There are many aviation audit checklists available online.
While these checklists offer many specific tasks you need to perform, few checklists offer a broad overview of things that airports, airlines, and other aviation service providers should do to augment audit performance.
The purpose of aviation safety management systems (SMS) is to continuously improve safety performance while also improving the business' operational processes. This continuous improvement is expected to be realized by:
Aviation SMS audits assure the accountable manager that the SMS is implemented properly and functioning as designed. However, other stakeholders are interested in assuring themselves that your company has a compliant SMS. These stakeholders may include:
The aviation audit checklist items below are items you probably won’t see in standard checklists but will prove indispensable in audit preparation for your aviation safety management system (SMS).
Consider using these audit checklist items in conjunction with more itemized checklists offered by your oversight agency.
Below are 10 things to do before aviation SMS audits.
It looks very bad when an auditor shows up and hits you with findings that you also received in previous audits. Even if other areas of your safety management system are shining, repeat audit findings will overshadow everything else. Not only is it an avoidable finding, but it hurts goodwill with oversight agencies.
When you know that auditors are coming to inspect your organization, the first thing you need to do is review your last audit and establish:
Ensuring that, at the very least, your organization has addressed these points will be the top priority in preparing for the new audit.
Performing an internal SMS audit is not only a good idea, but it's also necessary. This audit should:
Internal audits are test runs. They allow you to evaluate your SMS risk management processes with standards similar to those outlined by your impending audit protocols. Moreover, internal audits give all employees in your company a chance to practice their jobs in a compliant way (if they already aren’t doing so).
Ideally, it has been a while since your last audit. If this is the case, your Hazard Register probably needs some organization and/or cleanup. What does this look like?
Auditors are going to inspect your hazard register and ask questions, especially if you are expected to have a mature SMS. For operators in Phase I, II, or III, your hazard register may not be under much scrutiny. This will also hold true for corporate operators (GA), FBOs, and smaller aviation maintenance organizations. The rule of thumb is that the more complex your operation, the more scrutiny auditors will invest in our hazard register.
Another rule of thumb is that the more advanced your SMS maturation level, the higher level of scrutiny you should expect on your hazard register. For example, if you are in Phase 4 of your SMS implementation, or Stage 3 IS-BAO, then you are advised to have hazard documentation and be able to demonstrate safety performance monitoring and measurement of your top hazards.
Another tip related to your hazard register is to be prepared to show your safety objectives and key performance indicators (KPIs) or you may know them as safety performance indicators (SPIs). Your safety objectives should correlate with your KPIs, of which your top hazards should also be listed as your KPIs.
Having top hazards (which will be your KPIs), updated risk controls and updated hazards will greatly improve your chances of no audit findings regarding your Safety Risk Management processes.
Moreover, cleaning up your Hazard Register gives you an opportunity to review your SMS program's hazards and controls, and better answer questions elsewhere in the safety program.
Much like cleaning up your Hazard Register, you should clean up the documentation of any reported safety issues that were neglected and not properly closed. What do we mean by this? For example, Joe Wrenchfoot submitted a safety report about an employee not following prescribed maintenance procedures. During the initial investigation, it was discovered that the employee had followed the procedures, but Joe was distracted and didn't see the entire process, and missed a step. The safety team saw this as a non-issue and forgot to complete the documentation because the risk was acceptable. Their SMS processes didn't have alerts to notify the safety team of the open safety report, so the report just "hung out" in the SMS database.
This is a common scenario in spreadsheets and even SMS databases that do have automated alerts.
Joe's safety report is just an example. There may be many other reasons why you might have safety issues still open and hanging around in your SMS database or spreadsheet – maybe:
Whatever the reason, having issues or CPAs that are neglected and apparently abandoned for many months will reflect very poorly upon your aviation SMS record-keeping practices. SMS documentation requirements can be very complex and time-consuming to fulfill properly.
Neglected or poorly documented safety reports are a big red flag for auditors. As auditors uncover these loose ends, these abandoned safety issues may lead to much greater scrutiny of your SMS, which can in turn lead to more audit findings.
To avoid this, you need to work diligently to close those neglected issues and CPAs by whatever means are efficient and compliant.
In addition to cleaning up abandoned safety issues, you also need to ensure that by the time of the audit, there should be no overdue issues unless there is a valid reason behind the delay. For example, there may be safety reports that require manual revisions that must be approved by the regulatory authority. As you know, things move very slowly at the CAA and months may pass before the manual revision is reviewed, accepted, and implemented.
While having overdue reported issues isn’t as egregious as abandoned, incomplete safety reports, it’s still better not to have them.
