9807 - Continuous Monitoring Manual - EN PDF

Download as pdf or txt
Download as pdf or txt
You are on page 1of 112

Doc 9807

Universal Security Audit Programme


Continuous Monitoring Manual

Second Edition, 2016

Approved by and published under the authority of the Secretary General

INTERNATIONAL CIVIL AVIATION ORGANIZATION


Doc 9807
Universal Security Audit Programme
Continuous Monitoring Manual

Second Edition, 2016

Approved by and published under the authority of the Secretary General

INTERNATIONAL CIVIL AVIATION ORGANIZATION


Published in separate English, Arabic, Chinese, French, Russian
and Spanish editions by the
INTERNATIONAL CIVIL AVIATION ORGANIZATION
999 Robert-Bourassa Boulevard, Montréal, Quebec, Canada H3C 5H7

For ordering information and for a complete listing of sales agents


and booksellers, please go to the ICAO website at www.icao.int

First edition, 2004


Second edition, 2016

Doc 9807, Universal Security Audit Programme Continuous Monitoring Manual


Order Number: 9807
ISBN 978-92-9258-039-1

© ICAO 2016

All rights reserved. No part of this publication may be reproduced, stored in a


retrieval system or transmitted in any form or by any means, without prior
permission in writing from the International Civil Aviation Organization.
AMENDMENTS

Amendments are announced in the supplements to the Products and


Services Catalogue; the Catalogue and its supplements are available
on the ICAO website at www.icao.int. The space below is provided to
keep a record of such amendments.

RECORD OF AMENDMENTS AND CORRIGENDA

AMENDMENTS CORRIGENDA

No. Date Entered by No. Date Entered by

(iii)
FOREWORD

This manual is the main reference document prepared in connection with the ICAO Universal Security Audit Programme
(USAP). It provides procedures, information and guidance on the management and conduct of programme activities
under the Continuous Monitoring Approach (CMA). USAP-CMA procedures have been developed for the
implementation of the CMA concept and methodology as part of the USAP. Within the USAP-CMA, standardized
processes and procedures have been established to ensure that activities are prepared, conducted and reported in a
systematic, consistent, objective and established manner.

The first edition of this manual, entitled Security Audit Reference Manual (Doc 9807), was developed as a result of
Assembly Resolution A33-1 of the 33rd Session of the ICAO Assembly (25 September to 5 October 2001) and the
decision of the ICAO Council to implement the mandatory USAP for the conduct of aviation security audits in all ICAO
Member States starting in November 2002. This second edition was developed for the transition of the USAP to a
continuous monitoring approach as directed under Assembly Resolution A38-15 — Consolidated statement of
continuing ICAO policies related to aviation security.

The primary objective of this manual is to assist both ICAO Member States and ICAO USAP-CMA audit teams by
explaining the concept, methodology, processes and procedures for preparing, conducting and reporting various audit
and monitoring activities under the USAP-CMA. This second edition is published under the authority of the Secretary
General and supersedes the first edition of this manual.

Comments on this manual would be appreciated from all ICAO Member States and interested parties. These comments
should be addressed to:

The Secretary General


International Civil Aviation Organization
999 Robert-Bourassa Boulevard
Montréal, Quebec
Canada H3C 5H7

_____________________

(v)
TABLE OF CONTENTS

Page

Glossary ....................................................................................................................................................... (ix)

Abbreviations…………………………………………………………………………………... ................ (ix)


Definitions……………………………………………………………………………………………………. (xi)

Chapter 1. Introduction ................................................................................................................................ 1-1

1.1 Purpose .......................................................................................................................................... 1-1


1.2 References ..................................................................................................................................... 1-1

Chapter 2. The ICAO Universal Security Audit Programme (USAP) ........................................................ 2-1

2.1 Background .................................................................................................................................... 2-1


2.2 Transition to a Continuous Monitoring Approach (CMA) ................................................................ 2-2
2.3 USAP-CMA principles .................................................................................................................... 2-3
2.4 Auditing principles .......................................................................................................................... 2-5
2.5 Critical elements (CEs) ................................................................................................................... 2-5
2.6 Audit areas ..................................................................................................................................... 2-7
2.7 USAP-CMA protocol questions (PQs) ............................................................................................ 2-8
2.8 State’s aviation security performance ............................................................................................. 2-9
2.9 Significant security concern (SSeC) ............................................................................................... 2-10
2.10 State aviation security activity questionnaire (SASAQ) .................................................................. 2-11
2.11 Compliance checklists (CCs) .......................................................................................................... 2-12

Chapter 3. The Continuous Monitoring Approach (CMA) ......................................................................... 3-1

3.1 USAP-CMA concept ....................................................................................................................... 3-1


3.2 USAP-CMA objective ..................................................................................................................... 3-2
3.3 USAP-CMA process ....................................................................................................................... 3-2
3.4 Determination of a State-specific USAP-CMA activity .................................................................... 3-3
3.5 Conduct of a State-specific USAP-CMA activity ............................................................................. 3-8
3.6 Identification and analysis of deficiencies ....................................................................................... 3-8
3.7 Measurement of the State’s aviation security performance ............................................................ 3-8
3.8 Provision of prioritized recommendations ....................................................................................... 3-9
3.9 Evaluation of State corrective actions to address deficiencies ....................................................... 3-9
3.10 Aviation security performance-related analysis .............................................................................. 3-9

Chapter 4. Programme management .......................................................................................................... 4-1

4.1 General........................................................................................................................................... 4-1


4.2 Roles and responsibilities of ICAO ................................................................................................. 4-1
4.3 Roles and responsibilities of Member States.................................................................................. 4-4
4.4 Roles and responsibilities of regional aviation security oversight organizations ............................. 4-8
4.5 Memorandum of Understanding (MoU) .......................................................................................... 4-8

(vii)
Universal Security Audit Programme
(viii) Continuous Monitoring Manual

4.6 Planning and scheduling ................................................................................................................ 4-9


4.7 Programme records ........................................................................................................................ 4-12
4.8 Programme quality management ................................................................................................... 4-12
4.9 Confidentiality ................................................................................................................................. 4-13
4.10 Language ....................................................................................................................................... 4-15
4.11 Resolution of disputes .................................................................................................................... 4-15

Chapter 5. USAP-CMA audit teams ............................................................................................................. 5-1

5.1 USAP-CMA audit team composition ............................................................................................... 5-1


5.2 Training and certification of auditors ............................................................................................... 5-2
5.3 Team leaders ................................................................................................................................. 5-2
5.4 Team members .............................................................................................................................. 5-4
5.5 Competencies ................................................................................................................................ 5-5
5.6 Code of Conduct ............................................................................................................................ 5-6

Chapter 6. USAP-CMA activity phases and procedures ........................................................................... 6-1

6.1 USAP-CMA activity phases ............................................................................................................ 6-1


6.2 Preparation phase .......................................................................................................................... 6-1
6.3 Conduct phase ............................................................................................................................... 6-5
6.4 Reporting phase ............................................................................................................................. 6-12

Appendix A. Generic Memorandum of Understanding (MoU) .................................................................. App A-1

Appendix B. Criteria for certification as an ICAO USAP-CMA auditor ..................................................... App B-1

Appendix C. Guidance for States on developing CAPs ............................................................................ App C-1

Appendix D. ICAO Code of Conduct for Auditors ..................................................................................... App D-1

______________________
GLOSSARY

ABBREVIATIONS

When the following abbreviations are used in this manual, they have the meanings indicated below:

ASA Aviation Security Audit Section


ASITF Advanced Security in the Field
AUI Response to acts of unlawful interference
BSITF Basic Security in the Field
C/ASA Chief, Aviation Security Audit Section
CAP Corrective action plan
CC Compliance checklist
CE Critical element
CGO Cargo, catering and mail security
CMA Continuous Monitoring Approach
DSA Daily subsistence allowance
EB Electronic Bulletin
EI Effective implementation
EID Estimated implementation date
FAL Security aspects of facilitation
ICAO International Civil Aviation Organization
IFS Aircraft and in-flight security
ISD-SEC Implementation Support and Development – Security Section
LEG Regulatory framework and the national civil aviation security system
LEI Lack of effective implementation
MoU Memorandum of Understanding
NC National Coordinator
NCASP National Civil Aviation Security Programme
NCASTP National Civil Aviation Security Training Programme
NQCP National Civil Aviation Security Quality Control Programme
OJT On-the-job training
OPS Airport operations
PAX Passenger and baggage security
PQ Protocol question
QCF Quality control functions
RO Regional Office
ROASF Regional Officer, Aviation Security and Facilitation
SARPs Standards and Recommended Practices
SASAQ State aviation security activity questionnaire
SSeC Significant security concern
SSG Secretariat Study Group
TCB Technical Cooperation Bureau
TL Team leader
TLO Technical Liaison Officer
TM Team member
TRG Training of aviation security personnel

(ix)
Universal Security Audit Programme
(x) Continuous Monitoring Manual

UIC Committee on Unlawful Interference


USAP Universal Security Audit Programme
USOAP Universal Safety Oversight Audit Programme
Glossary (xi)

DEFINITIONS

When the following terms are used in this manual, they have the meanings indicated below:

Adequate. The state of fulfilling minimal requirements: satisfactory; acceptable; sufficient.

Assessment. An appraisal of procedures or operations based largely on experience and professional judgement.

Audit area. One of nine audit areas pertaining to the USAP-CMA, i.e. regulatory framework and the national civil
aviation security system (LEG); training of aviation security personnel (TRG); quality control functions (QCF); airport
operations (OPS); aircraft and in-flight security (IFS); passenger and baggage security (PAX); cargo, catering and
mail security (CGO); response to acts of unlawful interference (AUI); and security aspects of facilitation (FAL).

Audited State. An ICAO Member State that is the subject of a USAP-CMA audit.

Certification. The process of determining that a person possesses the key competencies and personal attributes
required of an ICAO USAP-CMA auditor.

Compliance. The state of meeting the requirements of an ICAO Standard.

Compliance checklist (CC). A tool designed to assist the State in ascertaining the status of implementation of
Annex 17 SARPs and Annex 9 security-related provisions and in identifying any difference that may exist between
the national regulations and practices and the relevant provisions in Annex 17 and Annex 9 to the Chicago
Convention.

Corrective action plan (CAP). An action plan submitted to ICAO by an audited State, detailing the specific action that
the State proposes to take to correct deficiencies identified during the USAP-CMA audit.

Cost-recovery audit. A USAP-CMA audit for which the cost of transportation to and from the State, local transportation
and the daily subsistence allowance (DSA) of the ICAO audit team members (TMs) is covered by the State
requesting such an audit.

Critical elements (CEs). The building blocks, encompassing the whole spectrum of civil aviation security activities,
upon which an effective aviation security oversight system is based. The level of effective implementation (EI) of the
CEs is an indication of a State’s capability for aviation security oversight.

Deficiency. A condition where the State’s aviation security oversight system does not satisfactorily address a protocol
question (PQ) used to measure the EI of the CEs and the degree of compliance with Standards of Annex 17 or
security-related provisions of Annex 9. As a result, the status of the associated PQ is marked not satisfactory. One
or more related deficiencies may be grouped together to identify a finding.

Effective implementation (EI). A measure of a State’s aviation security oversight and compliance capabilities,
calculated for each CE, each audit area, each Annex 17 Standard and Annex 9 security-related provision or as an
overall value for all USAP-CMA PQs. The EI is expressed as a percentage. A higher EI indicates that a State’s
aviation security and oversight systems have a greater degree of compliance with ICAO security-related provisions.

Finding. A deficiency or a group of deficiencies generated in a USAP-CMA activity as a result of a lack of compliance
with Annex 17 Standards and/or security-related provisions of Annex 9, or a lack of application of ICAO guidance
material or good aviation security practices.

Mitigating measure. The implementation of defences or preventive controls to lower the severity and/or likelihood of a
threat’s projected consequence.
Universal Security Audit Programme
(xii) Continuous Monitoring Manual

National briefing. A meeting of the ICAO USAP-CMA audit team and representatives of the audited State at the
beginning of the USAP-CMA on-site audit, the purpose of which is to provide State authorities with information on
the USAP-CMA audit scope, processes and procedures.

Off-site activity. A USAP-CMA documentation-based audit of a State conducted by an ICAO USAP-CMA team leader
(TL) at ICAO Headquarters without an on-site visit to the State.

On-site activity. A USAP-CMA activity requiring a USAP-CMA audit team to travel to a State and conduct a USAP-CMA
on-site audit.

Oversight. The active control of the aviation industry and service providers by the appropriate authority for aviation
security or other relevant national-level entities, as designated by the State, to ensure that the State’s international
obligations and national requirements are met.

Post-audit debriefing. A meeting of the ICAO USAP-CMA audit team and representatives of the audited State at the
end of the USAP-CMA audit, the purpose of which is to provide State authorities with a briefing on the audit findings
and proposed recommendations to enable the State to begin development of its corrective action plan (CAP).

Procedure. A series of steps followed in a methodical manner to complete an activity or a process, describing what
should be done, when and by whom; where and how each step should be carried out; what information,
documentation and resources should be used; and how it should all be controlled.

Process. A set of interrelated or interacting activities that transforms inputs into outputs. Processes within an
organization or programme are generally planned and carried out under controlled conditions to add value.

Protocol question (PQ). The primary tool used in the USAP-CMA for assessing the level of implementation of CEs of a
State’s aviation security oversight system and the degree of a State’s compliance with Annex 17 Standards and
security-related provisions of Annex 9.

Recertification. The process whereby certified USAP-CMA auditors periodically undergo recurrent training and
demonstrate that they continue to possess the key competencies and personal attributes required of an ICAO
USAP-CMA auditor.

Scope. A set of PQs addressed and covered in a USAP-CMA activity.

Sensitive security information. Non-public information relating to capabilities and/or deficiencies of a State’s aviation
security and oversight systems.

Significant security concern (SSeC). Occurs when the appropriate authority responsible for aviation security in the
State permits aviation activities to continue, despite a lack of effective implementation (LEI) of the minimum security
requirements established by the State and by the provisions set forth in Annex 17 related to critical aviation security
controls, including, but not limited to, the screening and the protection from unauthorized interference of passengers,
cabin and hold baggage; the security of cargo and catering; access control to restricted and security-restricted
areas of airports; and the security of departing aircraft resulting in an immediate security risk to international civil
aviation.

SSeC Validation Committee. A high-level Secretariat Committee responsible for the review, confirmation and validation
of the SSeC and its resolution.
Glossary (xiii)

State aviation security activity questionnaire (SASAQ). A document that provides the USAP-CMA audit team with
information on the security organization of a Member State, identifying the departments, agencies and other
organizations of the State, both private and public, responsible for the implementation of various aspects of the
National Civil Aviation Security Programme (NCASP).

State’s aviation security performance. A State’s aviation security capability defined as the State’s level of
implementation of the CEs of an aviation security oversight system and the State’s degree of compliance with
Annex 17 Standards and security-related provisions of Annex 9.

State’s aviation security performance indicators. A set of parameters used for measuring a State’s aviation security
performance.

USAP-CMA audit. A USAP-CMA on-site or off-site activity during which ICAO conducts a systematic and objective
evaluation of a Member State’s aviation security and oversight systems to assess the level of implementation of the
CEs of a State’s aviation security oversight system and to determine the degree of compliance with Annex 17
Standards and security-related provisions of Annex 9, as well as associated procedures, guidance material and
security-related practices.

USAP-CMA audit activities. Those activities and procedures by which information is obtained to verify the audited
State’s level of implementation of the CEs of an aviation security oversight system and the degree of compliance
with Standards of Annex 17 and security-related provisions of Annex 9. Such activities may include, but are not
limited to, interviews, observations and the review of documents.

USAP-CMA audit report. A confidential formal report of a USAP-CMA activity containing full details of the findings and
recommendations.

USAP-CMA audit team briefing. An on-site pre-audit briefing provided to TMs by the TL, the purpose of which is to
provide information and instructions directly related to the conduct of an audit in a specific State.

USAP-CMA audit team leader. The individual designated by the Chief, Aviation Security Audit Section (C/ASA) to be
responsible for the preparation and conduct of a USAP-CMA activity, including the consolidation and completion of
the USAP-CMA audit report.

Verification. The independent review, examination, measurement, checking, observation and monitoring to establish
and document that products, processes, practices, services and documents conform to specified standards. This
includes evaluating the effectiveness of management systems.

Note.— Definitions of security-related terms applicable to the USAP-CMA activity process may be found in
Annex 17 — Security — Safeguarding International Civil Aviation Against Acts of Unlawful Interference, Annex 9 —
Facilitation, the Aviation Security Manual (Doc 8973 — Restricted) and the Aviation Security Oversight Manual — The
Establishment and Management of a State’s Aviation Security Oversight System (Doc 10047).

______________________
Chapter 1

INTRODUCTION

1.1 PURPOSE

1.1.1 The primary purpose of this manual is to describe the Universal Security Audit Programme Continuous
Monitoring Approach (USAP-CMA) and to provide guidance to ICAO Member States (hereinafter referred to as Member
States or States), recognized organizations, USAP-CMA audit team leaders (TLs) and audit team members (TMs) and
support staff involved in the planning, preparation, conduct and reporting of USAP-CMA activities.

1.1.2 It also provides information on the background and evolution of the USAP, along with an explanation of its
management and various components and standardized processes and procedures which ensure that USAP-CMA
activities are conducted in a systematic and consistent manner.

1.2 REFERENCES

1.2.1 The USAP-CMA references the Convention on International Civil Aviation (Doc 7300) (hereinafter referred
to as the Chicago Convention), ICAO Standards and Recommended Practices (SARPs) of Annex 17 — Security —
Safeguarding International Civil Aviation Against Acts of Unlawful Interference and security-related provisions of
Annex 9 — Facilitation to the Chicago Convention and related guidance material, including but not limited to:

a) Aviation Security Manual (Doc 8973 — Restricted); and

b) Aviation Security Oversight Manual — The Establishment and Management of a State’s Aviation
Security Oversight System (Doc 10047).

1.2.2 Together, these documents provide guidance material on how States can comply with the various SARPs
of Annex 17, as well as describe the requirements and guidelines for the establishment and management of an effective
aviation security and oversight systems by States. This implementation will be continuously monitored under the
USAP-CMA framework and verified during USAP-CMA activities.

1.2.3 In support of the Programme, ICAO has also developed training materials for regional USAP-CMA
seminars and USAP auditor training and certification courses.

Note.— The Products and Services Catalogue provides a complete list of ICAO guidance material available
to States to support the requirements of security-related provisions contained in the Annexes to the Chicago Convention.

______________________

1-1
Chapter 2

THE ICAO UNIVERSAL SECURITY


AUDIT PROGRAMME (USAP)

2.1 BACKGROUND

2.1.1 The 33rd Session of the ICAO Assembly, held in Montreal from 25 September to 5 October 2001, adopted
Resolution A33-1, Declaration on misuse of civil aircraft as weapons of destruction and other terrorist acts involving civil
aviation, which directed the Council and Secretary General to consider the establishment of an ICAO Universal Security
Audit Programme (USAP) relating to, inter alia, airport security arrangements and civil aviation security programmes.

2.1.2 Pursuant to Assembly Resolution A33-1, a High-level, Ministerial Conference on Aviation Security was
convened in Montreal on 19 and 20 February 2002, with the objectives of preventing, combating and eradicating acts of
terrorism involving civil aviation and strengthening ICAO’s role in the adoption of security-related SARPs and the audit of
their implementation.

2.1.3 The Conference endorsed a global strategy for strengthening aviation security worldwide, adopted a
number of conclusions and recommendations, and issued a public declaration. A central element of the strategy was the
ICAO Aviation Security Plan of Action, which included, inter alia, the establishment of a comprehensive programme of
regular, mandatory, systematic and harmonized audits to be carried out by ICAO for the evaluation of aviation security in
all ICAO Member States.

2.1.4 Consistent with the outcomes of the 33rd Session of the Assembly and the High-level, Ministerial
Conference on Aviation Security, the Council, at its 166th Session, adopted the Aviation Security Plan of Action in
June 2002. Project 3 of the Plan of Action provided for the promotion of global aviation security through auditing of
Member States. Thus, the ICAO USAP was launched in November 2002. Subsequent sessions of the Council and the
Committee on Unlawful Interference (UIC) endorsed the audit methodology which was developed for the USAP in close
consultation with the Aviation Security Panel, including a model Memorandum of Understanding (MoU) between ICAO
and audited States, airport selection criteria, and certification criteria for auditors, and established a practice of regularly
monitoring the progress of the USAP through the review of progress reports prepared by the Secretariat.

2.1.5 Assembly Resolution A35-9, Consolidated statement of continuing ICAO policies related to the
safeguarding of international civil aviation against acts of unlawful interference, directed the Secretary General to
continue the USAP, comprising regular, mandatory, systematic and harmonized aviation security audits of all Member
States, with such audits conducted at both national and airport levels in order to evaluate the aviation security oversight
capabilities of States as well as the actual security measures in place at selected key airports.

2.1.6 From 2002 to 2007, 181 Member States benefited from ICAO audits under the first cycle of the USAP. The
objective of the Programme was to promote global aviation security through the auditing of Member States on a regular
basis to determine the status of implementation of ICAO security Standards. The USAP first-cycle audits were designed
to determine the degree of compliance of a State in implementing Annex 17 Standards and the extent to which a State's
implementation of its aviation security system is sustainable through the establishment of appropriate legislation and an
aviation security authority with inspection and enforcement capabilities. The USAP methodology provided for a
significant portion of the ICAO audit to be dedicated to making actual observations of security measures and procedures
at airports in situ, in order to have direct evidence of the degree of implementation of each Annex 17 Standard. This

2-1
Universal Security Audit Programme
2-2 Continuous Monitoring Manual

approach provided a comprehensive picture of the overall aviation security posture of States and resulted in
recommendations for improvement that could be directed at all facets of the aviation security systems of States.

2.1.7 In accordance with the programme of audit follow-up visits initiated in 2005, follow-up visits were
conducted to validate the implementation of the corrective action plans (CAPs) of States and to provide support to
States in remedying deficiencies identified during the USAP first-cycle audits. These visits were normally conducted in
the second year following the initial audit. The programme of audit follow-up visits, under which 172 Member States
received follow-up visits, was completed in 2009.

2.1.8 Recognizing that the USAP proved to be instrumental in identifying aviation security concerns and
providing recommendations for their resolution, the 36th Session of the Assembly, in Resolution A36-20, requested the
Council to ensure the continuation of the USAP following the initial cycle of audits at the end of 2007 focusing, wherever
possible, on a State’s capability to provide appropriate national oversight of its aviation security activities through the
effective implementation (EI) of the critical elements (CEs) of an aviation security oversight system and expanding future
audits to include relevant security-related provisions of Annex 9 — Facilitation to the Chicago Convention.

2.1.9 Aviation security audits under the second cycle of the USAP commenced in January 2008 and were
completed in June 2013. The objective of the USAP second-cycle audits was to promote global aviation security through
the auditing of Member States, on a regular basis, to determine their capability for aviation security oversight by
assessing the EI of the CEs of an aviation security oversight system and the status of States’ implementation of security-
related ICAO SARPs, associated procedures, guidance material and security-related practices. In total, audits of
177 ICAO Member States and one Special Administrative Region were conducted under the USAP second cycle, as
well as an assessment of the European Commission aviation security inspection system.

2.1.10 Detailed information on the results of the audits of the USAP first and second cycle is contained in the
supplementary document entitled Universal Security Audit Programme — Analysis of Audit Results, Fifth Edition — 2013.
This document is available through the USAP secure website: http://portallogin.icao.int.

2.2 TRANSITION TO A CONTINUOUS MONITORING APPROACH (CMA)

2.2.1 In order to prepare for the continuation of the USAP beyond 2013, the 37th Session of the Assembly
(Resolution A37-17, Appendix E refers) requested the Council to assess the feasibility of extending the Continuous
Monitoring Approach (CMA) being applied by the Universal Safety Oversight Audit Programme (USOAP) to the USAP
after the conclusion of the USAP second cycle of audits. Accordingly, the Council at its 187th Session, directed the
Secretary General to study the feasibility of applying a CMA to the USAP.

2.2.2 A study on the application of a CMA to the USAP was initiated by the Secretariat with a view to:

• adopting a more comprehensive and proactive approach which may allow for future audit activities to
be prioritized and better focused on identification of deficiencies in the aviation security systems of
Member States while maintaining the principle of universality;

• ensuring ongoing compliance of Member States with ICAO security-related provisions while assessing
the aviation security oversight capabilities of States; and

• making more effective and efficient use of the resources available to the Programme.

2.2.3 A Secretariat Study Group (SSG) was established in 2011 in order to assist the Secretariat in evaluating
this study and in considering options for the evolution and future direction of the USAP beyond the end of its second
cycle, in line with the Council’s decision. After considering a number of options for the evolution of the USAP, the SSG
Chapter 2. The ICAO Universal Security Audit Programme (USAP) 2-3

concluded that, in order to ensure efficiency, long-term sustainability and cost effectiveness of the USAP, the
Programme should move towards a CMA specific to aviation security, while incorporating risk-management elements.
The study also suggested that a transition period be established prior to launching the USAP-CMA and described the
necessary activities to be undertaken during this period to ensure a smooth transition. These recommendations were
presented to the Twenty-third Meeting of the Aviation Security Panel, which expressed support for the concept of a
USAP-CMA that combines continuous monitoring with a risk-based approach to aviation security auditing.

2.2.4 The High-Level Conference on Aviation Security convened in Montreal in September 2012 expressed
strong support for the transition of the USAP to a CMA that combines both continuous monitoring and risk-based
elements while maintaining the rigour of the audit process and methodology. It was widely recognized that the USAP is
an essential tool in enabling States to identify their own deficiencies and then implement corrective actions to address
those deficiencies either directly or through assistance provided by other States or organizations. The Conference also
supported the notion that the USAP-CMA should provide ICAO with the necessary flexibility in determining the type of
audit and monitoring activity appropriate for each State based on the status of its aviation security and oversight systems
and other risk indicators.

2.2.5 The Council, during its 197th Session, formally approved the USAP-CMA and the transition plan. This
decision was further endorsed by the 38th Session of the Assembly (Resolution A38-15, Appendix E refers).

2.2.6 The 1½-year transition to the USAP-CMA took place from July 2013 to December 2014, and the
USAP-CMA was fully launched on 1 January 2015, as scheduled and approved by the Council during its 197th Session.
The USAP-CMA transition plan included numerous tasks, such as:

a) development of a new USAP-CMA activity management and analysis software for aviation security
data collection, analysis and measurement while ensuring confidentiality of sensitive security
information;

b) development of the USAP-CMA methodology, protocol questions (PQs), tools, procedures and
supporting documentation;

c) training and certification/recertification of aviation security experts and existing USAP auditors for
participation in USAP-CMA on-site activities as TMs;

d) conduct of USAP-CMA regional seminars in all ICAO regions to familiarize Member States with the
USAP-CMA methodology, tools, procedures and processes;

e) conduct of USAP-CMA on-site test audits in selected States; and

f) development and expansion of agreements with relevant partners to foster coordination and
cooperation.

2.3 USAP–CMA PRINCIPLES

2.3.1 The principles of the USAP were first established at the inception of the Programme in 2002. Since that time,
these underlying principles have remained unchanged and valid, with the exception of the principle of confidentiality of audit
results. The principle of confidentiality has been modified for the second cycle of USAP audits and further modified for the
USAP-CMA, with the approval of the Council of ICAO. The USAP-CMA principles are listed below.
Universal Security Audit Programme
2-4 Continuous Monitoring Manual

2.3.2 Sovereignty. Every State has complete and exclusive sovereignty over the airspace above its territory.
Accordingly, ICAO fully respects a sovereign State’s responsibility and authority for oversight of aviation security,
including its decision-making powers with respect to implementing corrective actions related to identified deficiencies.

