Level 1 vs Level 2 Audit Findings: What They Really Mean for Aviation – guest article by Florin Necula, PhD

By Florin Necula, PhD | Maintenance Manager & Licensed Aircraft Engineer
Jul 3rd, 2025

Abstract

In civil aviation, audit findings serve not only as indicators of regulatory compliance but also as reflections of organisational resilience and the maturity of oversight systems. This article analyses the classifications, meaning, and implications of audit findings under EASA and UK CAA frameworks. It explores when findings should be raised, the limits of Acceptable Means of Compliance (AMC), and the reciprocal responsibilities of both the approved organisation and the competent authority. Particular attention is given to systemic issues across the industry and their implications for State safety oversight.

1. Introduction

In aviation, where precision and accountability are essential to operational safety, regulatory audits play an important role. They assess whether approved organisations – such as Part-145 maintenance providers—comply with applicable legal requirements governing safety, airworthiness and operational control. The audit finding, a formal outcome of this oversight process, is more than an administrative entry; it is a regulatory marker with operational, legal and reputational implications.

Beyond the organisation itself, recurring findings across the sector may reflect weaknesses within the competent authority’s own oversight system, particularly in interpretation, standardisation, or enforcement strategy (ICAO, 2017; EASA, 2023). This article explores the meaning and context of findings, including the responsibilities they place not just on industry actors, but on regulators themselves.

2. Classifying Audit Findings: Level 1 and Level 2

Regulatory findings are categorised according to their severity and their potential impact on aviation safety. The EASA and UK CAA definitions (EASA, 2022; CAA, 2020) are aligned under common principles:

Level 1 Finding:

A significant non-compliance that has an immediate or serious impact on safety. It may result from:

• Systemic failure of the organisation’s management system

• Use of unapproved procedures

• Absence or falsification of required records

• Denial of access to competent authorities

These findings may lead to suspension or revocation of approval unless immediate corrective action is taken.

Level 2 Finding:

A non-compliance that does not immediately compromise safety but could degrade safety standards if left unaddressed. These include procedural weaknesses, document discrepancies, or incomplete training records. Repeated Level 2 findings may escalate to Level 1.

3. When Should a Finding Be Raised?

It is essential to distinguish between regulatory non-compliance and minor operational anomalies. A regulatory audit should not aim to penalise imperfection but to identify genuine, safety-relevant deviations from established requirements. Findings – especially Level 2 – should only be raised when:

• There is a clear breach of an Implementing Rule or Basic Regulation;

• The issue presents a real or latent safety risk if left unaddressed;

• The organisation’s process controls or compliance monitoring system are demonstrably inadequate;

• The issue is repeatable or systemic rather than an isolated, one-off occurrence.

It has been noticed in practice sometimes the issuance of Level 2 findings that do not represent actual non-compliances, but rather reflect subjective interpretations, minor clerical issues or deviation from preferred styles. While such issues may merit discussion or informal observations, elevating them to the level of formal findings without clear legal or safety justification introduces significant dysfunction.

The Root Cause Dilemma

When a finding lacks substantive grounding in regulation or operational risk, it becomes extremely difficult—or practically impossible—for the organisation to identify a meaningful root cause. Root Cause Analysis (RCA), by definition, seeks to uncover the underlying conditions that allowed a deviation to occur. However, if the finding itself is vague or disputable:

• RCA becomes speculative or forced, disconnected from factual causality;

• Corrective action becomes symbolic rather than strategic;

• The organisation may be compelled to implement unnecessary changes to procedures, documentation or internal processes – simply to comply with audit expectations.

This often leads to a bureaucratic domino effect, where procedural revisions and document inflation increase without delivering tangible safety improvements. Over time, such a pattern risks:

• Diluting the focus of compliance monitoring systems;

• Eroding engagement among frontline personnel;

• Fostering a culture of compliance theatre, rather than authentic risk management.

“Compliance-driven bureaucracy, born of ill-defined findings, erodes organisational agility and fosters a culture of proceduralism—not safety” (Dekker, 2014; Reason, 1997).

In essence, unjustified findings can inadvertently devalue the audit process, undermining the spirit of risk-based oversight and the efficiency of Safety Management Systems (SMS) (ICAO, 2021).

4. AMC, GM and the Law: Clarifying the Basis for Findings

This issue is further compounded when findings are based not on binding regulations but on perceived deviations from AMC or internal expectations. While AMC and GM provide clarity, they are not enforceable per se. Treating any divergence from them as non-compliance risks introducing non-legal enforcement, confusing the boundaries between regulatory requirements and best practice guidance.

• AMC and GM are non-binding; they illustrate one way to comply with the Implementing Rules (IR) or Basic Regulation (BR).

• Organisations may deviate from AMC if they demonstrate an equivalent level of safety through alternative means.

• Findings cannot be raised against AMC or GM alone; only a breach of IR or BR justifies enforcement.

Authorities must assess whether a legal obligation has been breached, not simply whether the recommended method has been followed (EASA, 2022).

5. Legal Implications: Civil and Criminal Dimensions

Findings also carry legal weight. In civil litigation, unresolved findings can be used as evidence of negligence or organisational failure to exercise due diligence, especially in the event of an aircraft incident or maintenance-related defect (ICAO, 2021).

