Aviatize — Flight School Management Software

Internal Audit (Compliance Monitoring Audit)

An internal audit (or compliance monitoring audit) is an independent, systematic, documented process for obtaining evidence and evaluating it objectively to determine the extent to which an EASA-approved organization continues to meet applicable requirements, its own approved procedures, and relevant AMC/GM.

Definition

An internal audit in the EASA regulatory context is the primary tool of the Compliance Monitoring Function (CMF) — the independent monitoring mechanism that forms one of the core elements of every approved organization's Management System under Commission Regulation (EU) No 965/2012 (Part-ORO), Commission Regulation (EU) No 1178/2011 (Part-ORA), and Commission Regulation (EU) 2017/363 (Part-CAMO). For Part-145 maintenance organizations, the equivalent provision is 145.A.65(c), which requires an independent quality system including audits. The underlying methodology framework recognized by EASA AMC/GM is ISO 19011:2018 (Guidelines for auditing management systems), which defines the principles of audit integrity, fair presentation, due professional care, confidentiality, independence, and evidence-based approach that structure a compliant internal audit program.

The audit program is the multi-year rolling schedule that ensures every area subject to the organization's approval is audited at a frequency commensurate with risk. AMC1 to ORO.GEN.200(a)(6) requires that the program is structured so that all applicable areas are covered at least once every 24 months. In practice, higher-risk areas — flight operations, instructor standardization, training record management, airworthiness control — are typically audited annually or more frequently, while lower-risk administrative areas may be scheduled on the 24-month cycle. The program must be documented, approved by the Accountable Manager, and kept current as regulatory requirements, approved procedures, and organizational structures change. A program that was designed three years ago and not updated since the organization obtained additional course approvals or opened a new base is a Management System finding.

Audit types used within the compliance monitoring program include: process audits (examining whether a defined process is being followed as documented — for example, whether student progress checks are being conducted at the stages specified in the approved training programme and whether records are completed correctly); product audits (examining the output of a process — for example, reviewing a sample of completed training records or maintenance releases to verify they are accurate and compliant); and system audits (assessing whether the organization's Management System as a whole is functioning as intended). Most internal audit programs in ATOs and CAMOs combine all three types, with process and product audits predominating at the operational level and system audits conducted at defined intervals to assess CMF effectiveness.

Audit independence is the structural requirement most commonly compromised in practice. AMC1 to ORA.GEN.200(a)(6) and the equivalent provisions for other approval types state explicitly that the auditor must not audit their own area of work — the principle that no one can objectively assess their own performance. For large organizations this is addressed through an internal audit team with differentiated portfolios. For small ATOs and CAMOs — where the CMM may simultaneously hold another operational role — the standard approach is to contract qualified external auditors for the areas where internal independence cannot be achieved. External auditors used for this purpose must themselves be qualified: EASA AMC/GM does not mandate a specific auditor qualification but requires demonstrated competence, which in practice means relevant regulatory knowledge, audit methodology training, and documented experience. Many organizations require external auditors to hold, or be working towards, an aviation auditor qualification such as those offered by the Civil Aviation Authority (CAA), the German Aerospace Center (DLR) audit training programmes, or equivalent national-level courses.

Findings from internal audits are classified identically to Competent Authority findings: Level 1 (significant non-compliance posing a safety risk — requires immediate corrective action); Level 2 (any other non-compliance — response within 90 days under AMC1 ORO.GEN.150); and Observation (a potential non-compliance or a situation that, while not yet non-compliant, warrants monitoring). Each finding initiates a Corrective Action Plan (CAP) workflow. The CMM is responsible for tracking all open findings to verified closure and reporting the compliance status — including finding counts by classification, age, and area — to the Accountable Manager at defined intervals. The relationship between internal audit and the safety audit within the SMS Safety Assurance function (ORO.GEN.200(a)(3)) is distinct: safety audits focus on whether safety risk controls remain effective, while compliance monitoring audits focus on regulatory conformance. In practice the two programs overlap considerably and are often coordinated by the same individual, but they serve different regulatory functions and should be documented separately.