2.3.3 Universality. All Member States will be subject to continuous audit and monitoring activities by ICAO, in
accordance with the principles, methodology, processes and procedures established for conducting such activities, and
on the basis of the MoU signed between ICAO and each Member State, though the types and frequency of USAP-CMA
audit and monitoring activities undertaken for each Member State may differ.

2.3.4 Transparency of methodology. The USAP-CMA activity procedures and processes will be made
available to all Member States.

2.3.5 Timeliness. Results of USAP-CMA activities will be produced and submitted on a timely basis in
accordance with a predetermined schedule for their preparation and submission.

2.3.6 All-inclusiveness. The scope of the USAP-CMA includes Annex 17 Standards and security-related
provisions of Annex 9. It is expected to expand the scope of the USAP-CMA at appropriate times to include all
security-related provisions contained in other Annexes to the Chicago Convention, in order to ensure their effective
implementation in the civil aviation systems of Member States.

2.3.7 Consistency and objectivity. USAP-CMA activities will be conducted in a consistent and objective
manner. Standardization and uniformity in the scope, depth and quality of USAP-CMA activities will be assured through
training and certification of all auditors, the use of standardized PQs and the provision of relevant guidance material.

2.3.8 Fairness. USAP-CMA activities will be conducted in a manner such that Member States are given the
opportunity to monitor, comment on and respond to the USAP-CMA processes, but must do so within an established
time frame.

2.3.9 Quality. The quality of USAP-CMA activities will be ensured by assigning trained and certified auditors to
conduct USAP-CMA activities in accordance with widely recognized auditing concepts, as well as by implementing an
internal quality control system within the Aviation Security Audit Section (ASA) that continually monitors and evaluates
feedback received from USAP-CMA stakeholders to ensure their ongoing satisfaction.

2.3.10 Confidentiality. Sensitive security information collected as part of the USAP-CMA will be protected from
unauthorized disclosure. Accordingly, USAP-CMA audit reports will be confidential and will only be made available to the
audited State and ICAO staff on a need-to-know basis. However, in the interests of promoting global aviation security, a
limited level of disclosure will apply whereby charts depicting the level of implementation of the CEs of an aviation
security oversight system by a Member State and an indication of the degree of compliance by a Member State with
Annex 17 Standards, as well as information pertaining to the existence of unresolved significant security concerns
(SSeCs) in a Member State will be made available to all Member States on the USAP secure website.

Note.— The principle of confidentiality is described in detail in 4.9.


Chapter 2. The ICAO Universal Security Audit Programme (USAP) 2-5

2.4 AUDITING PRINCIPLES

2.4.1 The following auditing principles apply to USAP-CMA activities, in accordance with ISO 19011:2011 —
Guidelines for Auditing Management Systems.

a) Integrity: the foundation of professionalism. Auditors should: perform their work with honesty,
diligence, and responsibility; observe and comply with any applicable legal requirements; demonstrate
their competence while performing their work; perform their work in an impartial manner, i.e. remain
fair and unbiased in all their dealings; be sensitive to any influences that may be exerted on their
judgement while carrying out an audit.

b) Fair presentation: the obligation to report truthfully and accurately. Audit findings, audit conclusions
and audit reports should reflect truthfully and accurately the audit activities. Significant obstacles
encountered during the audit and unresolved diverging opinions between the audit team and the
auditee should be reported. The communication should be truthful, accurate, objective, timely, clear
and complete.

c) Due professional care: the application of diligence and judgement in auditing. Auditors should
exercise due care in accordance with the importance of the task they perform and the confidence
placed in them by Member States and other interested parties. An important factor in carrying out their
work with due professional care is having the ability to make reasoned judgements in all audit
situations.

d) Confidentiality: security of information. Auditors should exercise discretion in the use and protection
of information acquired in the course of their duties. Audit information should not be used
inappropriately for personal gain by the auditor, or in a manner detrimental to the legitimate interests
of the auditee. This concept includes the proper handling of sensitive or confidential information.

e) Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions.
Auditors should be independent of the activity being audited and should in all cases act in a manner
that is free from bias and conflict of interest. Auditors should maintain objectivity throughout the audit
process to ensure that the audit findings and conclusions are based only on the audit evidence.

f) Evidence-based approach: the rational method for reaching reliable and reproducible audit
conclusions in a systematic audit process. Audit evidence should be verifiable. It will in general be
based on samples of the information available, since an audit is conducted during a finite period of
time and with finite resources. An appropriate use of sampling should be applied, since this is closely
related to the confidence that can be placed in the audit conclusions.

2.5 CRITICAL ELEMENTS (CEs)

2.5.1 CEs are the main building blocks of a State’s aviation security oversight system required for the effective
implementation of security-related standards and associated procedures. Each Member State should address all CEs in
its efforts to establish and implement an effective aviation security oversight system that reflects the shared
responsibility of the State and the aviation community. CEs of an aviation security oversight system cover the whole
spectrum of civil aviation security activities. The level of implementation of the CEs is an indication of a State's capability
for aviation security oversight and compliance with security-related SARPs.
Universal Security Audit Programme
2-6 Continuous Monitoring Manual

2.5.2 ICAO has defined the following CEs of a State’s aviation security oversight system (see the Aviation
Security Oversight Manual — The Establishment and Management of a State’s Aviation Security Oversight System
(Doc 10047)):

CE-1. Primary aviation security legislation. The provision of a comprehensive and effective legislative
framework, consistent with the environment and complexity of the State’s civil aviation operations,
to effect the establishment and implementation of the State’s aviation security policies and
requirements in conformance with Annex 17 SARPs and security-related provisions contained in
other Annexes to the Chicago Convention.

CE-2. Aviation security programmes and regulations. The provision of necessary national-level
programmes and adequate regulations to address, at a minimum, national requirements
emanating from the primary aviation security legislation and providing for standardized
implementation procedures, equipment and infrastructures (including security management and
training systems) in conformance with Annex 17 SARPs and security-related provisions contained
in other Annexes to the Chicago Convention.

Note.— The term “regulations” is used in a generic sense to include policies, requirements,
rules, instructions, edicts, directives, orders, etc., that are enforceable in the State. The specific
status given to a regulation when it is applied within the State and the penalty assigned in the
event of non-compliance are internal matters subject to the discretion of individual States, taking
into account their responsibilities under the Chicago Convention.

CE-3. State appropriate authority for aviation security and its responsibilities. The designation of
an appropriate national authority for aviation security supported by appropriate technical and
non-technical staff and provided with adequate financial resources. The State appropriate
authority must have aviation security regulatory functions, objectives and policies. This element
also includes the definition and allocation of tasks and coordination of activities between
government agencies and airport-level entities concerned with or responsible for the
implementation of various aspects of the NCASP, as well as arranging for the supporting
resources and facilities required for aviation security to be available at airports serving civil
aviation.

CE-4. Personnel qualifications and training. The establishment of minimum knowledge and
experience requirements for the technical personnel performing aviation security oversight
functions and the provision of appropriate training to these personnel to maintain and enhance
their competence at the desired level. The training should include initial, on-the-job and recurrent
training. This element also includes the provision of training to entities involved in the
implementation of applicable aviation security requirements, measures and procedures.

Note.— The technical personnel may be from an organization engaged by the appropriate
authority to provide State oversight functions on its behalf.

CE-5. Provision of technical guidance, tools and security-critical information. The provision of
technical guidance (including processes and procedures), tools (including facilities and
equipment) and security-critical information, as applicable, to the technical personnel to enable
them to perform their aviation security oversight functions in accordance with established
requirements and in a standardized manner. This element also includes the provision of technical
guidance by the appropriate authority to entities responsible for the implementation of applicable
aviation security requirements, measures and procedures.
Chapter 2. The ICAO Universal Security Audit Programme (USAP) 2-7

CE-6. Certification and approval obligations. The implementation of processes and procedures to
ensure that personnel and entities performing an aviation security activity meet the established
requirements (such as certification systems for security screeners and aviation security
instructors, and a system to ensure that entities responsible for the implementation of security
measures and procedures have established security programmes consistent with all relevant
national requirements) before they are allowed to conduct the relevant activity.

CE-7. Quality control obligations. The implementation of processes, such as audits, inspections,
surveys and tests, to proactively ensure that entities authorized and/or approved to perform an
aviation security activity continue to meet the established requirements and operate at the level of
competency and security required by the State. This includes the monitoring of designated
personnel who perform security oversight functions on behalf of the appropriate authority.

CE-8. Resolution of security concerns. The implementation of processes and procedures to resolve
identified deficiencies impacting aviation security, which may have been residing in the aviation
security system and have been detected by the appropriate authority or other appropriate bodies.
This includes the ability to analyse security deficiencies, provide recommendations, support the
resolution of identified deficiencies by implementing follow-up procedures to validate the effective
implementation of corrective actions, as well as take enforcement action when appropriate.

2.5.3 CEs 1 through 5 (collectively known as “establishment CEs”) are mainly related to “establishment”, i.e. they
indicate that the addressed provision must be fully and effectively established within the State’s aviation security
oversight system. CEs 6 through 8 (collectively known as “implementation CEs”) are related to “implementation”,
i.e. they indicate that the addressed provision must be fully and effectively implemented within the State’s aviation
security oversight system.

2.6 AUDIT AREAS

The following nine audit areas have been identified as functional areas for the conduct of audits under the USAP-CMA:

1. Regulatory framework and the national civil aviation security system (LEG): the primary aviation
security legislative framework; national aviation security requirements and amendment procedures;
the National Civil Aviation Security Programme (NCASP); empowerment of national aviation security
inspectors, threat evaluation and risk assessment; international cooperation; the appropriate authority
for aviation security; allocation of tasks and coordination of activities;

2. Training of aviation security personnel (TRG): the National Civil Aviation Security Training
Programme (NCASTP); training of national aviation security inspectors and airport-level aviation
security personnel; certification of security screeners and aviation security instructors;

3. Quality control functions (QCF): the establishment and implementation of a National Civil Aviation
Security Quality Control Programme (NQCP) to determine compliance with and validate the
effectiveness of the NCASP and to ensure that sustainable and appropriate corrective actions are
implemented;

4. Airport operations (OPS): the airport aviation security organization and administration; the airport
security programme; the supporting resources and facilities for aviation security services; access
control and security control measures to the airside and security restricted areas of the airport;
Universal Security Audit Programme
2-8 Continuous Monitoring Manual

5. Aircraft and in-flight security (IFS): aircraft operator security programmes; aircraft protection and
in-flight security measures;

6. Passenger and baggage security (PAX): the measures and procedures for screening of originating
and transfer/transit passengers and their cabin/hold baggage;

7. Cargo, catering and mail security (CGO): the supply chain security process; the measures and
procedures for security controls of cargo, catering and mail;

8. Response to acts of unlawful interference (AUI): airport-level contingency plans; national- and
airport-level measures and procedures for the management of responses to acts of unlawful
interference; and

9. Security aspects of facilitation (FAL): the national air transport facilitation programme; coordination
between security and facilitation activities; security and inspection of travel documents; border control
measures and procedures.

2.7 USAP-CMA PROTOCOL QUESTIONS (PQs)

2.7.1 The USAP-CMA PQs serve as the primary tool for the conduct of USAP-CMA activities aimed at assessing
the level of implementation of the CEs of a State’s aviation security oversight system, as well as a State’s degree of
compliance with Annex 17 Standards and security-related provisions of Annex 9. The use of standardized PQs ensures
transparency, consistency, reliability and fairness of the audit process, as well as enhances confidence in audit results.

2.7.2 The USAP-CMA PQs are based on Annex 17 Standards, security-related provisions of Annex 9 and
associated ICAO guidance material. Each PQ refers to one Annex 17 Standard or Annex 9 security-related provision
and to one CE. The PQs are divided into the nine audit areas specific to each subject covered, as described in 2.6,
which assists in planning a USAP-CMA audit and facilitates effective allocation of tasks to USAP-CMA audit team
participants.

2.7.3 The USAP-CMA PQs cover all elements of a State’s aviation security and oversight systems which are
subject to audit and monitoring. Although the PQs serve as a checklist of items to be verified, the evidence required to
validate the answer to each PQ only serves as a guide to ensure that a minimum amount of information is consistently
verified in all States. While following the best international practices derived from the ICAO relevant guidance material in
terms of evidence for review/observation as an acceptable means of compliance, the USAP-CMA PQs are, at the same
time, sufficiently flexible to allow for the appropriate evaluation of other means of compliance based on the scope,
complexity and specifics of the aviation security activity in each State.

2.7.4 ASA amends and updates the USAP-CMA PQs on a periodic basis to reflect the latest changes in
Annex 17 Standards, security-related provisions of Annex 9 and related guidance material to include emerging issues in
civil aviation and to harmonize and improve PQ references and content. PQ amendments incorporate input from the
ICAO Aviation Security Panel, USAP mission TMs and external stakeholders.

2.7.5 States are encouraged to use the USAP-CMA PQs to perform self-assessments. As a priority, States may
conduct a self-assessment:

a) on PQs that were found not satisfactory in a previous USAP activity;

b) on new PQs introduced through the PQ amendment process — these PQs will have an undetermined
status until they are assessed through an appropriate type of USAP-CMA activity; or
Chapter 2. The ICAO Universal Security Audit Programme (USAP) 2-9

c) in case of any changes in their aviation security system, programmes, regulations and/or procedures
to determine whether these changes impact the status of any PQs.

2.7.6 The self-assessment is important for States in order to prepare for a USAP-CMA activity. Each PQ
includes information on ICAO references that helps identify a specific Annex 17 Standard or Annex 9 security-related
provision related to the PQ. Each PQ also includes guidance for review and examples of what the State needs to
establish and implement to comply with the ICAO provision outlined in the PQ; this is also an indication of the type of
evidence that the USAP-CMA audit team will be looking for during a USAP-CMA activity. The CE linked to each PQ is
also an indication for States — CEs 1 to 5 indicate that the State must establish the ICAO provision outlined in the PQ
and CEs 6 to 8 indicate that the State must implement the established provision.

2.7.7 As indicated above, USAP-CMA PQs also serve as a tool for States to conduct regular self-assessments in
order to actively monitor and report the health of their aviation security and oversight systems on a continuous basis.
States can use PQs to conduct scheduled internal audits of their aviation security and oversight systems. Thus, States
can actively monitor their own systems in a proactive manner to identify and resolve deficiencies.

Note.— The USAP-CMA PQs are available on the USAP secure website.

2.8 STATE’S AVIATION SECURITY PERFORMANCE

2.8.1 The State’s aviation security performance is defined as the State’s level of implementation of the CEs of an
aviation security oversight system and the State’s status of implementation of Annex 17 Standards and security-related
provisions of Annex 9, associated procedures, guidance material and security-related practices.

2.8.2 The EI is a measure of the State’s aviation security oversight and compliance capabilities. A higher EI
indicates that a State’s aviation security and oversight systems have a greater degree of compliance with ICAO
security-related provisions. The EI is calculated for any group of PQs, based on the following formula:

number of satisfactory PQs within the group


EI (%) = ——————————————————————————————————— x 100
number of satisfactory PQs + number of not satisfactory PQs within the group

2.8.3 Thus, the EI can be calculated for each CE, each audit area, each Annex 17 Standard or Annex 9
security-related provision and as an overall value for all USAP-CMA PQs. The USAP-CMA uses the following indicators
to measure the State’s aviation security performance:

a) Oversight Indicator — average EI of the eight CEs of a State’s aviation security oversight system;

b) Compliance Indicator — average EI of Annex 17 Standards and average EI of security-related


provisions of Annex 9; and

c) USAP-CMA PQ Indicator — EI of USAP-CMA PQs, i.e. the percentage of satisfactory USAP-CMA


PQs.

2.8.4 In addition to the EI, a lack of effective implementation (LEI) is also calculated for certain analyses. The LEI
is simply the inverse of the EI and is calculated as:

LEI (%) = 100 – EI (%)


Universal Security Audit Programme
2-10 Continuous Monitoring Manual

Note 1.— For the Compliance Indicator, the term “compliance” is used instead of EI. Thus, the State’s
Compliance Indicator is, in other words, the average compliance with Annex 17 Standards and the average compliance
with security-related provisions of Annex 9.

Note 2.— The Compliance Indicator provides only a picture of indicative compliance of the State with
Standards of Annex 17 and security-related provisions of Annex 9 derived from observations made at the time of the
USAP-CMA audit by the USAP-CMA audit team at the airport(s) selected for observation. It does not provide a definitive
measure of the State’s overall compliance with Standards of Annex 17 and security-related provisions of Annex 9.

2.8.5 Aviation security performance indicators provide a system of measurement to ICAO to assess the
oversight and compliance capabilities of States and serve as data trending charts to track and monitor any changes in
those capabilities.

2.9 SIGNIFICANT SECURITY CONCERN (SSeC)

2.9.1 Under the USAP second-cycle audit report production process, a final aviation security audit report was
forwarded to the audited State within 60 calendar days after the closing meeting of the audit. The State then had
60 calendar days to submit a CAP. However, USAP auditors sometimes encountered situations that revealed SSeCs
that might pose an immediate security risk to international civil aviation. In the absence of a mechanism to address
these SSeCs in a timely manner, corrective action might not have been taken by the audited State before the CAP was
submitted to ICAO approximately four months after the audit.

2.9.2 In June 2008, the ICAO Council considered a procedure, within the scope of Article 54 j) of the Chicago
Convention, that would enable disclosure of information regarding a State having significant compliance shortcomings
with respect to security-related SARPs, including failure to act in accordance with its security oversight obligations and
failure to carry out recommendations of the Council. The Council requested that issues related to the security risk
indicators and the concept of SSeC be referred to the Aviation Security Panel for discussion.

2.9.3 The Council, during its 187th Session, endorsed the Aviation Security Panel’s recommendation to establish
an SSG to review and develop the security risk indicators associated with the application of Article 54 j) to aviation
security and the definition of SSeC, including a mechanism to enable the rapid resolution of such concerns identified
under the USAP.

2.9.4 The Council, during its 189th Session, considered and approved the proposals of the SSG related to:

a) the security risk indicators:

1) failure or refusal to participate in significant aspects of the USAP audit process, including, but not
limited to, pre-audit, on-site and corrective action requirements;

2) failure to resolve critical security-related deficiencies identified in the USAP process;

3) level or nature of activity inconsistent with security oversight capability; and

4) security incidents linked to deficiencies in a State’s security oversight responsibilities and


obligations.
Chapter 2. The ICAO Universal Security Audit Programme (USAP) 2-11

b) the definition of SSeC:

“A significant security concern occurs when the appropriate authority responsible for aviation security
in the State permits aviation activities to continue, despite lack of effective implementation of the
minimum security requirements established by the State and by the provisions set forth in Annex 17 —
Security related to critical aviation security controls including, but not limited to, the screening and the
protection from unauthorized interference of passengers, cabin and hold baggage; the security of
cargo and catering; access control to restricted and security-restricted areas of airports; and the
security of departing aircraft resulting in an immediate security risk to international civil aviation.”

c) the associated mechanism to address SSeCs identified during a USAP audit in a timely manner. The
SSeC mechanism was further revised by the Council during its 208th Session based on the Aviation
Security Panel’s recommendation.

2.9.5 SSeC mechanism. An SSeC identified during the course of a USAP-CMA on-site activity will be described
to the audited State as a preliminary SSeC during the post-audit debriefing, at the conclusion of the audit. If the
preliminary SSeC is validated and confirmed by the SSeC Validation Committee at ICAO Headquarters, ICAO notifies
the audited State, within 15 calendar days following the post-audit debriefing, by providing the State with the SSeC
finding and recommendation. The State is then requested to implement, within 15 days following notification, immediate
corrective action to resolve or mitigate the SSeC and advise ICAO. If no corrective action to resolve or mitigate the
SSeC is implemented and provided to ICAO within the prescribed time frame, ICAO informs all Member States that an
SSeC has been identified and remains unresolved, by publishing an Electronic Bulletin (EB), which includes the name of
the State with an SSeC. In addition, the name of the State and the number of unresolved SSeCs are also posted on the
USAP secure website. Furthermore, if the SSeCs are not resolved within three months of being posted, ICAO identifies
on the USAP secure website the audit area(s) related to unresolved SSeCs.

2.9.6 The Council, during its 208th Session, endorsed the Aviation Security Panel’s recommendation, whereby
the ICAO Secretariat should include the name of States with SSeCs in the EB sent to all Member States, and should
identify through the USAP secure website the audit area(s) related to the SSeC(s) if these are not resolved within three
months of being posted.

2.9.7 ASA has developed internal procedures describing in detail the different phases of the SSeC mechanism,
including the identification, confirmation and resolution of SSeCs.

2.10 STATE AVIATION SECURITY ACTIVITY QUESTIONNAIRE (SASAQ)

2.10.1 The State aviation security activity questionnaire (SASAQ) is designed to collect comprehensive and
specific information on each State’s aviation security activities, including legislative, regulatory, organizational,
operational, technical and administrative details. Each State shall submit to ICAO, no later than 60 calendar days prior to
the start of a USAP-CMA activity, a completed SASAQ designed to provide ICAO with preliminary information
concerning the State’s aviation security and oversight systems.

2.10.2 States are required to update their SASAQ regularly in order to assist ASA in monitoring the level of
aviation security activities in States related to each audit area and in prioritizing and planning USAP-CMA activities.

2.10.3 ICAO will revise the SASAQ template periodically.


Universal Security Audit Programme
2-12 Continuous Monitoring Manual

2.10.4 The State Quality Control Activity Summary Form is an attachment to the SASAQ and has been created to
facilitate States in the provision of information regarding their oversight activities which will be used within the framework
of the USAP-CMA.

Note.— The SASAQ and the State Quality Control Activity Summary Form are available on the USAP
secure website.

2.11 COMPLIANCE CHECKLISTS (CCs)

2.11.1 States are required to complete and maintain up to date compliance checklists (CCs), which contain
information on the State’s compliance with Annex 17 SARPs and security-related provisions of Annex 9. The completion
of the CCs by Member States will:

a) provide authorized users with an overview of the level of implementation of relevant ICAO provisions;
and

b) enable Member States to identify any difference which may exist between their own practices and
those established by relevant ICAO Standards.

2.11.2 ICAO will revise the CCs template periodically subsequent to amendments to Annex 17 SARPs or to
security-related provisions of Annex 9.

Note.— The CCs are available on the USAP secure website.

______________________
Chapter 3

THE CONTINUOUS MONITORING APPROACH (CMA)

3.1 USAP-CMA CONCEPT

3.1.1 The USAP-CMA is designed to promote global aviation security through auditing and monitoring aviation
security performance of Member States on an ongoing basis.

3.1.2 The USAP-CMA is a shift from the traditional cyclical audit approach, which provides only a “snapshot” of a
State’s aviation security system at a given point in time, to a more continuous monitoring of a State’s oversight and
compliance capabilities. This enables ICAO to develop and maintain an ongoing, updated picture of the aviation security
situation in Member States.

3.1.3 The USAP-CMA incorporates a risk-based approach to auditing, by establishing the priorities and
frequency of audit and monitoring activities based on various key parameters reflecting the changes in the aviation
security situation in Member States, while taking into consideration any oversight activities and information provided by
regional regulatory/oversight bodies. This leads to a more efficient use of resources of both ICAO and the Member
States, thus ensuring long-term and cost-effective programme management for the Organization.

3.1.4 The USAP-CMA provides for a system that does not apply a one-size-fits-all approach to auditing. Rather,
the USAP-CMA incorporates a performance-based approach to auditing which enables increased flexibility in
determining the real needs of Member States and allows for a customized approach for each Member State. This is
achieved by proposing activities of different types and scope based on aviation security performance indicators of States,
which provide an indication of the level of security of the civil aviation system and the effectiveness of the aviation
security oversight system in place in Member States.

3.1.5 Under the USAP-CMA, the principle of universality is maintained as all Member States are subject to
continuous audit and monitoring activities by ICAO, in accordance with the principles, methodology, processes and
procedures established for conducting such activities, and on the basis of the MoU signed by ICAO and each Member
State. The priorities, frequency, type and scope of such activities will vary based on each Member State’s specific
circumstances.

3.1.6 The USAP-CMA forms an integral part of ICAO’s overall aviation security framework, which encompasses
policy, audits and assistance. The USAP-CMA generates up-to-date State-specific and regional data which provides
useful and critical information to facilitate the provision of targeted and tailored assistance to States, while also providing
valuable feedback to ICAO for the development of SARPs and guidance material. The USAP-CMA, therefore, is a key
driver for both the provision of effective assistance with a view to enabling States to improve their aviation security and
oversight systems in compliance with ICAO security-related SARPs, and for policy development.

3-1
Universal Security Audit Programme
3-2 Continuous Monitoring Manual

3.2 USAP-CMA OBJECTIVE

The objective of the USAP-CMA is to promote global aviation security through continuous auditing and monitoring the
aviation security performance of Member States. This objective is achieved by:

• regularly and continuously obtaining and analysing data on the aviation security performance of
Member States;

• identifying deficiencies in the overall aviation security performance of Member States and assessing
the risks associated with such deficiencies;

• providing prioritized recommendations to assist Member States in addressing identified deficiencies;

• evaluating and validating corrective actions taken by Member States; and

• re-assessing the aviation security performance of Member States in order to continuously enhance
their aviation security oversight and compliance capabilities.

3.3 USAP-CMA PROCESS

3.3.1 The USAP-CMA process consists of the following components:

a) determination of State-specific USAP-CMA activity;

b) conduct of State-specific USAP-CMA activity;

c) identification and analysis of deficiencies;

d) measurement of the State’s aviation security performance;

e) provision of prioritized recommendations; and

f) evaluation of State corrective actions to address deficiencies.

3.3.2 These components enable ICAO to continuously audit and monitor the aviation security performance of
Member States. Figure 3-1 shows the USAP-CMA process components.
Chapter 3. The Continuous Monitoring Approach (CMA) 3-3

Determine State-
specific USAP-CMA
activity

Evaluate State’s Conduct State-


corrective actions to specific USAP-CMA
address deficiencies activity

Provide prioritized Identify and analyse


recommendations deficiencies

Measure
State’s aviation
security
performance

Figure 3-1. USAP-CMA process components

3.4 DETERMINATION OF A STATE-SPECIFIC USAP-CMA ACTIVITY

3.4.1 The USAP-CMA takes into consideration the varying levels of development and maturity of aviation
security and oversight systems of Member States, and incorporates a variety of audit and monitoring activities tailored to
each Member State’s aviation security situation as part of the strategy for promoting the enhancement of global aviation
security on a continuous basis. The determination of a specific type of USAP-CMA activity for a given State will be made
by ASA using defined criteria based on:

a) the results of the previous USAP activity;

b) the State’s aviation security performance indicators, in particular the average EIs of establishment
CEs and implementation CEs;

c) updates on CAP implementation; and

d) updated information submitted by the State through the SASAQ.


Universal Security Audit Programme
3-4 Continuous Monitoring Manual

3.4.2 The USAP-CMA activities include:

a) documentation-based audits;

b) oversight-focused audits;

c) compliance-focused audits; and

d) other audit and monitoring activities.

Documentation-based audits

3.4.3 Documentation-based audits are conducted primarily by correspondence between ICAO Headquarters and
the States concerned and include increased requirements for submission of documentation by States. States identified
for documentation-based audits could still receive on-site audits, as appropriate. Any specific areas of concern are
identified and addressed either remotely from ICAO Headquarters or by means of a physical visit to the State concerned.
Documentation-based audits may identify potential SSeCs, requiring a USAP-CMA on-site audit.