Under UK law, particularly the Corporate Manslaughter and Corporate Homicide Act 2007, organisations may be held criminally liable if gross failures in safety management lead to fatalities. A history of unresolved or repeated findings could be interpreted as evidence of gross negligence or reckless disregard for regulatory duties.

6. Findings and Safety Culture

From an organisational perspective, the way findings are received and acted upon reflects the maturity of the safety culture. According to ICAO’s Safety Management Manual (Doc 9859), audit findings are vital inputs into the SMS feedback loop.

• A defensive reaction or an attempt to deflect responsibility signals a compliance-based culture, not a safety-oriented one.

• Transparent handling, thorough root cause analysis and engagement with frontline staff demonstrate a learning organisation.

7. Implications for the Competent Authority

While findings are directed at organisations, they also have implications for regulatory authorities. When similar findings emerge across multiple organisations, the root cause may lie not in operator error, but in:

• Ambiguous or outdated AMC/GM

• Inconsistent inspector interpretation or guidance

• Lack of calibration or standardisation across regulatory personnel

• Flawed risk-based oversight models

“Systemic trends in findings are not just a reflection of industry gaps; they mirror weaknesses in regulatory governance.” (ICAO, 2017)

If accepted/ approved persons (e.g. Accountable Managers, Nominated Persons) are later found deficient, this also questions the competence of the approval process itself. Therefore, the issuance of a finding can be a dual reflection – on both the organisation and the authority responsible for its oversight.

8. Comparative Analysis of Key Concepts

Finding vs Observation

• Definition & Purpose:
  Finding: Formal documented conclusion of regulatory non-compliance.
  Observation: Noted concern or improvement opportunity without direct breach.

• Regulatory Status:
  Finding: Legally binding and enforceable.
  Observation: Advisory and non-binding.

• Corrective Action Requirement:
  Finding: Mandatory CAPA.
  Observation: Optional but encouraged.

• Escalation Risk:
  Observation may escalate to Finding if repeated or unaddressed.

AMC/GM vs Law (IR/BR)

• Definition & Purpose:
  AMC/GM: Guidance on how to comply.
  Law (IR/BR): Actual enforceable requirement (e.g. Part-145.A.70).

• Regulatory Status:
  AMC/GM: Deviation allowed with justification.
  Law: Mandatory compliance.

• Corrective Action Requirement:
  No findings issued solely for AMC deviations—must breach the law.

• Escalation Risk:
  Breach of law triggers findings and potential enforcement action.

Regulator vs Organisation

• Definition & Purpose:
  Regulator: Provides oversight, standardisation, and enforcement.
  Organisation: Maintains compliance, effective control systems, and airworthiness.

• Regulatory Status:
  Roles defined in ICAO Annex 19, EU 2018/1139, Part-145.

• Corrective Action Requirement:
  Regulator: Must initiate findings when warranted.
  Organisation: Must respond effectively.

• Escalation Risk:
  Failures in either side can compromise the safety system and trigger international scrutiny.

9. Conclusion

Audit findings in aviation are not simply compliance tools – they are systemic signals. For approved organisations, they are opportunities to investigate, improve and demonstrate safety ownership. For competent authorities, they serve as metrics of interpretive clarity, consistency and oversight maturity.

A transparent, evidence-based approach to findings fosters not only regulatory alignment, but also a shared responsibility for safety across the aviation ecosystem.

In high-reliability systems, reasonable findings are not failures – they are catalysts for resilience.

References

• Civil Aviation Authority (UK). (2020). CAP 1454: Guidance for Part-145 and other maintenance organisations on compliance monitoring. Retrieved from:
  https://publicapps.caa.co.uk/modalapplication.aspx?appid=11&mode=detail&id=9917

• European Union Aviation Safety Agency (EASA). (2022). Part-145 Regulation and AMC/GM. Retrieved from:
  https://www.easa.europa.eu/en/document-library/regulations

• International Civil Aviation Organization (ICAO). (2021). Doc 9859: Safety Management Manual (4th Ed.). ICAO.

• ICAO. (2017). Doc 9734A: Safety Oversight Manual – Systematic Approach to Safety Oversight. ICAO.

• UK Parliament. (2007). Corporate Manslaughter and Corporate Homicide Act 2007. Retrieved from:
  https://www.legislation.gov.uk/ukpga/2007/19/contents

• Reason, J. (1997). Managing the Risks of Organizational Accidents. Ashgate.

• Dekker, S. (2014). Just Culture: Restoring Trust and Accountability in Your Organization. CRC Press.

• European Union. (2018). Regulation (EU) 2018/1139 on common rules in civil aviation and establishing EASA. Retrieved from:
  https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018R1139

Tags:

Dr. Florin Necula, guest article, Civil and Criminal Dimensions, Legal Implications, Basis for Findings, Root Cause Dilemma, Level 2 Finding, Level 1 Finding, Licensed Aircraft Engineer, Aircraft Engineer, aviation, Maintenance Manager, Sofema Aviation Services (SAS), Sofema Online (SOL), UK CAA, Audit Findings, Acceptable means of compliance (AMC), Part 145, EASA