What Auditors Look for in an SMS Program

When auditors evaluate a Safety Management System in business aviation, they are not looking for paperwork alone. They are assessing whether safety is managed deliberately, consistently, and effectively across the organization. The focus is on how safety risks are identified, analyzed, controlled, monitored, and improved over time, using processes that align with regulatory expectations and actual operational practices.

What auditors look for in an SMS program can be summarized in one question: does the organization actively manage safety risk, or does it simply document it. This distinction becomes clear through evidence of leadership involvement, employee participation, decision making based on data, and continuous improvement. An SMS that exists only on paper is quickly exposed during an audit. One that is embedded in day to day operations is evident even before formal documentation is reviewed.

This article explains how auditors assess SMS programs in business aviation, what evidence they expect to see, where operators commonly fall short, and what effective SMS implementation looks like in practice across different regulatory environments.

What Is an SMS From an Auditor’s Perspective

A Safety Management System is a structured, organization wide approach to managing safety risk. Under FAA 14 CFR Part 5, SMS is built around four core components: Safety Policy, Safety Risk Management, Safety Assurance, and Safety Promotion. ICAO Annex 19 uses a similar framework and emphasizes continuous improvement and accountability.

From an auditor’s perspective, an SMS is not defined by the presence of manuals or forms. It is defined by how well the organization uses its processes to prevent accidents, manage hazards, and learn from normal operations. Auditors expect SMS elements to be integrated into operational decision making rather than isolated within a safety department.

This perspective applies whether SMS is mandated, voluntarily adopted, or implemented as part of a customer or industry standard.

Why Auditors Focus on SMS in Business Aviation

Business aviation operations vary widely in size, complexity, and mission profile. Unlike large airline operations, many business aviation organizations rely on small teams where individuals wear multiple hats. Auditors understand this context, but they still expect the SMS to function reliably regardless of scale.

SMS audits focus on whether the operator can:

• Identify hazards specific to its operation

• Assess and control risk before incidents occur

• Monitor safety performance over time

• Correct issues when controls fail

• Promote safety awareness and accountability

For Part 135 and Part 145 operators, these expectations are tied directly to regulatory compliance. For Part 91 operators, audits are often driven by customer requirements, insurance reviews, or alignment with standards such as IS-BAO. In all cases, auditors look for the same fundamental indicators of an effective SMS.

How Auditors Evaluate Safety Policy and Leadership Commitment

Auditors begin by assessing leadership commitment. This is usually evaluated through the safety policy, but it does not end there. A signed policy statement is necessary, but it is not sufficient.

Auditors look for evidence that:

• Accountable Executives understand their SMS responsibilities

• Safety objectives are defined and reviewed

• Roles and authorities are clearly assigned

• Safety decisions are supported by leadership even when operational pressure exists

Interviews often reveal whether leadership views SMS as a compliance requirement or as a management tool. When leadership cannot explain how safety objectives influence decisions, auditors typically identify this as a weakness.

What Auditors Expect to See in Hazard Identification

Effective hazard identification is central to SMS audits. Auditors review how hazards are reported, recorded, assessed, and tracked. They are particularly interested in whether reporting is accessible to all employees and whether reports lead to meaningful action.

Auditors typically examine:

• Hazard reporting processes and accessibility

• Volume and quality of hazard reports

• Timeliness of report review

• Evidence that reports result in risk assessments or mitigations

• Protection against punitive use of reports

A common internal link opportunity here is the concept discussed in What Makes a Good Hazard Report in Aviation. Auditors do not expect perfect reports, but they do expect consistent use of the system and thoughtful follow up.

How Risk Is Assessed and Controlled

Safety Risk Management is often where SMS programs struggle under audit. Auditors evaluate whether risk assessments are systematic, repeatable, and appropriate to the operation.

Key indicators include:

• Defined risk assessment criteria

• Consistent use of severity and likelihood definitions

• Documented risk acceptance authority

• Clear linkage between hazards, risk assessments, and controls

Auditors pay close attention to whether risk assessments are performed proactively or only after an event occurs. Overuse of low risk ratings without justification is a common audit finding. Another frequent issue is the absence of documented rationale for risk acceptance decisions.

Safety Assurance and Continuous Monitoring

Safety Assurance demonstrates whether the SMS actually works. Auditors review how the organization monitors safety performance and verifies that controls remain effective.

This includes:

• Internal audits and evaluations

• Tracking of findings and corrective actions

• Safety performance indicators and trends

• Management review processes

• Change management activities

Auditors look for closed loop processes. Identifying an issue is not enough. The organization must show how it corrected the issue, verified effectiveness, and updated procedures or training as needed. This concept aligns closely with topics discussed in How SMS Helps Identify Systemic Risk Patterns.

Safety Promotion and Organizational Engagement

Safety Promotion is often underestimated but closely examined during audits. Auditors assess whether personnel understand the SMS and their role within it.

Evidence typically includes:

• Initial and recurrent SMS training

• Safety communications and briefings

• Feedback provided to report submitters

• Visible reinforcement of safety expectations

Auditors frequently interview frontline personnel. If employees are unaware of reporting processes or unclear on how safety concerns are handled, it suggests that the SMS is not functioning as intended.

Common SMS Audit Findings and Misunderstandings

Several patterns appear consistently across SMS audits in business aviation.

Common findings include:

• SMS documentation that does not match actual practice

• Risk assessments completed as a formality

• Infrequent management reviews

• Limited employee participation in reporting

• Lack of follow through on corrective actions

A frequent misunderstanding is the belief that a small operation can rely on informal processes. While scalability is allowed, informality must still be structured and documented. Another misconception is that software alone satisfies SMS requirements. Auditors evaluate processes, not tools.

What “Good” Looks Like During an SMS Audit

An effective SMS is evident through consistency and integration. Auditors recognize a strong SMS when safety processes are part of routine operations rather than special events.

Characteristics of a well implemented SMS include:

• Hazards are reported without prompting

• Risk assessments inform operational decisions

• Safety data is reviewed regularly

• Corrective actions are tracked to completion

• Leadership discusses safety using real examples

In these organizations, audit interviews tend to confirm documentation rather than contradict it. This alignment is often noted positively in audit reports.

How Technology Supports SMS Audits

Technology does not replace SMS processes, but it can support consistency, traceability, and oversight. Auditors generally view modern SMS platforms favorably when they are used to support, not automate away, safety responsibility.

Effective use of technology can:

• Centralize hazard and risk data

• Improve visibility of trends

• Support timely reviews and approvals

• Maintain audit trails for decisions

• Reduce administrative burden

Auditors remain focused on outcomes. Technology is considered effective when it enables better safety management rather than simply producing reports.

Differences Across Part 91, 135, and 145 Operations

While audit principles remain consistent, expectations vary by regulatory context.

• Part 135 operators are audited against Part 5 requirements and operational risk controls.

• Part 145 repair stations are evaluated on maintenance related hazards, human factors, and quality integration.

• Part 91 operators are typically assessed against industry standards, customer expectations, or voluntary SMS commitments.

Understanding how SMS applies differently to Part 91, Part 135, and Part 145 operators helps organizations prepare for audits that reflect their specific operating environment.

Forward Looking Perspective on SMS Audits

SMS audits continue to evolve as regulators and customers place greater emphasis on data driven safety management. Auditors increasingly expect organizations to demonstrate learning, adaptation, and continuous improvement.

Operators that treat audits as an opportunity to validate and strengthen their SMS tend to gain long term value. Those that view audits as a documentation exercise often miss underlying weaknesses. A mature Safety Management System in business aviation is one that stands up to scrutiny because it reflects how the organization truly manages safety every day.