3.4.4 The scope of documentation-based audits will include a tailored set of core PQs related to the
implementation of continuous processes within the State’s aviation security oversight system, such as amendment of
national aviation security requirements, coordination of aviation security activities at the national and airport levels,
training of aviation security personnel, certification and approval obligations, quality control activities and resolution of
security concerns. This set of PQs will be augmented by additional PQs based on previous USAP audit results of the
State, the updated CAP, new Annex provisions, the State quality control activity results derived from the State Quality
Control Activity Summary Form, any significant change in the State’s aviation security and oversight systems and acts of
unlawful interference in the State. Failure by the State to provide required documentation and information will make the
State ineligible for a documentation-based audit, and the State will be scheduled for a USAP-CMA on-site audit.

3.4.5 Documentation-based audits will primarily measure the State’s aviation security oversight system, while
also giving a strong indication of the State’s degree of regulatory compliance with Annex 17 Standards and
security-related provisions of Annex 9 to the Chicago Convention. Certain PQs related to the operational implementation
of security measures under Annex 17 and security-related provisions of Annex 9 will be marked as undetermined until
their status is assessed through a USAP-CMA on-site activity.

Oversight-focused audits

3.4.6 Oversight-focused audits are conducted by means of on-site audits similar to USAP second-cycle audits,
and include the review of national-level regulations and programmes, such as the NCASP, the NCASTP and the NQCP,
followed by spot checks conducted at the airport(s) selected for observation to verify the effectiveness of aviation
security requirements and measures on the ground. The scope of oversight-focused audits might be full, covering all
USAP-CMA audit areas, or partial, covering one or more audit areas, based on previous USAP audit results, as well as
on other information available to ICAO.
Chapter 3. The Continuous Monitoring Approach (CMA) 3-5

3.4.7 A fundamental component of oversight-focused audits is the review of the implementation of the State’s
NQCP, i.e. the evaluation of the effectiveness of the State’s quality control measures which may be defined as the
surveillance techniques and activities used by the State to assess its civil aviation security system and, whenever
required, to resolve identified deficiencies. This review is based on the assessment of three major issues related to the
implementation of the NQCP:

— the adequacy of compliance monitoring activities;

— the effectiveness of compliance monitoring activities; and

— the availability of national aviation security inspectors for compliance monitoring.

3.4.8 Adequacy of compliance monitoring activities. Standards 3.4.5 and 3.4.6 of Annex 17 require each
Contracting State to:

— ensure that the implementation of security measures is regularly subjected to verification of


compliance with the NCASP; and

— arrange for security audits, tests, surveys and inspections to be conducted on a regular basis, to verify
compliance with the NCASP and to provide for the rapid and effective rectification of any deficiencies.

3.4.9 To this end, the USAP-CMA audit should make an assessment of the frequency and scope of the State’s
monitoring activities. The frequency of national monitoring activities should be established in the NQCP. The verification
therefore should confirm if the NQCP does establish minimum frequencies for at least security audits and inspections.
The USAP-CMA audit should also assess if the monitoring activities carried out at the national level are sufficiently
frequent and if the priorities and frequency of national monitoring activities are determined on the basis of risk
assessment carried out by the relevant authorities, as required by Standard 3.4.5 of Annex 17.

3.4.10 It should be noted that there is no requirement to inspect every airport every year but, as a general rule,
one should consider that airports with an annual traffic volume of more than 10 million passengers should be subject to a
security audit covering all aviation security standards at least every 4 years. At airports with an annual traffic volume of
more than 2 million passengers, the minimum frequency for inspecting all sets of directly linked security measures in the
areas of airport security, aircraft security, passenger and cabin/hold baggage security and cargo/mail security should be
at least every 12 months, unless an audit has been carried out at the airport during that time. The frequency for
inspecting all security measures related to airport and in-flight supplies, staff recruitment and training and security
equipment may be determined based on a risk assessment. Where a State has no airport with an annual traffic volume
exceeding 2 million passengers, the above requirement should apply to the airport in the State with the greatest annual
traffic volume.

Note.— A set of directly linked security measures is a set of two or more requirements that impact on each
other so closely that achievement of the objective cannot be adequately assessed unless they are considered together.

3.4.11 The USAP-CMA audit should also assess if the monitoring activities carried out ensured a regular
monitoring of all airports and entities situated in the State. Therefore, the USAP-CMA audit should assess the scope of
the State’s monitoring activities and the deployment of a variety of quality control activities, as required by
Standard 3.4.6 of Annex 17. To this end, a representative sample of national quality control activity reports should be
analysed for the last two years. The verification should allow to establish if all security measures were monitored at least
once, if a suitable combination of compliance monitoring types (security audits, inspections and tests) were used and if
the minimum frequencies for security audits and inspections were met.
Universal Security Audit Programme
3-6 Continuous Monitoring Manual

3.4.12 Effectiveness of compliance monitoring activities. The USAP-CMA audit should assess if the common
methodology requirements are respected, if rapid and effective rectification of deficiencies takes place and if
enforcement powers are available and used whenever appropriate.

3.4.13 Regarding the common methodology, the verification of a representative sample of national quality control
activity reports should confirm that:

— a standardized approach was used for the conduct of audits, inspections and tests, which included
planning, preparation, on-site activity, the classification of findings, the debriefing and
reporting/recording, the correction process and monitoring;

— a systematic gathering of information by means of observations, interviews and review of documents


was employed;

— the compliance monitoring activities undertaken did include announced and unannounced activities;

— a harmonized classification system of compliance was used; and

— the quality control activity reports include elements such as the date and time of the activity, entity
monitored, type and scope of the activity, findings with the corresponding provisions of the NCASP,
classification of compliance, recommendations for remedial actions and time frame for correction,
where appropriate.

3.4.14 Regarding the rapid and effective rectification of deficiencies, the assessment of the selected sample of
national quality control activity reports should allow to confirm if rapid and effective rectification takes places. The
USAP-CMA audit should also verify if the appropriate authority systematically requires the submission of CAPs together
with a timeframe for implementation of the remedial actions and if it actively follows up on the rectification process. In
addition, the visit of the airport(s) selected for observation will confirm actual rectification to be verified in the field.

3.4.15 Regarding the enforcement powers, the USAP-CMA audit should establish if the appropriate authority has
been invested with enforcement powers, including the power to impose penalties, and also actually uses them whenever
appropriate. Samples of enforcement actions applied during the monitoring should be analysed. The audit should also
verify if a graduated and proportionate approach is established regarding deficiency correction activities and
enforcement measures, and if the national aviation security inspectors are provided with sufficient authority to obtain the
information necessary to carry out their tasks.

3.4.16 Availability of national aviation security inspectors for compliance monitoring activities. An
assessment of available human resources for national compliance monitoring activities needs to be conducted and should
include such factors as independence, competencies, initial, on-the-job and recurrent training. To this end, the frequency of
the different monitoring activities, their scope, as well as the number of follow-up activities should be analysed. An
insufficient number of monitoring activities is a clear indication that the available human resources are either insufficient or
used for purposes other than monitoring compliance. Hence, the number of national aviation security inspectors available,
and the actual number of hours spent monitoring compliance in the field, are two crucial elements.

3.4.17 The USAP-CMA audit will validate information obtained from the SASAQ on the number of airports in the
State serving civil aviation and their size in terms of passenger/cargo traffic, the number of national and foreign aircraft
operators providing service from the State, as well as the number of regulated agents, known consignors, known airport
and in-flight suppliers, as applicable. These figures will be used to establish if the man-days invested in national
monitoring activities reflect the number of airports, aircraft operators and entities to be monitored.
Chapter 3. The Continuous Monitoring Approach (CMA) 3-7

3.4.18 The verification of the effectiveness of national monitoring activities at the airport level should take place at
the airport(s) selected for observation. Prior to the verification, all national monitoring reports relating to the airport
should be carefully analysed to identify deficiencies previously detected and the status of deficiency rectification. The
on-site verification should then establish:

a) if deficiency rectification actually took place;

b) which areas were still deficient; and

c) if there are any other areas with shortcomings that were not identified in national quality control activity
reports.

Compliance-focused audits

3.4.19 Compliance-focused audits are conducted by means of on-site audits, similar to USAP second-cycle audits,
and include the review of national-level regulations and programmes, followed by more detailed observations of the
implementation of security measures by various airport-level entities at the airport(s) selected for observation to assess
the State’s compliance with relevant SARPs. These full-scale or partial audits will focus on a set of PQs related to CE-1
to CE-6 and include more observations of the implementation of security measures on the ground using CE-8-related
PQs. The status of the PQs related to CE-7 would be determined as satisfactory or not satisfactory based on the level
of maturity of the national quality control system.

Other audit and monitoring activities

3.4.20 Cost-recovery audits. USAP-CMA cost-recovery audits may be conducted at the request of a Member
State and will be accommodated as resources and time permit. The methodology for USAP-CMA cost-recovery audits
will be the same as for compliance-focused audits or oversight-focused audits, as applicable. However, ICAO identifies
the need for compliance-focused or oversight-focused audits and determines their scope, whereas the type, scope and
scheduling of any USAP-CMA cost-recovery audit will require agreement between ICAO and the State, and will be
assessed by ICAO on a case-by-case basis. The results of USAP-CMA cost-recovery audits will be treated in the same
manner as the results from regularly scheduled USAP-CMA activities, including the possibility of invoking the SSeC
mechanism.

3.4.21 Validation missions. ICAO will plan and conduct on-site validation missions to specifically assess and
validate corrective actions implemented by the State to resolve or mitigate SSeCs. A State may also request ICAO to
conduct an on-site cost-recovery validation mission to assess and validate the CAP implemented by the State to
address previously identified deficiencies. Such cost-recovery validation missions will be considered as USAP-CMA
cost-recovery audits with specific audit scope and will be accommodated as resources and time permit.

3.4.22 Referral for assistance. The experience of the first and second cycles of USAP audits has demonstrated
that a small number of States are not in a position to derive full benefit from an audit. Under the USAP-CMA, such States
will be referred to the Implementation Support and Development — Security Programme and the Technical Cooperation
Programme for needs assessment surveys and for subsequent determination and provision of appropriate assistance. ASA
will monitor such assistance activities in coordination with the Implementation Support and Development — Security
Section (ISD-SEC) to determine the appropriate timing for a USAP-CMA activity to be conducted in those States.
Universal Security Audit Programme
3-8 Continuous Monitoring Manual

3.5 CONDUCT OF A STATE-SPECIFIC USAP-CMA ACTIVITY

3.5.1 USAP-CMA activities are conducted based on available resources and in accordance with the roles,
responsibilities and procedures described throughout this manual. ASA conducts an appropriate type of USAP-CMA
(on-site or off-site) activity for States included in the annual schedule of USAP-CMA activities, as determined through the
planning and scheduling process described in 4.6.

3.5.2 The conduct of a State-specific USAP-CMA activity is a systematic and objective assessment of the
State’s aviation security and oversight systems, using USAP-CMA PQs, which allows ASA to collect and document
evidence presented and/or submitted by the State in support of the implementation of Annex 17 Standards and
security-related provisions of Annex 9, as well as the CEs of a State’s aviation security oversight system. The conduct of
a USAP-CMA activity serves as a data collection process necessary to evaluate the State’s aviation security
performance. The conduct phase of the USAP-CMA activity is described in detail in 6.3.

3.6 IDENTIFICATION AND ANALYSIS OF DEFICIENCIES

3.6.1 Analysis of data collected during the conduct of a USAP-CMA activity allows the identification of
deficiencies, if any, in the State’s aviation security performance, which adversely affect the State’s oversight and
compliance capabilities. Identified deficiencies are subjected to risk assessment in terms of their impact on the State’s
aviation security and oversight systems.

3.6.2 The USAP-CMA utilizes a classification system for USAP-CMA PQs, whereby each PQ is classified based
on its significance in terms of impact on aviation security. The purpose of the classification system is not to differentiate
between related Annex provisions in terms of their importance, but rather to provide States with a mechanism for
prioritizing their corrective actions to rectify identified deficiencies and allocate resources accordingly. The classification
system uses “Low”, “Medium”, “High” and “Very high” priorities for classifying USAP-CMA PQs.

3.6.3 The deficiencies identified following a State-specific USAP-CMA activity are prioritized on the basis of
associated PQs. The identified deficiencies are further subjected to analysis by ASA within the context of State-specific
audit results in terms of associated risks, which may entail upgrading or downgrading the priorities of certain deficiencies.

3.7 MEASUREMENT OF THE STATE’S AVIATION SECURITY PERFORMANCE

3.7.1 The final output of the State’s aviation security performance audit and monitoring process is the
measurement of the State’s aviation security performance indicators based on the analysis of data collected through the
USAP-CMA activity. By analysing all pertinent data derived from the USAP-CMA activity results, the State’s aviation
security performance is measured using the indicators defined in 2.8.

3.7.2 The State’s Oversight Indicator depicts the State’s overall level of implementation of the CEs of an aviation
security oversight system, while the State’s Compliance Indicator provides only a picture of indicative compliance of the
State with Annex 17 Standards and security-related provisions of Annex 9. The State’s USAP-CMA PQ Indicator
provides the percentage of PQs found satisfactory during the USAP-CMA activity.
Chapter 3. The Continuous Monitoring Approach (CMA) 3-9

3.8 PROVISION OF PRIORITIZED RECOMMENDATIONS

For each not satisfactory PQ, a recommendation is provided to the State for implementation in order to rectify the
identified deficiency related to that PQ. Under the USAP-CMA, the recommendations are prioritized based on the nature
of the deficiencies they address. This will provide States with a clear strategy to help prioritize their own corrective
actions and allocation of resources to best address identified deficiencies.

3.9 EVALUATION OF STATE CORRECTIVE ACTIONS TO ADDRESS DEFICIENCIES

3.9.1 In the event that action for improvement is recommended by ICAO following completion of a USAP-CMA
audit, the State is responsible for developing a CAP defining the corrective actions it plans to take to resolve any
deficiencies identified in its aviation security and oversight systems.

3.9.2 CAP review. The State’s CAP will be reviewed by an ASA TL who will provide feedback on the
acceptability of the CAP, as necessary. If any proposed corrective actions do not fully address the associated findings
and recommendations, the State will be notified accordingly and requested to resubmit its CAP.

3.9.3 CAP evaluation. The State’s CAP, including progress updates, will be evaluated by ASA to measure
(unvalidated) progress achieved by the State in the rectification of deficiencies identified by the USAP-CMA audit. Such
evaluations may result in updating the State’s USAP-CMA key parameters. States should continue sending information
to ASA on the progress made in the implementation of their CAPs.

3.9.4 CAP validation. The validation of progress made by the State in the implementation of its CAP to address
previously identified deficiencies will be included in the scope of the subsequent USAP-CMA activity for the State. ICAO
may opt to conduct an off-site validation at ICAO Headquarters, as part of the subsequent USAP-CMA off-site activity for
the State, which may typically address PQ findings associated with establishment CEs, provided that the State submits
sufficient and tangible evidence of their full implementation. Corrective actions related to PQ findings associated with
implementation CEs do not qualify for an off-site validation and must be assessed and validated on-site as part of the
subsequent USAP-CMA on-site activity for the State.

3.9.5 The results of subsequent USAP-CMA activities for the State, including changes in the SSeC status, if any,
will be reflected in the State’s aviation security performance indicators. Any such update will also result in updating the
State’s USAP-CMA key parameters. Continuous improvement in the State’s oversight and compliance capabilities is
measured through the monitoring of the State’s aviation security performance indicators.

3.10 AVIATION SECURITY PERFORMANCE-RELATED ANALYSIS

3.10.1 ASA uses a dedicated USAP-CMA activity management and analysis software for recording and analysing
the USAP-CMA activity results and for the production of USAP-CMA audit reports. The software allows continuous
monitoring and reporting of security-related information received from Member States through USAP-CMA activities,
including monitoring the aviation security performance indicators of States using basic quantitative data trending tools
that generate graphs or charts. This enhances the effectiveness and efficiency of the USAP-CMA in identifying
deficiencies and associated security risks.
Universal Security Audit Programme
3-10 Continuous Monitoring Manual

3.10.2 The software also facilitates the administration and management of USAP-CMA PQs and PQ findings. As
each PQ is associated with one CE and one Annex 17 Standard or one security-related provision of Annex 9, the
software allows the tracking of the status of implementation of the PQs and the analysis of not satisfactory PQs by CE or
by ICAO SARP. This allows ASA to conduct global, regional, sub-regional and State-specific analysis of USAP-CMA
activity results by any grouping of PQs, CEs or ICAO SARPs. Such analysis enables ICAO to identify common
deficiencies and define measures to assist its Member States.

______________________
Chapter 4

PROGRAMME MANAGEMENT

4.1 GENERAL

4.1.1 In order to effectively manage and ensure the success of the USAP-CMA, all components of the
programme, including roles and responsibilities of each entity, the required resources and procedures, are clearly
defined in this chapter.

4.1.2 The effective implementation of the USAP-CMA depends on partnerships, communication and exchange
of information between ICAO, Member States and regional organizations, who all have a specific, defined role.

4.1.3 Implemented within the USAP-CMA, ASA’s internal procedures provide the mechanisms to effectively
implement established processes, monitor and review the components of the USAP-CMA, determine the need for
corrective or preventive action and identify opportunities for improvement. It also allows ICAO to collect and analyse
data to measure the satisfaction level of stakeholders with the USAP-CMA and to take appropriate actions to improve
USAP-CMA processes, procedures and components.

Note.— The roles and responsibilities outlined in this chapter solely pertain to the USAP-CMA processes
and are not intended to provide a comprehensive description of roles and responsibilities of individuals, entities and
organizations beyond the scope of this manual and the USAP-CMA.

4.2 ROLES AND RESPONSIBILITIES OF ICAO

4.2.1 Within the scope of the USAP-CMA, the Secretary General of ICAO is the convening authority for
USAP-CMA activities in accordance with the annual activity plan.

4.2.2 The Chief, Aviation Security Audit Section (C/ASA), in coordination with other relevant sections and ICAO
Regional Offices (ROs), is responsible for the administration, implementation and management of the USAP-CMA on a
day-to-day basis and for approving all USAP-CMA audit reports.

4.2.3 ASA is responsible for managing the overall development, implementation, maintenance and quality of the
USAP-CMA, including, but not limited to:

a) monitoring the State’s USAP-CMA key parameters to identify and prioritize appropriate USAP-CMA
activities;

b) developing and updating the annual schedule of USAP-CMA activities in coordination with ROs, which
includes the list of States to be subjected to USAP-CMA activities, the dates of USAP-CMA activities
and the composition of USAP-CMA audit teams;

c) providing timely notification to States regarding scheduled USAP-CMA activities and audit team
composition;

4-1
Universal Security Audit Programme
4-2 Continuous Monitoring Manual

d) providing guidance and information to States to prepare for the conduct of USAP-CMA activities;

e) ensuring coordination between States and ASA in a timely manner on all issues related to the
USAP-CMA, including facilitating the exchange of information and documents between the TL and the
National Coordinator (NC) and ensuring that all appropriate arrangements have been made for the
conduct of the USAP-CMA activity;

f) developing and conducting regional USAP-CMA seminars;

g) developing, conducting and overseeing USAP-CMA auditor training and certification courses;

h) selecting and assigning appropriately qualified TLs and TMs to conduct USAP-CMA on-site activities
in accordance with the qualification standards established in this manual and in coordination with the
respective ROs;

i) maintaining a roster of certified USAP-CMA auditors;

j) managing the conduct of USAP-CMA activities;

k) developing and implementing the tools and processes required for implementing USAP-CMA
components and conducting activities;

l) monitoring the progress of States in submitting and updating required information;

m) monitoring the status of findings and/or SSeCs;

n) assessing the acceptability of CAPs submitted by States;

o) assessing and monitoring corrective actions and mitigating measures proposed by States;

p) updating the State’s aviation security performance indicators;

q) developing and overseeing the implementation of information security instructions to protect sensitive
security information collected through the USAP-CMA activity process from unauthorized disclosure;

r) developing working papers and reports for the Assembly, the ICAO Council, the UIC and the Aviation
Security Panel on the implementation of the USAP-CMA and progress made in resolving identified
deficiencies, and improving the global EI of the eight CEs and the global compliance with Annex 17
Standards and security-related provisions of Annex 9 to the Chicago Convention; and

s) facilitating and coordinating support functions for all USAP-CMA activities and performing quality
control measures of all aspects of the USAP-CMA to ensure standardization, fairness and
transparency in the activities of the programme.

4.2.4 C/ASA monitors the conduct of all USAP-CMA tasks to ensure that they are carried out effectively and
identifies any required corrective or preventive actions.
Chapter 4. Programme management 4-3

Roles and responsibilities of other sections

4.2.5 Other sections within the ICAO Secretariat provide technical support to the USAP-CMA by:

a) providing input for the amendment of USAP-CMA PQs and the development of related guidance
material;

b) providing consultation for the review and confirmation of findings and SSeCs, when needed;

c) developing and maintaining the USAP-CMA software;

d) providing information to ASA regarding assistance projects and the readiness of States for
USAP-CMA activities; and

e) supporting training, seminars and activities related to the USAP-CMA.

Roles and responsibilities of the ICAO Technical Cooperation Bureau (TCB) and ROs

4.2.6 Member States have a responsibility under the Chicago Convention for the security of their aviation
industry, airspace and infrastructure. While the USAP-CMA assesses a State’s capability to oversee its aviation security
activities and determines its degree of compliance with the applicable SARPs, ICAO also has a mandate to assist States,
where possible, in establishing effective aviation security and oversight systems.

4.2.7 The ICAO Technical Cooperation Bureau (TCB) maintains prime responsibility for providing technical
assistance to States, when requested and as required. In addition, ISD-SEC may provide urgent immediate technical
assistance to States under the Implementation Support and Development – Security Programme. Finally, ASA, through
its auditors, may also provide on-site technical advice to States.

4.2.8 The ROs play an important role in assisting with the preparation and conduct of USAP-CMA activities,
facilitating effective communication between ICAO Headquarters and States and providing advice and assistance to
States, as required. The relevant Regional Officer, Aviation Security and Facilitation (ROASF) may, for example, assist a
State in resolving identified deficiencies where requested and coordinated through ICAO Headquarters, and assist with
the preparation and delivery of USAP-CMA training and certification courses and regional seminars. The key
responsibilities of the ROs within the USAP-CMA with respect to the States they are accredited to, include, but are not
limited to:

a) facilitating the exchange of information between ICAO Headquarters and States;

b) providing input to ASA on the selection and prioritization of USAP-CMA activities;

c) assisting in the coordination of the regional implementation of the USAP-CMA with ICAO
Headquarters;

d) instituting follow-up discussions with States on the development and implementation of their CAPs;
and

e) ensuring that corrective actions are taken by States in their regions in a timely manner.
Universal Security Audit Programme
4-4 Continuous Monitoring Manual

4.2.9 When practicable, ROASFs will be trained and subjected to the certification process as ICAO USAP-CMA
auditors. This will benefit the programme by ensuring the continuing availability of expertise within the regions. ROASFs
may participate in USAP-CMA audits as assigned and coordinate regional activities related to the USAP-CMA. However,
given the need to maintain a strict separation between ICAO’s audit and assistance activities and to prevent any
potential conflict of interests, ROASFs generally should not be involved in both audit and assistance activities for the
same States within their regions.

4.3 ROLES AND RESPONSIBILITIES OF MEMBER STATES

4.3.1 The success of the USAP-CMA depends on the cooperation of States and their participation in the
programme. Member States shall sign an MoU with ICAO to confirm their full support of and participation in the
USAP-CMA process by taking part in all USAP-CMA activities and by committing to provide information related to the
establishment and implementation of their aviation security and oversight systems, as requested by ICAO, and taking
into consideration the recommendations of the USAP-CMA audit report in the development of a State-specific CAP.

4.3.2 According to the MoU, States shall:

a) complete and maintain up to date the SASAQ and the CCs;

b) provide updates on the implementation of specific USAP-CMA PQs;

c) implement and provide updates and evidence related to the implementation of CAPs addressing not
satisfactory PQs;

d) take appropriate and timely action to resolve SSeCs; and

e) provide other relevant information, as requested by ICAO, such as national-level aviation security
legislation and airport-level aviation security procedures and practices.

4.3.3 Each Member State shall facilitate USAP-CMA on-site activities by accepting the dates and scope of
USAP-CMA activities and by:

a) making appropriate staff from its administration responsible for the regulation and oversight of aviation
security activities and matters related to facilitation, as well as relevant staff of airport operators, locally
based commercial air transport operators and any other entities responsible for the implementation of
aviation security measures available for interview by the USAP-CMA audit team;

b) making all relevant files, records and documentation of the appropriate authority for aviation security
and those of any other relevant entities responsible for aviation security and facilitation matters,
including national legislation, programmes and regulations related to aviation security and facilitation,
quality control activity records, airport-level programmes, procedures and internal quality control
activity records, available for review by the USAP-CMA audit team; and

c) providing the USAP-CMA audit team access to aerodrome facilities and restricted areas of the airport
for observation of aviation security measures implemented by all relevant entities.

4.3.4 The State should also facilitate the audit process by ensuring that the USAP-CMA audit team has a private
work space and access to electronic communications media such as the Internet.
Chapter 4. Programme management 4-5

Roles and responsibilities of National Coordinators (NCs)

4.3.5 In order to support the USAP-CMA and facilitate related activities, each State is responsible for designating
an NC to act as a primary point of contact for all USAP-CMA processes and activities on an ongoing basis. States are
responsible for providing ICAO with updates and information, through their NCs, upon request. Each State should advise
ICAO whenever there is a change in a designated NC. The NC is responsible for submitting, maintaining and/or
updating the information to be provided by the State to ASA on an ongoing basis, including, but not limited to:

a) PQ compliance status;

b) CAPs;

c) corrective actions taken by the State to resolve or mitigate SSeCs;

d) SASAQ;

e) CCs; and

f) other relevant information, as requested by ICAO.

4.3.6 The TL will work directly with the NC as designated by the Member State. The NC should be familiar with
all aspects of the national aviation security and oversight systems, including all programmes and requirements, and
knowledgeable about the airport(s) to be visited by the USAP-CMA audit team. The NC should also be knowledgeable
about the entities responsible for the implementation of the security-related provisions of Annex 9, as well as all
security-related operations (e.g. access control measures, screening procedures, cargo and mail, etc.).

4.3.7 The NC will be involved in every phase of the conduct of the USAP-CMA activity and will be kept informed
of the USAP-CMA audit team’s preliminary findings during daily meetings with the TL. The NC may be invited by the
USAP-CMA audit team to provide assistance and clarifications but should not seek to influence the audit’s outcome.

4.3.8 For facilitation purposes, the NC may decide to delegate some of his/her duties and tasks to a local and/or
airport representative (e.g. hotel reservations, escort of the USAP-CMA audit team, etc.). However, the overall
responsibility remains with the NC who is the main representative of the Member State for the purpose of the
USAP-CMA.

4.3.9 Prior to the USAP-CMA on-site activity, the NC will be required to:

a) act as the link between the Member State and both C/ASA and the TL;

b) ensure that the TL’s requests are fully understood and met;

c) inform and assist the USAP-CMA audit team with regard to the State’s entry requirements;

d) ensure the availability of a Technical Liaison Officer (TLO) (see the role of a TLO in 4.3.14 – 4.3.16)
for the purpose of answering any equipment-related questions;

e) adequately inform the airport authority and other entities to be involved in the USAP-CMA activity
(e.g. aircraft operators, cargo handlers, catering companies and/or immigration authorities, as
appropriate) about the USAP-CMA activity objectives, procedures, dates and schedule;
Universal Security Audit Programme
4-6 Continuous Monitoring Manual

f) organize appointments for the USAP-CMA audit team, including meetings with representatives of
organizations other than the appropriate authority for aviation security that have a direct role in either
oversight or implementation of the national aviation security system or implementation of the
security-related provisions of Annex 9;

g) ensure that all details of the USAP-CMA daily work plan (e.g. meetings and escorts) are arranged and
confirmed before the USAP-CMA audit team’s arrival;

h) provide the TL with adequate information, such as records of quality control activities, airport
diagrams, flight schedules, etc;

i) assist in making hotel reservations for the USAP-CMA audit team, as requested;

j) reserve meeting rooms for the national briefing and post-audit debriefing;

k) ensure coordination with the airport authority and other relevant entities with regard to completion of
the SASAQ and CCs;

l) ensure that the SASAQ and CCs are completed by the Member State and sent back to C/ASA along
with associated documentation in due time;

m) provide USAP-CMA audit team participants with airport identification cards and access permits, as
applicable;

n) ensure the availability of an appropriate escort at all times during visits to the airport(s) (escort(s)
should have adequate means of communication);

o) obtain protective clothing (e.g. high-visibility jackets) for USAP-CMA audit team participants according
to national regulations;

p) ensure that transportation is available for the duration of the USAP-CMA on-site audit; and

q) ensure that printing facilities are available to photocopy and print, as necessary, any documents the
USAP-CMA audit team might need.

