Determining legal requirements in auditing | CQI | IRCA

Determining legal requirements in auditing

Published: 13 Jun 2022

Chikaodili Juilet Hemeson, Managing Director and Chief Executive Officer of the safety services consultancy Henzof Nigeria, highlights the need for determining legal requirements when conducting an audit. 

The world of auditing is evolving as it seeks to relate current international standards to, and address, the business or economic, technological, societal and environmental issues happening globally today.

The provision and implementation of international standards, particularly those of ISO, are there to assist in building resistance and resilience in how these issues affect the world, for countries and their people, organisations and businesses, and the environment and its biodiversity. 

Auditing against criteria

Unfortunately, as these issues continue to occur and raise uncertainties, the same is true of the audit profession and the auditing of ISO management systems. Examples include: determining the audit criteria, i.e. which requirements are applicable; the technique, i.e. onsite, remote or hybrid; the technology, i.e. type, availability and know-how; and inter-related management systems.

Auditing becomes challenging when determining the criteria to be used as the reference against which evidence is gathered and objectively assessed.


For the audit criteria, conditions may need to include or involve legal requirements depending on the ISO management standard being audited. A clear example of this would be the precise observance of legal requirements in ISO 45001:2018 Occupational health and safety management systems – Requirements with guidance for use. 

The interweave of legislation and ISO management standards 

Fundamentally, an ISO management system as an international standard (according to the IEC), is a document that has been developed through the consensus of experts from many countries and is approved and published by a globally recognised body, in this case, ISO/IEC. It comprises rules, guidelines, processes or characteristics that allow users to achieve the same outcome time and time again. 

Since the content of most international standards is originally drawn from a number of sources, including existing national standards and contributions from experts and representatives from many countries, it is crucial to note that some elements of an ISO management system currently include existing parts of national and regional laws and policies.

Two such examples are ISO 45000 and ISO 14000 (Environmental management), which are embedded within some national and regional regulations.

Consistently meeting requirements and addressing future needs and expectations poses a challenge for organisations. In an increasingly dynamic and complex environment, to achieve the same outcome time and time again, an organisation might find it necessary to adopt various forms of improvement in addition to correction and continual improvement, such as breakthrough change, innovation, and re-organisation. 

Auditing and compliance in an ISO management system 

Often, we skip or misconstrue the objectives of the content of an ISO international standard, which does not include requirements specific to other management systems, even though elements from other management systems can be aligned or integrated.

This usually occurs when auditors skilled in more than one management system unwittingly borrow a specific requirement from another standard that has no direct relevance or application to the system under audit. This can also raise non-conformances against the client that do not fall under the mandatory requirements of that particular standard.

It would be unwise to assume that the absence of specific elements for legal requirements in a management system automatically means that it is unnecessary to comply with applicable legislation – either state law or regulation.

As an auditor, it is essential to bear in mind that, in the absence of specific steps to determine the exact processes, ISO 19011:2018 Guidelines for auditing management systems sets out basic elements to assist in auditing compliance within a management system.  

According to the ISO/IEC: “Guides may contain elements that are considered mandatory. These elements will be identified by using the word ‘shall’. When these elements exist…, they are mandatory… Statements that are only for guidance are identified by the use of the word ‘should’.” 

In the introductions to both ISO 9001:2015 and ISO 14001:2015, it is also clearly stated that where these words are used, they have the following meaning:

Shall: Requirement
Should: Recommendation
May: Permission
Can: Possibility or capability

Although the language used in each of the management standards may differ, the need for a legal requirement is implied through the use of the terms ‘shall’ or ‘compliance’.

Auditors and observance of compliance 

No matter what our personal perception may be of gathering objective evidence, it is vital that an auditor be guided by the basic rules and requirements of each management system while conducting an audit, from beginning to end. 

Therefore, an awareness of the laws and regulations applicable to the location of the auditee would further assist auditors, including inspectors of government agencies. This would help in the identification, evaluation and management of processes subject to legal and regulatory requirements within the auditee’s organisation. It would also prevent the issuing of a non-conformance on a requirement that ought not to be raised in the first instance.
