Sofema Online (SOL) considers Compliance Auditing Best Practices driven by Standards and Recommended Practices
Introduction
Compliance auditing is an essential function within aviation to ensure operational compliance, safety, and continuous improvement.
Aside from the FAA and EASA as sources of regulatory requirements, three primary frameworks with relevance to aviation (all applicable to Aviation Ground Operations) are ISO (International Organization for Standardization), IATA (International Air Transport Association), and ICAO (International Civil Aviation Organization).
Note - A key difference between FAA/EASA requirements and the above-mentioned "3" is that FAA and EASA requirements are mandated by regulation, whereas the other standards are essentially one step removed: they are usually best practices or industry standards rather than direct regulatory obligations (ICAO SARPs bind States, which transpose them into national law, as discussed below).
Here we consider steps to enhance the effectiveness of aviation audits under ISO, IATA, and ICAO frameworks:
• Ensure appropriate & detailed implementation guidance, especially for ICAO SARPs, to facilitate more consistent compliance assessment.
• Ensure effective auditor training programs to enhance competencies required for navigating complex and changing aviation regulatory frameworks.
• Promote the use of standardized checklists across all aviation audits, enhancing clarity, efficiency, and comparability of audit results.
Fundamental Auditing Principles in Aviation - ISO Auditing Principles:
Integrity – In ISO audits, whether for Safety Management Systems (SMS), Quality (ISO 9001), Environment (ISO 14001), or Information Security (ISO 27001), integrity underpins the credibility of findings.
• Auditors must adhere to ethical codes, disclose potential conflicts of interest, and ensure that all representations of audit results are factual and transparent.
• Pressure from management or clients to modify or soften findings can compromise this principle and must be diplomatically but firmly rejected.
Independence – Independence is particularly vital in internal audits, where staff may audit areas they are familiar with or have worked in. ISO 19011 emphasizes that independence should be established in the selection of audit teams and in planning activities.
Confidentiality – Given the proprietary nature of operational data, maintenance records, engineering drawings, cyber resilience reports, etc., confidentiality is critical.
• It is also relevant under EU GDPR obligations, especially when personal data is audited under ISO/IEC 27001 or 27701.
• Ensure controlled access to audit records (e.g., role-based access to the audit management system) and encrypted storage of sensitive findings.
Evidence-Based Evaluation – Factual and Verifiable - In Aviation Related ISO audits, objective evidence may include maintenance logs, risk registers, safety reports, training records, and system access logs.
• This principle ensures the defensibility of findings and traceability for corrective actions.
• Ensure structured use of audit checklists aligned with ISO requirements.
Risk-Based Approach – ISO audits are expected to align with risk management principles. For example, ISO 9001 requires risk-based thinking in quality management.
• In practice, audits prioritize areas with high compliance impact, known deficiencies, or recent changes (e.g., after fleet expansion, outsourcing, or ERP upgrades).
• Hold pre-audit risk workshops or interviews to identify key concerns.
• Use dynamic audit planning that adjusts in response to emerging operational risks.
Continuous Improvement – Beyond compliance, ISO audits should help organizations build resilience, improve safety culture, and refine processes.
• Continuous improvement is integral to ISO 9001, ISO 45001, and ISO 14001, and aligns with ICAO's State Safety Programme (SSP) framework.
• Use corrective action tracking systems that link findings with root cause analysis and effectiveness reviews.
Fundamental Auditing Principles in Aviation - IATA Auditing Principles (ISAGO & IOSA):
Key principles: operational safety, standardization, consistent compliance with the IATA Standards and Recommended Practices (ISARPs), emphasis on risk management, and continuous safety improvement.
• Integrity in the context of IATA audits refers to the auditor’s adherence to ethical standards, unbiased reporting, and professional honesty in evaluating conformance with ISARPs.
• Auditors must report non-conformities objectively, regardless of external pressures.
• IATA mandates rigorous auditor qualification and calibration processes, as well as mandatory conflict-of-interest declarations and rotation of auditors across audit cycles.
Independence - Auditors are required to operate under a formal IATA accreditation system and cannot audit entities with which they have had prior commercial involvement. This is especially important when evaluating critical areas like aircraft handling, cargo operations, or flight operations under IOSA.
Confidentiality – Given the sensitive nature of airline operational data (e.g., manuals, flight data analysis systems, emergency response procedures), both ISAGO and IOSA enforce strict confidentiality protocols. Audit data is shared with IATA and selected regulators under secure protocols.
• All IATA auditors are bound by confidentiality agreements.
• Audited entities retain rights over the release of detailed audit reports unless governed by bilateral regulatory data-sharing agreements.
Evidence-Based Evaluation – Audit conclusions must be drawn from objective, verifiable data—never assumptions or unverifiable claims.
Application in ISAGO & IOSA - Auditors validate conformity by:
• Reviewing documentation (SOPs, training records, maintenance logs).
• Conducting structured interviews with operational staff.
• Observing operations in real-time (e.g., baggage loading, ramp procedures, cockpit briefings).
Note - Both programs prohibit reliance on hearsay or undocumented policies.
• ISAGO/IOSA utilize detailed checklists with objective evidence fields.
• Non-conformities must be supported by specific references to ISARP clauses and corroborated by one or more types of evidence.
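The evidence rules above (a specific ISARP clause reference, at least one type of objective evidence, and corroboration by more than one evidence type) can be enforced mechanically before a finding is accepted into a report. The following is an added illustration written for this page, not an IATA tool or part of ISAGO/IOSA; the record layout, the clause-identifier pattern, the evidence categories and the sample findings are all assumptions constructed for the example.

```python
"""Added example: validate that an audit finding is defensible under the
evidence rules described on this page (clause reference + objective,
corroborated evidence). Illustrative code, not an IATA tool; the record
format, clause pattern and evidence categories are assumptions."""
from dataclasses import dataclass, field
import re

# Evidence categories mirror the three validation methods listed above:
# document review, structured interview, real-time observation.
EVIDENCE_TYPES = {"document", "interview", "observation"}

# Assumed clause identifier pattern for the example, e.g. "GRH 3.2.4".
CLAUSE_RE = re.compile(r"^[A-Z]{3} \d+\.\d+\.\d+$")


@dataclass
class Evidence:
    kind: str        # one of EVIDENCE_TYPES
    reference: str   # traceable pointer: document id/revision, observation time, etc.


@dataclass
class Finding:
    clause: str                      # ISARP clause the non-conformity is raised against
    description: str
    evidence: list = field(default_factory=list)


def validate_finding(finding, require_corroboration=False):
    """Return a list of problems; an empty list means the finding is defensible.

    require_corroboration=True demands two *different* evidence types, i.e. a
    documentary finding backed by an interview or observation, not by a second
    document alone."""
    problems = []
    if not CLAUSE_RE.match(finding.clause):
        problems.append(f"clause reference missing or malformed: {finding.clause!r}")
    if not finding.evidence:
        problems.append("no objective evidence attached")
    kinds = {e.kind for e in finding.evidence}
    unknown = kinds - EVIDENCE_TYPES
    if unknown:
        problems.append(f"unrecognised evidence type(s): {sorted(unknown)}")
    for e in finding.evidence:
        if not e.reference.strip():
            problems.append(f"{e.kind} evidence has no traceable reference")
    if require_corroboration and len(kinds & EVIDENCE_TYPES) < 2:
        problems.append("finding rests on a single evidence type; corroborate with a second type")
    return problems


# Constructed sample findings (not real audit data).
GOOD = Finding("GRH 3.2.4", "Load control sheet not cross-checked before departure",
               [Evidence("document", "Loadsheet LS-0412, 2024-05-01, no second signature"),
                Evidence("observation", "Ramp observation, stand 14, 2024-05-01 08:40")])
HEARSAY = Finding("GRH 3.2.4", "Staff say the cross-check is 'usually skipped'",
                  [Evidence("interview", "Ramp agent, informal conversation")])
NO_CLAUSE = Finding("", "Training records incomplete",
                    [Evidence("document", "Training matrix Q1 2024")])


def audit_report(findings, require_corroboration=True):
    """Map each finding's description to its list of validation problems."""
    return {f.description: validate_finding(f, require_corroboration) for f in findings}


if __name__ == "__main__":
    for desc, probs in audit_report([GOOD, HEARSAY, NO_CLAUSE]).items():
        print(f"{desc}: {'OK' if not probs else probs}")
```

Run as written, the first finding passes, the second is rejected because it rests on a single uncorroborated interview, and the third is rejected for the missing clause reference (and, with corroboration required, for single-type evidence as well). The point of the check is that an auditor cannot record a non-conformity without the clause and the evidence trail that the ISARP programmes require.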
Risk-Based Application in ISAGO & IOSA - While the audits are conformance-based, risk-based thinking influences:
• Audit scope planning (e.g., aircraft turnaround vs. cargo acceptance).
• Determining follow-up focus based on previous non-conformities or reported incidents.
• Identification of systemic weaknesses that expose operational risk.
• Integration of audit planning with SMS hazard identification outputs.
• Use of safety performance indicators (SPIs) to guide audit sampling and deeper investigations.
Continuous Improvement – Application in ISAGO & IOSA - Both programs are structured as recurring audits, with IOSA operating on a biennial cycle and ISAGO on a triennial basis. The expectation is that operators and providers demonstrate clear progress in:
• Closing non-conformities.
• Embedding preventive actions within management systems.
• Strengthening SMS and QMS integration.
ICAO – Standards & Recommended Practices (SARPs)
ICAO SARPs – Annex 1 to Annex 19 define high-level requirements designed to ensure global harmonization of civil aviation standards. However, SARPs are intentionally broad, allowing individual States to adopt and implement them through their own legal and regulatory systems.
• This flexibility, while beneficial for global applicability, creates ambiguity for operators seeking to implement and audit compliance without clear technical or procedural benchmarks. For example:
>> Annex 19 (Safety Management) requires a Safety Management System (SMS), but does not provide comprehensive guidance on performance metrics, audit processes, or specific compliance checklists.
>> Annex 6 (Operation of Aircraft) outlines operational requirements, but lacks detailed means for verifying conformance through internal audits or third-party assessments.
ICAO Auditing Principles - Transparency, a systematic approach, adherence to ICAO Standards and Recommended Practices (SARPs), safety oversight at the State level, and evidence-based performance assessments.
Important Note - ICAO does not publish a dedicated audit standard like ISO 19011; thus, many of its audit principles are implied through the USOAP CMA Manual (Doc 9735).
Integrity – State Accountability and Factual Disclosure - This principle is closely tied to a State's willingness to self-report deficiencies, accept findings, and develop corrective action plans (CAPs) transparently.
Independence – Structural and Functional Separation - Independence in ICAO audits refers to the separation between regulatory oversight and service provision functions within a State.
Evidence-Based Evaluation – Documented Compliance with SARPs - The Protocol Question (PQ) framework under USOAP requires States to demonstrate conformance with each SARP through legislation, regulations, procedures, personnel qualifications, and implementation records.
• The audit process follows a systematic review methodology rooted in documentation review, staff interviews, and field visits.
Risk-Based Approach – Prioritized Surveillance and Oversight - The USOAP Continuous Monitoring Approach (CMA) uses a risk-based model to determine audit frequency, scope, and follow-up priorities.
Application in ICAO Audits: ICAO prioritizes audits based on multiple risk indicators, including:
• International activity level (traffic volume).
• Complexity of aviation operations.
• Previous Effective Implementation (EI) scores and unresolved Significant Safety Concerns (SSCs).
This risk-based model influences not only the ICAO audit planning cycle but also encourages States to implement risk-based surveillance within their own CAA structures, especially under SSP mandates.
Next Steps
Sofema Aviation Services & Sofema Online offer classroom, webinar & online training across multiple aviation disciplines including Ground Operations – please see the websites or email team@sassofia.com.