4.3.10 During the USAP-CMA on-site activity, the NC will be required to:

a) facilitate the work of the USAP-CMA audit team (e.g. translation, interpretation and/or ensuring access
to all required documentation);

b) ensure that the airport authority and other entities involved in the USAP-CMA cooperate fully with the
USAP-CMA audit team;

c) escort the USAP-CMA audit team during the mission without interfering with its work and/or ensure
that appropriate escorts are available when the USAP-CMA audit team requires them; and

d) respond to the USAP-CMA audit team’s requests for clarification concerning information with respect
to the national/airport aviation security organization and security measures, practices and procedures.
Chapter 4. Programme management 4-7

4.3.11 The NC should be available at all times during the USAP-CMA on-site activity. He/she will be briefed daily
on the work and findings of the USAP-CMA audit team but will not attend any internal discussions of the USAP-CMA
audit team. As far as practicable, the TL and the NC will liaise closely to facilitate preparation for the USAP-CMA activity,
discussing any information related to the USAP-CMA PQs that may not be possible to be verified prior to the
USAP-CMA audit team’s arrival.

4.3.12 As far as possible, representatives from the USAP-CMA audit team will share a common language with the
audited State, airport authority, aircraft operators, regulated agents, etc., being interviewed. When necessary,
interpreters should be made available by the State for the duration of the USAP-CMA mission. Ideally, the interpreters
should have a basic knowledge of aviation security terminology.

4.3.13 After the USAP-CMA on-site activity, the NC should be available to clarify/confirm any information required
by the TL related to the USAP-CMA activity completed.

Roles and responsibilities of Technical Liaison Officers (TLOs)

4.3.14 The Member State should identify a TLO to act as the USAP-CMA on-site audit team’s point of contact for
all technical matters, such as to demonstrate to the USAP-CMA auditors technical procedures in place and provide
security equipment-related information. The State may appoint more than one TLO considering the field of expertise.
The technical component of the USAP-CMA on-site activity has the following objectives:

a) verify whether security equipment standards, which include equipment types, performance
capabilities, minimum detection settings, testing and agreed levels of performance, as well as
specifications of performance test pieces, have been adopted by the Member State and the audited
airport;

b) obtain evidence that these standards are in routine use, have been implemented in a manner that
complies with the national requirements, and are verified through the national quality control process;
and

c) check the evidence obtained by assessing particular pieces of equipment to ensure that they conform
to the requirements.

4.3.15 Prior to the USAP-CMA on-site activity, the TLO will be required to:

a) organize appointments for the USAP-CMA audit team with appropriate staff concerning technical
issues;

b) ensure coordination with the airport authority/appropriate authority with regard to the answers to the
SASAQ; and

c) ensure that persons (e.g. representatives of police, private security companies, etc.) to be met by the
USAP-CMA audit team are informed about the objectives and procedures of the USAP-CMA activity.

4.3.16 During the USAP-CMA on-site activity, the TLO will be required to:

a) organize a presentation of relevant documentation and items, such as routine test reports and test
pieces, for/review/observation by the USAP-CMA audit team;

b) facilitate the work of the USAP-CMA audit team (e.g. translation, etc.);
Universal Security Audit Programme
4-8 Continuous Monitoring Manual

c) escort the USAP-CMA audit team, as required, without interfering with its work;

d) clarify any questions the USAP-CMA audit team might have on the security screening equipment,
performance tests, etc; and

e) facilitate cooperation with the airport authority or other entities, as required.

4.3.17 The TLO should be available for the USAP-CMA audit team at all times during the USAP-CMA on-site
activity but will not be allowed to attend any internal discussions of the USAP-CMA audit team, such as its daily internal
debriefing. After the USAP-CMA on-site activity, the TLO should be available to clarify/confirm any information required
by the USAP-CMA activity TL concerning the equipment and security procedures at the audited airport.

4.4 ROLES AND RESPONSIBILITIES OF REGIONAL


AVIATION SECURITY OVERSIGHT ORGANIZATIONS

4.4.1 ICAO supports the establishment of regional aviation security oversight organizations performing aviation
security oversight-related activities on behalf of a group of Member States. Activities performed by such organizations
may include:

a) harmonization of legislation and regulations;

b) development of comprehensive and detailed procedures; and

c) selection and training of a regional core of qualified and experienced inspectors to perform a full range
of aviation security oversight activities on behalf of participating States.

4.4.2 If a regional aviation security oversight organization performs security-related activities on behalf of
Member States, ICAO, with the consent of participating States, may elect to enter into a working arrangement with this
organization to facilitate the monitoring of those States.

4.5 MEMORANDUM OF UNDERSTANDING (MoU)

4.5.1 An MoU signed between each Member State and ICAO establishes the official agreement outlining the
terms and responsibilities of the Member State and ICAO in the effective implementation and maintenance of the
USAP-CMA and conduct of USAP-CMA activities. The signed MoU represents the commitment of the Member State
concerned not only to participate in USAP-CMA activities but also to take into consideration the recommendations of the
USAP-CMA audit team in developing and implementing a State-specific CAP. The generic MoU, approved by the ICAO
Council, is set forth in Appendix A.

4.5.2 Prior to the conduct of a USAP-CMA activity, all ICAO Member States shall return to ICAO two signed
copies of the Model MoU approved by the Council (see Appendix A). These two copies will be countersigned by the
Secretary General of ICAO, and one signed copy will be returned to Member States. The Model MoU is available for
downloading on the ATB-USAP-MOU secure website at http://portallogin.icao.int/.
Chapter 4. Programme management 4-9

4.5.3 The signed MoU will confirm that the USAP-CMA activities will be conducted in accordance with the terms
specified in the MoU and on the basis of the criteria contained in this manual. No USAP-CMA activity will be undertaken
unless an appropriately signed MoU has been returned to ICAO and further countersigned by the Secretary General of
ICAO. Member States that do not sign and submit two signed copies of the MoU to ICAO shall be reported to the
ICAO Council. All other Member States shall also be informed of the State’s refusal to sign the MoU and participate in
the USAP-CMA.

4.6 PLANNING AND SCHEDULING

4.6.1 In accordance with the principle of universality, all Member States are subject to continuous audit and
monitoring activities by ICAO, though the priorities, frequency, type and scope of such activities vary based on each
Member State’s specific circumstances. Under the USAP-CMA, ASA uses defined criteria to select and prioritize States
for the conduct of the appropriate type of USAP-CMA activity. These activities, as defined in 3.4, are part of the strategy
for promoting the enhancement of global aviation security on a continuous basis.

4.6.2 ASA selects and prioritizes States for USAP-CMA activities through the planning and scheduling process.
The USAP-CMA annual activity plan is established in accordance with criteria that use the State’s USAP-CMA key
parameters. These parameters include various risk and performance indicators, as well as certain critical information,
impacting on the selection and prioritization of States for USAP-CMA activities. The State’s USAP-CMA key parameters
cover the following areas:

Risk information

• Level or nature of activity inconsistent with security oversight capability;

• Security incidents linked to deficiencies in a State’s security oversight responsibilities and obligations;

• State security record - acts of unlawful interference;

• Failure or refusal to participate in significant aspects of the USAP-CMA process, including, but not
limited to, preparation, conduct and reporting requirements;

• Failure to resolve the critical security-related deficiencies identified during the USAP-CMA activity,
such as SSeCs.

Performance information

• Results of the previous USAP activity;

• State Compliance Indicator;

• State Oversight Indicator;

• Existing or potential SSeCs;

• Level of acceptability of the State’s CAP;

• State’s CAP implementation progress.


Universal Security Audit Programme
4-10 Continuous Monitoring Manual

Critical information

• Number of airports in the State serving international civil aviation;

• Number of aircraft operators providing service from the State;

• Annual number of aircraft movements;

• Annual number of originating and transfer passengers;

• Annual volume of exported cargo and mail;

• Significant development in the State's aviation security and oversight systems;

• ICAO assistance activities in the State;

• Time elapsed since the last USAP activity.

Note.— Risk information should not be confused with threat and risk assessment, as described in the
Aviation Security Manual (Doc 8973 — Restricted), and is used for the purpose of determining the priorities in planning
and scheduling of USAP-CMA activities in conjunction with performance information and critical information.

4.6.3 In applying the above criteria, certain operational and technical factors influence the selection and
scheduling process, such as:

a) regional balance in terms of the percentage of States audited within each ICAO region;

b) aviation security concerns and other information made known by ROs, other ICAO sections or the
States to be audited;

c) State requests to be audited;

d) information shared by recognized international organizations;

e) geographical proximity and ease of transportation between States;

f) the availability of USAP-CMA TLs and TMs;

g) field security status reports from the office of the United Nations Department of Safety and Security;
and

h) the activity schedule of the ICAO USOAP-CMA and the audit schedules of other regional aviation
security audit programmes.

4.6.4 States’ USAP-CMA key parameters will be monitored and analysed on an ongoing basis by ASA, and the
priorities and frequency of USAP-CMA audit and monitoring activities for each State will be determined accordingly.

4.6.5 If a regional entity is empowered by a group of States with legal authority and responsibility to regulate
and/or oversee aviation security activities in those States, ICAO, with the consent of those States, may elect to enter into
a working arrangement with this regulatory and/or oversight entity to facilitate the monitoring of aviation security
oversight and compliance capabilities of the States Members of the regional group.
Chapter 4. Programme management 4-11

4.6.6 ICAO publishes an annual schedule of USAP-CMA activities, identifying the States that will receive
USAP-CMA on-site and off-site activities. The annual schedule and its amendments are provided to States via EBs
posted on the ICAO-NET and the USAP secure website.

4.6.7 In addition to USAP-CMA activities in the periodic schedule, ICAO will consider specific requests from
States for cost-recovery audits. The type, scope and scheduling of any such cost-recovery audit shall require
agreement between ICAO and the State, and will be assessed by ICAO on a case-by-case basis. The methodology
for conducting USAP-CMA cost-recovery audits will be the same as for compliance-focused audits or oversight-
focused audits, as applicable. The results of these cost-recovery audits will be treated in the same manner as the
results from regularly scheduled USAP-CMA activities. States requesting cost-recovery audits will be expected to
provide logistical assistance in making travel arrangements for the USAP-CMA audit team participants and to cover
all travel-related costs, local transportation and the daily subsistence allowance (DSA). For regularly scheduled
USAP-CMA on-site audits, ICAO will be responsible for the cost of transportation to and from the State, as well as for
the DSA of all USAP-CMA audit team participants.

Note.— The DSA is based on rates established by the United Nations and includes accommodation, meals
and incidental expenses.

4.6.8 ICAO will notify selected States at least 120 calendar days prior to the scheduled USAP-CMA activity
through a State notification letter signed by the Secretary General of ICAO providing the name(s) of the airport(s)
selected for observation, if applicable. States are required to acknowledge receipt of the State notification letter and
confirm their acceptance of the USAP-CMA activity within 30 days after receipt of the notification letter.

4.6.9 According to the MoU, Member States are urged to accept scheduled USAP-CMA activities without any
changes, unless there are compelling reasons not to do so. However, should changes be required, adjustments may be
made to the programme schedule to ensure the overall effectiveness and efficiency of the USAP-CMA.

4.6.10 If a State needs to make any changes to the programme schedule, the State is required to advise ICAO of
its inability to accept a scheduled activity as soon as possible after ICAO publishes an annual schedule of USAP-CMA
activities and, in any event, within 30 days after receipt of the State notification letter. In addition, the State shall clearly
indicate the compelling reasons for not accepting or postponing the USAP-CMA activity as initially scheduled.

4.6.11 USAP-CMA activity deferrals are strongly discouraged as they have an adverse impact on the overall
schedule of USAP-CMA activities and cause considerable difficulty for ICAO and other Member States affected by the
schedule change. A request for deferral should be addressed to the Secretary General and should be signed by the
designated appropriate authority of the State or his/her designee, clearly stating the compelling reason for not accepting
the USAP-CMA activity as scheduled.

4.6.12 Although everything possible will be done to maintain the activity schedule, changes to activity dates may
occur for reasons beyond ICAO’s control. Additionally, once a TL and TMs are assigned to an activity, all efforts will be
made to avoid changes to the composition of the USAP-CMA audit team, specifically the TL.

4.6.13 ICAO will submit requests for the release of short-term seconded auditors by States at least 90 days
before the start of the USAP-CMA on-site activity. In order to facilitate planning and scheduling, all auditors will be
requested to provide their non-availability dates as early as possible.
Universal Security Audit Programme
4-12 Continuous Monitoring Manual

4.7 PROGRAMME RECORDS

4.7.1 All supporting documentation, correspondence, notes, records and other information relating to
USAP-CMA activities are obtained, managed and filed by ASA through an established and controlled system.

4.7.2 At the end of each mission, all TMs shall submit all supporting documentation and notes from the mission
to the TL. TMs shall also ensure that at the end of the mission and before their departure, all information in electronic
format is deleted from their computers.

4.7.3 TMs are responsible for their own material until it is given to the TL. The TL is also responsible for his/her
notes and materials from the USAP-CMA activity, and for those handed over by TMs, as applicable, until they are
submitted to ASA.

4.7.4 At the end of the mission, the TL shall submit the following documents and records to ASA (preferably an
electronic version) for processing and filing according to established procedures:

a) PQ Worksheets duly completed by the TL and TMs;

b) draft preliminary findings and recommendations;

c) draft preliminary SSeCs, if applicable;

d) supporting evidence and documentation submitted by the State, including primary aviation security
legislation, programmes and regulations; and

e) any other relevant documents used in the preparation and conduct of the USAP-CMA activity.

4.7.5 ASA maintains supporting documentation, notes and records pertaining to USAP-CMA activities for a
minimum of five years. USAP-CMA activities reports are retained electronically for an indefinite period.

4.8 PROGRAMME QUALITY MANAGEMENT

4.8.1 An internal quality assurance process has been established and implemented within ASA to ensure
standardization, consistency and confidence of delivery of all aspects of USAP-CMA activities, including their
preparation, conduct and reporting. The process encompasses the review of auditing standards and procedures and the
guidelines for their application during USAP-CMA activities, as well as a quality control review of all written materials
produced by ASA.

4.8.2 ASA monitors the level of satisfaction of Member States that receive USAP-CMA activities through a State
USAP-CMA activity feedback form that allows States to provide comments, complaints and suggestions for improvement
regarding the planning, coordination, conduct and reporting of the USAP-CMA activity they have received. The TL shall
provide a confidential State USAP-CMA activity feedback form to the State NC at the end of the USAP-CMA activity,
requesting the State to complete and return it to C/ASA.

4.8.3 ASA also obtains feedback on USAP-CMA activities through the TL and TM mission reports, which provide
comments and information on the conduct of USAP-CMA activities from preparation to conduct and assist ASA in
improving USAP-CMA procedures and processes.

4.8.4 ASA maintains a record of all State, TL and TM feedback forms, related recommendations and actions
taken by ASA to address issues and concerns.
Chapter 4. Programme management 4-13

4.9 CONFIDENTIALITY

4.9.1 In recognition of the special sensitivity of information related to aviation security, the USAP, from its
inception, adopted the principle of confidentiality. In practice, this means that audit reports receive a security
classification and are subjected to rigorous physical controls by ICAO. In accordance with established guidelines for the
protection of sensitive security information, audit reports are strictly protected from release to any entity other than the
appropriate authority for aviation security of the audited States and those with an operational need to know within ICAO,
while the names of the States and airports audited are released to all Member States on a regular basis. All other
records, notes and documents collected during, or related to an audit, remain confidential between the audited State and
ICAO. In keeping with the principle of confidentiality, the 36th Session of the ICAO Assembly (Assembly Resolution
A36-20, Appendix E refers) encouraged all States to share their audit reports and information on a bilateral or
multilateral basis in order to promote mutual confidence in the level of aviation security between States. Assembly
Resolution A36-20 has been reinforced with the inclusion of Recommended Practice 2.4.5 in Annex 17, whereby each
Contracting State should share, as appropriate, and consistent with its sovereignty, the results of the audit carried out by
ICAO and the corrective actions taken by the audited State, if requested by another State. To facilitate the exchange of
information, ICAO regularly issues an audit activity report to Member States advising of States audited and airports
visited under the programme.

4.9.2 The 36th Session of the Assembly also directed the Council to consider the introduction of a limited level of
disclosure with respect to aviation security audit results, balancing the need for States to be aware of unresolved
security concerns with the need to keep sensitive security information out of the public realm. Accordingly, the Council
approved, in June 2008, a proposal to introduce a limited level of disclosure with respect to USAP second-cycle audit
results, whereby a graphical representation depicting the level of implementation of the CEs of an aviation security
oversight system for each audited State was posted on the USAP secure website.

4.9.3 The principle of confidentiality continues to apply to the USAP-CMA, as amended by the Council and
based on the generic MoU between ICAO and a Member State regarding the USAP-CMA approved by the Council. The
confidentiality principle stipulates that sensitive security information collected as part of the USAP-CMA will be protected
from unauthorized disclosure. Accordingly, USAP-CMA audit reports are confidential and are only made available to the
audited State and ICAO staff on a need-to-know basis. However, in the interest of promoting global aviation security, a
limited level of disclosure applies whereby charts depicting the level of implementation of the CEs of an aviation security
oversight system by a Member State and the indicative degree of compliance by a Member State with Annex 17
Standards, as well as information pertaining to the existence of unresolved SSeCs in a Member State, are made
available to all Member States on the USAP secure website. States can then take specific actions as they deem
appropriate, such as:

a) request a copy of the relevant ICAO USAP-CMA audit report from the State in question, on the basis
of which further action/decisions may be initiated on a bilateral basis;

b) engage in consultations to assist the State in question in improving its security measures;

c) instruct their aircraft operators to take extra precautions and/or apply additional security measures
regarding flights to/from the State in question; and

d) request additional security measures to be implemented by the State in question with respect to
specific flights.

4.9.4 All security-related information collected or generated during the USAP-CMA activity or as part of the
USAP-CMA process, including answers to the SASAQ, CCs, PQ Worksheets filled in by the USAP-CMA audit team,
auditor notes, and copies of the USAP-CMA audit reports will be marked as “sensitive security information”, stored and
safeguarded at ICAO Headquarters with an appropriate level of protection in accordance with internal procedures
developed by ASA for the protection of audit-related sensitive security information. Such information will be made
Universal Security Audit Programme
4-14 Continuous Monitoring Manual

available only to the Member State concerned and to those within ICAO with an operational need to know, and then only
when it has been determined by C/ASA that the individual has a specific need to know the information in order to
perform his/her duties with respect to the USAP-CMA activities. When the sensitive security information is not being
reviewed, it will be protected against unauthorized access by securing the information in an approved container or
secure database, access to which is strictly limited. A list of persons provided access to the documents will be
maintained. Sensitive security information will not be reproduced except for the functioning of the USAP-CMA, and then
only as authorized by C/ASA. Copies will be numbered and accounted for.

4.9.5 The State USAP-CMA file, to be kept at ICAO Headquarters, will include, but may not be limited to, the
following documents:

a) completed SASAQ and associated documents;

b) completed CCs;

c) preliminary list of findings and recommendations made by the USAP-CMA audit team;

d) State’s USAP-CMA key parameters;

e) State USAP-CMA audit report;

f) CAP submitted by the State (if required), including feedback by ASA;

g) any other audit documents, such as PQ Worksheets and notes made by the auditors; and

h) national- and airport-level documentation collected during the USAP-CMA audit as evidence.

4.9.6 All material used or generated during the USAP-CMA on-site activity shall remain confidential, including
personal notes and draft reports prepared by the USAP-CMA audit team. All sensitive audit documents are considered
the property of ICAO and shall be returned to ICAO upon completion of the USAP-CMA on-site activity. USAP-CMA
audit team participants are to maintain strict confidentiality in respect of audit-related information and in particular the
content of audit reports. TMs shall not:

a) leave printed or handwritten notes behind when performing on-site activities and must dispose of them
appropriately;

b) make personal copies of any documents provided to them by the State, nor share any information
contained therein with any person other than the TL, TMs, State officials and counterparts concerned,
and then only to facilitate the USAP-CMA activity;

c) be allowed to keep any handwritten or electronic documents concerning the audit performed and are
prohibited from using any information gained during the USAP-CMA activity for their own and/or
national purposes.

4.9.7 In this respect, as with other issues relating to confidentiality of USAP-CMA activities, TMs should adhere
to The ICAO Service Code (Doc 7350/9), Staff Regulation 1.8, which states that:

Staff members shall exercise the utmost discretion in regard to all matters of official business. They shall
not communicate to any person any information known to them by reason of their official position which
has not been made public, except in the course of their duties or by authorization of the Secretary General.
They shall not at any time use such information to private advantage. These obligations do not cease upon
separation from service.
Chapter 4. Programme management 4-15

4.9.8 The ICAO Service Code (Doc 7350/9), Staff Regulation 1.4 states that:

Staff members shall conduct themselves at all times in a manner befitting their status as international civil
servants.

This is binding for all TMs with respect to all their assignments as USAP-CMA activity TMs, and is applicable to all
information received in any form as a result of their association with the USAP-CMA.

4.9.9 Information regarding a refusal by a State to undergo a USAP-CMA audit, a deferral of the USAP-CMA
audit, or a refusal to comply with the terms of the relevant MoU, is not treated as confidential.

4.10 LANGUAGE

4.10.1 USAP-CMA activities will be conducted in English, French or Spanish. Member States shall indicate which
of these languages they wish to be used for the conduct of the scheduled USAP-CMA activities and for communicating
with ASA.

4.10.2 In the case of USAP-CMA on-site activities, if the ICAO working language of the State is one of the
remaining three ICAO working languages (Russian, Arabic or Chinese), every effort will be made to ensure that at least
one TM participating in the activity has command of the ICAO working language of the State concerned.

4.10.3 USAP-CMA activities in Member States whose language is not one of the ICAO working languages may
be conducted with the assistance of an interpreter.

Note.— Use of interpreters in the USAP-CMA on-site activity with the purpose of facilitating
communications between the State and the USAP-CMA audit team is at the discretion of the State.

4.10.4 Interpretation and translation support during the conduct of USAP-CMA on-site activities shall be provided
by Member States.

4.10.5 To facilitate timely and effective review, any documentation submitted by a State to ASA, including primary
aviation security legislation, programmes and regulations, should be in one of the ICAO working languages, but
preferably in the language of the USAP-CMA activity.

4.10.6 The USAP-CMA activity report will be forwarded to the State in the ICAO working language selected by the
State for the conduct of the USAP-CMA activity. If the ICAO working language of the State is Russian, Arabic or Chinese,
the USAP-CMA activity report will be translated into the corresponding ICAO working language of the State, and
additional time will be allocated, as required.

4.11 RESOLUTION OF DISPUTES

4.11.1 In performing duties related to the USAP-CMA, all assigned personnel shall aim to prevent disputes by
working closely with their State counterparts as transparently and fairly as possible.

4.11.2 Disputes may arise during a USAP-CMA activity process. For example, there could be a dispute between
TMs, or a dispute between the audited State and the USAP-CMA audit team concerning the:

a) adherence to the USAP-CMA procedures;


Universal Security Audit Programme
4-16 Continuous Monitoring Manual

b) findings in the post-audit debrief and/or USAP-CMA audit report; and/or

c) recommendations in the USAP-CMA audit report, whether as a result of the interpretation of Annex 17
Standards or security-related provisions of Annex 9, or otherwise.

4.11.3 In the case of a dispute within a USAP-CMA audit team, the TL has veto power to resolve the
disagreement. If necessary, an incident report outlining the circumstances of the dispute may be attached to the TL
and/or TM mission report that is forwarded to C/ASA.

4.11.4 In the case of a dispute between the audit team and the audited State at any stage of the USAP-CMA
process that cannot be resolved by the assigned personnel, the dispute shall be reported to C/ASA, who will work to
facilitate an amicable resolution, failing which the issue may be referred to an appropriate authority within ICAO for
consideration and resolution.

4.11.5 In any case where the audited State proposes not to implement a recommendation because it disagrees
with the findings of the USAP-CMA audit team or the interpretation of the Annex 17 Standards or security-related
provisions of Annex 9 by the USAP-CMA audit team, it will cooperate with ICAO to resolve that disagreement.

4.11.6 In all cases, audited States are given an opportunity to submit comments and feedback on the report. The
audit report may be revised as a result of this feedback.

______________________
Chapter 5

USAP-CMA AUDIT TEAMS

5.1 USAP-CMA AUDIT TEAM COMPOSITION

5.1.1 USAP-CMA audit teams are assigned by C/ASA and consist of a TL and a number of TMs, as required,
covering the scope of the USAP-CMA activity to be conducted. USAP-CMA on-site audit teams normally consist of a TL
and three TMs and may be augmented or reduced depending on the scope of the USAP-CMA activity and the
complexity of civil aviation operations in the State. USAP-CMA off-site audit teams consist of a TL only.

5.1.2 USAP-CMA audit teams will be assigned for each USAP-CMA activity, and although the same auditors
may be involved in multi-State missions, the audit team structure may change for each activity. The USAP-CMA audit
team will be comprised to ensure that both a high level of expertise is available, and the requirements of objectivity and
fair geographical representation are met. Prior to the commencement of a USAP-CMA activity, the State will be advised
of the USAP-CMA audit team’s composition in sufficient time to have the opportunity to provide any desired feedback to
ICAO and to be able to facilitate applications for visas and other administrative matters.

5.1.3 With the exception of the TL, the USAP-CMA activity TMs will remain employees of their nominating
Member State. As such, it is necessary for each TM to look to his/her own insurance arrangements to ensure adequate
medical coverage while participating in a USAP-CMA activity.

5.1.4 During their period of service on a USAP-CMA assignment, all TMs are considered as international officials
working under the auspices of ICAO and representing only ICAO for the entire duration of the USAP-CMA activity. They
must clearly understand that they are not, in any sense, serving as representatives of a national government. All TMs
are entitled to privileges and immunities granted to ICAO staff on mission and are subject to The ICAO Service Code
(Doc 7350/9). Each TM will be required to sign the ICAO Code of Conduct Form for Auditors set forth in Appendix D,
which defines the responsibilities, including, but not limited to, confidentiality requirements undertaken by any person
participating in a USAP-CMA audit team.

5.1.5 The minimum qualifications and experience requirements to be met for certification as a USAP-CMA
auditor, along with the requirements for maintaining certification, are set forth in Appendix B. No individual may
participate as a TL or a TM in a USAP-CMA activity unless they have met these specific requirements.

5.1.6 ASA maintains a roster of certified auditors. The members of each USAP-CMA audit team are selected
from this roster based on their availability, up-to-date training status and currency to conduct USAP-CMA activities. The
roster of certified auditors provides information on the qualifications, roles (as TM or TL), languages and any special
skills, knowledge or abilities possessed by each auditor. It also tracks the records of their initial, on-the-job and recurrent
training and the USAP activities carried out by each auditor. Such records will facilitate the assignment of auditors and
help determine recurrent training requirements. The geographical location of each auditor is also indicated to facilitate
planning and scheduling and to minimize travel costs for each on-site activity.

