What Statutory & Regulatory Requirements can an ISO 9001 internal auditor audit


Silent_observer

#1
Referring to the Statutory & regulatory requirements of ISO 9001:2008, how far can an Internal Auditor go to check if the Statutory and Regulatory requirements are fulfilled? Is it sufficient if the external agencies certify the organization for these Regulatory requirements, or does the Internal Auditor also check records for the same? Please explain to me with an example.

Also please suggest if we need to consider departments like Finance/Excise in Internal Audit scope.
 

Colin

Quite Involved in Discussions
#2
When referring to statutory and regulatory requirements in ISO 9001, they are limited to those related to the product being provided to the customer - not all statutory and regulatory requirements applicable to the company e.g. health & safety, etc.

Clause 5.1 a) mentions that part of management commitment is to ensure that these requirements are communicated so it would be reasonable to ask for evidence that they are known.

Clause 7.2.1 c) requires any statutory and regulatory requirements related to the product to be determined so again, you could reasonably ask what they are.

These requirements change depending upon which country you are in e.g. in the UK it is a requirement for electrical installation contractors to comply with a particular British Standard (BS 7671).

As for the finance department, ISO 9001 does not directly concern itself with the finance department.
 

harry

Trusted Information Resource
#3
Welcome to the Cove.

So far as ISO 9001 is concerned, you need to consider only statutory and regulatory requirements related to the product you manufactured. Let's say you manufacture electrical cables to both JIS and VDE standards, you are to ensure that you have 'current' and correct (cable size, type, etc.) product certification for both. And that's what auditors should check.

Financial and excise aspects are normally taken care of in financial audits because those are the auditors who have knowledge and expertise to audit that area.

A good post to read is this.
 

DannyK

Trusted Information Resource
#4
In some jurisdictions, it is a requirement to have a license in order to drive a fork lift. An auditor can raise a finding if the company does not have licensed fork lift drivers.
 

samsung

#5
Welcome to the Cove.
So far as ISO 9001 is concerned, you need to consider only statutory and regulatory requirements related to the product you manufactured. Let's say you manufacture electrical cables to both JIS and VDE standards, you are to ensure that you have 'current' and correct (cable size, type, etc.) product certification for both. And that's what auditors should check.

Financial and excise aspects are normally taken care of in financial audits because those are the auditors who have knowledge and expertise to audit that area.
The new version (ISO 9001: 2008) now specifies "statutory and regulatory requirements related applicable to the product" and hence the change from "related" to "applicable" shifts from determining legal requirements that are merely associated with the product to those that are relevant and can be applied to the product.

Hence the departments dealing with Excise, VAT or other taxation, should also be covered under QMS & regularly audited by Internal / External auditors since they invariably form part of the customer related processes.
 

samsung

#6
Referring to the Statutory & regulatory requirements of ISO 9001:2008, how far can an Internal Auditor go to check if the Statutory and Regulatory requirements are fulfilled? Is it sufficient if the external agencies certify the organization for these Regulatory requirements, or does the Internal Auditor also check records for the same? Please explain to me with an example.

Also please suggest if we need to consider departments like Finance/Excise in Internal Audit scope.
Yes, the Internal Auditors can and 'must' conduct an in-depth audit of the legal requirements you are referring to and those applicable & relevant to your product. The post linked to by Harry explains it in much detail. As an example, suppose your product needs to be stamped by the national standardization body (e.g. an 'ISI' mark is mandatory for all safety/electrical appliances), the auditor will ascertain whether you have obtained a valid permit for stamping from the regulatory authority. Further, the permit may specify various conditions which you may need to comply with at specified intervals, e.g. testing of raw or finished ingredients, calibration, process validation, preservation of product, packaging, relevant data monitoring & recording etc. The auditor will (& should) verify if those conditions are being fulfilled or not. S/he may also conduct a test himself/herself or may get it conducted in his/her presence.

