Whether your company is targeting certification in ISO 9001, 14001 or ISO 45001, once every year, an ISO-certified auditor will visit your site to conduct an audit and ensure your company meets the requirements of the standard. Audit preparation is key to success, as is having the right technology to support you. With these in place, the ISO audit need not be a daunting experience. In this interview, Lynn Schouw, legal compliance auditor and management system trainer, takes us through two key questions you’ll be asked during an audit and how to prepare for them.
What are the two key questions you must be ready to answer during an ISO audit?
- Have you identified the hazards related to your activities that pose risks to: the company; quality of the product; health and safety of employees and others; the environment?
- Which law applies to each of these risks?
You’ve got to know the legal obligations in order to put the correct measures in place – so when you identify the risk, you also need to know which law applies, and the minimum requirements to comply with that law. The standard also requires you to have this information documented - to clearly show you understand your risk and have identified the applicable legislation.
Who in the company needs access to the legislation related to these risks?
All employees with a responsibility to manage risks must have access to the legislation, but in particular, all of management. The auditors will focus on determining whether management understands and knows how to identify the legislation that they have an obligation to comply with.
What’s the best way to keep track of applicable legislation?
To my knowledge, a legal register is the only way to both identify the legislation that is applicable to your risk, and to link the risk to the legislation. It demonstrates to the auditor that you have identified your risk, and that you’re fully aware of the laws applicable to each.
How specific should you be when linking legislation to risk? Can it be done at Act level?
Within pieces of law, there are a lot of different requirements – so different sections will apply to different activities and different risks. For example, out of a piece of legislation, there might only be two sections that apply to a particular activity like ‘working at heights’. If you simply link the entire legislation, the auditor will ask you to identify the specific section that applies to this risk. Sections from another Regulation might be associated with that risk too, and those would also need to be identified and linked to the risk - so it’s really important that linking is done at section level.
What are the consequences if you don’t link a risk to specific sections?
The auditor will tell you that you haven’t adequately identified the legislation applicable to the risk. You therefore don’t have the information you need to mitigate that risk, and you’ll get a finding. Before you can get your ISO certification, all findings need to be closed out, and you are usually given 90 days to do so.
Is the auditor interested in legal updates?
Absolutely. Change is a vital component of the requirement of the standard, so you must have access to any changes to the law. In addition, management are required, on an annual or 6-monthly basis, to assess business performance. One of the mandatory items for discussion at this meeting is legislation change and how that could affect the business.
How do businesses keep track of changes to legislation without an automated system?
From what I’ve seen in the past, businesses would use a spreadsheet to manage applicable legislation and update it once a year before the auditors were due to arrive. Any changes made to the register would then be sent to a point of contact who would disseminate the changes and report them to senior management. The big problem with this is that it’s far too reactive. If changes have occurred to legislation months prior, businesses could face fines for not meeting certain deadlines. For this reason alone, more and more companies are going the online, automated route.
When the auditor comes knocking, it's far better to be on the front foot - ready to provide documented evidence to show you understand your risk and can identify the related legislation. As Lynn pointed out, this used to be a very manual process - one that didn't guarantee accurate results or peace of mind for top management. Now, thanks to Legal Tech and companies like Libryo, a solution is available. Read more about Libryo's tech solution and Lynn Schouw below:
About Libryo's automated, online legal registers
The Libryo Platform offers an online, fully automated legal register solution that makes it much easier for companies to know their law. The Libryo Platform identifies only the sections of law applicable to an operation - filtering out the noise and enabling easy linking of risk to legislation. The Libryo Platform is always updated and users are notified when anything changes - so companies are kept in the know and can avoid nasty non-compliance fines or damage to reputation. With Libryo, any number of users from senior management to compliance professionals can assess the legislation, all at the same time, online.
About Lynn Schouw
Lynn has completed hundreds of hours of management system and legal compliance auditing and training. She assists with the implementation of integrated environmental, occupational health and safety and quality management systems (aligned to the ISO management system standards), and conducts audits of those systems. Lynn also conducts legal compliance audits and assists with the integration of operational risk assessments with the applicable legal themes and legal obligations.