5.1.7 On occasion, ICAO may wish to include observers in the USAP-CMA on-site activity. Such observers do not
participate in the USAP-CMA activity in an official capacity as TMs and shall only observe the interaction of other TMs with
State counterparts. If ICAO wishes to include an observer, the State must be notified before the start of the on-site activity
and must agree with the participation of the observer. Non-ICAO observers are not privy to the State’s confidential
information and are not entitled to any privileges and immunities granted to staff representing ICAO while on mission.

5-1
Universal Security Audit Programme
5-2 Continuous Monitoring Manual

5.2 TRAINING AND CERTIFICATION OF AUDITORS

5.2.1 Assessment of the implementation of the CEs of a State’s aviation security oversight system, Annex 17
Standards and security-related provisions of Annex 9 to the Chicago Convention requires an understanding of how each
CE or ICAO provision may be implemented. USAP-CMA auditors are required to undergo training in order to standardize
the working methodology used for achieving the programme’s goals, and to obtain the information and documentation
required to be fully conversant with the programme. To ensure commonality of purpose among USAP-CMA auditors,
each aviation security expert nominated by a State is required to successfully complete training and certification prior to
any assignment as a USAP-CMA TM.

5.2.2 USAP-CMA training procedures define and establish the criteria related to the acceptable qualifications of
auditors, based on a combination of their education, work experience, technical background and training. ASA conducts
and oversees USAP-CMA auditor training and certification. Each aviation security expert nominated by a State will be
required to successfully complete both training and certification prior to any assignment as a USAP-CMA activity TM.

5.2.3 The objective of the USAP-CMA auditor training and certification course is to provide the participants with
a thorough knowledge and understanding of the methodology, tools and techniques used by ASA for the conduct of
activities under the ICAO USAP-CMA. A candidate who meets the basic minimum qualifications for a USAP-CMA
auditor may be nominated to undergo the ICAO USAP-CMA auditor training and certification process. The description of
the USAP-CMA auditor training and certification course, including the prerequisites for participation and criteria for initial
certification, is set forth in Appendix B of this manual.

5.2.4 Auditors who have successfully completed the USAP-CMA Auditor Training and Certification Course receive
on-the-job training (OJT) during the USAP-CMA on-site activity from a USAP-CMA activity TL who evaluates the auditor’s
performance, competency and ability to conduct assigned tasks, and reports the OJT results to C/ASA. The TL makes a
recommendation to C/ASA regarding the auditor’s readiness to participate in future USAP-CMA activities as a TM.

5.2.5 C/ASA reviews the auditor’s input to the activity results along with the TL’s report and decides on the
auditor’s participation in future USAP-CMA activities as a TM. C/ASA approves auditors who have successfully
completed all required training and adds them to the roster of certified auditors. Training, certification and OJT records
are considered in future decisions about assignment of TMs to USAP-CMA activities.

5.2.6 ASA maintains a consolidated, current list of certified USAP-CMA auditors. This list contains records of
initial and recurrent training, ICAO USAP-CMA activities performed, and any special skills, knowledge or abilities with
respect to each certified auditor. Such records facilitate the assignment of auditors and help determine recurrent training
and recertification requirements. Information related to the maintenance of certification as a USAP-CMA auditor is
included in Appendix B.

5.3 TEAM LEADERS

5.3.1 C/ASA will appoint a USAP-CMA activity TL for each USAP-CMA activity. A USAP-CMA activity TL must
be an ASA staff member, whether on a long- or short-term contract. C/ASA will take into consideration the qualifications,
language abilities, experience and relations with other TMs when assigning a TL for a USAP-CMA activity.
Chapter 5. USAP-CMA audit teams 5-3

5.3.2 The USAP-CMA activity TL assumes responsibility for all phases of the assigned USAP-CMA activity:
preparation, conduct and reporting, in accordance with guidance and instructions provided by ASA, including those
found in this manual. In addition to specific tasks assigned by C/ASA, a USAP-CMA activity TL’s responsibilities include:

a) preparing for the USAP-CMA activity and coordinating related details with ASA and the State NC on
matters related to the conduct of the USAP-CMA activity;

b) preparing the State-specific USAP-CMA audit plan for USAP-CMA on-site activities;

c) communicating with the State regarding technical, administrative and logistical issues;

d) liaising with ROs or regional civil aviation organizations, if required;

e) communicating with and informing assigned TMs regarding the preparation phase and other pertinent
information;

f) conducting a USAP-CMA on-site audit team briefing for the TMs prior to the national briefing with the
State appropriate authority;

g) conducting a national briefing and a post-audit debriefing with the State appropriate authority;

h) conducting a daily debriefing with the NC during the conduct of the USAP-CMA activity to share
results of the audit to date;

i) conducting a daily meeting with the USAP-CMA on-site audit team to discuss the day’s activities, to
identify additional needs, and to prepare for the forthcoming day;

j) immediately notifying C/ASA of any serious concerns encountered during the USAP-CMA activity,
such as potential SSeCs;

k) collecting and consolidating TMs’ input for preparation of the USAP-CMA activity results and the draft
preliminary findings and recommendations;

l) ensuring the quality of TMs’ input and collected evidence;

m) ensuring the accuracy and quality of the contents of the draft preliminary findings and
recommendations;

n) managing the USAP-CMA audit team’s workload and progress to accomplish the activity;

o) providing leadership, guidance and support to TMs at all times during the USAP-CMA on-site activity;

p) ensuring that the USAP-CMA audit team follows the USAP-CMA procedures and the ICAO Code of
Conduct for Auditors (Appendix D);

q) collecting all evidence, contributions, notes, information, documents and forms from TMs and
submitting them to ASA;

r) developing and submitting to C/ASA the draft USAP-CMA audit report in compliance with the
established timelines and requirements of ASA;
Universal Security Audit Programme
5-4 Continuous Monitoring Manual

s) providing ASA with additional information and clarification during the report production phase, as
required;

t) preparing the TL’s mission report;

u) evaluating the performance and abilities of TMs and providing a completed evaluation form to C/ASA
for each TM;

v) providing OJT to TLs and TMs in training;

w) submitting to C/ASA all confidential documents and notes collected during the USAP-CMA activity
process; and

x) participating in USAP-CMA auditor training and certification courses as an instructor.

5.3.3 Each TL is also assigned to cover one (or more) of the audit areas within the scope of the USAP-CMA on-site
activity, except in cases where the size and complexity of the State requires a large audit team and a dedicated TL.

5.4 TEAM MEMBERS

5.4.1 USAP-CMA activity TMs are assigned to a specific activity by C/ASA and are responsible to the
USAP-CMA activity TL. TMs are selected from the roster of certified auditors available to C/ASA.

5.4.2 As representatives of ICAO, TMs are required to be free from bias and influences that could affect their
objectivity as USAP-CMA activity TMs. They must maintain independence from the audited State. They must always
remain within the scope of the USAP-CMA activity, display integrity, exercise objectivity and remain alert to any
indication of evidence that may have an adverse impact on the activity result. TMs are to cooperate and comply with the
TL’s requirements and instructions and to carry out their assigned duties with objectivity, confidentiality, and in an ethical
manner. They must act in accordance with the ICAO Code of Conduct for Auditors (Appendix D) at all times. They must
also be guided by the auditing principles described in 2.4.

5.4.3 In addition to the specific tasks assigned by C/ASA or the USAP-CMA activity TL, the USAP-CMA on-site
audit TM’s responsibilities include:

a) communicating and clarifying USAP-CMA activity requirements;

b) planning and carrying out assigned responsibilities effectively and efficiently;

c) collecting, assessing and submitting evidence;

d) documenting all findings and observations;

e) coordinating with and assisting other TMs;

f) completing PQ Worksheets in their assigned audit areas and determining the status of those PQs;

g) participating in, and contributing to, all briefings and meetings, including the daily presentation of work
progress made in the various audit areas;

h) providing input to the draft preliminary findings and recommendations;


Chapter 5. USAP-CMA audit teams 5-5

i) submitting all evidence, contributions, notes, information, documents and forms by the deadlines
specified by the TL at the conclusion of the activity, in accordance with the requirements of ASA;

j) submitting to ASA, through the USAP-CMA activity TL, all confidential documents and notes pertaining
to the activity;

k) submitting to C/ASA, through the USAP-CMA activity TL, a TM mission report;

l) cooperating with and assisting the USAP-CMA activity TL at all times during the preparation, conduct
and completion of the USAP-CMA activity; and

m) responding to ASA’s queries during the report production process.

5.4.4 Although the TL is responsible overall for ensuring that tasks are completed at the appropriate time during
the activity, all TMs must be vigilant and support the TL and each other in achieving the goals and objectives of
USAP-CMA activities.

5.5 COMPETENCIES

5.5.1 TLs and TMs shall possess the competencies required for conducting USAP-CMA activities, performing
related tasks and applying USAP-CMA tools and procedures. Required competencies shall include:

a) applying auditing principles and techniques;

b) performing TL and TM responsibilities and functions;

c) complying with USAP-CMA procedures and completing PQ Worksheets and mission report forms
related to the conduct of USAP-CMA audits;

d) identifying and generating findings; and

e) identifying and reporting SSeCs.

5.5.2 TMs are expected to have:

a) recent work experience with an appropriate authority as an inspector in any one of the following audit
areas pertaining to USAP-CMA:

1) OPS;

2) IFS;

3) PAX; and

4) CGO.
Universal Security Audit Programme
5-6 Continuous Monitoring Manual

b) working knowledge of the Chicago Convention and thorough knowledge of the ICAO documents used
in conducting the USAP-CMA activities, such as the current editions of:

1) Annex 17 — Security;

2) Annex 9 — Facilitation;

3) Aviation Security Manual (Doc 8973 — Restricted);

4) Aviation Security Oversight Manual — The Establishment and Management of a State’s Aviation
Security Oversight System (Doc 10047); and

5) this manual.

c) working knowledge and experience related to aviation security legislation, programmes and
regulations, and familiarity with internationally recognized regulatory systems;

d) command of written and spoken English, French or Spanish;

e) ability to write clearly and concisely; and

f) ability to use office automation equipment and contemporary computer software.

5.5.3 It is desirable for TMs to have the following:

a) knowledge of ICAO’s organization, functions and activities;

b) aviation industry experience, such as with an airport or aircraft operator; and

c) knowledge of one of the other working languages of ICAO (Russian, Arabic or Chinese).

5.6 CODE OF CONDUCT

5.6.1 All USAP-CMA auditors that participate in on-site activities, regardless of their role, are expected to
maintain the highest standards of ethical and professional conduct, thus contributing to the effective completion of a
USAP-CMA on-site activity. Their relationship with representatives of the audited State should be characterized by
respect and professionalism.

5.6.2 The ICAO Code of Conduct for Auditors (Appendix D) defines the responsibilities of any person assigned
to a USAP-CMA on-site audit team. It provides TMs with guidelines regarding their behaviour during and after a
USAP-CMA on-site activity, such as the need for auditors to act fairly, avoid testing security measures, show respect for
safety requirements, wear appropriate identification badges and maintain the confidentiality of the audit results.

5.6.3 USAP-CMA auditors should approach officials in the State undergoing the audit in a spirit of cooperation
that conveys mutual concern about the potential threats to civil aviation and a desire to observe, learn, share information
and work together in enhancing aviation security. USAP-CMA auditors should be sensitive to the State’s concerns,
needs and resources available, and should present and conduct themselves at all times in a manner befitting their role
as representatives of ICAO.
Chapter 5. USAP-CMA audit teams 5-7

5.6.4 USAP-CMA auditors should at all times observe the laws, customs, and except in rare circumstances, the
social norms of the host country. Alleged offensive language, gestures or other distasteful actions toward the local
population may result in an investigation and, if substantiated, possible ineligibility to continue as a USAP-CMA auditor.
USAP-CMA auditors should be sensitive to any differences in status or rank and conduct themselves accordingly. Courtesy
and diplomacy are not merely helpful qualities to the successful attainment of the USAP’s goals — they are essential.

5.6.5 For safety reasons, USAP-CMA auditors should not draw undue attention to themselves and should blend
into the local environment as much as possible. They should not engage in loud conversations or flaunt their citizenship
unnecessarily through their dress, actions or words. It is imperative that USAP-CMA auditors never discuss their official
business in public areas, while on public transportation, or with those who do not have an official need to know.

5.6.6 USAP-CMA auditors must become as familiar as possible with the State to be visited. This includes
information concerning the language, basic history and geography, social customs and current political climate. Prior
coordination with the TL to confirm the proposed itinerary, passport and visa requirements, inoculations and similar
administrative details is essential.

5.6.7 Climate permitting, USAP-CMA auditors should conduct their official business in appropriate business
attire. The TL should provide guidance on appropriate dress for the culture and climate of the State to be visited. In most
cases, appropriate dress will be the business attire normally worn in the international community. In some locations,
however, traditional business attire may be less formal or otherwise different.

5.6.8 Prior to departure, the USAP-CMA auditors should become thoroughly familiar with the information
regarding general security conditions at the locations to be visited. Where applicable, the local United Nations Security
Coordinator should be contacted to arrange an on-site briefing at the start of the audit mission.

5.6.9 A prerequisite for official travel by United Nations system personnel is successful completion of all required
training, including Basic Security in the Field (BSITF) on-line training for all official travel and Advanced Security in the Field
(ASITF) on-line training for official travel to any field location. All USAP-CMA auditors are required to successfully complete
the BSITF and ASITF training courses and provide ICAO with a copy of their printed course certificates. BSITF and ASITF
certificates are valid for three years, at which point USAP-CMA auditors must follow the courses again to recertify.

5.6.10 USAP-CMA TMs will be briefed by the TL on security conditions in the State to be audited and are
expected to act on this information while also adhering to any requirements set forth by the State.

5.6.11 USAP-CMA TMs must adhere to the itinerary provided by the TL and be on time for all meetings or
appointments made by the State. Any sightseeing, shopping, personal visits or other unofficial activities that occur at the
expense of the USAP’s objectives will not be tolerated.

5.6.12 As a member of an audit team tasked with conducting the USAP-CMA activity, each USAP-CMA auditor is
expected to participate in the audit to his/her fullest ability.

5.6.13 Each TM is responsible for documenting all information gathered through the review of documents,
interview of relevant personnel and observation of measures and procedures by completing an electronic version of
PQ Worksheets. Information gathered and documented during an audit should represent the TM’s most conscientious
effort at objectivity, thoroughness and good judgement.

______________________
Chapter 6

USAP-CMA ACTIVITY PHASES AND PROCEDURES

6.1 USAP-CMA ACTIVITY PHASES

The USAP-CMA activity is divided into the following three phases:

a) preparation phase;

b) conduct phase; and

c) reporting phase.

6.2 PREPARATION PHASE

6.2.1 The USAP-CMA activity preparation phase starts when the ICAO Member State is formally notified of the
conduct of a USAP-CMA activity by means of a letter signed by the ICAO Secretary General, at least 120 calendar days
prior to the commencement of the planned USAP-CMA activity. The accredited ICAO RO is informed of the formal
notification of a USAP-CMA activity and may be requested to follow up the initiative with the State. The notification letter
specifies the dates and the type of planned USAP-CMA activity (on-site, i.e. oversight/compliance-focused audit,
including the name(s) of the airport(s) selected for observation, or off-site, i.e. documentation-based audit). The
USAP-CMA activity preparation phase concludes with the USAP-CMA audit team briefing prior to the opening national
briefing with the State’s authorities, in the case of a USAP-CMA on-site activity, or on the starting date specified in the
ICAO letter of notification, in the case of a USAP-CMA off-site activity.

6.2.2 The Member State is urged to give full support to ICAO by accepting the USAP-CMA activity as scheduled
by ICAO by confirming, as soon as possible, the acceptability of the dates of the proposed USAP-CMA activity. In the
notification letter, the Member State is also requested to submit to ICAO:

a) no later than 60 calendar days prior to the start of the USAP-CMA activity, the duly completed SASAQ
designed to provide ICAO with preliminary information concerning the State’s aviation security and
oversight systems, including the duly completed State Quality Control Activity Summary Form and the
schedule of quality control activities for the previous calendar year and for the current year;

b) the duly completed CCs, reflecting State’s compliance with the SARPs of Annex 17 and
security-related provisions of Annex 9 to the Chicago Convention;

c) the updated CAP, reflecting the progress made by the State in the implementation of corrective
actions since the last USAP audit and addressing the status of not satisfactory PQs; and

d) appropriate documentation that will assist in the preparation of the USAP-CMA activity, such as the
State’s primary aviation security legislation, national-level aviation security programmes and
regulations, and airport-level aviation security programmes and procedures.

6-1
Universal Security Audit Programme
6-2 Continuous Monitoring Manual

Note.— The scope of documentation to be completed and submitted by the State may vary depending on
the type of USAP-CMA activity, which will be clearly described in the notification letter to the State.

6.2.3 If available, the State’s primary aviation security legislation, specific aviation security regulations and
national-level programmes, such as the NCASP, the NCASTP and the NQCP, should be provided at the same time as
the SASAQ and CCs. This documentation should be provided in one of the official ICAO languages and preferably in the
working language of the planned USAP-CMA activity. The provision of such documentation will also allow the
USAP-CMA audit team to prepare and validate information prior to the conduct phase of the USAP-CMA activity.

6.2.4 C/ASA appoints a TL for each USAP-CMA activity at least six months prior to the commencement of the
USAP-CMA activity. The TL is an ICAO staff member who is responsible for the:

a) preparation, conduct and reporting of the assigned USAP-CMA activity in accordance with guidance
and instructions developed by ICAO; and

b) provision of leadership and guidance to TMs in the case of a USAP-CMA on-site activity.

6.2.5 C/ASA also assigns TMs for a USAP-CMA on-site activity shortly after the appointment of the TL, normally
three to six months prior to the commencement of a USAP-CMA activity. TMs are selected from the roster of
ICAO-certified USAP-CMA auditors taking into consideration the geographical region, their area of expertise and the
language of the USAP-CMA activity. The audit team size depends on the type and scope of the USAP-CMA activity, as
well as the complexity of civil aviation activities in the State.

6.2.6 The State to be audited will be provided with the name(s) of the assigned TL and TMs approximately two
months prior to any scheduled USAP-CMA activity and will have the opportunity to provide any desired feedback to
ICAO. Any concerns the State may have regarding the composition of the USAP-CMA audit team may be raised and will
be considered by C/ASA. The final composition of the USAP-CMA audit team will be provided to the State prior to any
scheduled on-site activity in sufficient time to enable it to facilitate applications for visas and other administrative matters.
Auditors nominated for participation in the USAP-CMA activity will receive a clear mandate and credentials letter from
ICAO in order to act as representatives of ICAO for the purpose of the USAP-CMA activity.

6.2.7 Once the TL has been appointed by C/ASA, he/she will contact the NC appointed by the Member State to
coordinate the preparation of the USAP-CMA activity. The TL will work directly with the NC who will represent the
interests of the Member State for the purpose of the USAP-CMA activity.

6.2.8 Prior to the commencement of a USAP-CMA activity, the TL will conduct a review of the information
provided in the SASAQ, CCs and updated CAP, as completed by the State, as well as previous USAP audit results and
any documentation provided by the State. Differences filed by the State with respect to Annex 17 SARPs and
security-related provisions of Annex 9 will also be reviewed at this time. This information will be confirmed or updated
during the course of the USAP-CMA activity using the CCs that contain information on the State’s compliance with
Annex 17 SARPs and security-related provisions of Annex 9, which the Member State shall complete and maintain up to
date in accordance with the MoU. It should be noted, however, that the filing of a difference by a State with respect to
any particular SARP will not preclude the possibility of an audit finding and recommendation being made with regard to
the SARP concerned.

6.2.9 One of the objectives of the USAP-CMA activity preparation phase is to define the scope of the activity in
terms of applicable USAP-CMA PQs to be addressed during the USAP-CMA activity. The type and scope of a
USAP-CMA on-site audit, as well as the complexity of civil aviation activities in the State, define the amount of work to
be performed on-site, which determines the size of the USAP-CMA audit team and the duration of the USAP-CMA
activity. The TL confirms the scope and number of days scheduled for the USAP-CMA on-site audit to ensure that the
assigned audit team will be able to accomplish the activity’s goals. If required, the TL may request C/ASA for
adjustments to the duration of the activity or assignment of additional TMs.
Chapter 6. USAP-CMA activity phases and procedures 6-3

6.2.10 The TL determines the scope of the USAP-CMA activity in the form of a set of USAP-CMA PQs and
forwards it to the NC, normally one month prior to the commencement of the USAP-CMA activity, for coordination with
the State’s relevant national- and airport-level entities. These PQs may include, but are not necessarily limited to:

a) PQs relating to processes that States should continuously implement;

b) new PQs added since the previous USAP audit of the State, such as PQs relating to new Standards of
Annex 17 or security-related provisions of Annex 9;

c) not satisfactory PQs from the previous USAP audit of the State;

d) not applicable PQs from the previous USAP audit of the State to confirm/update the current status of
those PQs; and

e) any PQs relating to information obtained from other sources that might indicate a change in the State’s
USAP-CMA key parameters.

Note 1.— States may request ICAO to modify the scope of a USAP-CMA activity only in extreme
circumstances and by providing ICAO with a valid justification.

Note 2.— For USAP-CMA off-site activities, the status of certain PQs related to operational implementation
of various security measures will be marked as undetermined. The status of such PQs will be assessed during
USAP-CMA on-site activities.

6.2.11 For USAP-CMA off-site activities, the TL forwards the scope of the USAP-CMA activity to the NC in the
form of USAP-CMA PQ Worksheets. The NC coordinates with the State’s relevant national- and airport-level entities the
completion of PQ Worksheets within the established scope of the USAP-CMA activity and their subsequent submission
to the TL. The evaluation of completed PQ Worksheets will be conducted by the TL during the conduct phase of the
USAP-CMA off-site activity.

6.2.12 For USAP-CMA on-site activities, a State-specific audit plan will be developed by the TL based on the
defined scope of the USAP-CMA activity and forwarded to the NC for coordination with State authorities prior to the
commencement of the USAP-CMA activity. The TL also forwards the State-specific audit plan to all assigned TMs for
information to assist them in preparing for the USAP-CMA on-site activity. The purpose of the State-specific audit plan is
to outline in detail the proposed schedule of on-site activities (daily work plan), such as meetings, briefings and visits to
concerned authorities, facilities and aviation security service providers, as well as to provide the State with the
necessary administrative information related to the conduct of the USAP-CMA on-site activity. Last-minute modifications
to the State-specific audit plan may occur, in which case the TL will inform the State authorities as soon as practicable.
The daily work plan is submitted to the State for its consideration and agreement. It is approved during the national
briefing with the State’s authorities.

6.2.13 The State-specific USAP-CMA audit plan will include the following information:

a) general information, such as:

• MoU signature date and audit period;

• national briefing and post-audit debriefing venue, date and time;

• contact details of the appropriate authority and the NC;

• objective and scope of the audit (audit areas to be considered);


Universal Security Audit Programme
6-4 Continuous Monitoring Manual

• language to be used for the conduct of the audit and for the audit report; and

• checklist of documents submitted by the State;

b) TMs’ names and assigned audit areas;

c) daily work plan;

d) list of entities to be visited under each audit area; and

e) logistics and miscellaneous, such as:

• travel itineraries for the TL and all TMs;

• visa information;

• health information;

• security information;

• hotel reservations;

• ICAO DSA and hotel portion; and

• other useful travel tips (departure taxes, local currency and exchange rate to USD, time
difference, etc.).

6.2.14 The TL coordinates with the NC any visits by the USAP-CMA audit team to industry or service providers.
The State is responsible for arranging and coordinating domestic travel and for covering related transportation costs.
The NC will be the USAP-CMA audit team’s primary point of contact for all meetings and visits during audit activities.
The NC will be involved and informed at every phase of the audit but should not seek to influence the audit results. The
NC’s assistance and comments may be sought by the USAP-CMA audit team.

6.2.15 The TL, in coordination with the NC, shall determine the requirements for language interpretation services,
if required, the provision of which is the State’s responsibility.

6.2.16 The TL will meet with TMs for a USAP-CMA on-site audit team briefing one day prior to the
commencement of the USAP-CMA activity. The objective of the briefing is to build team synergy, provide further
familiarization to TMs on the processes and tools of the USAP-CMA activity and ensure that all TMs are aware of
pertinent information. The USAP-CMA audit team will discuss the USAP-CMA audit, review the completed SASAQ and
CCs and develop a list of questions and/or identify additional information required by the USAP-CMA audit team. In
addition to determining points of specific focus to be addressed with the Member State, the USAP-CMA audit team will
review the State-specific USAP-CMA audit plan and daily schedule of audit activities (daily work plan).

6.2.17 The following elements should be addressed by the TL during the USAP-CMA on-site audit team briefing:

a) welcome all TMs and make introductions;

b) describe objectives and methodology of the USAP-CMA activity;

c) confirm domestic arrangements, including accommodation and transportation details;


Chapter 6. USAP-CMA activity phases and procedures 6-5

d) provide copies of the ICAO Code of Conduct for Auditors (Appendix D) to each TM, and ensure that all
TMs read and sign the cover sheet and return it to the TL;

e) reinforce the ICAO Code of Conduct for Auditors, including the confidentiality requirements relating to
audit results and documents, and the policy of not accepting gifts;

f) provide guidelines on dealing with State counterparts and external entities (such as media, reporters
and labour unions);

g) distribute all available documents to the audit team (completed SASAQ, CCs, documentation provided
by the State, USAP-CMA audit plan, PQ Worksheets, mission reports, etc.);

h) review the State-specific audit plan, scheduled daily work plan and any ad hoc arrangements
(e.g. transportation);

i) review audit areas assigned to each TM;

j) review the completed SASAQ and CCs;

k) confirm work methods to be used during the audit, as well as the tasks, responsibilities and
deliverables of TL and TMs; and

l) clarify and confirm deadlines for the completion of individual contributions and submission of
completed PQ Worksheets to the TL.

6.3 CONDUCT PHASE

6.3.1 During this phase, a USAP-CMA audit team visits the State for the selected USAP-CMA on-site activity
within the determined scope and:

a) conducts a systematic and objective assessment of the State’s aviation security oversight system and
the State’s compliance with Annex 17 Standards and security-related provisions of Annex 9 using
USAP-CMA PQs, and recommends the issuance of any findings and/or SSeCs to address identified
deficiencies;

b) collects and records any evidence provided by the State regarding the implementation of CAPs and
the actions taken to resolve any pre-existing findings; and

c) informs the State of the outcome of the USAP-CMA audit during the post-audit debriefing between the
USAP-CMA audit team and State authorities.

6.3.2 The State should:

a) ensure that State representatives, counterparts and staff members implicated in the conduct of the
USAP-CMA audit are available for interviews and discussions with the USAP-CMA audit team;

b) make the evidence, information and documentation requested by the USAP-CMA audit team readily
available and submit these to the audit team in a timely manner;

c) facilitate and arrange visits to industry and/or service providers;


Universal Security Audit Programme
6-6 Continuous Monitoring Manual

d) provide a suitable working environment for the USAP-CMA audit team; and

e) arrange daily transportation and administrative support, as required.

6.3.3 The conduct of the USAP-CMA on-site audit will be focused on the systematic gathering of information by
means of observation, interviews and review of documents, whenever possible. All activities undertaken by the
USAP-CMA audit team will be transparent and conducted only with the approval of the State. At no time will the
USAP-CMA audit team engage in activities that could be perceived as covert efforts to test or penetrate security
operations.

