Auditor’s tricky balance between conformance and compliance
Management System Registrars have been advising their auditors to draw a fine line between conformance and compliance while auditing management systems. The auditors must not make a judgement call on any specific compliance issue; rather, they should focus on the process to ensure compliance.
Product/service-related applicable statutory/regulatory requirements vary depending on the nature and complexity of the product/service. Such requirements could include API standards, ASTM standards, CGSB product/service-related standards, ASME standards and product/service-related CSA standards. The applicable environmental legal and other requirements could include federal, provincial, territorial, regional and civic requirements such as the Canadian Environmental Protection Act, the B.C./Alberta Environmental Management Act, the B.C./Alberta Hazardous Waste Regulations, the Metro Vancouver/Calgary/Edmonton Sewer Bylaw and City Bylaws. The applicable OHS legal requirements could include federal, provincial and territorial requirements such as the Canadian Occupational Health and Safety Regulations (COSH), the provincial WCB Act and OHS Regulations.
The auditor should not be making a judgement call on the application of a given section or clause of the applicable legal and other requirements. Examples could include an auditor making the following comments:
- ISO 9001 Compliance Example: An auditor might write “The concrete products were found to be noncompliant with section 6.5 of CSA Standard A 23.1 due to inadequate and incomplete testing apparatus which required heating the product at a temperature of 50F per hour for 8 hours.” The auditor may not be competent to make these qualified statements. Instead, the auditor should state that the process to ensure compliance of the product with CSA Standard A 23.1 is inadequate and ineffective. The appropriate approach for an external auditor is to rely on the documentation/records prepared by a competent internal/external resource relevant to product compliance with applicable statutory and regulatory requirements, and to review the documentation/records process to ensure compliance.
- ISO 14001 Compliance Example: An auditor might write “The groundwater testing is not in compliance with EPA protocol exhibit A and Environment Canada Guidelines C.1 as the testing parameters and the methodology deviate from standard protocols.” The statement made by this auditor is risky, as the auditor may not have adequate knowledge and experience to make these specific judgement calls. However, the auditor could review an environmental compliance audit report prepared by a competent internal/external resource that covered the groundwater testing, methodology and testing parameters, and make a judgement call on the reporting process and not on its specific comments.
- OHSAS 18001 Compliance Example: An auditor might write “The roll-over protection (ROP) on two compacters is not in compliance with CSA standards and workers’ OHS could be endangered.” or “The risk assessments for confined space and in-house welding are not in compliance with applicable CSA standards and requirements of WCB OHS regulations.” The statements made by this auditor are risky, as the auditor may not have adequate knowledge and experience to make these specific judgement calls. However, the auditor could review an OHS compliance audit report prepared by a competent internal/external resource that covered the subjects, and make a judgement call on the risk assessment process and the process for assuring ROP, but not on its specific comments.