Legal Compliance Audits

How can a reliable statement be made that a company is compliant with the law? As is often the case, the devil is in the details. Legal compliance audits examine the methodology for ensuring compliance with the law and take random samples from the implementation: Which elements are in the green and where is there room for improvement?


Time and again, complaints are heard that the legal regulations are becoming more numerous and more complex. This is probably partly justified, but above all the demands on the proof of compliance with the law have increased. Whereas until a few years ago general statements about compliance with the law were common, today customers, investors and the public expect confirmation of compliance with the law to be based on watertight facts.

 

In order to make the topic as practical and comprehensible as possible, the requirements and proven methods are described here using the example of environmental management according to ISO 14001, since this standard contains explicit and comparatively strict requirements.

 


 

The statements can be applied mutatis mutandis to all other areas where the topic of legal compliance is to be implemented and the procedure for ensuring it is to be examined.

Legal Compliance Audit: Content and Scope

 

Since this is an audit, interviews are conducted with the responsible parties to review the implemented procedures and the evidence from practice. A legal compliance audit basically examines two aspects:

 

  • Procedures (process) for identifying, evaluating, implementing and verifying those requirements that affect the company.
  • Evidence on the basis of random checks of the legally compliant execution of activities or the design of the infrastructure, facilities, workplaces, products and possibly other areas.

 

In both cases, the aim is to check that the company-specific requirements and their practical implementation are up to date and effective. If, in addition, conformity with a management system standard is to be assessed, the audit criteria must be based on the standard requirements, which cannot be discussed further here.

The process to legal compliance

 

The Legal Compliance Audit examines the procedures for determining, evaluating, ensuring and documenting compliance with the law. The steps and interrelationships shown in Figure 1 have proven their worth.

 

Those who determine the relevant legal requirements (Figure 1, top left step) must filter out those laws, ordinances, directives and other decrees at the federal, cantonal and communal levels that actually affect their own company. In addition, the individual concrete requirements must be compiled, for example company-specific official requirements, discharge permits or target agreements. As soon as it is a question of legally compliant products, the regulations in the customers' countries must be taken into account, for example EU regulations.

 

At the same time, the responsibilities and procedures for implementing and ensuring compliance with the law must be regulated. The overall responsibility lies with the management, which can delegate duties and tasks. This is done in interaction with the identification of the relevant requirements, since, for example, duties such as the appointment of a dangerous goods safety adviser may affect the company.

 

Next, the detailed requirements such as legal articles must be assigned to the company-specific elements such as infrastructure, activities and products. Here, knowledge from the company (for example, type and performance of the heating) is combined with detailed legal requirements in order to answer the question "What must be observed and where?" The regulations must be implemented (referred to as "process control" in standards): for example, a disposal concept must be drawn up which ensures that waste is collected separately and disposed of correctly, that a waste list with the VeVA codes is kept and that waste is only handed over to disposal companies with an acceptance permit.

Documentation requirements

 

In Switzerland, the number of required verification documents and obligations is comparatively low. An overview of the valid permits as well as a measurement and control plan must be drawn up in order to periodically check and confirm compliance with the requirements.

 

Any deviations found must be rectified. If they are serious, the authority must be informed, which will set a deadline for rectification or order remediation, depending on the situation. This is done in the form of an order. It is important to note that a company can consider itself to be in compliance with the law if the competent authority has taken an official position on the deviation, i.e. if an order has been issued.

 

In order to be able to provide complete proof of legal compliance, the documentation (archiving) of records must be regulated, e.g. measurement and maintenance logs, control procedures, permits. In contrast to quality management, some documents, such as operating permits, must be stored for many decades. The documentation must ensure that there is an overall view of the detailed requirements, which confirms compliance with each relevant requirement or identifies open points. In order to close the management system loop, top management must assess legal compliance with an overall appraisal based on the detailed review and thus on data and facts. Only if this consistency is given can a reliable statement on legal compliance be made. The timeliness and effectiveness of the procedure must also be assessed in order to derive - where necessary - improvement measures.

 

If changes for the future become apparent (either through changes in the company, for example through the use of new technologies, or through changes in the legal requirements), a statement from the top management is already expected here as to how it assesses the effects on the company. Thus, the control loop starts anew by naming any additional requirements or potential for improvement in the procedure.

Audit Sampling: Selection and detailing

 

The defined procedure must be tested in practical implementation and in the necessary depth to determine the timeliness and effectiveness of the entire process. In order to determine suitable samples for the legal compliance audit, expertise is helpful

  • to assess the relevance of legal requirements for the company to be audited, based on the significant decrees and on the activities, infrastructure or products concerned,
  • to check typical industry-specific "stumbling blocks".

 

Individual examples have already been mentioned: probably every company generates waste and is responsible for its correct disposal. This is manageable if it is office waste (incl. electronic scrap from disused IT equipment), but it becomes more complex if chemicals have to be disposed of as hazardous waste with the corresponding consignment notes and if they are considered hazardous goods during transport and the transported quantities require an in-house or external hazardous goods officer. The example shows: In a legal compliance audit, the samples must be selected and reviewed with expertise. In terms of content, chart 2 shows two typical requirements for a gas heating system.

 

The amount of sampling depends on the complexity of the company and the number of different processes, plants, activities or products. The more diverse this is, the more details have to be checked. However, it will neither be feasible in terms of time nor make economic sense to check all requirements on site during the audit. This must be done under the responsibility of the company or the responsible supervisor.

 


 

In the legal compliance audit, however, care should be taken to ensure that the two elements of procedure and sampling are audited in a balanced manner, i.e. that both are given appropriate weight. The audit can certainly be designed in such a way that the audit of the legal compliance process and the sampling audit take place simultaneously and the questions complement each other on a case-by-case basis. For example, once it has been ascertained that the company is affected by the DETEC Ordinance on Lists of Waste Movements, the existence and the up-to-dateness of the waste list are immediately checked. Whether this waste list is complete can then be determined during the site inspection. Conversely, the tour can be used to check whether all existing installations are covered by the legal register.

Conclusion: why a legal compliance audit?

 

In recent years, there has been a trend towards legal compliance audits. They are primarily requested by companies that want independent experts to provide a professional assessment of their approach to legal compliance or to clarify specific issues. It is important to emphasize that, unlike in other countries, these experts cannot issue a certificate of legal compliance due to the Swiss understanding of the law. Their findings relate to the approach and the samples tested, the timeliness and effectiveness of which they assess in order to determine their "suitability for ensuring compliance with the law". Legal compliance in Switzerland can only be determined by an authority. In this sense, legal compliance audits contribute to legal certainty and risk minimization by identifying and addressing potential problem points at an early stage - before deviations and rulings occur.

 