There are two simple ways to address overdue safety issues:
Having all safety reports completed on time and documented is best practiced on a regular basis. Note here that "completed documentation" is part of the risk management process. An issue should not be considered complete until the documentation is complete.
This is a very valid point that I must make at least four times each year to safety managers. Over and over again, a different safety manager will come to me and ask: "Why can't I complete documenting my safety report in the SMS database after I closed it?" By now, most of you know that we provide an SMS database to aviation service providers on a worldwide basis. This is why I get to hear this same story, over and over again. My response is always: documentation is part of the risk management process. If the documentation is incomplete, then the safety report is not complete and should not be closed.
This is not a big deal to half of these safety managers after they understand the logic. They simply change the status of their safety report back to "In Progress" and finish the documentation. However, the other half became frustrated and realized that if they re-opened the safety report, the safety report would not be considered completed on time. Which is the truth! When documentation is incomplete, safety reports should not be closed simply to "play the stats game" and make the risk management team appear more responsive than what is truly happening.
This is the beauty of having an SMS database versus using spreadsheets. If you want an honest accounting of what is transpiring in your SMS, the SMS affords the most accurate picture for:
It is much more difficult to "juke the stats" using an SMS database. If you are not familiar with "juking the stats," this term was coined by the television series "The Wire."
If your safety culture prefers to "juke the stats," then you may not want an SMS database that accurately tracks your risk management activities. If I were the accountable executive, I would want the assurance that my safety team is honest and accurately reporting what is happening in the trenches and not putting on a show to make the safety team or the company appear to be better than what they truly are.
We've beaten this enough, but the basic fact is that for most SMS in the earlier stages of implementation, things fall through the cracks. Audits allow you to correct this and you should not be afraid to show your SMS processes for what they are. When risk management processes are not perfect, an audit helps guide the operator toward compliance.
Employees absolutely need to be notified of an impending audit, including:
Notifying and preparing employees is an often overlooked or undervalued step in preparing for audits. It can do wonders for making your SMS human element perform (or at least appear to behave) cohesively.
While we are speaking about "training employees" on how to behave during an audit, we should not neglect to coach the accountable executive and upper management. Knowing what to say is as important as knowing not what to say. There are SMS consultants who specialize in preparing accountable executives for audits. I don't have any more to say about this.
Updating safety policies is probably the most over-stressed area of audit preparation. It's usually a mainstay of most audit checklists. Granted, it is an important element of audit preparation. However, updating policies should be considered of equal importance as other, previously mentioned activities.
Reviewing safety policy is simply a matter of:
This should be the extent of reviewing safety policy, though you may also double-check safety policy compliance requirements as well. When safety policies are updated, make sure that the safety policy has been reviewed and dated by the accountable executive. I've seen a few audit findings of this nature... not many, but it does happen that there is no documentation that the accountable executive had actually reviewed the updated safety policy.
Simply put, you should take a random sample of reported safety issues and inspect them. This sample should include:
The inspection should force you to:
Organizing documentation and safety data into easy-to-navigate categories will make your auditor's job a whole lot easier and will demonstrate that your SMS is “on top of it.” Things like:
A best practice is to organize them in the order you can expect your SMS auditor to follow through with his/her SMS audit checklist. If your auditors prefer a “binder” you should do that. If your oversight agency is more “modern” and is comfortable navigating this documentation in a digital format, this will require less work on your end.
There are a few auditors who will refuse to view SMS documentation in electronic formats, such as Excel reports or logging in directly to your SMS database. They will make you kill a few trees and print out piles of documentation. This is senseless to many of us, but there are reasons. The most obvious reason is that the auditor came to your operation to audit your SMS documentation and risk management processes. The auditor did not come to learn about your SMS database or how to find risk controls buried in a software program. They may feel uncomfortable, like a fish out of water, sitting in front of a strange computer screen looking at a strange SMS database. This uncomfortable position leaves them feeling vulnerable and takes away some of their "power." Before the auditor comes, you may ask what types of SMS performance monitoring documentation they wish to review and the format they prefer.
The relationship you establish with your auditor is extremely important. Subordination and pandering can give the impression that you are either hiding something or that the aviation SMS is not performing well.
Your auditor is there to help you and work with you. However, auditors can only do that if they are confident in the SMS's performance and have strong reasons for the actions they have taken in the documented risk management activities. Remember, you should NOT depend on your inspector for answers to regulatory questions – this is a common pitfall.
YOU should interpret regulatory requirements and count on your auditor to put you back on track if your interpretation is off balance. This is the kind of collaborative, cordial relationship that pleases auditors and benefits your aviation SMS.
You may find these two resources valuable for audit preparation.
Last updated September 2024.