Not paying due attention to Statutory & Regulatory requirements is, in my opinion, one of the biggest business risks which any QMS must cater for.

Hope this helps.
 

harry

Trusted Information Resource
#7
The new version (ISO 9001: 2008) now specifies "statutory and regulatory requirements related applicable to the product" and hence the change from "related" to "applicable" shifts from determining legal requirements that are merely associated with the product to those that are relevant and can be applied to the product.

Hence the departments dealing with Excise, VAT or other taxation, should also be covered under QMS & regularly audited by Internal / External auditors since they invariably form part of the customer related processes.
Cannot agree with you on some of these. Are these your personal interpretation or can you cite a source of authority? As far as I know, the change in this section is merely for clarification. There are no new requirements.

If you include taxation and excise, what about health and safety? If health and safety can be taken care of by other management systems, then similarly, tax and excise can.

One reference you can use is: Auditing Statutory and Regulatory requirements

Basically, you can audit whatever you want for your own system or include whatever you want. For me, I would organize a bit. Quality related into QMS, Health & safety into HSE system and tax and financial related into finance. The last two are legal requirements and will automatically receive better attention.

One last word, common sense should prevail.
 

DrM2u

#8
In some jurisdictions, it is a requirement to have a license in order to drive a fork lift. An auditor can raise a finding if the company does not have licensed fork lift drivers.
I've done this before ... :whip: I think I wrote it under 6.2 Training. I also wrote findings against regular verification/certification of cranes (6.3 Infrastructure) where there were applicable state regulatory requirements. I accepted UL, CE & ISO 17025 accreditations from third parties if those were required for the product or by the customer. Of course, I was in no position to perform a UL or CE audit to verify compliance in lieu of a certificate but it wasn't my job as an ISO 9001 auditor to do that anyway. That's my :2cents:.
 

DrM2u

#9
Cannot agree with you on some of these. Are these your personal interpretation or can you cite a source of authority? As far as I know, the change in this section is merely for clarification. There are no new requirements.

If you include taxation and excise, what about health and safety? If health and safety can be taken care of by other management systems, then similarly, tax and excise can.

One reference you can use is: Auditing Statutory and Regulatory requirements

Basically, you can audit whatever you want for your own system or include whatever you want. For me, I would organize a bit. Quality related into QMS, Health & safety into HSE system and tax and financial related into finance. The last two are legal requirements and will automatically receive better attention.

One last word, common sense should prevail.
Yes :yes: and no :nope: ... I agree that all these requirements should not be commingled into an audit in order to ensure clearness of scope and effectiveness of the audit. :agree1: However, compliance with applicable regulations should still be verified. As an ISO 9001 auditor I probably would not have the qualifications to conduct a financial or HSE audit. But, since these are applicable regulations in some states, countries or parts of the world, I can ask to see evidence that such audits or assessments have taken place and, if applicable, corrective actions were taken for any findings. :read: I won't need to see and understand the details of a financial audit report but the availability of a report and records of any required actions should be enough evidence of compliance. And that's another :2cents:.
 

Sidney Vianna

Post Responsibly
Leader
Admin
#10
As an ISO 9001 auditor I probably would not have the qualifications to conduct a financial or HSE audit. But, since these are applicable regulations in some states, countries or parts of the world, I can ask to see evidence that such audits or assessments have taken place and, if applicable, corrective actions were taken for any findings. :read: I won't need to see and understand the details of a financial audit report but the availability of a report and records of any required actions should be enough evidence of compliance. And that's another :2cents:.
Sorry, but I don't agree. As a QMS internal auditor, one must stay within the boundaries of the assignment. As you mentioned yourself, a typical QMS internal auditor is not competent to delve into legal requirements in many areas.

To ascertain that a report and records exist (even if totally inadequate) does not add much to the organization, does it?

Let's also remember that an internal auditor is not responsible to determine if an organization's products comply with legal requirements. S/he should be assessing if the system provides for that, focusing on the product design/engineering processes.
 