Auditing the Auditors – How to Audit an EASA-GCAA Quality Assurance System

Presented by Steven Bentley, CEO of Sofema Aviation Services. Steve commenced his auditing activities in 1989, more than 30 years ago, and shares his learning experiences related to effective auditing.


This paper is intended to make you a better auditor: to understand how to determine system deficiencies in the most effective way and to present these “findings” in the correct way.

There are several home truths and some quite surprising traps that otherwise experienced people fall into. Many people who perform audits look without seeing. Fortunately, it is not so difficult to deliver an effective audit if you pay attention to several straightforward indicators.

Making every possible mistake an auditor can make in 30 years brings the opportunity to come out the other side as a more competent and effective auditor, and the best-value auditing processes learned along the way are something to share!

What Makes the Role of Quality Assurance “Somewhat” Unique?

EASA / GCAA, and the JAA before them, mandated that the QA auditor should be “Independent” from the Audit Process. This “one step removed” requirement is there so that a fresh pair of eyes performs the audit.

What is the Difference Between Quality Control & Quality Assurance?

I ask this question often, and it is interesting how many different responses are received and how confused so many people are, people whom we would normally expect to have a clearer understanding of roles and responsibilities.

Whilst Quality Assurance is independent and essentially looking at compliance, the Quality Control role is embedded throughout the entire production process.

Think of Quality Control as the need to follow all the rules to deliver the production objectives in the best way. In terms of individual QC it depends where you are in the delivery process – For front line staff QC means following the rules. For Supervisors, it means mentoring and managing the delivery of the rules and for managers, it means “writing” the rules.

In terms of QC “ownership”, the business area “owner”, and not QA, is responsible for delivering and self-regulating the Quality Control process. Consider: if QA is responsible, they are no longer independent!

So please consider the following as a takeaway:

EASA / GCAA Quality Assurance is a SAFETY NET (If we use the Safety Net something has gone wrong)


Can QA & QC be combined in one Department?

This may seem a strange notion. However, some organisations combine the two and run a single quality process. Neat, eh? Putting all of the Quality Story in one “pot” is actually a disaster. The role of the safety net blurs, roles and responsibilities become confused, and where is the independence?

So do we need a separate QC or not?

As mentioned above, QC is the responsibility of the Business Area and ultimately the Nominated Person (NP) or Postholder (PH). So if we have a group of persons whom we can call Quality Controllers and they report directly to the business area, all is good, as we have a closed loop. If QC reports to the QAM, we have confusion which is even potentially damaging to the business, as it fundamentally undermines the business area.

Who is in Charge?

Absolutely not the QAM! Some organisations place the QAM in charge of the process and procedures, believing that in this way the organisation will demonstrate compliance and minimise any findings.

For such companies there are 2 comments:

The first is that the business is about producing a cost-effective product in the most efficient way. If you give this task to the QAM, the focus moves from business benefit to compliance benefit.

The second comment is that we either have a conflict between the QAM and the Business Area or, worse, the QAM is taking control and undermining the Business Area Owner.

So please consider the following as a takeaway:

EASA / GCAA Quality Assurance is a service provider of “conformity status” to the Leadership Team & should share an understanding of shortfalls & discrepancies and provide support to consider “possible solutions” but not to provide ownership of decisions which MUST sit with the Business Owner.

Delivering an Effective Quality Assurance System – Summary

1/ Quality Control is typically the responsibility of the individual post holders and business area owners.
2/ Quality Control is delivered through the development of regulatory compliant organisational processes and procedures which are followed by suitably trained and competent organisational staff.
3/ All QC processes should be independently audited by the QA process.
4/ The organisation has an inherent obligation to ensure regulatory compliance and the Accountable Manager “AM” signs a statement accepting responsibility for the financing of the organisation to remain in compliance with all mentioned requirements.
5/ One of the many roles of the Post Holder is to protect the Accountable Manager by ensuring that all required compliances are satisfied in respect of the relevant business area.
6/ It is very healthy within the organisation to ensure that the Post Holder is able to deliver Regulatory Compliance independently of the QAM.
7/ It is incumbent on the QAM to ensure any identified deficiencies are also brought to the attention of the Accountable Manager in the most appropriate way. (If necessary with the support of the PH / NP and Safety Manager.)
8/ The regulatory authority will perform “oversight” audits of the organisation, however, it should be understood that the purpose of these audits is entirely different from the needs of the organisation.
(The regulatory authority is of course not part of the organisation's QC or QA process and independently assesses what they wish, when they wish. It should also be said that a lack of awareness not identified by the regulatory authority does not in any way exonerate the organisation from compliance.)

Once we accept the above we can focus on the importance of the CM/QM.

9/ To finish with the following comments:

a) The Business Area owner should ensure compliance and through QC activities identify and correct shortfalls.
b) If the QAM identifies organisational non-conformities, there are potential business area exposures. It is more than FINDING (“there is a problem”) followed by CORRECTIVE ACTION (“problem fixed”).

i/ Why did the business owner not know about it?
ii/ Where is the deficiency (manpower / training / competence / process or procedures)?
iii/ Has the fix been implemented and validated by the business owner?

c) If the QAM re-audits and the problem has not been addressed, then the AM should be directly involved and taking strong action.
d) If the CA finds a problem we have to understand how the Safety Net has failed and we are actually in a very bad place. We find ourselves questioning the effectiveness of the Quality Assurance System.

Now that we understand the above, we can audit the Organisation's Quality System!

1/ The first question to ask is what findings has your organisation received from either regulatory auditors or other organisations? (This could indeed include your organisation!)

i/ These findings carry significant weight as it is possible that there are systemic issues within the organisation which should be understood.

As an auditor, you should be very interested in understanding how the quality assurance system (the safety net) failed and how the business area created the issue in the first place.

This is the crux of an effective system: not that there are problems, but rather that the organisation is able to understand, address and mitigate its problems in the most effective way.

2/ The next question concerns the depth of findings during the delivery of the Organisation's Quality Assurance Program. Pay particular attention here: what you are looking for is effective identification and closure. Look for any repeat or system issues which have not been addressed, and look back over the last 2 years (going further back is not of so much value).
3/ Now look at the size of the audit program: how many hours are spent auditing? Consider: if you do not look, then you do not find. (This will also guide you when you take a look within a business area.)
4/ Next, look at the Internal Reporting System. How effective is this process? How willing are the employees, in general, to engage with the Quality Assurance System?

Sofema Aviation Services and Sofema Online provide regulatory and vocational training compliant with EASA – FAA – GCAA – OTAR.