6.3.4 For USAP-CMA off-site activities, as mentioned in 6.2.11, the TL submits a set of USAP-CMA
PQ Worksheets within the defined scope of the USAP-CMA activity to the NC for coordination with the State’s relevant
national- and airport-level entities for self-assessment and subsequent return to the TL. The TL evaluates the State’s
answers in those PQ Worksheets received from the NC in conjunction with the documents and evidence submitted by
the State that support the implementation of selected PQs, including, but not limited to, the updated CAP and associated
evidence, the SASAQ, CCs and other documentation submitted by the State. The TL may request the NC to provide
other relevant or necessary documentation related to the scope of the USAP-CMA activity, as applicable. The TL may
request additional information and/or clarification from the State and may interview relevant personnel via telephone or
other means. The NC should facilitate this process and communicate with the TL in a timely manner and provide all
required information and documentation.

National briefing

6.3.5 The USAP-CMA audit TL will conduct a national briefing on the first day of the USAP-CMA on-site audit,
which should be scheduled in advance and included in the State-specific audit plan. The purpose of the briefing is to:

a) introduce the USAP-CMA audit team;

b) brief the appropriate authority and senior officials of the State hosting the audit on the USAP-CMA
methodology, processes, procedures and scope of the USAP-CMA audit;

c) provide an overview of the USAP-CMA audit team’s activities at the airport(s) selected for observation,
including the manner in which the collection of information surrounding the security controls and
measures will occur;

d) finalize and confirm audit plan arrangements and organizational aspects related to the USAP-CMA
audit; and

e) gather additional information, if necessary.

6.3.6 The national briefing may be co-chaired by the senior executive of the State, who may also wish to provide
information and/or a briefing to the USAP-CMA audit team. TMs should also attend the national briefing.

6.3.7 During the national briefing, the TL should:

a) thank representatives of the State and other aviation security stakeholders for their cooperation;

b) introduce him/herself and the TMs, citing their qualifications and background;

c) reiterate the language to be used during the USAP-CMA audit, and notify participants of any special
language skills among the USAP-CMA audit TMs;
Chapter 6. USAP-CMA activity phases and procedures 6-7

d) explain the objective of the USAP-CMA;

e) review the MoU signed between ICAO and the State, specifically objectives and principles of the
USAP-CMA audit (responsibilities and duties of the State and the USAP-CMA audit team);

f) describe the USAP-CMA audit process and methods of gathering information (e.g. observation,
discussion, review of documents) during the audit and the scope of the audit;

g) briefly present and confirm the State-specific audit plan and schedule of activities, and adjust if
required;

h) outline the concluding phase of the USAP-CMA audit, including the presentation of the preliminary list
of findings and recommendations at the post-audit debriefing, and confirm the arrangements for the
debriefing (participants, location, date and time);

i) explain the reporting system, including the USAP-CMA audit report and the CAP based on the
USAP-CMA audit findings and recommendations;

j) confirm the name of the official designated by the State to receive the USAP-CMA audit report;

k) review and clarify, if necessary, the answers provided by the State to the SASAQ and CCs;

l) request and clarify additional information pertaining to Annex 17, security-related provisions of
Annex 9 and the SASAQ, as appropriate;

m) provide an overview of the USAP-CMA audit team’s understanding of the aviation security
organization and responsibilities for implementing security measures at the airport(s) selected for
observation, when necessary;

n) note any special comments or concerns of the State with regard to the conduct of the audit or areas to
be observed;

o) confirm the location of the USAP-CMA audit team facilities;

p) confirm the identity of the official USAP-CMA audit team escorts and the means of communication
between the audit team and its escorts (e.g. mobile telephones);

q) confirm the schedule of the flights selected in the audit plan for observation to determine the timing for
observing airport security operations; and

r) reinforce confidentiality provisions concerning any information or documents received by the


USAP-CMA audit team.

Note.— Any clarification on answers provided in the SASAQ that could be done on site should not be
sought during the national briefing, but should be directly observed by the USAP-CMA audit team instead. If no
clarification can be obtained from observation, then the answer should be sought in cooperation with the NC.
Universal Security Audit Programme
6-8 Continuous Monitoring Manual

Conduct of the on-site audit

6.3.8 During the conduct of the USAP-CMA on-site audit, the USAP-CMA audit team will assess the level of
implementation of the CEs of an aviation security oversight system and the degree of compliance of the State with
Annex 17 Standards and security-related provisions of Annex 9. If the USAP-CMA audit team perceives deficiencies in
the implementation of the aviation security oversight system or lack of compliance with ICAO SARPs, the audit team will
attempt to identify the reasons and will seek to assist the State in achieving the recommended improvements.

6.3.9 The on-site gathering of evidence should be systematic and objective, using the State-specific PQs. All
audit findings should be recorded in a preliminary list of findings and recommendations in a clear, concise manner and
supported by evidence, with reference made to the relevant CEs of an aviation security oversight system as well as the
relevant ICAO SARPs and PQs.

6.3.10 The USAP-CMA audit team, under the leadership of the TL, collects evidence and information by
examining records, reviewing documentation and relevant material, observing the implementation of security measures
and conducting interviews. Depending on the scope of the USAP-CMA audit, the USAP-CMA audit team will review the
State's legislative and regulatory provisions, the implementation of relevant ICAO SARPs, the application of guidance
material and relevant security-related practices in use in the aviation industry. The State should provide the appropriate
evidence in order to fulfil the requirements of the USAP-CMA audit being conducted. The TL provides the State with a
deadline for providing evidence to be considered during the USAP-CMA on-site audit.

6.3.11 The USAP-CMA audit will also be based in part on observing security measures and practices in effect at
the airport(s) selected for observation. During such visits, observation of operational measures and procedures of
selected aircraft operators, cargo agents, mail authorities, catering companies, etc., will be undertaken as necessary to
establish compliance with Annex 17 Standards and security-related provisions of Annex 9. By checking records, not only
in the State but also in the industry, and by looking into how the industry conducts its business in areas related to the
audit, the USAP-CMA audit team is able to assess whether Annex 17 Standards and security-related provisions of
Annex 9 are being implemented effectively.

6.3.12 Specific observations should include the following information: the place, company or authority visited; job
titles of people met or spoken to; notes on the procedures observed; and notes on any deficiencies seen in those
procedures in reference to the specific Annex 17 Standard or relevant security-related provision of Annex 9.

6.3.13 Industry visits should be conducted in the company of the appropriate authority representatives and on the
basis of the State-specific audit plan already agreed upon for the USAP-CMA on-site activity. These visits are used to
determine the State’s aviation security oversight capabilities or its implementation of the CAP or mitigating measures.
Security concerns that may be identified during these visits can only be identified as a finding or an SSeC in regard to
the State aviation security system and not in regard to the industry or service providers.

6.3.14 The audited State will determine the type of escort to be provided to the USAP-CMA audit team during the
audit. The TL and TMs will be issued with airport identification badges that should be displayed in a visible place, as
mandated by the national requirements. In the event of an emergency (e.g. hijacking, bomb threat, aircraft accident, etc.),
the USAP-CMA audit will be suspended upon request of the audited State. In this case, arrangements should be made
as soon as possible to resume or reschedule the USAP-CMA audit.

6.3.15 The USAP-CMA audit team may encounter situations during on-site activities that reveal an SSeC,
resulting in an immediate security risk to international civil aviation. The mechanism established to address such SSeCs
as a priority is described in 2.9. As soon as a preliminary SSeC is identified, the TL, after coordination with C/ASA,
brings it to the attention of the State to allow the State to initiate corrective action immediately. The TL provides all
relevant information on the preliminary SSeC to C/ASA. At this point, the identification of an SSeC is considered
preliminary until it is validated and confirmed by the SSeC Validation Committee.
Chapter 6. USAP-CMA activity phases and procedures 6-9

6.3.16 During the USAP-CMA on-site audit process, the USAP-CMA audit team must conduct an internal meeting
on a daily basis to:

a) discuss the day’s activities and findings and review the audit team’s daily progress;

b) address and resolve potential issues and delays encountered during daily tasks;

c) identify areas of concern, including potential SSeCs;

d) identify any part of the USAP-CMA PQs that has not been addressed;

e) determine required changes in the work plan, if any;

f) coordinate common areas;

g) discuss the next day’s activities;

h) identify any information that must be collected or clarified; and

i) enhance team coordination and support.

6.3.17 The TL will meet with the NC on a daily basis to inform him/her of the preliminary findings and deficiencies
identified during the ongoing audit with the objective of providing preliminary recommendations for corrective action,
facilitating the post-audit debriefing, and to discuss any changes in the audit plan or new requests for meetings and/or
documents.

6.3.18 Audits may result in raising the awareness and interest of several aviation bodies, some of which may
request interviews with the USAP-CMA audit team. Interviews with organizations other than the State, such as the
media, labour unions or other interested bodies, shall not be conducted under any circumstances by the USAP-CMA
audit team.

6.3.19 In assessing the State’s level of implementation of the CEs of an aviation security oversight system and
determining the degree of compliance with Annex 17 Standards and security-related provisions of Annex 9, USAP-CMA
auditors will be guided by the verification process described in the USAP-CMA PQs. Although several PQs may have
been reviewed during the preparation phase of the USAP-CMA activity, the status of these PQs is determined during the
on-site activity. At the same time, given the differing nature of national- and airport-level security systems among States,
USAP-CMA auditors should, to the extent practicable, apply an outcome-based approach and be open to different
means of compliance that are not explicitly addressed by the USAP-CMA PQs but are implemented by States to achieve
the same outcome.

6.3.20 During the conduct of the USAP-CMA audit, TMs take comprehensive notes and assess the applicable
PQs, which will be used in developing the draft USAP-CMA audit report, including the findings. Each finding is related to
one relevant PQ. The USAP-CMA audit team records the finding, marks the status of the associated PQ as not
satisfactory and clearly indicates how and why they were made. Absence of evidence will normally be reflected as a
finding. The State is required to propose a CAP to address each finding.

6.3.21 The TL will provide the TMs with blank copies of PQ Worksheets in their respective areas of responsibility
within the scope of the USAP-CMA audit. TMs shall submit their duly completed PQ Worksheets to the TL. The
USAP-CMA audit team should review all findings to ensure that they are objective, clear and concise and associated
with the relevant PQ.
Universal Security Audit Programme
6-10 Continuous Monitoring Manual

Post-audit debriefing

6.3.22 At the end of the USAP-CMA on-site audit, the audit team will meet with State officials for a post-audit
debriefing to present a preliminary list of findings and recommendations addressing areas that require improvement.
Furthermore, before the post-audit debriefing, the TL will meet with the NC to undertake a final review of the preliminary
list of findings and recommendations and those significant elements to be addressed during the post-audit debriefing. If
applicable, any preliminary SSeCs identified in the course of the audit will be described to the NC and State officials.

6.3.23 The post-audit debriefing provides high-level State representatives with information related to the
USAP-CMA audit team’s conclusions regarding the status of implementation of the CEs of the State’s aviation security
oversight system and the compliance with Annex 17 Standards and security-related provisions of Annex 9. The
post-audit debriefing emphasizes the most significant security issues, and concisely presents the USAP-CMA audit
team’s findings and recommendations regarding the effectiveness of the State’s aviation security oversight system.

6.3.24 The post-audit debriefing should be a review of the issues already covered in the daily briefings with the
State NC. All identified deficiencies and findings should have already been discussed in the daily briefings and well
understood by everyone attending the post-audit debriefing. Any preliminary SSeCs should have also been discussed
and well understood by everyone before the post-audit debriefing. While the State may choose to further discuss or
debate the identified findings and deficiencies, including any preliminary SSeCs, during the post-audit debriefing, the
State should have presented all available evidence to the USAP-CMA audit team before the post-audit debriefing.

6.3.25 At the post-audit debriefing, the TL provides a draft paper copy of preliminary findings and
recommendations to the State. Each recommendation describes the corrective action to be implemented by the State,
as well as identifies the relevant PQ, CE, SARP and the priority of each corrective action.

6.3.26 During the post-audit debriefing, the TL should:

a) thank officials of the Member State and any persons directly involved in the USAP-CMA audit for their
cooperation;

b) reintroduce the USAP-CMA audit team, if any State officials present did not attend the national
briefing;

c) briefly review the objective and scope of the USAP-CMA audit;

d) provide a verbal overview of the effectiveness of the State’s aviation security oversight system and
capabilities and overall findings for each CE assessed, focusing first on positive aspects and then on
identified deficiencies that need to be addressed;

e) provide a preliminary list of findings and recommendations concerning the degree of compliance with
Annex 17 Standards and security-related provisions of Annex 9, highlighting the priorities of
recommendations requiring short-, medium and long-term corrective actions;

f) present preliminary SSeCs, if applicable, and explain that the SSeC Validation Committee at ICAO
Headquarters will review and confirm the validity of any preliminary SSeCs;

g) ensure that State officials clearly understand the USAP-CMA audit results and encourage TMs to
provide additional clarification, as required, to resolve any uncertainty the State officials may have;

h) invite comments from State officials on the USAP-CMA audit results;


Chapter 6. USAP-CMA activity phases and procedures 6-11

i) remind State officials that the preliminary list of findings and recommendations is being provided solely
to allow the State to begin working on its corrective actions and that these will undergo a technical and
editorial review by ASA before being forwarded to the State in the form of a final USAP-CMA audit
report;

j) remind the State about post-audit reporting actions to be performed by ICAO and the State, including
target dates for issuing the USAP-CMA audit report to the State and for receipt of the State’s CAP;

k) remind the State about confidentiality provisions; and

l) remind the State about the availability of urgent and immediate assistance through ISD-SEC, and
longer term assistance through TCB.

6.3.27 Specialist meetings of the USAP-CMA audit team and the State’s technical counterparts may be held prior
to or following the post-audit debriefing at the discretion of the TL and the State authorities.

6.3.28 The TL will meet with the TMs both before and after the post-audit debriefing in order to review and assess
the entire audit process. All audit team participants should be asked to express their views about the audit performed.

6.3.29 Prior to the post-audit debriefing, the TL will work closely with each TM concerning their contribution to the
USAP-CMA audit report, focusing on the adequacy of completed PQ Worksheets and reviewing the preliminary list of
findings and recommendations. During the USAP-CMA audit team debriefing that is held following the post-audit
debriefing, the TL should:

a) thank the TMs for their work;

b) raise any concerns about the teamwork, the audit process and tools, or other issues;

c) reinforce rules of confidentiality;

d) collect any remaining portions of TM submissions (e.g. paper copies and electronic versions of
PQ Worksheets) and ensure that no information, including electronic copies of documents, has been
retained by any individual TM;

e) collect all audit documents, including documentation provided by the State, copies of the preliminary
list of findings and recommendations, auditor notebooks, etc.;

f) collect mission reports from TMs;

g) collect, whenever possible, a preliminary travel claim form from each TM with hotel receipts and airline
boarding passes, as well as receipts for any other official expenses;

h) collect business cards or copies of business cards obtained by TMs during the USAP-CMA audit;

i) provide guidance on the proper methods of communicating audit-related sensitive security information
to avoid accidental disclosure; and

j) confirm the departure arrangements.

6.3.30 Upon completion of an off-site audit, the TL will conduct a post-audit debriefing with the NC to provide a
summary of the results of the USAP-CMA activity. The TL will advise the NC of the next steps in the USAP-CMA activity
process and provide the State with the preliminary list of findings and recommendations.
Universal Security Audit Programme
6-12 Continuous Monitoring Manual

6.4 REPORTING PHASE

6.4.1 Each USAP-CMA activity will conclude with the preparation of a USAP-CMA audit report to be submitted to
the audited State within established time frames following the completion of the USAP-CMA audit. The USAP-CMA audit
report summarizes the level of implementation of the CEs of the State’s aviation security oversight system and provides
full details of the audit findings and recommendations. The State CAP should be based on the USAP-CMA audit report,
although the State has an opportunity to initiate its corrective actions based on the preliminary list of findings and
recommendations presented at the post-audit debriefing.

6.4.2 In accordance with the terms of the MoU between ICAO and the Member State, ICAO will submit a
USAP-CMA audit report to the audited State within 60 calendar days from the post-audit debriefing. If the ICAO working
language of the State is other than the language in which the USAP-CMA audit was conducted, an advance copy of the
USAP-CMA audit report will be sent to the State within 60 calendar days from the post-audit debriefing in the language
in which the USAP-CMA audit was conducted. The USAP-CMA audit report will then be translated into the ICAO
working language of the State and submitted to the State, and subsequent timelines will be adjusted accordingly. ASA
will retain a copy of the USAP-CMA audit report submitted to the State.

6.4.3 The USAP-CMA audit report will be confidential and made available only to the audited State and to
persons with an official need to know within ICAO. In addition, the charts depicting the level of implementation of the
CEs of an aviation security oversight system by the audited State and an indication of the degree of compliance of the
audited State with Annex 17 Standards will be made available to all Member States on the USAP secure website in
accordance with the limited level of disclosure, as indicated in 4.9.3. All other materials, notes and reports obtained or
generated during the USAP-CMA audit will be treated as strictly confidential by ICAO.

6.4.4 Access to the USAP secure website is restricted to Member State appropriate authority officials. All access
requests will be scrutinized and granted by ASA only to those with an operational need to know. Member States will
make their own decision as to whether they need to approach the audited State on a bilateral or multilateral basis to
discuss the results of the audit. The audited State has the right to publish, or otherwise distribute in any way it deems
appropriate, its audit report or its CAP.

6.4.5 The USAP-CMA audit report is an objective reflection of the results of the USAP-CMA audit. It is prepared
on the basis of the reporting principles and procedures contained in this manual. The USAP-CMA audit report is
designed to provide:

a) information to the audited State regarding its aviation security performance in terms of the level of
implementation of the CEs of the State’s aviation security oversight system, and the indicative degree
of the State’s compliance with Annex 17 Standards and security-related provisions of Annex 9;

b) prioritized recommendations to the audited State to initiate corrective actions; and

c) information to ICAO related to common deficiencies in order to define measures to assist its Member
States.

6.4.6 The draft USAP-CMA audit report is compiled by the TL based on submissions received from the TMs.
TMs are expected to prepare their PQ Worksheets during the on-site audit on a daily basis. Prior to the return of the TMs
to their home States at the conclusion of an on-site audit, the TL reviews and coordinates their individual submissions
and discusses them with the TM concerned. The TL is required to submit the draft USAP-CMA audit report to C/ASA
within seven working days of the date of his/her return to ICAO Headquarters following the post-audit debriefing. If the
TL’s mission includes more than one USAP-CMA on-site audit, the timelines for submission of draft audit reports will be
adjusted accordingly.
Chapter 6. USAP-CMA activity phases and procedures 6-13

6.4.7 The draft USAP-CMA audit report is then subjected to a technical and editorial review by ASA, in
accordance with the USAP-CMA quality management procedures. The TL, in coordination with ASA, is responsible for
verifying and ensuring the technical content and the overall accuracy of the USAP-CMA audit report throughout the
report production phase. ASA shall consult with the TL during the report production process for questions or
clarifications related to the report content. The final USAP-CMA audit report is submitted to C/ASA for approval.

6.4.8 The key principles that guide the development of a USAP-CMA audit report are as follows:

a) the TL should consolidate the contributions of the TMs and finalize the draft audit report;

b) audit findings should be presented in an objective manner;

c) the audit report should be confined to facts only, not suppositions or opinions, i.e. what was observed
and found to be deficient;

d) findings and recommendations in the post-audit debriefing and the USAP-CMA audit report should be
consistent;

e) findings and recommendations should be described in a clear, concise and consistent manner;

f) each recommendation should be related to an identified deficiency, specifically detailing what


corrective action is required from the State;

g) recommendations should be prioritized as “Low”, “Medium”, “High” and “Very high” based on the
nature of the deficiencies they address, with a view to assisting the State in preparing an effective
CAP for short-, medium- and long-term corrective actions for the resolution of deficiencies identified
during the USAP-CMA audit;

h) all conclusions should be substantiated with references;

i) generalities and vague observations should be avoided;

j) only widely accepted international civil aviation terminology should be used, avoiding acronyms and
jargon; and

k) criticism of individuals or positions should be avoided.

6.4.9 The USAP-CMA audit report is prepared following a standard reporting format developed by ASA. This
format permits input from a confidential electronic database, facilitating the retrieval of information for the purpose of
analysis and follow-up activities.

6.4.10 The content of the USAP-CMA audit report is as follows:

• Introduction

• Objectives of the USAP-CMA audit

• Summary of the USAP-CMA audit results

• Appendix 1. Analysis of the USAP-CMA Audit Results by CE

• Appendix 2. USAP-CMA Audit Findings and Recommendations


Universal Security Audit Programme
6-14 Continuous Monitoring Manual

6.4.11 The first two parts of the USAP-CMA audit report (introduction and objectives of the USAP-CMA audit)
contain background information on the USAP and the objective of the USAP-CMA, the USAP-CMA audit team
composition, overview of the USAP-CMA activity scope and the visits to industry and service providers, if applicable.
The summary of the USAP-CMA audit results contains textual and graphical information on the State’s aviation security
performance in the form of the State’s:

a) Oversight Indicator: average EI of the eight CEs of the State’s aviation security oversight system;

b) Compliance Indicator: average compliance of the State with Annex 17 Standards and average
compliance of the State with security-related provisions of Annex 9; and

c) USAP-CMA PQ Indicator: percentage of USAP-CMA PQs found satisfactory during the USAP-CMA
audit of the State.

The summary of the USAP-CMA audit results also contains information on the existence of SSeCs, if any, and the
current status of such SSeCs.

6.4.12 Appendix 1 of the USAP-CMA audit report provides an analysis of the State’s aviation security oversight
system, highlighting the EI and LEI of each CE, as well as the graphical depiction of the EI for each CE. Appendix 2 of
the USAP-CMA audit report contains a detailed list of the USAP-CMA audit findings and recommendations, together
with associated PQs found not satisfactory, related CEs, SARPs and the priorities assigned to these recommendations.

6.4.13 Upon receipt of the USAP-CMA audit report, the State will have 30 calendar days to submit comments and
feedback on the report. The USAP-CMA audit report may be revised as a result of this feedback. In all cases, comments
submitted by the State will become part of the information related to the USAP-CMA activity conducted in the State.

6.4.14 In the event that action for improvement is recommended by ICAO following completion of a USAP-CMA
audit, the State is responsible for developing an acceptable CAP defining the action the State plans to take to resolve
deficiencies in its aviation security and oversight systems identified by the USAP-CMA audit. Guidance on the
development of the CAP by the State will be provided by the TL during the post-audit debriefing. Appendix C provides
guidance for States on developing CAPs.

6.4.15 The audited State should provide ASA with a CAP within 60 calendar days after receiving the USAP-CMA
audit report in the ICAO working language of the State (i.e. approximately at least 120 days following the post-audit
debriefing), using the CAP template provided by ICAO together with the USAP-CMA audit report. In accordance with the
terms of the MoU agreed to by the State, the CAP should show how the improvements will be achieved by addressing
the findings and recommendations of the USAP-CMA audit report, providing specific actions, indicating the entities
responsible for the implementation of such actions, and providing deadlines for the correction of the deficiencies
identified during the USAP-CMA audit. Corrective actions and deadlines for implementation should be established to
address each of the ICAO recommendations contained in the USAP-CMA audit report.

6.4.16 The CAP should contain detailed and specific measures that the State has taken or proposes to take to
implement the ICAO recommendations. All corrective actions should consider the various aspects that may affect their
implementation. Due to the complexity for implementing new aviation security requirements and given the resources
available, consideration should be given to setting starting and completion dates that are as feasible and practicable as
possible. In developing the CAP, corrective actions should be established by phases of implementation or by short-,
medium- and long-term goals based on the priorities of the recommendations contained in the USAP-CMA audit report.

6.4.17 ICAO will provide the State with feedback on the acceptability of the proposed CAP. If any proposed
corrective actions do not fully address the associated findings and recommendations, the State will be notified
accordingly and requested to resubmit its CAP. In any case where the audited State proposes not to implement a
recommendation because it disagrees with the finding of the USAP-CMA audit team or with the audit team’s
Chapter 6. USAP-CMA activity phases and procedures 6-15

interpretation of the relevant ICAO Standard or security-related provision, the State should cooperate with ICAO to
resolve this disagreement. If such cooperation results in a proposal by the State to modify its CAP, C/ASA should be
provided with the modified CAP at the earliest opportunity.

6.4.18 USAP-CMA audit team participants will prepare separate mission reports describing the conduct of the
audit and any difficulties encountered. The USAP-CMA mission reports may also advance proposals for improving the
future planning and execution of USAP-CMA activities. The USAP-CMA mission reports provide feedback on the
conduct of the audit, from planning to completion. The mission reports are an integral part of the USAP-CMA quality
assurance process and will be used by ASA to improve the USAP-CMA. ASA will maintain a record of all feedback,
recommendations and any action taken to address concerns raised. Should the USAP-CMA mission report identify
issues that could be addressed by amending Annex 17 SARPs or security-related provisions of Annex 9, this information
will be relayed to the ICAO Aviation Security Panel or Facilitation Panel, as appropriate.

6.4.19 A State USAP-CMA Activity Feedback Form will be provided to the State together with the USAP-CMA
audit report. The purpose of this form is to allow the State to advise ICAO on aspects of preparation and conduct of the
USAP-CMA audit for the purpose of ensuring continuous improvement of the USAP-CMA.

6.4.20 C/ASA will periodically prepare a report on the progress of the USAP-CMA to be submitted to the
Secretary General and subsequently distributed to the ICAO Council and other appropriate ICAO bodies, as required. All
necessary steps will be taken to ensure these reports are in a form that maintains the confidentiality of State-specific
capabilities and/or deficiencies. USAP-CMA progress reports include, but are not limited to:

a) names of States that accepted USAP-CMA activities, including the dates of each activity and the
names of airports visited, if applicable;

b) the status of confidential USAP-CMA audit reports completed and submitted to audited States;

c) the number of State CAPs that have been received and accepted;

d) States that are over 60 days late in submitting their CAPs;

e) progress made by States in implementing their CAPs;

f) a summary of feedback received from audited States on the USAP-CMA audit process;

g) common deficiencies identified so that any trend in significant deficiencies experienced by States can
be assessed to enable ICAO to study possible solutions as part of the remedial action process;

h) USAP-CMA regional seminars and USAP-CMA auditor training and certification courses planned and
conducted; and

i) information regarding a refusal by a State to undergo a USAP-CMA audit, a deferral of the audit, or a
refusal to comply with the terms of the relevant MoU.

