IEP Auditor Training: Gold Aviation SMS Training

1

IEP Foundation & Regulatory Basis

Purpose, objectives, and who oversees the program

▼

The Internal Evaluation Program (IEP) provides the procedural guidance for auditing Gold Aviation Services' Safety Management System. While the SMS Manual establishes the regulatory requirements under 14 CFR Part 5, AC 120-92B, and ICAO standards, the IEP Manual specifies how audits are actually planned, executed, reported, and followed up.

Important distinction: FAA-required CASS (Continuous Analysis and Surveillance System) activities for maintenance are managed separately under the FAA-approved maintenance program. The IEP addresses SMS-driven internal audits and vendor oversight. Although the two programs are linked, and IEP findings often feed into the broader CASS picture, they remain distinct programs with different regulatory origins.

The IEP exists to:

Ensure compliance with regulatory and internal safety requirements
Verify the effectiveness of implemented safety risk controls
Identify and correct gaps in safety performance before incidents occur
Support oversight of internal operations and contracted organizations
Promote continual improvement of the SMS
Provide senior management with data for accountability and informed decisions

Every IEP audit ultimately evaluates SMS implementation against ICAO's four foundational elements:

Documentation: are policies, procedures, and records current?
Monitoring: is safety performance data being collected on an ongoing basis?
Measuring: are Safety Performance Indicators (SPIs) tracked effectively?
Analysis: do audit results and data actually inform risk management decisions?

IEP oversight responsibilities:

Accountable Executive (AE): overall authority and approval of the IEP
Director of Safety (DOS): manages the IEP, administers the annual audit plan, oversees corrective action closure
Audit Team Leads: assigned by the DOS; must complete Auditor Training before conducting audits independently
Department Managers: ensure corrective actions in their area are implemented on schedule

14 CFR Part 5 AC 120-92B ICAO Annex 19 IEP Rev-1 §1.1–1.4

2

Audit Scope & Schedule

What gets audited, and how often

▼

The IEP covers ten distinct areas on a rolling 12-month cycle. These areas include SMS training and ERP training, safety performance indicators, risk controls (MOC and FRAT), the safety reporting system, contractor oversight, safety governance, evaluation of the four SMS components, operational departments, and compliance monitoring.

Audits run on a rolling 12-month cycle:

Area	Frequency
SMS Training and ERP Training	Annually
Safety Performance Indicators (SPIs)	Quarterly
Risk Controls (MOC, FRAT)	Semi-Annually
SMS Reporting System	Quarterly
Contractor Safety Oversight	Annually
Safety Review Board Meetings	Quarterly
Evaluation of SMS Elements (4 components)	Annually
CASS Audits	Quarterly (June & December)
FBO Usage and Fueling	Annually
FRAT (completion, scoring accuracy)	Semi-Annually
Training Records	Annually
Scheduling & Fatigue Risk Management	Semi-Annually
Follow-up of Audit Findings	Ongoing

Each calendar year, the Director of Safety develops an Annual Audit Plan with input from senior management. This plan outlines which areas will be audited and when. The plan is presented to the Accountable Executive for approval before the start of each calendar year.

Special and ad-hoc audits may be initiated at any time in response to significant safety events, changes in operations or organizational structure, findings from external audits or inspections, or requests from senior management or the Accountable Executive.

As an auditor, you should understand not only what you are auditing but also why that area appears on the schedule at that frequency.

AC 120-59 AC 120-92B §5.4 IEP Rev-1 §2.1-2.5

3

The Four-Stage Audit Methodology

Planning, Execution, Reporting, Follow-Up

▼

Every IEP audit follows the same four-stage structure. This methodology ensures consistency, objectivity, and comprehensive coverage regardless of who is conducting the audit or which area is being reviewed.

Stage 1 – Planning: Risk-based focus areas are identified using safety data, hazard reports from the SAG, and prior audit findings. The annual audit schedule defines when each area will be reviewed.

Stage 2 – Execution: Standardized checklists and templates are used to ensure consistency. Objective evidence is gathered through interviews, record reviews, and direct observation. This is the core data-gathering phase of the audit.

Stage 3 – Reporting: Findings are documented in the SMS system. A risk assessment is completed for each finding, and corrective actions are issued where needed. Clear, factual reporting is essential so that findings can be understood and acted upon by others.

