ISO 9001 and Legal Requirements

Transcription

1 SAATCA 14 th Annual Convention August 2011 Auditing in a Regulatory Environment ISO 9001 and Legal Requirements Wendy da Cruz dacruz@mweb.co.za

2 Background With only rare exceptions, modern management system standards all include a component related to applicable legislation. ISO 9001 is no exception

3 Background Although Management System certification does NOT, per se, certificate legal compliance of the certificated organization, it does communicate to the general public that: processes in place that include managing legal compliance they have evaluated their legal status and have actions in place to address any non-compliances that they are committed to legal compliance.

4 Background One of the challenges of conducting Management System audits is to determine the appropriate extent and depth of auditing the legal compliance component. ISO 9001 is no exception

5 ISO 9001 versus ISO 9004 This paper examines two components: The specific requirements from ISO 9001: 2008 and their application during both certification management system and audits and internal audits. ISO 9004: 2009 (SANS 9001: 2010) Managing for the sustained success of an organization A quality management approach.

6 From ISO 9001: 2008 Introduction 0.1 General This International Standard can be used by internal and external parties, including certification bodies, to assess the organization's ability to meet customer, statutory and regulatory requirements applicable to the product, and the organization's own requirements. NOTE 2 Statutory and regulatory requirements can be expressed as legal requirements.

7 From ISO 9001: Scope 1.1 General This International Standard specifies requirements for a quality management system where an organization a) needs to demonstrate its ability to consistently provide product that meets customer and applicable statutory and regulatory requirements

8 From ISO 9001: Application Where exclusions are made, claims of conformity to this International Standard are not acceptable unless such exclusions do not affect the organisation's ability, or responsibility, to provide product that meets customer and applicable statutory and regulatory requirements.

9 From ISO TC 176 Audit Practice Group standards/quality_management/more_resources_9000.htm

10

11 How should we prepare for the audit? Auditors need to be aware of the general and specific statutory and regulatory requirements applicable to the products/ services included within the scope of the QMS. This implies knowing the SCOPE of the QMS

12 How should we prepare for the audit? During the audit preparation phase, auditors should: Obtain relevant information from internal or external sources with respect to the statutory and regulatory applicable to the products/ services included within the scope of the QMS This will allow auditors to make a judgment on the suitability of the QMS to address such requirements These requirements need to be identified and integrated in the resource management and product realization activities of the organization

13 What should we audit? Ensure that the organization has a methodology in place for identifying, maintaining and updating all applicable statutory and regulatory requirements Ensure that these statutory and regulatory requirements are utilized as process inputs while monitoring process outputs for compliance with requirements Ensure that any claimed compliance to standards, statutory and regulatory requirements etc. are properly demonstrated by the organization

14 What should we report? If evidence is found, during the audit, that specific information regarding statutory and regulatory requirements has not been taken into account, the auditors should issue a nonconformity A auditors should also issue a nonconformity if a non compliance with such requirements is directly identified Auditors should avoid making statements about what statutory or regulatory requirements are applicable to the products / services of the organization, or about methods of compliance, because of the possibility of liability

15 What should we report? Nonconformities should be issued only in situations where identification has been made of system deficiencies or of direct violations in respect of statutory and regulatory requirements applying to the products/ services of the organization. However, if nonconformance with other kinds of statutory requirements (e.g. health and safety, environment, etc.) is co-incidentally, detected during the audit, this fact cannot be ignored by the audits. It should be reported without delay to the auditee and, if required, to the audit client.

16 ISO 9004: 2009 Title: Managing for the sustained success of an organisation

17 From ISO 9004: 2009 Scope: This International Standard provides guidance to organizations to support the achievement of sustained success by a quality management approach. It is applicable to any organization, regardless of size, type and activity. This International Standard is not intended for certification, regulatory or contractual use.

18 From ISO 9004: Work environment At the same time, the organization should ensure that its work environment complies with applicable statutory and regulatory requirements and addresses applicable standards (such as those for environmental and occupational health and safety management). 7.2 Process planning and control In the planning and control of processes, consideration should be given to: statutory and regulatory requirements,

19 From ISO 9004: Process planning and control In the planning and control of processes, consideration should be given to: statutory and regulatory requirements, 8.2 Monitoring Top management should establish and maintain processes for monitoring the organization's environment, and for collecting and managing the information that is necessary for anticipating current and expected changes in statutory and regulatory requirements,

20 From ISO 9004: Key performance indicators In selecting the KPIs, the organization should ensure that they provide information that is measurable, accurate and reliable, and usable to implement corrective actions when performance is not in conformity with objectives or to improve process efficiency and effectiveness. Such information should take into account statutory and regulatory requirements, where applicable.

21 From ISO 9004: Analysis Top management should analyse information gathered from monitoring the organization's environment, identify risks and opportunities, and establish plans to manage them. The analysis of the information gathered should enable factual decisions to be made on strategy and policy issues such as changes that can be expected in statutory and regulatory requirements, or labour markets and other resources, which would affect the organization.