Auditing the System, Not Just the Symptoms: Understanding Internal vs. External Quality Assurance Audits in Airport SMS

Audits aren’t exactly anyone’s idea of a good time. They conjure images of clipboards, binders, and a few nervous glances around the table. But when done right, audits are far more than an administrative requirement, they’re a window into how effectively your airport’s Safety Management System (SMS) is actually functioning.

Under Transport Canada’s requirements, certified airports must conduct periodic audits to ensure that their SMS, including all its supporting processes, continues to comply with regulations and operates as intended. Yet the “how” of that auditing process can differ significantly between organizations, often depending on size, resources, and the culture around continuous improvement.

Let’s unpack the differences between system-wide audits and component or interval-based audits, and explore whether airports should rely on internal auditors, external reviewers, or a combination of both.

1. System-Wide vs. Interval-Based Audits

A system audit is a comprehensive review of your entire SMS and Quality Assurance (QA) program. It examines the processes, documents, and records to ensure all the elements align — not only with regulatory expectations but also with operational reality. This type of audit is typically completed every three years.

Pros:

• Provides a holistic picture of compliance and effectiveness.

• Highlights systemic issues that might otherwise go unnoticed.

• Serves as a “reset” opportunity for management to recalibrate objectives and priorities.

Cons:

• Resource-intensive and time-consuming.

• Can feel overwhelming for smaller airports.

• Risks becoming a “check-the-box” exercise if not coupled with smaller, more frequent audits.

On the other hand, interval-based audits, as should be defined in your Airport Operations Manual (AOM), break the process into manageable pieces. For instance, you might audit wildlife management in Q1, emergency planning in Q2, and TP312 in Q3 — spreading the workload and maintaining a rolling assurance cycle.

Pros:

• Easier to schedule and resource.

• Keeps safety assurance active year-round.

• Allows for quicker detection and correction of nonconformities.

Cons:

• May lose sight of system-wide trends if not integrated properly.

• Can lead to inconsistent documentation or missed linkages between processes.

Some airports find that a hybrid model works best, conducting smaller audits throughout the year, with a full system review every three years to tie it all together.

2. Internal vs. External Auditors — or Both?

This is the question most executives ask once the topic of audits arises: Should we use our own people or bring in an outside party?

Internal Auditors
Trained internal auditors have the advantage of knowing your organization, its culture, and its nuances. They’re best positioned to spot practical issues that might not be obvious to outsiders.

Pros:

• Familiarity with local context and processes.

• Builds internal capability and accountability.

• Encourages employee engagement and ownership of safety culture.

Cons:

• Potential for bias or “friendly findings.”

• May overlook deeper systemic gaps due to familiarity.

• Requires consistent training and refresher courses to stay sharp.

External Auditors
External reviewers - whether consultants, peer airports, or third-party experts - can bring fresh eyes, objectivity, and experience from across the industry.

Pros:

• Objective and impartial.

• Provide benchmarking opportunities and external best practices.

• Enhance credibility with regulators, insurance providers, and stakeholders.

Cons:

• Costlier than in-house audits.

• May have less familiarity with the local operating environment.

• May recommend generic “best practices” that don’t fit smaller airports.

The Best of Both Worlds:
Some organizations opt for a blended model — training internal auditors to handle the bulk of periodic audits, while engaging a third-party every few years to conduct the full system-wide review. This not only balances objectivity and practicality but also ensures continuity of knowledge and progressive improvement between audits.

3. What Executives Should Care About

As an airport executive, you may not be directly involved in audit planning or execution, but the findings ultimately reflect on leadership. Here are key questions to ask your team:

• Do we have a defined audit schedule, and is it being followed?

• Are our internal auditors trained and independent of the areas they audit?

• How do we track and close findings?

• When was our last full system audit, and what did it reveal about our culture and compliance?

• When was the last time we had an external set of eyes review our SMS or AOM?

Remember - audits are not about catching people out. They’re about learning, improving, and validating that your processes are working as intended.

Final Thoughts

Whether you choose an internal, external, or combined approach, the key is to make auditing a continuous conversation, not a once-every-three-years event.

A strong audit program doesn’t just prove compliance - it builds confidence, resilience, and trust in your organization’s ability to manage safety proactively.

And if your internal team could use a refresher or formal certification, now’s the perfect time to get them trained.

Join us December 1–2 for our Internal Auditor course, where we’ll equip participants with the tools and techniques to audit effectively, objectively, and confidently.