Under FAA regulations, 14 CFR Part 5 SMS (effective March 9, 2018 for Part 121 air carriers under 14 CFR § 5.1) requires a Safety Assurance function (§ 5.71) that includes continuous monitoring of the performance and effectiveness of safety risk controls — functionally analogous to the EASA internal audit program for SMS elements. For Part 145 repair stations, § 145.211 requires a quality control system that includes audits; FAA AC 145-9A (Quality Management System Guidance for Aviation Maintenance Organizations) provides guidance aligned with AS9110 / ISO 9001 quality system frameworks. For Part 141 flight schools, there is no direct FAA equivalent to the EASA CMF audit program requirement — the chief instructor's quality oversight under § 141.85 is the closest analogue, though it lacks the independence and program structure mandated under EASA.

Why It Matters for Flight Schools

The distinction between auditing documentation and auditing practice is the most consequential quality dimension of an internal audit program, and the one most frequently cited in EASA standardization inspection reports as a systemic weakness. A documentation audit can confirm that a manual says the right thing, that a form was completed, and that a record was filed. It cannot confirm that the procedure described in the manual is what actually happens on the flight line or in the simulator bay. Practice-level auditing requires direct observation, structured interviews with operational staff, and cross-referencing of multiple data sources — for example, comparing FTD session records against instructor scheduling logs against student performance data to verify consistency. When an NAA oversight inspection identifies a non-compliance that the organization's internal audit program did not find, the most common explanation is not that the program missed the area, but that the audit of that area was conducted as a records review without any verification of actual practice.

The escalation pathway for repeat findings is a specific Management System requirement that many small and medium organizations handle poorly. When a finding recurs across consecutive audit cycles — the same non-compliance in the same area — AMC1 to ORO.GEN.200 requires the Management System to treat this as a systemic failure requiring escalation beyond standard CAP processing. In practice this means formal reporting to the Accountable Manager, a structured root cause review of why previous corrective actions were ineffective, and in some cases notification to the Competent Authority. Organizations that handle repeat findings through the same CAP workflow as first-time findings without escalation are demonstrating Management System ineffectiveness — which is itself auditable under the requirement for the CMF to monitor its own performance (the audit-of-the-audit concept, sometimes called second-order compliance monitoring).

How Aviatize Handles This

Aviatize's compliance and auditing module manages the internal audit program end-to-end: program planning (multi-year schedule with regulatory reference mapping, assigned auditors, and due dates), audit execution (structured checklists linked to specific regulatory requirements and approved procedures, with prompts for observation, interview, and record review elements), finding recording (Level 1 / Level 2 / Observation classification, with automatic timeline enforcement for CAP initiation), and program completion tracking. The CMM has a live dashboard showing scheduled vs completed audits, overdue audits, and program coverage rate — the metrics that demonstrate to the Accountable Manager and the Competent Authority that the program is being executed rather than planned and deferred. Auditor independence is enforced at the assignment level: the system prevents assigning an auditor to an area they manage and flags any assignment that would breach the independence requirement.

For the practice-level audit quality problem, Aviatize structures audit checklists to include evidence type requirements alongside each checklist item — distinguishing document review items from interview items from observation items — so that audits that complete only the document review elements are visibly incomplete in the record, rather than appearing identical to a fully conducted audit. Follow-up audit scheduling is linked directly to CAP closure: when a corrective action plan includes a verification audit, Aviatize automatically creates the corresponding audit task in the program at the specified verification date. The safety management module shares the finding and corrective action data layer with compliance and auditing, so that findings with both compliance and safety dimensions are handled through a single workflow rather than duplicated across separate systems, and the KPI reporting and dashboards module surfaces repeat-finding metrics — count of findings recurring across consecutive audit cycles by area and regulatory reference — as a standing indicator on the Accountable Manager's compliance health dashboard.