______________________
Appendix A

GENERIC MEMORANDUM OF UNDERSTANDING (MOU)

Memorandum of Understanding (MoU) between


the International Civil Aviation Organization and State [formal name]
regarding the Universal Security Audit Programme Continuous Monitoring Approach

Whereas the 33rd Session of the Assembly of the International Civil Aviation Organization (ICAO) in
Assembly Resolution A33-1 directed the Council and the Secretary General to consider the establishment of an ICAO
Universal Security Audit Programme (USAP);

Whereas the Council during its 166th Session approved the Aviation Security Plan of Action, including the
establishment of the USAP, and agreed that priority be given to undertaking audits;

Whereas the 35th Session of the Assembly of ICAO in Assembly Resolution A35-9 requested the
Secretary General to continue the USAP, and urged all Member States to agree to audits to be carried out upon ICAO’s
initiative by signing a bilateral MoU and to accept the audit missions as scheduled by the Organization;

Whereas the Council during its 176th and 181st Sessions agreed that future audits be guided by the
principle of universality, while recognizing that not all States need to be audited at the same frequency; focus, wherever
possible, on a State’s capability to provide appropriate national oversight of its aviation security activities through the
effective implementation of the critical elements of a security oversight system; and be expanded to include relevant
security-related provisions of Annex 9 — Facilitation;

Whereas the Council, during its 187th Session, recognized the need to determine the future nature and
direction of the USAP and directed the Secretariat to study the feasibility of applying a continuous monitoring approach
(CMA) to the USAP after the conclusion of the second cycle of audits in 2013;

Whereas the 197th Session of the Council formally approved the concept of the USAP Continuous
Monitoring Approach (USAP-CMA) and the associated transition plan;

Whereas the 38th Session of the Assembly in Assembly Resolution A38-15 endorsed the Council’s
decision to extend the CMA to the USAP in 2015, and requested the Council to oversee the activities of the USAP-CMA;

Whereas the 38th Session of the Assembly urged all Member States to give full support to ICAO by
accepting USAP-CMA missions as scheduled by the Organization, facilitating the work of the USAP-CMA teams, and
preparing and submitting to ICAO all required documentation;

Recognizing that the effective implementation of State corrective action plans to address deficiencies
identified through USAP-CMA activities is an integral and crucial part of the monitoring process in order to achieve the
overall objective of enhancing global aviation security; and

Recalling that the ultimate responsibility for the security of civil aviation rests with Member States;

App A-1
Universal Security Audit Programme
App A-2 Continuous Monitoring Manual

IT IS AGREED AS FOLLOWS:

PART I — USAP-CMA ACTIVITIES — GENERAL

1. State [formal name], hereinafter referred to as State [abbreviated name], hereby agrees to participate fully
in the USAP-CMA by taking part in all USAP-CMA activities and by committing to provide information
related to the establishment and implementation of its aviation security and oversight systems as
requested by ICAO. USAP-CMA activities will cover the Convention on International Civil Aviation
(the “Chicago Convention”), Annex 17 – Security and the security-related provisions of Annex 9 —–
Facilitation.

2. State [abbreviated name] accepts that the development, implementation and maintenance of the national
civil aviation security programme required by Annex 17 remains its responsibility before, during and after
any USAP-CMA activity. State [abbreviated name] and ICAO accept that all actions taken by the parties
and activities carried out under the USAP-CMA will be conducted in accordance with established USAP
principles.

3. State [abbreviated name] agrees to facilitate USAP-CMA activities by designating an appropriate person to
act as National Coordinator (NC) on an on-going basis. The NC will act as a facilitator and primary point of
contact for ICAO with regard to all USAP-CMA processes and activities. State [abbreviated name] will be
responsible for providing ICAO with updates and information, through its NC, upon request. State
[abbreviated name] agrees to advise ICAO whenever there is a change in designated NC.

4. The types of information that ICAO may request to be submitted by State [abbreviated name] under the
USAP-CMA will vary depending on the aviation security situation in each State, but may include
completing and providing updates to the State Aviation Security Activity Questionnaire (SASAQ), status
reports on the implementation of specific USAP-CMA protocol questions (PQs), information relating to
Significant Security Concerns (SSeCs), updates to the State Corrective Action Plan (CAP) and any other
relevant security information, such as national-level aviation security legislation and airport-level aviation
security procedures and practices.

5. State [abbreviated name] agrees to complete and maintain up-to-date Compliance Checklists, which
contain information on the State’s compliance with the Annex 17 Standards and Recommended Practices
and the security-related provisions of Annex 9.

6. If a regional aviation security regulatory and/or oversight body, or any other entity, performs securityrelated
functions on behalf of State [abbreviated name], ICAO, with the consent of State [abbreviated name], may
elect to enter into a working arrangement with this regulatory and/or oversight body or entity, as
appropriate, to facilitate the monitoring of the State’s aviation security compliance and oversight
capabilities.

7. While monitoring of all ICAO Member States will be conducted on an on-going basis, specific USAP-CMA
activities will be scheduled in all States from time to time. These activities include documentation-based
audits, conducted primarily by correspondence between ICAO and the States concerned, oversight-
focused audits, compliance-focused audits and validation missions. The type of activity to be conducted in
each State will be determined by ICAO based on information available to ICAO. State [abbreviated name]
may, at any time, request that a USAP-CMA audit be conducted on a cost-recovery basis. The type, scope
and scheduling of any such cost-recovery audit shall require agreement between ICAO and the State, and
will be assessed by ICAO on a case-by-case basis. The results of these USAP-CMA audits will be treated
in the same manner as the results from regularly-scheduled USAP-CMA activities.
Appendix A. Generic Memorandum of Understanding (MoU) App A-3

8. During all USAP-CMA activities, ICAO will assess, based on the scope of the activity, a State’s capability
to provide appropriate national oversight of its aviation security activities through the effective
implementation of the critical elements of an aviation security oversight system, and will evaluate
compliance with Annex 17 Standards and relevant security-related provisions of Annex 9. Subsequent
USAP-CMA activities will include a process to validate progress made by the State in addressing any
identified deficiencies. Validation missions will be used to validate measures taken by States to resolve
SSeCs.

PART II — USAP-CMA ACTIVITIES — PREPARATION

9. ICAO will generate, distribute and publish an annual schedule of planned USAP-CMA activities for the
following 12-month period, including both on-site activities and documentation-based audits. This annual
schedule of activities will be regularly updated on the USAP secure website.

10. Direct notification of USAP-CMA activities will be provided to State [abbreviated name] by ICAO with at
least 120 calendar days’ advance notice, together with the name(s) of any designated airport(s) to be
visited, if applicable. When necessary or useful, State [abbreviated name] and ICAO may mutually agree
on a shorter notice period. Unless documented reasons lead the parties to mutually agree upon alternate
dates, State [abbreviated name] is urged to accept USAP-CMA activities as scheduled by ICAO.

11. No change to scheduled USAP-CMA activities will be allowed within 60 calendar days prior to the starting
date of an on-site activity, and no change to a scheduled documentation-based audit will be allowed within
30 calendar days of the starting date, except for a compelling reason, such as an act of God or an act of
war, submitted to the President of the Council of ICAO for his consideration. Any change made by State
[abbreviated name] to the dates of a scheduled cost-recovery activity will be made on a case-by-case
basis, with the State incurring all costs associated with such change.

12. State [abbreviated name] agrees to submit to ICAO, no later than 60 calendar days prior to the start of a
USAP-CMA activity, a completed SASAQ designed to provide ICAO with preliminary information
concerning the State’s aviation security and oversight systems.

13. The exact scope of all USAP-CMA activities, including the audit areas and PQs to be covered, will be
determined by ICAO based on pre-existing audit information and information provided by State
[abbreviated name] and will be communicated to the State at least 30 days in advance of the activity.

14. For each scheduled USAP-CMA activity, ICAO will identify one or more ICAO-certified auditors to conduct
the activity, all of whom will be experts in the field of aviation security. State [abbreviated name] will be
provided with the name(s) of the assigned auditor or audit team prior to any scheduled activity and will
have the opportunity to provide any desired feedback to ICAO. The composition of the team will be
provided to State [abbreviated name] prior to any scheduled on-site activity in sufficient time to enable it to
facilitate applications for visas and other administrative matters.

15. With the exception of cost-recovery activities, where all costs are borne by State [abbreviated name], ICAO
will be responsible for the cost of transportation to and from State [abbreviated name], as well as for the
daily subsistence allowance (DSA) of the ICAO team members.

16. In the case of a scheduled documentation-based audit, failure by State [abbreviated name] to provide
documentation as requested by ICAO will make the State ineligible for a documentation-based audit and
the State will be scheduled for an on-site USAP-CMA activity.
Universal Security Audit Programme
App A-4 Continuous Monitoring Manual

17. Without prejudice to other privileges and immunities applicable to ICAO as a Specialized Agency of the
United Nations and its personnel, all members of ICAO USAP-CMA audit teams shall be immune from
legal process in respect of words spoken or written and all acts performed by them in their official capacity.

PART III — USAP-CMA ACTIVITIES — CONDUCT

18. USAP-CMA activities will be conducted in English, French or Spanish, as requested by State [abbreviated
name]. In the case of on-site activities, if the language of correspondence of the State with ICAO is one of
the remaining three ICAO working languages, every effort will be made to ensure that at least one team
member participating in the activity has command of the ICAO working language of the State concerned.

19. The ICAO team will develop a State-specific audit plan for each USAP-CMA on-site activity in State
[abbreviated name], containing information on the conduct of the scheduled activity. The plan will be
forwarded to the NC prior to the activity to facilitate cooperation and coordination. If necessary, last-minute
and minor modifications to the State-specific audit plan may be agreed between ICAO and State
[abbreviated name] during the opening national briefing.

20. The NC will be responsible for coordinating all on-site USAP-CMA activities on behalf of State [abbreviated
name]. This includes providing the ICAO team with access to all relevant documentation, and all relevant
persons and entities responsible for aviation security and facilitation-related matters during the interview
and records-review stage of the activity, as well as securing access to areas of the airport or other facilities,
as appropriate, for observation as deemed necessary by the ICAO team during the conduct of the
USAP-CMA activity.

21. For on-site activities, State [abbreviated name] agrees to:

a) make appropriate staff from its administration responsible for the regulation and oversight of aviation
security activities and matters related to facilitation, as well as relevant staff of airport operators,
locally-based commercial air transport operators and any other entities responsible for the
implementation of aviation security measures available for interview by the ICAO team;

b) make all relevant files, records and documentation of the appropriate authority for aviation security
and those of any other relevant entities responsible for aviation security and facilitation matters,
including national legislation, programmes and regulations related to aviation security and facilitation,
quality control activity records, airport-level programmes, procedures and internal quality control
activity records, available for review by the ICAO team; and

c) provide access to aerodrome facilities and restricted areas of the airport for observation by the ICAO
team of aviation security measures implemented by all relevant entities.

22. State [abbreviated name] agrees to provide support to the USAP-CMA on-site activities by:

a) providing interpretation services for the duration of the on-site activity or as requested by the ICAO
team;

b) assisting with administrative arrangements for the accommodation of the ICAO team for the duration
of the on-site activity;

c) arranging and meeting the cost of local and intra-State transportation when visits to various locations
within the State are required under the State-specific audit plan;
Appendix A. Generic Memorandum of Understanding (MoU) App A-5

d) providing adequate working space with privacy for the ICAO team;

e) providing access to a printer, photocopier, scanner and facsimile machine, if available;

f) providing Internet access, if available;

g) providing the ICAO team with airport identification passes for access to facilities and restricted areas
of the airport; and

h) identifying a technical liaison officer to provide security equipment-related information.

23. During on-site USAP-CMA activities, the ICAO team will assess, based on the scope of the activity, State
[abbreviated name]’s capability to provide appropriate national oversight of its aviation security activities
through the effective implementation of the critical elements of an aviation security oversight system. The
ICAO team will also evaluate State [abbreviated name]’s compliance with Annex 17 Standards and the
relevant security-related provisions of Annex 9. In addition to the review of relevant national/airport level
regulatory provisions and quality control activity records, the on-site USAP-CMA activity will include a
verification of the implementation of aviation security measures through on-site observations at the
designated airport(s).

24. During documentation-based audits, the USAP-CMA auditor will conduct a review of the documents
submitted by State [abbreviated name] beginning on the date specified in the annual activity schedule. The
auditor may request additional information and/or clarification from State [abbreviated name] and may
interview relevant personnel via telephone or other means. The NC will be made available by State
[abbreviated name] to facilitate this process and provide all information required.

25. If, at any time, the ICAO team identifies a potential SSeC during the conduct of any type of USAP-CMA
on-site activity, State [abbreviated name] will be immediately notified and the SSeC process outlined in
paragraphs 33 to 36 below will be initiated.

26. Upon completion of an on-site USAP-CMA activity, the ICAO team will conduct a post-audit debriefing in
which the team will provide a summary of the results of the USAP-CMA activity to the appropriate
government officials, as determined by State [abbreviated name]. These should include senior aviation
security management officials and other State and industry representatives responsible for the areas
covered by the scope of the USAP-CMA activity. The ICAO team will also provide a briefing on the next
steps in the USAP-CMA process. If necessary and appropriate, the post-audit debriefing will be used to
notify the State of any preliminary SSeCs identified during the activity. Before departing State [abbreviated
name] the ICAO team will also provide the appropriate authority with preliminary findings and
recommendations.

27. Upon completion of a documentation-based audit, the ICAO auditor will conduct a post-audit debriefing
with the NC to provide a summary of the results of the activity. The ICAO auditor will advise the NC of the
next steps in the USAP-CMA process and provide State [abbreviated name] with preliminary findings and
recommendations.
Universal Security Audit Programme
App A-6 Continuous Monitoring Manual

PART IV — USAP-CMA ACTIVITIES — REPORTING

28. Following completion of a USAP-CMA audit, ICAO undertakes to make available to State [abbreviated
name] a confidential report within 60 calendar days from the post-audit debriefing. If the ICAO working
language of the State is other than the language of the activity, the audit report will be translated into that
language and subsequent timelines will be adjusted accordingly. The confidential report will detail:

a) information on the level of effective implementation of the critical elements of a State’s aviation
security oversight system, as well as analysis of audit results by critical element; and

b) an indication of the State’s compliance with ICAO Annex 17 Standards and security-related provisions
of Annex 9, together with prioritized recommendations for the resolution of identified deficiencies
requiring remedial action by the State.

29. Upon receipt of the audit report, State [abbreviated name] will have 30 calendar days to submit comments
and feedback on the report. The audit report may be revised as a result of this feedback.

30. Should action be necessary to remedy deficiencies identified through the findings and recommendations
developed during an audit, State [abbreviated name] undertakes to start working on the preparation of an
appropriate CAP immediately after State [abbreviated name] has been debriefed on the audit results and
provided with preliminary findings and recommendations, as described in paragraphs 26 and 27 of this
MoU. Feedback on the development of the action plan by State [abbreviated name] will be provided during
the post-audit debriefing.

31. Should action be necessary to remedy deficiencies, State [abbreviated name] undertakes to provide ICAO
with a CAP within 60 calendar days from the date the USAP-CMA audit report has been made available to
the State. The action plan should address the findings and recommendations of the USAP-CMA audit
report, providing specific actions, entities responsible for the implementation of such actions, and deadlines
for the correction of the deficiencies identified during the audit. If the report requires translation, the
timeline for the production of a CAP starts when the State receives the translated USAP-CMA audit report.
All subsequent actions will be sequenced accordingly. ICAO will provide State [abbreviated name] with
feedback on the acceptability of any proposed CAP. If any proposed corrective actions do not fully address
the associated findings and recommendations, State [abbreviated name] will be notified accordingly and
requested to resubmit the CAP.

32. USAP-CMA audit reports will be confidential and made available to State [abbreviated name] and ICAO
staff on a need-to-know basis. Concurrently with the preparation of the report, a non-confidential audit
activity summary limited to the name of the audited State, the identity of airports visited during the audit,
and the completion date of the audit will be developed for release to all Member States. In addition, charts
depicting the level of implementation of the critical elements of an aviation security oversight system by
State [abbreviated name] and an indication of compliance by State [abbreviated name] with Annex 17
Standards will be made available to all Member States on the USAP secure website.

33. If applicable, ICAO undertakes to notify to State [abbreviated name] in writing, as soon as possible, but not
later than 15 calendar days after the last day of the USAP-CMA activity, of the existence and details of any
SSeCs requiring immediate corrective action by State [abbreviated name].
Appendix A. Generic Memorandum of Understanding (MoU) App A-7

34. In the event that any SSeCs are identified and confirmed, State [abbreviated name] undertakes to provide,
within the time frame prescribed by ICAO, but not later than 15 calendar days following the receipt by State
[abbreviated name] of the written notification from ICAO, its immediate corrective action to resolve the
SSeCs. Failure by State [abbreviated name] to implement satisfactory corrective action and to notify such
action to ICAO within the prescribed time frame will result in information pertaining to unresolved SSeCs
being made available to all Member States through the USAP secure website until resolved.

35. No report will be issued following the conduct of a USAP-CMA validation mission. However, if such a
mission reveals that one or more SSeCs have been resolved or mitigated by a State, notification of the
existence of such SSeC(s) will be removed from the USAP secure website, and the State’s charts on the
USAP secure website will be amended accordingly.

36. If requested by State [abbreviated name], ICAO will evaluate and provide, where possible, direct
assistance through relevant technical assistance and/or technical co-operation programmes. Assistance
provided through ICAO’s Technical Co-operation Programme would be funded by State [abbreviated name]
or another sponsor.

37. The ICAO Regional Office accredited to State [abbreviated name] will be actively involved in monitoring the
progress made by State [abbreviated name] towards implementing its CAP and in the provision of advice
and assistance, as required.

PART V — DISPUTE RESOLUTION

38. Any difference or dispute concerning the interpretation or the application of this Memorandum of
Understanding will be resolved by negotiation between the parties concerned.

For the International Civil For the Appropriate Authority of


Aviation Organization State [formal name]

Secretary General Name:


Title:

Date Date

______________________
Appendix B

CRITERIA FOR CERTIFICATION AS


AN ICAO USAP-CMA AUDITOR

1. INTRODUCTION

1.1 This document sets forth the criteria for initial certification of ICAO USAP-CMA auditors as required for the
conduct of aviation security audits in accordance with this manual and the MoU signed between ICAO and a Member
State. The principal objective of these criteria is to ensure that ICAO USAP-CMA activities are conducted by
appropriately qualified and experienced aviation security experts who have been trained in the specific application of
ICAO USAP-CMA methodology.

1.2 The process used in developing these criteria was to establish first the key competencies required for
ICAO USAP auditors, and then to determine the methods by which those competencies would be demonstrated and
measured.

2. LEVELS OF AUDITOR

2.1 There are two levels of auditor within the ICAO USAP-CMA:

a) ICAO USAP-CMA auditor; and

b) ICAO USAP-CMA TL.

2.2 ICAO USAP-CMA Auditor level recognizes that a candidate has met the specific competency and training
requirements for certification required for the conduct of ICAO USAP-CMA activities as a TM.

2.3 ICAO USAP-CMA TL level recognizes that a candidate has satisfied the criteria for USAP-CMA auditor
certification and, in addition, has demonstrated the competencies necessary to manage a USAP-CMA audit team and
coordinate all aspects of a complete ICAO USAP-CMA activity.

3. REQUIREMENTS FOR CERTIFICATION

3.1 Key competencies

3.1.1 Skills and knowledge requirements for USAP-CMA auditors

All ICAO USAP-CMA auditors shall, through education, work experience, auditor training and/or auditing
experience, be able to demonstrate a satisfactory level of competence in the following areas:

App B-1
Universal Security Audit Programme
App B-2 Continuous Monitoring Manual

a) knowledge of aviation security, including national-level aviation security oversight responsibilities and
operational aviation security practices and procedures;

b) ability to carry out audits of aviation security at the national (State) level and at airports;

c) knowledge of the Chicago Convention, Annex 17, the aviation security conventions, and related ICAO
guidance material;

d) ability to speak, read and write in an ICAO language;

e) ability to use office automation equipment and contemporary computer software; and

f) knowledge of ICAO auditing principles, procedures and techniques, including the ability to:

1) conduct audits in a consistent and systematic manner in varying situations and circumstances;

2) collect information through effective interviewing, listening, observing and reviewing


documentation and records;

3) verify the accuracy of collected information and confirm the sufficiency and appropriateness of
evidence to support audit findings and recommendations;

4) record audit activities through the use of appropriate work documents;

5) prepare accurate, clear and concise audit reports; and

6) communicate and interact in an international environment as part of a multinational audit team.

3.1.2 Skills and knowledge requirements for USAP-CMA TLs

TLs should have additional knowledge and skills in audit leadership to enable the management of the USAP-CMA audit
team and to ensure the overall conduct of the audit in an efficient and effective manner. Thus, the TL must satisfy all of
the knowledge and skills requirements for the USAP-CMA auditor, as set forth in 3.1.1 of this appendix, plus have a
demonstrated ability to plan, manage and lead a USAP-CMA audit team. Knowledge and skills in this area include the
ability to:

a) plan the USAP-CMA activity and make effective use of resources during the conduct of the activity;

b) represent the USAP-CMA audit team in communications with the NC and high-level State officials;

c) organize and direct USAP-CMA activity TMs;

d) lead the USAP-CMA audit team to reach audit conclusions;

e) prevent and resolve conflicts; and

f) prepare and complete the USAP-CMA audit report and related documentation.
Appendix B. Criteria for certification as an ICAO USAP-CMA auditor App B-3

3.2 Nomination by an ICAO Member State

3.2.1 All candidates for ICAO USAP-CMA auditor training and certification, other than those who are staff
members of ICAO, will be required to be nominated by an ICAO Member State. Details are contained in the State
nomination package which consists of the following two parts:

a) Part I — Nomination by Government; and

b) Part II — Nominee’s Personal History.

3.2.2 Part I — Nomination by Government. Each Member State nominating a candidate shall agree to assume
responsibility for the nominee’s transportation, accommodation and other costs to and from the auditor training course
venue. The Member State shall also certify that the nominee is medically fit and is in possession of medical insurance
coverage to meet expenses for any sickness or medical emergency during the auditor training and certification. Each
Member State shall certify that the nominee meets the following minimum qualification and experience requirements:

a) the nominee has complete fluency in an ICAO language (both spoken and written) and in the
language of instruction of the applicable ICAO USAP-CMA Auditor Training and Certification Course;

b) the nominee is an aviation security subject matter expert, with a minimum of three years’ operational
aviation security experience and extensive knowledge of aviation security using Annex 17 as a
reference;

c) appropriate background and screening checks have been conducted on the nominee to verify identity
and previous experience, including any criminal history, and the nominee has been assessed as being
suitable to have access to restricted documentation and for work in security restricted areas;

d) the State has evidence and/or personal knowledge of the truth of the statements contained in the
nominee’s personal history form regarding the nominee’s technical and specialized training record,
employment history and any auditing/technical evaluation experience;

e) the nominee is actively employed by the appropriate authority for aviation security of an ICAO Member
State in aviation security activities, and any change in this status will be notified to ASA (in certain
circumstances, nominees working for aviation industry entities, who meet all other criteria, may be
accepted as long as nominated by the government of a Member State); and

f) upon successful certification, the nominee will, as far as practicable, be made available to ICAO by the
State a minimum of once per year for at least the following two years for the purpose of conducting
USAP-CMA audits.

3.2.3 Part II — Nominee’s Personal History. Each nominee shall complete a personal history form as part of
the State nomination package and shall certify the truth of the following information:

a) relevant personal details, including language abilities;

b) technical and/or specialized training record, including diplomas and certificates acquired;

c) employment record; and

d) auditing and technical/evaluation experience.


Universal Security Audit Programme
App B-4 Continuous Monitoring Manual

3.2.4 Nomination packages will be submitted to the responsible RO who will review the packages for completeness
and perform an initial evaluation as to the suitability of candidates to participate in the training and certification process. The
nomination packages of those nominees meeting the selection criteria will be forwarded to ASA.

3.2.5 In the event that the number of nominees exceeds the space available in a particular auditor training
course, ASA shall review each nominee’s qualifications and experience and select those that it believes to be the most
qualified and suitable, while at the same time allowing for the widest geographical representation of States possible.
Nominees not accepted to a particular course due to space restrictions may resubmit their nomination for consideration
in a subsequent course.

3.2.6 In the case of candidates who are ICAO staff members and therefore not nominated by a Member State,
C/ASA shall be satisfied that the candidate meets similar experience and qualification requirements, as applicable,
(as per 3.2.2 of this appendix) prior to proceeding to training and certification, unless specially authorized by ICAO.

3.3 USAP-CMA auditor initial training and certification

3.3.1 Nominees that have been accepted by ICAO as meeting the minimum qualification and experience
requirements outlined in 3.2.2 of this appendix must successfully complete the ICAO USAP-CMA Auditor Training and
Certification Course.

3.3.2 The objectives of the USAP-CMA Auditor Training and Certification Course are to:

• provide the auditors with a thorough knowledge and understanding of the methodology, tools and
techniques used by ASA for the conduct of activities under the ICAO USAP-CMA;

• promote a shared understanding of how to evaluate the State’s aviation security and oversight
systems and the implementation of ICAO security-related SARPs;

• help auditors understand the USAP-CMA procedures and methodology;

• give the auditors the necessary information and tools to enable them to apply the USAP-CMA
methodology effectively;

• ensure awareness and the acquisition of auditing skills and techniques in an international
environment; and

• ensure consistency of performance between different audit teams.

3.3.3 The USAP-CMA Auditor Training and Certification Course is highly interactive and task-oriented, designed
to enable trainees to effectively perform selected auditing functions. Teaching methods include lectures, slides, hand-
outs, and individual and group exercises. In addition, module tests are given at the completion of each subject-matter
module in order to ensure that trainees have mastered the required skills and knowledge necessary to achieve the set
objectives of the module.

3.3.4 Due to the interactive nature of the training course, attendance will normally be limited to 15 participants.
There will be a minimum of two instructors for each course, of which at least one will be an ASA staff member. Course
instructors will normally be certified USAP auditors with extensive experience in conducting international audits and
experience in training.
Appendix B. Criteria for certification as an ICAO USAP-CMA auditor App B-5

3.3.5 In order to allow for the continual improvement of the Auditor Training and Certification Course,
participants are requested to complete and submit, on an anonymous basis, an evaluation questionnaire at the
completion of the course. Feedback is sought in the following areas:

a) the extent to which the stated course objectives were achieved;

b) the extent to which the student’s expectations for the module were met;

c) an evaluation of the class instructors;

d) an evaluation of the instructional materials and activities (including hand-out materials and module
tests); and

e) an evaluation of the facilities (classroom environment).

3.4 Certification

3.4.1 The certification process consists of four elements: module tests, exercises, a written examination and a
practical examination. Below is a description of the different elements of the certification process and how they combine
to yield each candidate’s final grade.

Module Tests

3.4.2 The candidates will be expected to complete short module tests based on modules covered. There will be
a total of 7 module tests, one each for modules 2 to 8. The purpose of these module tests is twofold:

1) as a teaching aid, they will allow the facilitators to ensure that candidates have a solid understanding
of the subject matter covered; and

2) as an evaluation tool, the combined score from these tests will provide 20 per cent of each candidate’s
final grade for the course.

Exercise

3.4.3 Module 9 of the course involves an exercise that will be used to evaluate each candidate’s knowledge, as
well as their ability to synthesize information and draft USAP audit findings and recommendations. The exercise will
provide 20 per cent of each candidate’s final grade for the course. This exercise will also provide the basis for the
practical examination outlined below.

Written Examination

3.4.4 The written examination will take place on day 6 of the training course and will be comprised of three parts:

Part I — Knowledge of aviation security (including Annex 17 SARPs and security-related provisions of
Annex 9, the Aviation Security Manual (Doc 8973 — Restricted), the Aviation Security Oversight Manual —
The Establishment and Management of a State’s Aviation Security Oversight System (Doc 10047), and
operational aviation security practices and procedures);
Universal Security Audit Programme
App B-6 Continuous Monitoring Manual

Part II — USAP-CMA methodology (principles, processes and procedures) and auditing skills and
techniques (including conflict and group management); and

Part III — Identification of security deficiencies and drafting of appropriate findings and recommendations.

3.4.5 Candidates must achieve an overall mark of at least 70 per cent on the written examination. The written
examination will provide 40 per cent of each candidate’s final grade for the course.

Practical Examination

3.4.6 The practical examination will take place immediately following the written examination. Candidates will
make presentations individually before a panel consisting of the course instructors and, whenever possible, external
members. All panel members will be certified USAP auditors.

3.4.7 The practical examination is designed to test the candidate’s knowledge and ability to react in role-playing
exercises in simulated audit conditions. Candidates will be required to conduct a post-audit debriefing and to undergo an
interview with the panel based on the completed exercises described above. During this examination, candidates will be
faced with various hypothetical scenarios and audit issues. Candidates will be evaluated according to their general
behaviour and form, the structure and content of their answers, and their ability to deal with challenges and pressure. In
addition, personal attributes and interpersonal skills, as set forth in 5.6, will be evaluated by the course instructors during
the practical examination, according to a pass/fail criterion, with particular emphasis on the display of any negative
attributes.

