审核法律法规要求

- 1 - 日期：2005 年 12 月 12 日 ISO 9001 审核实践组指南 审核法律法规要求 ISO 9001:2000 要求组织识别并控制适用于其产品（包括服务）的法 律法规要求，而组织在其 QMS 内如何识别和控制这些要求则由组织自己 决定。 组织应当证实自己正确地识别了适用于其产品/服务的法律法规要 求，而且这些要求可以获得并易于检索。 审核员需要了解适用于受审核方QMS所涵盖产品/服务的通用及特定 的法律法规要求。在审核准备阶段，审核组应当从内部或外部渠道获取 法律法规要求的相关信息，这样可以使审核员对 QMS 在满足这些要求方 面的适宜性进行判断。这些要求需要得到识别并整合到组织的资源管理 和产品实现活动中。 在审核阶段，审核组应： • 确保组织有用于识别、保持和更新所有适用法律法规要求的方法 • 在监视“过程输出”与要求的符合性时，确保这些法律法规的要 求被当作“过程输入”。 • 确保组织能够恰当地证实与标准和法律法规要求的符合性。 • 如果在审核时有证据明组织遗漏了有关法律法规要求的特定信 息，审核员应当开具不符合项。 • 如果直接识别出了与这些法律法规要求的不符合，审核员也应当 开具不符合项。 由于可能会产生责任问题，审核员应当避免声称什么样的法律法规 要求适用于该组织的产品/服务，或者应当采用什么方法来满足这些要 求。 - 2 - 只有识别出体系在与组织产品/服务相关的法律法规要求方面的缺 陷或者直接违背法律法规要求的情况时，才应当开出不符合项。 当然，如果审核时恰巧发现了与其他法律法规（如健康安全、环境 等）要求的不符合，审核组不应当忽略这个事实。审核组应当及时向受 审核方进行通报，在有要求时，也要向审核委托方通报。 如果在审核之前、审核过程中或审核实施之后，审核员意识到有任 何影响质量管理体系形象和可信性的故意的与法律的不符合（包括，比 如，违反反不正当竞争法、违反劳动法、违反健康和安全或环境法规）， 那么应当以适宜的方式考虑这些不符合，并对其进一步调查。与监管部 门的角色和行为不同，审核员应当评估质量管理体系在满足客户要求方 面（明示或通常隐含）的有效性，并把评估结果给认证机构以便其 采取适当的措施。 - 3 - Date: 12 December 2005 ISO 9001 Auditing Practices Group Guidance on: Auditing statutory and regulatory requirements ISO 9001:2000 requires an organization to identify and control the statutory and regulatory requirements applicable to its products (including services). It is up to the organization how to do this within its QMS. The organization should demonstrate that the statutory and regulatory requirements applicable to its products / services have been properly identified, are available and easily retrievable. Auditors need to be aware of the general and specific statutory and regulatory requirements applicable to the products/ services included within the scope of the QMS. During the audit preparation phase, auditors should obtain relevant information from internal or external sources with respect to these statutory and regulatory requirements. This will allow them to make a judgment on the suitability of the QMS to address such requirements. These requirements need to be identified and integrated in the resource management and product realization activities of the organization. During the audit phase, auditors should: • ensure that the organization has a methodology in place for identifying, maintaining and updating all applicable statutory and regulatory requirements; • ensure that these statutory and regulatory requirements are utilized as ‘process inputs’ while monitoring ‘process outputs’ for compliance with requirements; • ensure that any claimed compliance to standards, statutory and regulatory requirements etc. are properly demonstrated by the organization; • if evidence is found, during the audit, that specific information regarding statutory and regulatory requirements has not been taken into account, the auditors should issue a nonconformity; • auditors should also issue a nonconformity if a non compliance with such requirements is directly identified. Auditors should avoid making statements about what statutory or regulatory requirements are applicable to the products / services of the organization, or about methods of compliance, because of the possibility of liability. Nonconformities should be issued only in situations where identification has been made of system deficiencies or of direct violations in respect of statutory and regulatory requirements applying to the products/ services of the organization. However, if nonconformance with other kinds of statutory requirements (e.g. health and safety, environment, etc.) is co-incidentally, detected during the audit, this fact cannot be ignored by the audits. It should be reported without delay to the auditee and, if required, to the audit client. - 4 - If auditors become aware of any deliberate legal non-compliance that could affect the image and credibility of the QMS before, during, or after the audit (including, for example, breach of antitrust law, labour law, health and safety or environmental regulations) then this should be taken into consideration and investigated further, as appropriate. Apart from the regulatory authority’s action, it is for the auditors to assess the effectiveness of the QMS in meeting customer requirements (stated or generally implied) and report this to the certification/registration body management to take appropriate actions.