Stage 4 – Follow-Up: The responsible manager implements corrective actions. The Director of Safety verifies effectiveness before closure is documented in the SMS system. This stage closes the loop and confirms that the identified issue has been resolved.

Why this matters: This four-stage process is not bureaucracy. It is what makes audit findings defensible, comparable across cycles, and traceable through to closure. A finding that skips documented planning and execution evidence is much harder to defend if questioned by the FAA or in an external audit.

AC 120-92B IEP Rev-1 §3.1–3.2 14 CFR Part 5

4

Findings Classification & Risk Assessment

How findings get their risk level, and why it matters

▼

Every audit finding gets a risk assessment: the same likelihood × severity logic used in Gold Aviation's Safety Risk Management (SRM) process for hazard reports. This is what connects IEP audit findings into the same SRM pipeline as voluntary safety reports.

LOW

MEDIUM

HIGH

SERIOUS

Risk levels assigned during the Reporting stage, driving CAPA priority and timeline

The risk level assigned to a finding directly drives:

CAPA priority: higher-risk findings get faster-tracked corrective action timelines
Escalation: Serious/High findings are reported to the Safety Review Board regardless of normal reporting cycle
Closure verification rigor: the DOS verifies effectiveness of corrective actions, with higher scrutiny for higher-risk findings

Auditor judgment matters here. The same underlying issue (for example, an outdated checklist) could be rated Low if it is only a wording inconsistency, or High if it means a required step is being skipped in actual operations. Your responsibility is to describe what you observed clearly enough that the risk assessment reflects the real operational impact.

14 CFR §5.51–5.55 AC 120-92B IEP Rev-1 §3.1.3

5

CASS & Compliance Monitoring

How IEP findings connect to the broader compliance picture

▼

Gold Aviation Services' compliance monitoring draws from both internal and external sources. IEP audits are one important piece of a larger picture that also includes the Continuous Analysis and Surveillance System (CASS).

Internal sources include IEP audit checklists, reviews of manuals for currency and accuracy, Safety Review Board oversight of findings and SPI trends, and CASS quarterly and biannual reviews of maintenance compliance.

External sources include FAA SAS Portal findings, third-party operator ratings, and FSDO surveillance activities. These are reviewed by the DOS and fed into the IEP CAPA process for tracking and closure.

Vendor oversight: Vendor self-audits (such as Form 411) may be accepted as part of contractor oversight. However, Gold Aviation Services retains overall oversight responsibility. A vendor's self-reported compliance does not close the loop on its own. This is why the Approved Vendor List tracks the last audit date and result independently.

When you identify a finding during an IEP audit, consider whether it also has implications for CASS. Flagging these connections helps avoid duplicate work and ensures proper triage.

AC 120-92B IEP Rev-1 §2.1.10 14 CFR Part 135

6

Documentation, Training & Continuous Improvement

Your obligations as an auditor, and how the program improves itself

▼

Auditor training requirements: All IEP auditors must complete this Auditor Training module before conducting audits independently. Refresher training is required every 24 months. If you are auditing a vendor, you must also demonstrate understanding of the applicable 14 CFR Part 135 and Part 145 requirements for that vendor's scope of work.

Documentation and records:

All audits, findings, and corrective actions are documented in the SMS system
Records are retained for a minimum of five (5) years
Summary reports are presented at Safety Review Board meetings
Corrective action status is tracked through the CAPA process and reported to the Accountable Executive at each Safety Review Board

Continuous improvement:

The DOS conducts an annual IEP Effectiveness Review
The audit schedule and checklists are revised based on findings, safety data, and regulatory changes
Lessons learned are shared with affected departments during SMS promotion activities
The DOS presents IEP effectiveness findings to the Accountable Executive as part of the annual SMS review

Your role in continuous improvement: If a checklist item does not make sense for the area you are auditing, or if a finding reveals a gap the checklist did not anticipate, that feedback is valuable. Note it and share it: this is exactly the type of input the annual IEP Effectiveness Review is designed to capture.

14 CFR Part 5 AC 120-92B IEP Rev-1 §4.1–4.3

IEP Auditor Training
Internal Evaluation Program

Knowledge Check

IEP Auditor TrainingInternal Evaluation Program

Knowledge Check

IEP Auditor Training
Internal Evaluation Program