3.4.8 Each member of the panel will first mark the candidate individually and will then discuss these results in
order to achieve panel consensus. Candidates must achieve an overall mark of at least 70 per cent on the practical
examination. The practical examination will provide 20 per cent of each candidate’s final grade for the course.

Grading

3.4.9 In order to be certified as an ICAO USAP-CMA auditor, a candidate must pass:

a) the written examination as well as the practical examination with a grade of at least 70 per cent in
each; and

b) all four elements of the certification process with an overall grade of at least 80 per cent.

3.4.10 All certification documents (including the written examination and the results of the practical examination)
shall be forwarded to ASA who will then proceed to evaluate the training and certification outcomes to make a
determination concerning the suitability of a candidate for certification. Nominating States will be informed, and
successful candidates will be provided certificates signed by the Secretary General of ICAO designating them as
ICAO-certified USAP-CMA auditors.

3.4.11 Candidates who do not successfully pass the required components for auditor certification will not be
precluded from retaking the auditor training and certification course if nominated again by their State in accordance with
the procedures set forth in 3.2 of this appendix. However, the nominating State shall be invited to carefully consider its
nomination, particularly in light of the fact that the space available in each Auditor Training and Certification Course is
very limited and entry to the course for this reason cannot be guaranteed.
Appendix B. Criteria for certification as an ICAO USAP-CMA auditor App B-7

3.5 Certification of TLs

3.5.1 As indicated in 3.1.2 of this appendix, USAP-CMA TLs are required to possess additional knowledge and
skills in audit management and team leadership and sufficient experience in aviation security to provide guidance to the
USAP-CMA audit team in reaching audit conclusions and formulating recommendations. Thus, in addition to satisfying
all of the requirements for an ICAO USAP-CMA certified auditor as set forth above, a USAP-CMA TL must ideally meet
the following additional requirements:

a) have additional experience in an international civil aviation environment, including extensive


operational experience in aviation security with experience in the conduct of audits/
evaluations/inspections or similar oversight responsibility;

b) be an ICAO employee, whether on short- or long-term contract; and

c) perform TL OJT under the direct supervision of an experienced TL designated by C/ASA. The OJT will
be designed to test the candidate’s abilities to plan, manage and lead a USAP-CMA audit team and
will be evaluated in accordance with the TL OJT Evaluation Form.

4. MAINTAINING CERTIFICATION

4.1 USAP-CMA auditors

In order to maintain certification, all ICAO USAP-CMA auditors shall fulfil the following requirements:

a) meet at least one of the following criteria:

1) conduct a minimum of one USAP-CMA on-site audit every two years; or

2) complete a USAP-CMA auditor recurrent training and recertification course, as required;

b) continue to fulfil the requirements of 3.2.2 e) of this appendix); and

c) continue to act in compliance with the ICAO Code of Conduct for Auditors (Appendix D).

4.2 USAP-CMA TLs

In order to maintain certification as an ICAO USAP-CMA TL, auditors shall:

a) conduct a minimum of two ICAO USAP-CMA activities per year, of which at least one is as TL;

b) remain employed by ICAO; and

c) continue to act in compliance with the ICAO Code of Conduct for Auditors (Appendix D).

______________________
Appendix C

GUIDANCE FOR STATES ON DEVELOPING CAPs

The development of the CAP primarily serves the purpose of helping the State improve its own aviation security and
oversight systems by developing a detailed and logical plan to address deficiencies identified during the USAP-CMA
activity. Once a comprehensive plan is developed and submitted to ASA, the CAP will be reviewed, and the State will be
provided with any feedback that may be of use to the State.

In order for ASA to be able to review and evaluate a CAP, States must provide CAPs that meet certain criteria.

This guidance is designed to assist States in the development of effective CAPs that meet ICAO’s requirements.

Note.— If the State disagrees with the finding issued by ICAO and does not submit a CAP for the finding,
the State must provide a clear and detailed reason in the “Comments and Observations” field.

General

• Ensure that the required information for each part of the CAP is entered in the correct field of the CAP.

• Address each recommendation individually and provide comments, a proposed corrective action, an
office assigned the responsibility to implement the corrective action, and an estimated implementation
date (EID).

CAP steps and proposed action items

• Ensure that the proposed actions in a CAP directly and fully address the ICAO recommendation
related to the not satisfactory PQ. Pay attention to the Annex SARP and the CE related to the not
satisfactory PQ when developing a corrective action to address the recommendation.

• If required, break down large action items into smaller and more manageable steps.

• Describe each proposed action in a clear and detailed manner.

• List the step-by-step corrective actions in the correct sequential and/or chronological order
(e.g. establishing a requirement before implementing it).

• Provide a good and clear working plan and adequate detail for the implementation of each proposed
action.

• For PQ recommendations associated with CEs 6, 7 and 8, i.e. implementation CEs, describe the
process of implementation by providing necessary details on implementing requirements and
procedures.

App C-1
Universal Security Audit Programme
App C-2 Continuous Monitoring Manual

Action office

• Ensure that an action office is indicated for each one of the corrective action steps.

• If more than one organization or entity is involved in each step, identify and record each one clearly.

• Ensure that the action offices identified in each step of the corrective action have the authority to
complete the action, especially with respect to the promulgation of legislation and/or regulations.

• For higher level corrective actions, such as the promulgation of primary aviation legislation, enter the
name of the entity that has the authority to complete the action.

• Spell out the acronym for the title of an action office the first time it is used in the CAP; use the
acronym thereafter.

Evidence reference

• Indicate the document containing the evidence in a clear manner.

• Provide a specific and clear reference to the page, section or paragraph of the document that contains
the information that the ICAO officer needs to review and evaluate.

• Avoid broad and generic reference to a large document. Be as specific as possible.

Estimated implementation date (EID)

• State must enter an EID (starting date and completion date) for each step.

• Ensure that the EID is realistic for the action item.

• Ensure that the EID is appropriate for the priority associated with the recommendation; for example,
the State should not indicate that it will start conducting quality control activities three years from now.

• State must prioritize its corrective actions for short-, medium- and long-term actions based on priorities
associated with the recommendations.

Note.— Some proposed actions may be required on an ongoing basis. In such cases, the word
“ongoing” should be included under the “Completion Date” column.

Responding to ASA’s review

• If ASA’s initial review of the CAP reveals that the CAP does not address or only partially addresses
the PQ-related recommendations, the State must revise the CAP based on ASA feedback, ensuring
that it addresses the shortcomings indicated by ASA.
Appendix C. Guidance for States on developing CAPs App C-3

Updating CAPs

• States must also ensure that they continuously update their CAPs by indicating the:

a) level of progress for each action item as it is being implemented; and

b) the date of completion for each action item as it is completed.

• If the initial EID of an action item has passed and the action has not been completed, the State must
indicate a new EID in the CAP and advise ASA accordingly.

______________________
Appendix D

ICAO CODE OF CONDUCT FOR AUDITORS

1. As a participant of the USAP-CMA audit team, I solemnly agree to the following:

• to exercise in all loyalty, discretion and conscience the functions entrusted to me as a participant of
the USAP-CMA audit team;

• to discharge these functions to the best of my ability;

• to conduct myself with integrity, impartiality and honesty;

• to abide by the rules, procedures, and guidance set out in the ICAO Universal Security Audit
Programme Continuous Monitoring Manual;

• not to misuse my official position as part of the USAP-CMA audit team;

• not to receive benefits of any kind from a third party which might reasonably be seen to compromise
my personal judgement or integrity;

• to understand and respect the culture, customs, habits and national laws of the country in which the
audit takes place;

• to avoid giving cause for resentment and abstain from conduct which would reflect adversely on the
USAP-CMA audit team and which would prejudice ICAO;

• not to disclose any information of a confidential nature related to the findings of the USAP-CMA audit
to any other party;

• not to disclose any of the following documents to any other party:

— SASAQ and CCs when filled in by the Member State;

— PQ Worksheets;

— Personal notes;

— USAP-CMA audit report.

App D-1
Universal Security Audit Programme
App D-2 Continuous Monitoring Manual

2. If I have reason to believe I am being required to act in a way that:

• is illegal, improper or unethical;

• is in breach of the procedures set out in the ICAO Universal Security Audit Programme Continuous
Monitoring Manual;

• may involve possible misadministration or is otherwise inconsistent with the above,

I will report this matter in writing to C/ASA.

NAME: SIGNATURE:

DATE:
Appendix D. ICAO Code of Conduct for Auditors App D-3

INTERNATIONAL CIVIL SERVICE COMMISSION

STANDARDS OF CONDUCT FOR


THE INTERNATIONAL CIVIL SERVICE

2013

Introduction

1. The United Nations and the specialized agencies embody the highest aspirations of the peoples of the
world. Their aim is to save succeeding generations from the scourge of war and to enable every man, woman and child
to live in dignity and freedom.

2. The international civil service bears responsibility for translating these ideals into reality. It relies on the
great traditions of public administration that have grown up in member States: competence, integrity, impartiality,
independence and discretion. But over and above this, international civil servants have a special calling: to serve the
ideals of peace, respect for fundamental rights, economic and social progress, and international cooperation. It is
therefore incumbent on international civil servants to adhere to the highest standards of conduct; for, ultimately, it is the
international civil service that will enable the United Nations system to bring about a just and peaceful world.

Guiding principles

3. The values that are enshrined in the United Nations organizations must also be those that guide
international civil servants in all their actions: fundamental human rights, social justice, the dignity and worth of the
human person and respect for the equal rights of men and women and of nations great and small.

4. International civil servants should share the vision of their organizations. It is loyalty to this vision that
ensures the integrity and international outlook of international civil servants; a shared vision guarantees that they will
place the interests of their organization above their own and use its resources in a responsible manner.

5. The concept of integrity enshrined in the Charter of the United Nations embraces all aspects of an
international civil servant’s behaviour, including such qualities as honesty, truthfulness, impartiality and incorruptibility.
These qualities are as basic as those of competence and efficiency, also enshrined in the Charter.

6. Tolerance and understanding are basic human values. They are essential for international civil servants,
who must respect all persons equally, without any distinction whatsoever. This respect fosters a climate and a working
environment sensitive to the needs of all. To achieve this in a multicultural setting calls for a positive affirmation going
well beyond passive acceptance.

7. International loyalty means loyalty to the whole United Nations system and not only to the organization for
which one works; international civil servants have an obligation to understand and exemplify this wider loyalty. The need
for a cooperative and understanding attitude towards international civil servants of other United Nations organizations is
obviously most important where international civil servants of several organizations are serving in the same country or
region.
Universal Security Audit Programme
App D-4 Continuous Monitoring Manual

8. If the impartiality of the international civil service is to be maintained, international civil servants must
remain independent of any authority outside their organization; their conduct must reflect that independence. In keeping
with their oath of office, they should not seek nor should they accept instructions from any Government, person or entity
external to the organization. It cannot be too strongly stressed that international civil servants are not, in any sense,
representatives of Governments or other entities, nor are they proponents of their policies. This applies equally to those
on secondment from Governments and to those whose services have been made available from elsewhere.
International civil servants should be constantly aware that, through their allegiance to the Charter and the
corresponding instruments of each organization, member States and their representatives are committed to respect their
independent status.

9. Impartiality implies tolerance and restraint, particularly in dealing with political or religious convictions.
While their personal views remain inviolate, international civil servants do not have the freedom of private persons to
take sides or to express their convictions publicly on controversial matters, either individually or as members of a group,
irrespective of the medium used. This can mean that, in certain situations, personal views should be expressed only with
tact and discretion.

10. This does not mean that international civil servants have to give up their personal political views or national
perspectives. It does mean, however, that they must at all times maintain a broad international outlook and an
understanding of the international community as a whole.

11. The independence of the international civil service does not conflict with, or obscure, the fact that it is the
member States that collectively make up — in some cases with other constituents — the organization. Conduct that
furthers good relations with individual member States and that contributes to their trust and confidence in the
organizations’ secretariat strengthens the organizations and promotes their interest.

12. International civil servants who are responsible for projects in particular countries or regions may be called
upon to exercise special care in maintaining their independence. At times they might receive instructions from the host
country but this should not compromise their independence. If at any time they consider that such instructions threaten
their independence, they must consult their supervisors.

13. International civil servants at all levels are accountable and answerable for all actions carried out, as well
as decisions taken, and commitments made by them in performing their functions.

14. An international outlook stems from an understanding of and loyalty to the objectives and purposes of the
organizations of the United Nations system as set forth in their legal instruments. It implies, inter alia, respect for the
right of others to hold different points of view and follow different cultural practices. It requires a willingness to work
without bias with persons of all nationalities, religions and cultures; it calls for constant sensitivity as to how words and
actions may look to others. It requires avoidance of any expressions that could be interpreted as biased or intolerant. As
working methods can be different in different cultures, international civil servants should not be wedded to the attitudes,
working methods or work habits of their own country or region.

15. Freedom from discrimination is a basic human right. International civil servants are expected to respect the
dignity, worth and equality of all people without any distinction whatsoever. Assumptions based on stereotypes must be
assiduously avoided. One of the main tenets of the Charter is the equality of men and women, and organizations should
therefore do their utmost to promote gender equality.
Appendix D. ICAO Code of Conduct for Auditors App D-5

Working relations

16. Managers and supervisors are in positions of leadership and it is their responsibility to ensure a
harmonious workplace based on mutual respect; they should be open to all views and opinions and make sure that the
merits of staff are properly recognized. They need to provide support to them; this is particularly important when staff are
subject to criticism arising from the performance of their duties. Managers are also responsible for guiding and
motivating their staff and promoting their development.

17. Managers and supervisors serve as role models and they have therefore a special obligation to uphold the
highest standards of conduct. It is quite improper for them to solicit favours, gifts or loans from their staff; they must act
impartially, without favouritism and intimidation. In matters relating to the appointment or career of others, international
civil servants should not try to influence colleagues for personal reasons.

18. Managers and supervisors should communicate effectively with their staff and share relevant information
with them. International civil servants have a reciprocal responsibility to provide all pertinent facts and information to their
supervisors and to abide by and defend any decisions taken, even when those do not accord with their personal views.

19. International civil servants must follow the instructions they receive in connection with their official functions
and, if they have doubts as to whether an instruction is consistent with the Charter or any other constitutional instrument,
decisions of the governing bodies or administrative rules and regulations, they should first consult their supervisors. If
the international civil servant and supervisor cannot agree, the international civil servant may ask for written instructions.
These may be challenged through the proper institutional mechanisms, but any challenge should not delay carrying out
the instruction. International civil servants may also record their views in official files. They should not follow verbal or
written instructions that are manifestly inconsistent with their official functions or that threaten their safety or that of
others.

20. International civil servants have the duty to report any breach of the organization’s regulations and rules to
the official or entity within their organizations whose responsibility it is to take appropriate action, and to cooperate with
duly authorized audits and investigations. An international civil servant who reports such a breach in good faith or who
cooperates with an audit or investigation has the right to be protected against retaliation for doing so.

Harassment and abuse of authority

21. Harassment in any shape or form is an affront to human dignity and international civil servants must not
engage in any form of harassment. International civil servants have the right to a workplace environment free of
harassment or abuse. All organizations must prohibit any kind of harassment. Organizations have a duty to establish
rules and provide guidance on what constitutes harassment and abuse of authority and how unacceptable behaviour will
be addressed.

22. International civil servants must not abuse their authority or use their power or position in a manner that is
offensive, humiliating, embarrassing or intimidating to another person.

Conflict of interest

23. Conflicts of interest may occur when an international civil servant’s personal interests interfere with the
performance of his/her official duties or call into question the qualities of integrity, independence and impartiality required
the status of an international civil servant. Conflicts of interest include circumstances in which international civil servants,
directly or indirectly, may benefit improperly, or allow a third party to benefit improperly, from their association with their
organization. Conflicts of interest can arise from an international civil servant’s personal or familial dealings with third
parties, individuals, beneficiaries, or other institutions. If a conflict of interest or possible conflict of interest does arise,
Universal Security Audit Programme
App D-6 Continuous Monitoring Manual

the conflict shall be disclosed, addressed and resolved in the best interest of the organization. Questions entailing a
conflict of interest can be very sensitive and need to be treated with care.

Disclosure of information

24. International civil servants should avoid assisting third parties in their dealings with their organization
where this might lead to actual or perceived preferential treatment. This is particularly important in procurement matters
or when negotiating prospective employment. At times, international civil servants may, owing to their position or
functions in accordance with the organization’s policies, be required to disclose certain personal assets if this is
necessary to enable their organizations to make sure that there is no conflict. The organizations must ensure
confidentiality of any information so disclosed, and must use it only for defined purposes or as authorized by the
international civil servant concerned. International civil servants should also disclose in advance possible conflicts of
interest that may arise in the course of carrying out their duties and seek advice on mitigation and remediation. They
should perform their official duties and conduct their personal affairs in a manner that preserves and enhances public
confidence in their own integrity and that of their organization.

Use of the resources of United Nations organizations

25. International civil servants are responsible for safeguarding the resources of United Nations organizations
which are to be used for the purpose of delivering an organization’s mandate and to advance the best interests of the
organization. International civil servants shall use the assets, property, information and other resources of their
organizations for authorized purposes only and with care. Limited personal use of the resources of an organization, such
as electronic and communications resources, may be permitted by the organization in accordance with applicable
policies.

Post-employment restrictions

26. After leaving service with organizations of the United Nations system, international civil servants should not
take improper advantage of their former official functions and positions, including through unauthorized use or
distribution of privileged or confidential information; nor should international civil servants, including those working in
procurement services and as requisitioning officers, attempt to unduly influence the decisions of the organization in the
interest or at the request of third parties with a view to seeking an opportunity to be employed by such third parties.

Role of the secretariats (headquarters and field duty stations)

27. The main function of all secretariats is to assist legislative bodies in their work and to carry out their
decisions. The executive heads are responsible for directing and controlling the work of the secretariats. Accordingly,
when submitting proposals or advocating positions before a legislative body or committee, international civil servants are
presenting the position of the executive head, not that of an individual or organizational unit.

28. In providing services to a legislative or representative body, international civil servants should serve only
the interests of the organization, not that of an individual or organizational unit. It would not be appropriate for
international civil servants to prepare for Government or other international civil service representatives any speeches,
arguments or proposals on questions under discussion without approval of the executive head. It could, however, be
quite appropriate to provide factual information, technical advice or assistance with such tasks as the preparation of draft
resolutions.
Appendix D. ICAO Code of Conduct for Auditors App D-7

29. It is entirely improper for international civil servants to lobby or seek support from Government
representatives or members of legislative organs to obtain advancement either for themselves or for others or to block or
reverse unfavourable decisions regarding their status. By adhering to the Charter and the constitutions of the
organizations of the United Nations system, Governments have undertaken to safeguard the independence of the
international civil service; it is therefore understood that Government representatives and members of legislative bodies
will neither accede to such requests nor intervene in such matters. The proper method for an international civil servant to
address such matters is through administrative channels; each organization is responsible for providing these.

Staff-management relations

30. An enabling environment is essential for constructive staff-management relations and serves the interests
of the organizations. Relations between management and staff should be guided by mutual respect. Elected staff
representatives have a cardinal role to play in the consideration of conditions of employment and work, as well as in
matters of staff welfare. Freedom of association is a fundamental human right and international civil servants have the
right to form and join associations, unions or other groupings to promote and defend their interests. Continuing dialogue
between staff and management is indispensable. Management should facilitate this dialogue.

31. Elected staff representatives enjoy rights that derive from their status; this may include the opportunity to
address the legislative organs of their organization. These rights should be exercised in a manner that is consistent with
the Charter of the United Nations, the Universal Declaration of Human Rights and the international covenants on human
rights, and does not undermine the independence and integrity of the international civil service. In using the broad
freedom of expression they enjoy, staff representatives must exercise a sense of responsibility and avoid undue criticism
of the organization.

32. Staff representatives must be protected against discriminatory or prejudicial treatment based on their
status or activities as staff representatives, both during their term of office and after it has ended. Organizations should
avoid unwarranted interference in the administration of their staff unions or associations.

Relations with member States and legislative bodies

33. It is the clear duty of all international civil servants to maintain the best possible relations with Governments
and avoid any action that might impair this. They should not interfere in the policies or affairs of Governments. It is
unacceptable for them, either individually or collectively, to criticize or try to discredit a Government. At the same time, it
is understood that international civil servants may speak freely in support of their organizations’ policies. Any activity,
direct or indirect, to undermine or overthrow a Government constitutes serious misconduct.

34. International civil servants are not representatives of their countries, nor do they have authority to act as
liaison agents between organizations of the United Nations system and their Governments. The executive head may,
however, request an international civil servant to undertake such duties, a unique role for which international loyalty and
integrity are essential. For their part, neither Governments nor organizations should place international civil servants in a
position where their international and national loyalties may conflict.

Relations with the public

35. For an organization of the United Nations system to function successfully, it must have the support of the
public. All international civil servants therefore have a continuing responsibility to promote a better understanding of the
objectives and work of their organizations. This requires them to be well informed of the achievements of their own
organizations and to familiarize themselves with the work of the United Nations system as a whole.
Universal Security Audit Programme
App D-8 Continuous Monitoring Manual

36. There is a risk that on occasion international civil servants may be subject to criticism from outside their
organizations; in keeping with their responsibility as international civil servants, they should respond with tact and
restraint. It is the obligation of their organizations to defend them against criticism for actions taken in fulfilment of their
duties.

37. It would not be proper for international civil servants to air personal grievances or criticize their
organizations in public. International civil servants should endeavour at all times to promote a positive image of the
international civil service, in conformity with their oath of loyalty.

Relations with the media

38. Openness and transparency in relations with the media are effective means of communicating the
organizations’ messages. The organizations should have guidelines and procedures in place for which the following
principles should apply: international civil servants should regard themselves as speaking in the name of their
organizations and avoid personal references and views; in no circumstances should they use the media to further their
own interests, to air their own grievances, to reveal unauthorized information or attempt to influence their organizations’
policy decisions.

Use and protection of information

39. Because disclosure of confidential information may seriously jeopardize the efficiency and credibility of an
organization, international civil servants are responsible for exercising discretion in all matters of official business. They
must not divulge confidential information without authorization. International civil servants should not use information to
personal advantage that has not been made public and is known to them by virtue of their official position. These
obligations do not cease upon separation from service. Organizations must maintain guidelines for the use and
protection of confidential information, and it is equally necessary for such guidelines to keep pace with developments in
communications and other new technology. It is understood that these provisions do not affect established practices
governing the exchange of information between the secretariats and member States, which ensure the fullest
participation of member States in the life and work of the organizations.

Respect for different customs and culture

40. The world is home to a myriad of different peoples, languages, cultures, customs and traditions. A genuine
respect for them all is a fundamental requirement for an international civil servant. Any behaviour that is not acceptable
in a particular cultural context must be avoided. However, if a tradition is directly contrary to any human rights instrument
adopted by the United Nations system, the international civil servant must be guided by the latter. International civil
servants should avoid an ostentatious lifestyle and any display of an inflated sense of personal importance.

Security and safety

41. While an executive head assigns staff in accordance with the exigencies of the service, it is the
responsibility of organizations to ensure that the health, well-being, security and lives of their staff, without any
discrimination whatsoever, will not be subject to undue risk. The organizations should take measures to protect the
safety of their staff and that of their family members. At the same time, it is incumbent on international civil servants to
comply with all instructions designed to protect their safety.
Appendix D. ICAO Code of Conduct for Auditors App D-9

Personal conduct

42. The private life of international civil servants is their own concern and organizations should not intrude
upon it. There may be situations, however, in which the behaviour of an international civil servant may reflect on the
organization. International civil servants must therefore bear in mind that their conduct and activities outside the
workplace, even if unrelated to official duties, can compromise the image and the interests of the organizations. This can
also result from the conduct of members of international civil servants’ households, and it is the responsibility of
international civil servants to make sure that their households are fully aware of this.

43. The privileges and immunities that international civil servants enjoy are conferred upon them solely in the
interests of the organizations. They do not exempt international civil servants from observing local laws, nor do they
provide an excuse for ignoring private legal or financial obligations. It should be remembered that only the executive
head is competent to waive the immunity accorded to international civil servants or to determine its scope.

44. Violations of the law can range from serious criminal activities to trivial offences, and organizations may be
called upon to exercise judgement depending on the nature and circumstances of individual cases. A conviction by a
national court will usually, although not always, be persuasive evidence of the act for which an international civil servant
was prosecuted; acts that are generally recognized as offences by national criminal laws will normally also be
considered violations of the standards of conduct for the international civil service.

Outside employment and activities

45. The primary obligation of international civil servants is to devote their energies to the work of their
organizations. Therefore, international civil servants should not engage, without prior authorization, in any outside
activity, whether remunerated or not, that interferes with that obligation or is incompatible with their status or conflicts
with the interests of the organization. Any questions about this should be referred to the executive head.

46. Subject to the above, outside activities may, of course, be beneficial both to staff members and to their
organizations. Organizations should allow, encourage and facilitate the participation of international civil servants in
professional activities that foster contacts with private and public bodies and thus serve to maintain and enhance their
professional and technical competencies.

47. International civil servants on leave, either with or without pay, should bear in mind that they remain
international civil servants in the employ of their organization and remain subject to its rules. They may, therefore, accept
employment, paid or unpaid, during their leave only with proper authorization.

48. In view of the independence and impartiality that they must maintain, international civil servants, while
retaining the right to vote, should not participate in political activities, such as standing for or holding local or national
political office. This does not, however, preclude participation in local community or civic activities, provided that such
participation is consistent with the oath of service in the United Nations system. It is necessary for international civil
servants to exercise discretion in their support for a political party or campaign, and they should not accept or solicit
funds, write articles or make public speeches or statements to the press. These cases require the exercise of judgement
and, in case of doubt, should be referred to the executive head.

49. The significance of membership in a political party varies from country to country and it is difficult to
formulate standards that will apply in all cases. In general, international civil servants may be members of a political
party, provided its prevailing views and the obligations imposed on its members are consistent with the oath of service in
the United Nations system.
Universal Security Audit Programme
App D-10 Continuous Monitoring Manual

Gifts, honours and remuneration from outside sources

50. To protect the international civil service from any appearance of impropriety, international civil servants
must not accept, without authorization from the executive head, any honour, decoration, gift, remuneration, favour or
economic benefit of more than nominal value from any source external to their organizations; it is understood that this
includes Governments as well as commercial firms and other entities.

51. International civil servants should not accept supplementary payments or other subsidies from a
Government or any other source prior to, during or after their assignment with an organization of the United Nations
system if the payment is related to that assignment. Balancing this requirement, it is understood that Governments or
other entities, recognizing that they are at variance with the spirit of the Charter and the constitutions of the
organizations of the United Nations system, should not make or offer such payments.

Conclusion

52. The attainment of the standards of conduct for the international civil service requires the highest
commitment of all parties. International civil servants must be committed to the values, principles and standards set forth
herein. They are expected to uphold them in a positive and active manner. They should feel responsible for contributing
to the broad ideals to which they dedicated themselves in joining the United Nations system. Organizations have the
obligation to implement these standards through their policy framework, including rules, regulations and other
administrative instruments. For their part, member States are expected, through their allegiance to the Charter and other
constituent instruments, to preserve the independence and impartiality of the international civil service.

53. For these standards to be effectively applied, it is essential that they be widely disseminated and that
measures be taken and mechanisms put in place to ensure that their scope and importance are understood throughout
the international civil service, the member States and the organizations of the United Nations system.

54. Respect for these standards assures that the international civil service will continue to be an effective
instrument in fulfilling its responsibilities and in meeting the aspirations of the peoples of the world.

— END —

You might also like