如何审核法律法规要求

-1-日期：2005年12月12日ISO9001审核实践组指南审核法律法规要求ISO9001:2000要求组织识别并控制适用于其产品（包括服务）的法律法规要求，而组织在其QMS内如何识别和控制这些要求则由组织自己决定。组织应当证实自己正确地识别了适用于其产品/服务的法律法规要求，而且这些要求可以获得并易于检索。审核员需要了解适用于受审核方QMS所涵盖产品/服务的通用及特定的法律法规要求。在审核准备阶段，审核组应当从内部或外部渠道获取法律法规要求的相关信息，这样可以使审核员对QMS在满足这些要求方面的适宜性进行判断。这些要求需要得到识别并整合到组织的资源管理和产品实现活动中。在审核阶段，审核组应：•确保组织有用于识别、保持和更新所有适用法律法规要求的方法•在监视“过程输出”与要求的符合性时，确保这些法律法规的要求被当作“过程输入”。•确保组织能够恰当地证实与标准和法律法规要求的符合性。•如果在审核时有证据表明组织遗漏了有关法律法规要求的特定信息，审核员应当开具不符合项。•如果直接识别出了与这些法律法规要求的不符合，审核员也应当开具不符合项。由于可能会产生责任问题，审核员应当避免声称什么样的法律法规要求适用于该组织的产品/服务，或者应当采用什么方法来满足这些要求。-2-只有识别出体系在与组织产品/服务相关的法律法规要求方面的缺陷或者直接违背法律法规要求的情况时，才应当开出不符合项。当然，如果审核时恰巧发现了与其他法律法规（如健康安全、环境等）要求的不符合，审核组不应当忽略这个事实。审核组应当及时向受审核方进行通报，在有要求时，也要向审核委托方通报。如果在审核之前、审核过程中或审核实施之后，审核员意识到有任何影响质量管理体系形象和可信性的故意的与法律的不符合（包括，比如，违反反不正当竞争法、违反劳动法、违反健康和安全或环境法规），那么应当以适宜的方式考虑这些不符合，并对其进一步调查。与监管部门的角色和行为不同，审核员应当评估质量管理体系在满足客户要求方面（明示或通常隐含）的有效性，并把评估结果报告给认证机构以便其采取适当的措施。-3-Date:12December2005ISO9001AuditingPracticesGroupGuidanceon:AuditingstatutoryandregulatoryrequirementsISO9001:2000requiresanorganizationtoidentifyandcontrolthestatutoryandregulatoryrequirementsapplicabletoitsproducts(includingservices).ItisuptotheorganizationhowtodothiswithinitsQMS.Theorganizationshoulddemonstratethatthestatutoryandregulatoryrequirementsapplicabletoitsproducts/serviceshavebeenproperlyidentified,areavailableandeasilyretrievable.Auditorsneedtobeawareofthegeneralandspecificstatutoryandregulatoryrequirementsapplicabletotheproducts/servicesincludedwithinthescopeoftheQMS.Duringtheauditpreparationphase,auditorsshouldobtainrelevantinformationfrominternalorexternalsourceswithrespecttothesestatutoryandregulatoryrequirements.ThiswillallowthemtomakeajudgmentonthesuitabilityoftheQMStoaddresssuchrequirements.Theserequirementsneedtobeidentifiedandintegratedintheresourcemanagementandproductrealizationactivitiesoftheorganization.Duringtheauditphase,auditorsshould:•ensurethattheorganizationhasamethodologyinplaceforidentifying,maintainingandupdatingallapplicablestatutoryandregulatoryrequirements;•ensurethatthesestatutoryandregulatoryrequirementsareutilizedas‘processinputs’whilemonitoring‘processoutputs’forcompliancewithrequirements;•ensurethatanyclaimedcompliancetostandards,statutoryandregulatoryrequirementsetc.areproperlydemonstratedbytheorganization;•ifevidenceisfound,duringtheaudit,thatspecificinformationregardingstatutoryandregulatoryrequirementshasnotbeentakenintoaccount,theauditorsshouldissueanonconformity;•auditorsshouldalsoissueanonconformityifanoncompliancewithsuchrequirementsisdirectlyidentified.Auditorsshouldavoidmakingstatementsaboutwhatstatutoryorregulatoryrequirementsareapplicabletotheproducts/servicesoftheorganization,oraboutmethodsofcompliance,becauseofthepossibilityofliability.Nonconformitiesshouldbeissuedonlyinsituationswhereidentificationhasbeenmadeofsystemdeficienciesorofdirectviolationsinrespectofstatutoryandregulatoryrequirementsapplyingtotheproducts/servicesoftheorganization.However,ifnonconformancewithotherkindsofstatutoryrequirements(e.g.healthandsafety,environment,etc.)isco-incidentally,detectedduringtheaudit,thisfactcannotbeignoredbytheaudits.Itshouldbereportedwithoutdelaytotheauditeeand,ifrequired,totheauditclient.-4-Ifauditorsbecomeawareofanydeliberatelegalnon-compliancethatcouldaffecttheimageandcredibilityoftheQMSbefore,during,oraftertheaudit(including,forexample,breachofantitrustlaw,labourlaw,healthandsafetyorenvironmentalregulations)thenthisshouldbetakenintoconsiderationandinvestigatedfurther,asappropriate.Apartfromtheregulatoryauthority’saction,itisfortheauditorstoassesstheeffectivenessoftheQMSinmeetingcustomerrequirements(statedorgenerallyimplied)andreportthistothecertification/registrationbodymanagementtotakeappropriateactions.