of it in my opinion, is ridiculous. You could then be responsible for auditing everything from SOX, to labor laws, to electrical building codes etc., there is no way you could hold an auditor responsible for every law, code and regulation in a process.
To a different point we did have one training class with one of our attorneys where the main point was to never state in an audit report key words, like "no process", "never", "no evidence"...and go to "not apparent", "not clear", and "lack or minimal evidence".
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#7
Earlier this week I fielded an inquiry about a matter that the person thought might be a Sarbanes-Oxley issue. I stressed that the auditing I do is not to be confused with that which would satisfy Sarbanes-Oxley, as such audits were done on accounting systems and needed specific competencies.

But that doesn't let me off the hook for auditing against safety and environmental laws, as I am the site internal auditor for those systems plus QMS, and now also Process Safety Management. I can't be expected to know and audit against details within the various laws, codes and regulations, especially in different states and countries.

However, I am responsible for verifying my organization has a functioning system in place that does identify the requirements, make plans and allocate for meeting them, executes defined processes to support the effort and self assesses for effectiveness. In other words, I am a management systems auditor and not an inspector.

That doesn't mean I can't or shouldn't call out something specific if I have the competencies to recognize it. If I see and recognize something like fall hazard or lockout tagout violation, I am arguably ethically required to report it to my organization for immediate action, and I should also pursue it as a question of how these requirements are being missed. ("Why does it take me to find and raise this issue - don't we know what we're supposed to do?") Ethically, IMO (not humble) I should do this whether or not I noticed it during an audit.

I can't find the reference now, but I remember having it drilled into me years ago that regulations were at the tippy-top of the document hierarchy. Even if that simply means their requirements never get nullified or diluted by lower level documentation, in my work I have always maintained they are "on the table" at all times.

Does this mean I am the site expert and authority on the subject? Certainly not, nor do I claim to be. It means that if I see something that I think is questionable based on my education, training and experience, I raise it with the site responsible person and area manager for his/her more expert review and disposition.

Here's what it looks like: recently I raised a question of flammable lockers' compliance to NFPA 30. It was discovered during review that there were conflicting codes; the site eventually chose to go with the local versus federal code because it was stricter and more likely to get audited by code inspectors. Fine; the issue that I raised was resolved by the people who have the responsibility, authority and expertise to do so, yet the issue was resolved because I raised it as one during an internal audit.

Overkill? Maybe. But we in this facility are more compliant and perhaps safer than before, and I didn't go out on a limb to do my part.

Safety is everyone's job - mine too.
:2cents:
 

Paul Simpson

Trusted Information Resource
#8
I have posted this before but it was the interpretation of Charles Cianfrani (excuse the spelling) who authored the ISO 9001:2001 explained,....
Just a point of clarification he wasn't the author of ISO 9001 or any other ISO standard. The standards development relies on working groups and consensus.

... that communicated to me via email that auditors were responsible for auditing to legal requirements. I thought that was the most Bunk regarding auditing I ever heard.
If he meant that the management system should cover legal requirements as they apply to the product / service delivered then that is true. ISO 9001 requires that these requirements are taken into account for the design, development and manufacture / delivery of the product or service. So a classic example here in Europe is a lot of products are covered by what we call 'New Approach Directives' that place the onus on the supplier to ensure they comply with product health and safety standards. By extension that means that the auditor needs to understand enough about the legal obligations before they can be deemed competent to audit in the area.

Those requirements could be limitless in my opinion, especially if you work in a company that has plants all over the world. I audit to the quality manual, ISO 9001, and whatever standard or procedure our company subscribes to, not laws. If I audit environmental and they have permit requirements then I audit to the permit requirement that I see they have in the area or process. That said I do not, and never will try to do diligence to audit against local and national laws, the thought of it in my opinion, is ridiculous. You could then be responsible for auditing everything from SOX, to labor laws, to electrical building codes etc., there is no way you could hold an auditor responsible for every law, code and regulation in a process.
If you restrict the legal requirements to those related to product (i.e. ignoring OSHA, Environmental, Finance etc.) then the list is much shorter but can still be extensive. I prefer to think of it this way - if you don't have any clue as to the implications of a design or manufacturing failure on the product in the field what are you doing auditing the company?


To a different point we did have one training class with one of our attorneys where the main point was to never state in an audit report key words, like "no process", "never", "no evidence"...and go to "not apparent", "not clear", and "lack or minimal evidence".
I can't comment on your legal advice :D
 

Richard Pike

#9
Re: Legal Responsibility - Systems

Good article, Paul. One thing that really caught my attention:
In my experience, most internal audit resources are not fully competent to perform "simple" conformance audits, much less regulatory compliance assessments.
They are not required to do so!!!!!!!! They are required to ensure that a system is in place which will ensure legal compliance.

No diff between not requiring an auditor to verify a product conforms to spec, they must ensure a system is in place that ensures compliance...

A full regulatory compliance assessment - is essentially "an inspection" coupled with a "technical review" and this must be done by a qualified "inspector" & "process specialist".

In this case this would undoubtedly be a person with a legal qualification and appropriate industry experience.
 