9807 - Continuous Monitoring Manual - EN PDF
March 3, 2023 | Author: Anonymous | Category: N/A
Doc 9807 Universal Security Audit Programme Continuous Monitoring Manual Second Edition, 2016
Approved by and published under the authority of the Secretary General
INTERNATIONAL CIVIL AVIATION ORGANIZATION
Published in separate English, Arabic, Chinese, French, Russian and Spanish editions by the INTERNATIONAL CIVIL AVIATION ORGANIZATION, 999 Robert-Bourassa Boulevard, Montréal, Quebec, Canada H3C 5H7
For ordering information and for a complete listing of sales agents and booksellers, please go to the ICAO website at www.icao.int
First edition, 2004 Second edition, 2016
Doc 9807, Universal Security Audit Programme Continuous Monitoring Manual
Order Number: 9807
ISBN 978-92-9258-039-1
© ICAO 2016 All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, without prior permission in writing from the International Civil Aviation Organization.
AMENDMENTS
Amendments are announced in the supplements to the Products and Services Catalogue; the Catalogue and its supplements are available on the ICAO website at www.icao.int. The space below is provided to keep a record of such amendments.
RECORD OF AMENDMENTS AND CORRIGENDA
AMENDMENTS: No. | Date | Entered by
CORRIGENDA: No. | Date | Entered by
FOREWORD
This manual is the main reference document prepared in connection with the ICAO Universal Security Audit Programme (USAP). It provides procedures, information and guidance on the management and conduct of programme activities under the Continuous Monitoring Approach (CMA). USAP-CMA procedures have been developed for the implementation of the CMA concept and methodology as part of the USAP. Within the USAP-CMA, standardized processes and procedures have been established to ensure that activities are prepared, conducted and reported in a systematic, consistent, objective and established manner.
The first edition of this manual, entitled Security Audit Reference Manual (Doc 9807), was developed as a result of Assembly Resolution A33-1 of the 33rd Session of the ICAO Assembly (25 September to 5 October 2001) and the decision of the ICAO Council to implement the mandatory USAP for the conduct of aviation security audits in all ICAO Member States starting in November 2002. This second edition was developed for the transition of the USAP to a continuous monitoring approach as directed under Assembly Resolution A38-15 — Consolidated statement of continuing ICAO policies related to aviation security.
The primary objective of this manual is to assist both ICAO Member States and ICAO USAP-CMA audit teams by explaining the concept, methodology, processes and procedures for preparing, conducting and reporting various audit and monitoring activities under the USAP-CMA.
This second edition is published under the authority of the Secretary General and supersedes the first edition of this manual.
Comments on this manual would be appreciated from all ICAO Member States and interested parties. These comments should be addressed to:
The Secretary General
International Civil Aviation Organization
999 Robert-Bourassa Boulevard
Montréal, Quebec
Canada H3C 5H7
_____________________
TABLE OF CONTENTS
Glossary
  Abbreviations
  Definitions
Chapter 1. Introduction
  1.1 Purpose
  1.2 References
Chapter 2. The ICAO Universal Security Audit Programme (USAP)
  2.1 Background
  2.2 Transition to a Continuous Monitoring Approach (CMA)
  2.3 USAP-CMA principles
  2.4 Auditing principles
  2.5 Critical elements (CEs)
  2.6 Audit areas
  2.7 USAP-CMA protocol questions (PQs)
  2.8 State’s aviation security performance
  2.9 Significant security concern (SSeC)
  2.10 State aviation security activity questionnaire (SASAQ)
  2.11 Compliance checklists (CCs)
Chapter 3. The Continuous Monitoring Approach (CMA)
  3.1 USAP-CMA concept
  3.2 USAP-CMA objective
  3.3 USAP-CMA process
  3.4 Determination of a State-specific USAP-CMA activity
  3.5 Conduct of a State-specific USAP-CMA activity
  3.6 Identification and analysis of deficiencies
  3.7 Measurement of the State’s aviation security performance
  3.8 Provision of prioritized recommendations
  3.9 Evaluation of State corrective actions to address deficiencies
  3.10 Aviation security performance-related analysis
Chapter 4. Programme management
  4.1 General
  4.2 Roles and responsibilities of ICAO
  4.3 Roles and responsibilities of Member States
  4.4 Roles and responsibilities of regional aviation security oversight organizations
  4.5 Memorandum of Understanding (MoU)
  4.6 Planning and scheduling
  4.7 Programme records
  4.8 Programme quality management
  4.9 Confidentiality
  4.10 Language
  4.11 Resolution of disputes
Chapter 5. USAP-CMA audit teams
  5.1 USAP-CMA audit team composition
  5.2 Training and certification of auditors
  5.3 Team leaders
  5.4 Team members
  5.5 Competencies
  5.6 Code of Conduct
Chapter 6. USAP-CMA activity phases and procedures
  6.1 USAP-CMA activity phases
  6.2 Preparation phase
  6.3 Conduct phase
  6.4 Reporting phase
Appendix A. Generic Memorandum of Understanding (MoU)
Appendix B. Criteria for certification as an ICAO USAP-CMA auditor
Appendix C. Guidance for States on developing CAPs
Appendix D. ICAO Code of Conduct for Auditors
______________________
GLOSSARY
ABBREVIATIONS
When the following abbreviations are used in this manual, they have the meanings indicated below:
ASA      Aviation Security Audit Section
ASITF    Advanced Security in the Field
AUI      Response to acts of unlawful interference
BSITF    Basic Security in the Field
C/ASA    Chief, Aviation Security Audit Section
CAP      Corrective action plan
CC       Compliance checklist
CE       Critical element
CGO      Cargo, catering and mail security
CMA      Continuous Monitoring Approach
DSA      Daily subsistence allowance
EB       Electronic Bulletin
EI       Effective implementation
EID      Estimated implementation date
FAL      Security aspects of facilitation
ICAO     International Civil Aviation Organization
IFS      Aircraft and in-flight security
ISD-SEC  Implementation Support and Development – Security Section
LEG      Regulatory framework and the national civil aviation security system
LEI      Lack of effective implementation
MoU      Memorandum of Understanding
NC       National Coordinator
NCASP    National Civil Aviation Security Programme
NCASTP   National Civil Aviation Security Training Programme
NQCP     National Civil Aviation Security Quality Control Programme
OJT      On-the-job training
OPS      Airport operations
PAX      Passenger and baggage security
PQ       Protocol question
QCF      Quality control functions
RO       Regional Office
ROASF    Regional Officer, Aviation Security and Facilitation
SARPs    Standards and Recommended Practices
SASAQ    State aviation security activity questionnaire
SSeC     Significant security concern
SSG      Secretariat Study Group
TCB      Technical Cooperation Bureau
TL       Team leader
TLO      Technical Liaison Officer
TM       Team member
TRG      Training of aviation security personnel
UIC      Committee on Unlawful Interference
USAP     Universal Security Audit Programme
USOAP    Universal Safety Oversight Audit Programme
DEFINITIONS
When the following terms are used in this manual, they have the meanings indicated below:
Adequate. The state of fulfilling minimal requirements: satisfactory; acceptable; sufficient.
Assessment. An appraisal of procedures or operations based largely on experience and professional judgement.
Audit area. One of nine audit areas pertaining to the USAP-CMA, i.e. regulatory framework and the national civil aviation security system (LEG); training of aviation security personnel (TRG); quality control functions (QCF); airport operations (OPS); aircraft and in-flight security (IFS); passenger and baggage security (PAX); cargo, catering and mail security (CGO); response to acts of unlawful interference (AUI); and security aspects of facilitation (FAL).
Audited State. An ICAO Member State that is the subject of a USAP-CMA audit.
Certification. The process of determining that a person possesses the key competencies and personal attributes required of an ICAO USAP-CMA auditor.
Compliance. The state of meeting the requirements of an ICAO Standard.
Compliance checklist (CC). A tool designed to assist the State in ascertaining the status of implementation of Annex 17 SARPs and Annex 9 security-related provisions and in identifying any difference that may exist between the national regulations and practices and the relevant provisions in Annex 17 and Annex 9 to the Chicago Convention.
Corrective action plan (CAP). An action plan submitted to ICAO by an audited State, detailing the specific action that the State proposes to take to correct deficiencies identified during the USAP-CMA audit.
Cost-recovery audit. A USAP-CMA audit for which the cost of transportation to and from the State, local transportation and the daily subsistence allowance (DSA) of the ICAO audit team members (TMs) is covered by the State requesting such an audit.
Critical elements (CEs). The building blocks, encompassing the whole spectrum of civil aviation security activities, upon which an effective aviation security oversight system is based. The level of effective implementation (EI) of the CEs is an indication of a State’s capability for aviation security oversight.
Deficiency. A condition where the State’s aviation security oversight system does not satisfactorily address a protocol question (PQ) used to measure the EI of the CEs and the degree of compliance with Standards of Annex 17 or security-related provisions of Annex 9. As a result, the status of the associated PQ is marked not satisfactory. One or more related deficiencies may be grouped together to identify a finding.
Effective implementation (EI). A measure of a State’s aviation security oversight and compliance capabilities, calculated for each CE, each audit area, each Annex 17 Standard and Annex 9 security-related provision or as an overall value for all USAP-CMA PQs. The EI is expressed as a percentage. A higher EI indicates that a State’s aviation security and oversight systems have a greater degree of compliance with ICAO security-related provisions.
Finding. A deficiency or a group of deficiencies generated in a USAP-CMA activity as a result of a lack of compliance with Annex 17 Standards and/or security-related provisions of Annex 9, or a lack of application of ICAO guidance material or good aviation security practices.
Mitigating measure. The implementation of defences or preventive controls to lower the severity and/or likelihood of a threat’s projected consequence.
National briefing. A meeting of the ICAO USAP-CMA audit team and representatives of the audited State at the beginning of the USAP-CMA on-site audit, the purpose of which is to provide State authorities with information on the USAP-CMA audit scope, processes and procedures.
Off-site activity. A USAP-CMA documentation-based audit of a State conducted by an ICAO USAP-CMA team leader (TL) at ICAO Headquarters without an on-site visit to the State.
On-site activity. A USAP-CMA activity requiring a USAP-CMA audit team to travel to a State and conduct a USAP-CMA on-site audit.
Oversight. The active control of the aviation industry and service providers by the appropriate authority for aviation security or other relevant national-level entities, as designated by the State, to ensure that the State’s international obligations and national requirements are met.
Post-audit debriefing. A meeting of the ICAO USAP-CMA audit team and representatives of the audited State at the end of the USAP-CMA audit, the purpose of which is to provide State authorities with a briefing on the audit findings and proposed recommendations to enable the State to begin development of its corrective action plan (CAP).
Procedure. A series of steps followed in a methodical manner to complete an activity or a process, describing what should be done, when and by whom; where and how each step should be carried out; what information, documentation and resources should be used; and how it should all be controlled.
Process. A set of interrelated or interacting activities that transforms inputs into outputs. Processes within an organization or programme are generally planned and carried out under controlled conditions to add value.
Protocol question (PQ). The primary tool used in the USAP-CMA for assessing the level of implementation of CEs of a State’s aviation security oversight system and the degree of a State’s compliance with Annex 17 Standards and security-related provisions of Annex 9.
Recertification. The process whereby certified USAP-CMA auditors periodically undergo recurrent training and demonstrate that they continue to possess the key competencies and personal attributes required of an ICAO USAP-CMA auditor.
Scope. A set of PQs addressed and covered in a USAP-CMA activity.
Sensitive security information. Non-public information relating to capabilities and/or deficiencies of a State’s aviation security and oversight systems.
Significant security concern (SSeC). Occurs when the appropriate authority responsible for aviation security in the State permits aviation activities to continue, despite a lack of effective implementation (LEI) of the minimum security requirements established by the State and by the provisions set forth in Annex 17 related to critical aviation security controls, including, but not limited to, the screening and the protection from unauthorized interference of passengers, cabin and hold baggage; the security of cargo and catering; access control to restricted and security-restricted areas of airports; and the security of departing aircraft resulting in an immediate security risk to international civil aviation.
SSeC Validation Committee. A high-level Secretariat Committee responsible for the review, confirmation and validation of the SSeC and its resolution.
State aviation security activity questionnaire (SASAQ). A document that provides the USAP-CMA audit team with information on the security organization of a Member State, identifying the departments, agencies and other organizations of the State, both private and public, responsible for the implementation of various aspects of the National Civil Aviation Security Programme (NCASP).
State’s aviation security performance. A State’s aviation security capability defined as the State’s level of implementation of the CEs of an aviation security oversight system and the State’s degree of compliance with Annex 17 Standards and security-related provisions of Annex 9.
State’s aviation security performance indicators. A set of parameters used for measuring a State’s aviation security performance.
USAP-CMA audit. A USAP-CMA on-site or off-site activity during which ICAO conducts a systematic and objective evaluation of a Member State’s aviation security and oversight systems to assess the level of implementation of the CEs of a State’s aviation security oversight system and to determine the degree of compliance with Annex 17 Standards and security-related provisions of Annex 9, as well as associated procedures, guidance material and security-related practices.
USAP-CMA audit activities. Those activities and procedures by which information is obtained to verify the audited State’s level of implementation of the CEs of an aviation security oversight system and the degree of compliance with Standards of Annex 17 and security-related provisions of Annex 9. Such activities may include, but are not limited to, interviews, observations and the review of documents.
USAP-CMA audit report. A confidential formal report of a USAP-CMA activity containing full details of the findings and recommendations.
USAP-CMA audit team briefing. An on-site pre-audit briefing provided to TMs by the TL, the purpose of which is to provide information and instructions directly related to the conduct of an audit in a specific State.
USAP-CMA audit team leader. The individual designated by the Chief, Aviation Security Audit Section (C/ASA) to be responsible for the preparation and conduct of a USAP-CMA activity, including the consolidation and completion of the USAP-CMA audit report.
Verification. The independent review, examination, measurement, checking, observation and monitoring to establish and document that the products, processes, practices, services and documents conform to specified standards. This includes evaluating effectiveness of management systems.
Note.— Definitions of security-related terms applicable to the USAP-CMA activity process may be found in Annex 17 — Security — Safeguarding International Civil Aviation Against Acts of Unlawful Interference, Annex 9 — Facilitation, the Aviation Security Manual (Doc 8973 — Restricted) and the Aviation Security Oversight Manual — The Establishment and Management of a State’s Aviation Security Oversight System (Doc 10047).
______________________
Chapter 1
INTRODUCTION
1.1 PURPOSE
1.1.1 The primary purpose of this manual is to describe the Universal Security Audit Programme Continuous Monitoring Approach (USAP-CMA) and to provide guidance to ICAO Member States (hereinafter referred to as Member States or States), recognized organizations, USAP-CMA audit team leaders (TLs) and audit team members (TMs) and support staff involved in the planning, preparation, conduct and reporting of USAP-CMA activities.
1.1.2 It also provides information on the background and evolution of the USAP, along with an explanation of its management and various components and standardized processes and procedures which ensure that USAP-CMA activities are conducted in a systematic and consistent manner.
1.2 REFERENCES
1.2.1 The USAP-CMA references the Convention on International Civil Aviation (Doc 7300) (hereinafter referred to as the Chicago Convention), ICAO Standards and Recommended Practices (SARPs) of Annex 17 — Security — Safeguarding International Civil Aviation Against Acts of Unlawful Interference and security-related provisions of Annex 9 — Facilitation to the Chicago Convention and related guidance material, including but not limited to:
a) Aviation Security Manual (Doc 8973 — Restricted); and
b) Aviation Security Oversight Manual — The Establishment and Management of a State’s Aviation Security Oversight System (Doc 10047).
1.2.2 Together, these documents provide guidance material on how States can comply with the various SARPs of Annex 17, as well as describe the requirements and guidelines for the establishment and management of effective aviation security and oversight systems by States. This implementation will be continuously monitored under the USAP-CMA framework and verified during USAP-CMA activities.
1.2.3 In support of the Programme, ICAO has also developed training materials for regional USAP-CMA seminars and USAP auditor training and certification courses.
Note.— The Products and Services Catalogue provides a complete list of ICAO guidance material available to States to support the requirements of security-related provisions contained in the Annexes to the Chicago Convention.
Chapter 2 THE ICAO UNIVERSAL SECURITY AUDIT PROGRAMME (USAP)
2.1 BACKGROUND
2.1.1 The 33rd Session of the ICAO Assembly, held in Montreal from 25 September to 5 October 2001, adopted Resolution A33-1, Declaration on misuse of civil aircraft as weapons of destruction and other terrorist acts involving civil aviation, which directed the Council and Secretary General to consider the establishment of an ICAO Universal Security Audit Programme (USAP) relating to, inter alia, airport security arrangements and civil aviation security programmes.
2.1.2 Pursuant to Assembly Resolution A33-1, a High-level, Ministerial Conference on Aviation Security was convened in Montreal on 19 and 20 February 2002, with the objectives of preventing, combating and eradicating acts of terrorism involving civil aviation and strengthening ICAO’s role in the adoption of security-related SARPs and the audit of their implementation.
2.1.3 The Conference endorsed a global strategy for strengthening aviation security worldwide, adopted a number of conclusions and recommendations, and issued a public declaration. A central element of the strategy was the ICAO Aviation Security Plan of Action, which included, inter alia, the establishment of a comprehensive programme of regular, mandatory, systematic and harmonized audits to be carried out by ICAO for the evaluation of aviation security in all ICAO Member States.
2.1.4 Consistent with the outcomes of the 33rd Session of the Assembly and the High-level, Ministerial Conference on Aviation Security, the Council, at its 166th Session, adopted the Aviation Security Plan of Action in June 2002. Project 3 of the Plan of Action provided for the promotion of global aviation security through auditing of Member States. Thus, the ICAO USAP was launched in November 2002. Subsequent sessions of the Council and the Committee on Unlawful Interference (UIC) endorsed the audit methodology which was developed for the USAP in close consultation with the Aviation Security Panel, including a model Memorandum of Understanding (MoU) between ICAO and audited States, airport selection criteria, and certification criteria for auditors, and established a practice of regularly monitoring the progress of the USAP through the review of progress reports prepared by the Secretariat.
2.1.5 Assembly Resolution A35-9, Consolidated statement of continuing ICAO policies related to the safeguarding of international civil aviation against acts of unlawful interference, directed the Secretary General to continue the USAP, comprising regular, mandatory, systematic and harmonized aviation security audits of all Member States, with such audits conducted at both national and airport levels in order to evaluate the aviation security oversight capabilities of States as well as the actual security measures in place at selected key airports.
2.1.6 From 2002 to 2007, 181 Member States benefited from ICAO audits under the first cycle of the USAP. The objective of the Programme was to promote global aviation security through the auditing of Member States on a regular basis to determine the status of implementation of ICAO security Standards. The USAP first-cycle audits were designed to determine the degree of compliance of a State in implementing Annex 17 Standards and the extent to which a State's implementation of its aviation security system is sustainable through the establishment of appropriate legislation and an aviation security authority with inspection and enforcement capabilities. The USAP methodology provided for a significant portion of the ICAO audit to be dedicated to making actual observations of security measures and procedures at airports in situ, in order to have direct evidence of the degree of implementation of each Annex 17 Standard. This
approach provided a comprehensive picture of the overall aviation security posture of States and resulted in recommendations for improvement that could be directed at all facets of the aviation security systems of States.
2.1.7 In accordance with the programme of audit follow-up visits initiated in 2005, follow-up visits were conducted to validate the implementation of the corrective action plans (CAPs) of States and to provide support to States in remedying deficiencies identified during the USAP first-cycle audits. These visits were normally conducted in the second year following the initial audit. The programme of audit follow-up visits, under which 172 Member States received follow-up visits, was completed in 2009.
2.1.8 Recognizing that the USAP proved to be instrumental in identifying aviation security concerns and providing recommendations for their resolution, the 36th Session of the Assembly, in Resolution A36-20, requested the Council to ensure the continuation of the USAP following the initial cycle of audits at the end of 2007 focusing, wherever possible, on a State’s capability to provide appropriate national oversight of its aviation security activities through the effective implementation (EI) of the critical elements (CEs) of an aviation security oversight system and expanding future audits to include relevant security-related provisions of Annex 9 — Facilitation to the Chicago Convention.
2.1.9 Aviation security audits under the second cycle of the USAP commenced in January 2008 and were completed in June 2013. The objective of the USAP second-cycle audits was to promote global aviation security through the auditing of Member States, on a regular basis, to determine their capability for aviation security oversight by assessing the EI of the CEs of an aviation security oversight system and the status of States’ implementation of security-related ICAO SARPs, associated procedures, guidance material and security-related practices. In total, audits of 177 ICAO Member States and one Special Administrative Region were conducted under the USAP second cycle, as well as an assessment of the European Commission aviation security inspection system.
2.1.10 Detailed information on the results of the audits of the USAP first and second cycle is contained in the supplementary document entitled Universal Security Audit Programme — Analysis of Audit Results, Fifth Edition — 2013. This document is available through the USAP secure website: http://portallogin.icao.int.
2.2 TRANSITION TO A CONTINUOUS MONITORING APPROACH (CMA)
2.2.1 In order to prepare for the continuation of the USAP beyond 2013, the 37th Session of the Assembly (Resolution A37-17, Appendix E refers) requested the Council to assess the feasibility of extending the Continuous Monitoring Approach (CMA) being applied by the Universal Safety Oversight Audit Programme (USOAP) to the USAP after the conclusion of the USAP second cycle of audits. Accordingly, the Council at its 187th Session, directed the Secretary General to study the feasibility of applying a CMA to the USAP.
2.2.2 A study on the application of a CMA to the USAP was initiated by the Secretariat with a view to:
• adopting a more comprehensive and proactive approach which may allow for future audit activities to be prioritized and better focused on identification of deficiencies in the aviation security systems of Member States while maintaining the principle of universality;
• ensuring ongoing compliance of Member States with ICAO security-related provisions while assessing the aviation security oversight capabilities of States; and
• making more effective and efficient use of the resources available to the Programme.
2.2.3 A Secretariat Study Group (SSG) was established in 2011 in order to assist the Secretariat in evaluating this study and in considering options for the evolution and future direction of the USAP beyond the end of its second cycle, in line with the Council’s decision. After considering a number of options for the evolution of the USAP, the SSG
concluded that, in order to ensure efficiency, long-term sustainability and cost effectiveness of the USAP, the Programme should move towards a CMA specific to aviation security, while incorporating risk-management elements. The study also suggested that a transition period be established prior to launching the USAP-CMA and described the necessary activities to be undertaken during this period to ensure a smooth transition. These recommendations were presented to the Twenty-third Meeting of the Aviation Security Panel, which expressed support for the concept of a USAP-CMA that combines continuous monitoring with a risk-based approach to aviation security auditing.
2.2.4 The High-Level Conference on Aviation Security convened in Montreal in September 2012 expressed strong support for the transition of the USAP to a CMA that combines both continuous monitoring and risk-based elements while maintaining the rigour of the audit process and methodology. It was widely recognized that the USAP is an essential tool in enabling States to identify their own deficiencies and then implement corrective actions to address those deficiencies either directly or through assistance provided by other States or organizations. The Conference also supported the notion that the USAP-CMA should provide ICAO with the necessary flexibility in determining the type of audit and monitoring activity appropriate for each State based on the status of its aviation security and oversight systems and other risk indicators.
2.2.5 The Council, during its 197th Session, formally approved the USAP-CMA and the transition plan. This decision was further endorsed by the 38th Session of the Assembly (Resolution A38-15, Appendix E refers).
2.2.6 The 1½-year transition to the USAP-CMA took place from July 2013 to December 2014, and the USAP-CMA was fully launched on 1 January 2015, as scheduled and approved by the Council during its 197th Session. The USAP-CMA transition plan included numerous tasks, such as:
a) development of a new USAP-CMA activity management and analysis software for aviation security data collection, analysis and measurement while ensuring confidentiality of sensitive security information;
b) development of the USAP-CMA methodology, protocol questions (PQs), tools, procedures and supporting documentation;
c) training and certification/recertification of aviation security experts and existing USAP auditors for participation in USAP-CMA on-site activities as TMs;
d) conduct of USAP-CMA regional seminars in all ICAO regions to familiarize Member States with the USAP-CMA methodology, tools, procedures and processes;
e) conduct of USAP-CMA on-site test audits in selected States; and
f) development and expansion of agreements with relevant partners to foster coordination and cooperation.
2.3 USAP–CMA PRINCIPLES
2.3.1 The principles of the USAP were first established at the inception of the Programme in 2002. Since that time, these underlying principles have remained unchanged and valid, with the exception of the principle of confidentiality of audit results. The principle of confidentiality has been modified for the second cycle of USAP audits and further modified for the USAP-CMA, with the approval of the Council of ICAO. The USAP-CMA principles are listed below.
2.3.2 Sovereignty. Every State has complete and exclusive sovereignty over the airspace above its territory. Accordingly, ICAO fully respects a sovereign State’s responsibility and authority for oversight of aviation security, including its decision-making powers with respect to implementing corrective actions related to identified deficiencies.
2.3.3 Universality. All Member States will be subject to continuous audit and monitoring activities by ICAO, in accordance with the principles, methodology, processes and procedures established for conducting such activities, and on the basis of the MoU signed between ICAO and each Member State, though the types and frequency of USAP-CMA audit and monitoring activities undertaken for each Member State may differ.
2.3.4 Transparency of methodology. The USAP-CMA activity procedures and processes will be made available to all Member States.
2.3.5 Timeliness. Results of USAP-CMA activities will be produced and submitted on a timely basis in accordance with a predetermined schedule for their preparation and submission.
2.3.6 All-inclusiveness. The scope of the USAP-CMA includes Annex 17 Standards and security-related provisions of Annex 9. It is expected to expand the scope of the USAP-CMA at appropriate times to include all security-related provisions contained in other Annexes to the Chicago Convention, in order to ensure their effective implementation in the civil aviation systems of Member States.
2.3.7 Consistency and objectivity. USAP-CMA activities will be conducted in a consistent and objective manner. Standardization and uniformity in the scope, depth and quality of USAP-CMA activities will be assured through training and certification of all auditors, the use of standardized PQs and the provision of relevant guidance material.
2.3.8 Fairness. USAP-CMA activities will be conducted in a manner such that Member States are given the opportunity to monitor, comment on and respond to the USAP-CMA processes, but must do so within an established time frame.
2.3.9 Quality. The quality of USAP-CMA activities will be ensured by assigning trained and certified auditors to conduct USAP-CMA activities in accordance with widely recognized auditing concepts, as well as by implementing an internal quality control system within the Aviation Security Audit Section (ASA) that continually monitors and evaluates feedback received from USAP-CMA stakeholders to ensure their ongoing satisfaction.
2.3.10 Confidentiality. Sensitive security information collected as part of the USAP-CMA will be protected from unauthorized disclosure. Accordingly, USAP-CMA audit reports will be confidential and will only be made available to the audited State and ICAO staff on a need-to-know basis. However, in the interests of promoting global aviation security, a limited level of disclosure will apply whereby charts depicting the level of implementation of the CEs of an aviation security oversight system by a Member State and an indication of the degree of compliance by a Member State with Annex 17 Standards, as well as information pertaining to the existence of unresolved significant security concerns (SSeCs) in a Member State will be made available to all Member States on the USAP secure website.
Note.— The principle of confidentiality is described in detail in 4.9.
2.4 AUDITING PRINCIPLES
2.4.1 The following auditing principles apply to USAP-CMA activities, in accordance with ISO 19011:2011 — Guidelines for Auditing Management Systems.
a) Integrity: the foundation of professionalism. Auditors should: perform their work with honesty, diligence, and responsibility; observe and comply with any applicable legal requirements; demonstrate their competence while performing their work; perform their work in an impartial manner, i.e. remain fair and unbiased in all their dealings; be sensitive to any influences that may be exerted on their judgement while carrying out an audit.
b) Fair presentation: the obligation to report truthfully and accurately. Audit findings, audit conclusions and audit reports should reflect truthfully and accurately the audit activities. Significant obstacles encountered during the audit and unresolved diverging opinions between the audit team and the auditee should be reported. The communication should be truthful, accurate, objective, timely, clear and complete.
c) Due professional care: the application of diligence and judgement in auditing. Auditors should exercise due care in accordance with the importance of the task they perform and the confidence placed in them by Member States and other interested parties. An important factor in carrying out their work with due professional care is having the ability to make reasoned judgements in all audit situations.
d) Confidentiality: security of information. Auditors should exercise discretion in the use and protection of information acquired in the course of their duties. Audit information should not be used inappropriately for personal gain by the auditor, or in a manner detrimental to the legitimate interests of the auditee. This concept includes the proper handling of sensitive or confidential information.
e) Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions. Auditors should be independent of the activity being audited and should in all cases act in a manner that is free from bias and conflict of interest. Auditors should maintain objectivity throughout the audit process to ensure that the audit findings and conclusions are based only on the audit evidence.
f) Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process. Audit evidence should be verifiable. It will in general be based on samples of the information available, since an audit is conducted during a finite period of time and with finite resources. An appropriate use of sampling should be applied, since this is closely related to the confidence that can be placed in the audit conclusions.
2.5 CRITICAL ELEMENTS (CEs)
2.5.1 CEs are the main building blocks of a State’s aviation security oversight system required for the effective implementation of security-related standards and associated procedures. Each Member State should address all CEs in its efforts to establish and implement an effective aviation security oversight system that reflects the shared responsibility of the State and the aviation community. CEs of an aviation security oversight system cover the whole spectrum of civil aviation security activities. The level of implementation of the CEs is an indication of a State's capability for aviation security oversight and compliance with security-related SARPs.
2.5.2 ICAO has defined the following CEs of a State’s aviation security oversight system (see the Aviation Security Oversight Manual — The Establishment and Management of a State’s Aviation Security Oversight System (Doc 10047)):
CE-1. Primary aviation security legislation. The provision of a comprehensive and effective legislative framework, consistent with the environment and complexity of the State’s civil aviation operations, to effect the establishment and implementation of the State’s aviation security policies and requirements in conformance with Annex 17 SARPs and security-related provisions contained in other Annexes to the Chicago Convention.
CE-2. Aviation security programmes and regulations. The provision of necessary national-level programmes and adequate regulations to address, at a minimum, national requirements emanating from the primary aviation security legislation and providing for standardized implementation procedures, equipment and infrastructures (including security management and training systems) in conformance with Annex 17 SARPs and security-related provisions contained in other Annexes to the Chicago Convention.
Note.— The term “regulations” is used in a generic sense to include policies, requirements, rules, instructions, edicts, directives, orders, etc., that are enforceable in the State. The specific status given to a regulation when it is applied within the State and the penalty assigned in the event of non-compliance are internal matters subject to the discretion of individual States, taking into account their responsibilities under the Chicago Convention.
CE-3. State appropriate authority for aviation security and its responsibilities. The designation of an appropriate national authority for aviation security supported by appropriate technical and non-technical staff and provided with adequate financial resources. The State appropriate authority must have aviation security regulatory functions, objectives and policies. This element also includes the definition and allocation of tasks and coordination of activities between government agencies and airport-level entities concerned with or responsible for the implementation of various aspects of the NCASP, as well as arranging for the supporting resources and facilities required for aviation security to be available at airports serving civil aviation.
CE-4. Personnel qualifications and training. The establishment of minimum knowledge and experience requirements for the technical personnel performing aviation security oversight functions and the provision of appropriate training to these personnel to maintain and enhance their competence at the desired level. The training should include initial, on-the-job and recurrent training. This element also includes the provision of training to entities involved in the implementation of applicable aviation security requirements, measures and procedures.
Note.— The technical personnel may be from an organization engaged by the appropriate authority to provide State oversight functions on its behalf.
CE-5. Provision of technical guidance, tools and security-critical information. The provision of technical guidance (including processes and procedures), tools (including facilities and equipment) and security-critical information, as applicable, to the technical personnel to enable them to perform their aviation security oversight functions in accordance with established requirements and in a standardized manner. This element also includes the provision of technical guidance by the appropriate authority to entities responsible for the implementation of applicable aviation security requirements, measures and procedures.
CE-6. Certification and approval obligations. The implementation of processes and procedures to ensure that personnel and entities performing an aviation security activity meet the established requirements (such as certification systems for security screeners and aviation security instructors, and a system to ensure that entities responsible for the implementation of security measures and procedures have established security programmes consistent with all relevant national requirements) before they are allowed to conduct the relevant activity.
CE-7. Quality control obligations. The implementation of processes, such as audits, inspections, surveys and tests, to proactively ensure that entities authorized and/or approved to perform an aviation security activity continue to meet the established requirements and operate at the level of competency and security required by the State. This includes the monitoring of designated personnel who perform security oversight functions on behalf of the appropriate authority.
CE-8. Resolution of security concerns. The implementation of processes and procedures to resolve identified deficiencies impacting aviation security, which may have been residing in the aviation security system and have been detected by the appropriate authority or other appropriate bodies. This includes the ability to analyse security deficiencies, provide recommendations, support the resolution of identified deficiencies by implementing follow-up procedures to validate the effective implementation of corrective actions, as well as take enforcement action when appropriate.
2.5.3 CEs 1 through 5 (collectively known as “establishment CEs”) are mainly related to “establishment”, i.e. they indicate that the addressed provision must be fully and effectively established within the State’s aviation security oversight system. CEs 6 through 8 (collectively known as “implementation CEs”) are related to “implementation”, i.e. they indicate that the addressed provision must be fully and effectively implemented within the State’s aviation security oversight system.
2.6 AUDIT AREAS
The following nine audit areas have been identified as functional areas for the conduct of audits under the USAP-CMA:
1. Regulatory framework and the national civil aviation security system (LEG): the primary aviation security legislative framework; national aviation security requirements and amendment procedures; the National Civil Aviation Security Programme (NCASP); empowerment of national aviation security inspectors, threat evaluation and risk assessment; international cooperation; the appropriate authority for aviation security; allocation of tasks and coordination of activities;
2. Training of aviation security personnel (TRG): the National Civil Aviation Security Training Programme (NCASTP); training of national aviation security inspectors and airport-level aviation security personnel; certification of security screeners and aviation security instructors;
3. Quality control functions (QCF): the establishment and implementation of a National Civil Aviation Security Quality Control Programme (NQCP) to determine compliance with and validate the effectiveness of the NCASP and to ensure that sustainable and appropriate corrective actions are implemented;
4. Airport operations (OPS): the airport aviation security organization and administration; the airport security programme; the supporting resources and facilities for aviation security services; access control and security control measures to the airside and security restricted areas of the airport;
5. Aircraft and in-flight security (IFS): aircraft operator security programmes; aircraft protection and in-flight security measures;
6. Passenger and baggage security (PAX): the measures and procedures for screening of originating and transfer/transit passengers and their cabin/hold baggage;
7. Cargo, catering and mail security (CGO): the supply chain security process; the measures and procedures for security controls of cargo, catering and mail;
8. Response to acts of unlawful interference (AUI): airport-level contingency plans; national- and airport-level measures and procedures for the management of responses to acts of unlawful interference; and
9. Security aspects of facilitation (FAL): the national air transport facilitation programme; coordination between security and facilitation activities; security and inspection of travel documents; border control measures and procedures.
2.7 USAP-CMA PROTOCOL QUESTIONS (PQs)
2.7.1 The USAP-CMA PQs serve as the primary tool for the conduct of USAP-CMA activities aimed at assessing the level of implementation of the CEs of a State’s aviation security oversight system, as well as a State’s degree of compliance with Annex 17 Standards and security-related provisions of Annex 9. The use of standardized PQs ensures transparency, consistency, reliability and fairness of the audit process, as well as enhances confidence in audit results.
2.7.2 The USAP-CMA PQs are based on Annex 17 Standards, security-related provisions of Annex 9 and associated ICAO guidance material. Each PQ refers to one Annex 17 Standard or Annex 9 security-related provision and to one CE. The PQs are divided into the nine audit areas specific to each subject covered, as described in 2.6, which assists in planning a USAP-CMA audit and facilitates effective allocation of tasks to USAP-CMA audit team participants.
2.7.3 The USAP-CMA PQs cover all elements of a State’s aviation security and oversight systems which are subject to audit and monitoring. Although the PQs serve as a checklist of items to be verified, the evidence required to validate the answer to each PQ only serves as a guide to ensure that a minimum amount of information is consistently verified in all States. While following the best international practices derived from the ICAO relevant guidance material in terms of evidence for review/observation as an acceptable means of compliance, the USAP-CMA PQs are, at the same time, sufficiently flexible to allow for the appropriate evaluation of other means of compliance based on the scope, complexity and specifics of the aviation security activity in each State.
2.7.4 ASA amends and updates the USAP-CMA PQs on a periodic basis to reflect the latest changes in Annex 17 Standards, security-related provisions of Annex 9 and related guidance material to include emerging issues in civil aviation and to harmonize and improve PQ references and content. PQ amendments incorporate input from the ICAO Aviation Security Panel, USAP mission TMs and external stakeholders.
2.7.5 States are encouraged to use the USAP-CMA PQs to perform self-assessments. As a priority, States may conduct a self-assessment:
a) on PQs that were found not satisfactory in a previous USAP activity;
b) on new PQs introduced through the PQ amendment process — these PQs will have an undetermined status until they are assessed through an appropriate type of USAP-CMA activity; or
c) in case of any changes in their aviation security system, programmes, regulations and/or procedures to determine whether these changes impact the status of any PQs.
2.7.6 The self-assessment is important for States in order to prepare for a USAP-CMA activity. Each PQ includes information on ICAO references that helps identify a specific Annex 17 Standard or Annex 9 security-related provision related to the PQ. Each PQ also includes guidance for review and examples of what the State needs to establish and implement to comply with the ICAO provision outlined in the PQ; this is also an indication of the type of evidence that the USAP-CMA audit team will be looking for during a USAP-CMA activity. The CE linked to each PQ is also an indication for States — CEs 1 to 5 indicate that the State must establish the ICAO provision outlined in the PQ and CEs 6 to 8 indicate that the State must implement the established provision.
2.7.7 As indicated above, USAP-CMA PQs also serve as a tool for States to conduct regular self-assessments in order to actively monitor and report the health of their aviation security and oversight systems on a continuous basis. States can use PQs to conduct scheduled internal audits of their aviation security and oversight systems. Thus, States can actively monitor their own systems in a proactive manner to identify and resolve deficiencies.
Note.— The USAP-CMA PQs are available on the USAP secure website.
2.8 STATE’S AVIATION SECURITY PERFORMANCE
2.8.1 The State’s aviation security performance is defined as the State’s level of implementation of the CEs of an aviation security oversight system and the State’s status of implementation of Annex 17 Standards and security-related provisions of Annex 9, associated procedures, guidance material and security-related practices.
2.8.2 The EI is a measure of the State’s aviation security oversight and compliance capabilities. A higher EI indicates that a State’s aviation security and oversight systems have a greater degree of compliance with ICAO security-related provisions. The EI is calculated for any group of PQs, based on the following formula:
$$\text{EI (\%)} = \frac{\text{number of satisfactory PQs within the group}}{\text{number of satisfactory PQs} + \text{number of not satisfactory PQs within the group}} \times 100$$
2.8.3 Thus, the EI can be calculated for each CE, each audit area, each Annex 17 Standard or Annex 9 security-related provision and as an overall value for all USAP-CMA PQs. The USAP-CMA uses the following indicators to measure the State’s aviation security performance:
2.8.4
a)
Oversight Ove rsight Indicator — — average average EI of the eight CEs of a State’s aviation security oversight system; system;
b)
Compliance Indicator — — average EI of Annex 17 Standards and average EI of security-related provisions of Annex 9; and
c)
USAP-CMA PQ Indicator — EI — EI of USAP-CMA PQs, i.e. the percentage of satisfactory USAP-CMA PQs.
In addition to the EI, a lack of effective implementation (LEI) is also calculated for certain analyses. The LEI is simply the inverse of the EI and is calculated as:
LEI (%) = 100 – EI (%)
Note 1.— For the Compliance Indicator, the term “compliance” is used instead of EI. Thus, the State’s Compliance Indicator is, in other words, the average compliance with Annex 17 Standards and the average compliance with security-related provisions of Annex 9.
Note 2.— The Compliance Indicator provides only a picture of indicative compliance of the State with Standards of Annex 17 and security-related provisions of Annex 9 derived from observations made at the time of the USAP-CMA audit by the USAP-CMA audit team at the airport(s) selected for observation. It does not provide a definitive measure of the State’s overall compliance with Standards of Annex 17 and security-related provisions of Annex 9.
2.8.5 Aviation security performance indicators provide a system of measurement to ICAO to assess the oversight and compliance capabilities of States and serve as data trending charts to track and monitor any changes in those capabilities.
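The following added example (not part of the ICAO manual, and not an ICAO tool) computes the EI per CE, the Oversight Indicator, the USAP-CMA PQ Indicator and the LEI from a set of PQ results, together with the average EIs of establishment and implementation CEs referred to in 3.4.1. The sample counts are constructed, the "undetermined" status is the one described in 3.4.5, and skipping a CE with no assessed PQs when averaging is an assumption of this example.

```python
"""EI indicators from PQ results, following the formulas in section 2.8."""
from collections import defaultdict
from statistics import mean

SATISFACTORY = "satisfactory"
NOT_SATISFACTORY = "not satisfactory"
UNDETERMINED = "undetermined"  # counted in neither term of the EI formula

ESTABLISHMENT_CES = range(1, 6)   # CEs 1 to 5: provision must be established
IMPLEMENTATION_CES = range(6, 9)  # CEs 6 to 8: provision must be implemented
ALL_CES = range(1, 9)

# Constructed sample, not real audit data:
# (CE, satisfactory, not satisfactory, undetermined) PQ counts.
SAMPLE_COUNTS = [
    (1, 4, 0, 0), (2, 1, 1, 0), (3, 2, 0, 0), (4, 3, 1, 0),
    (5, 1, 1, 0), (6, 2, 2, 0), (7, 0, 2, 0), (8, 1, 3, 1),
]


def build_sample(counts):
    """Expand per-CE counts into one record per PQ."""
    pqs = []
    for ce, sat, not_sat, undet in counts:
        for status, n in ((SATISFACTORY, sat), (NOT_SATISFACTORY, not_sat),
                          (UNDETERMINED, undet)):
            pqs.extend({"ce": ce, "status": status} for _ in range(n))
    return pqs


def ei(statuses):
    """EI (%) of a group of PQ statuses; None when nothing was assessed."""
    sat = sum(1 for s in statuses if s == SATISFACTORY)
    not_sat = sum(1 for s in statuses if s == NOT_SATISFACTORY)
    if sat + not_sat == 0:
        return None  # avoids dividing by zero for an unassessed group
    return 100.0 * sat / (sat + not_sat)


def lei(ei_value):
    """LEI (%) = 100 - EI (%)."""
    return None if ei_value is None else 100.0 - ei_value


def ei_by_ce(pqs):
    """EI for each of the eight CEs."""
    groups = defaultdict(list)
    for pq in pqs:
        groups[pq["ce"]].append(pq["status"])
    return {ce: ei(groups.get(ce, [])) for ce in ALL_CES}


def average_ei(per_ce, ces):
    """Mean of per-CE EIs; CEs without assessed PQs are skipped (assumption)."""
    values = [per_ce[ce] for ce in ces if per_ce[ce] is not None]
    return mean(values) if values else None


def indicators(pqs):
    """Oversight Indicator, establishment/implementation averages, PQ Indicator."""
    per_ce = ei_by_ce(pqs)
    return {
        "ei_by_ce": per_ce,
        "oversight_indicator": average_ei(per_ce, ALL_CES),
        "establishment_avg": average_ei(per_ce, ESTABLISHMENT_CES),
        "implementation_avg": average_ei(per_ce, IMPLEMENTATION_CES),
        # Pooled over all PQs, so it differs from the average of per-CE EIs.
        "pq_indicator": ei([pq["status"] for pq in pqs]),
    }


if __name__ == "__main__":
    result = indicators(build_sample(SAMPLE_COUNTS))
    for ce, value in result["ei_by_ce"].items():
        print(f"CE-{ce}: EI = {value:.1f}%  LEI = {lei(value):.1f}%")
    print(f"Oversight Indicator: {result['oversight_indicator']:.2f}%")
    print(f"Establishment CEs average EI: {result['establishment_avg']:.2f}%")
    print(f"Implementation CEs average EI: {result['implementation_avg']:.2f}%")
    print(f"USAP-CMA PQ Indicator: {result['pq_indicator']:.2f}%")
```

With the constructed sample the Oversight Indicator (an average of eight per-CE percentages) and the USAP-CMA PQ Indicator (one percentage over all assessed PQs) come out different, because CEs with few PQs weigh as much as CEs with many in the former.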
2.9 SIGNIFICANT SECURITY CONCERN (SSeC)
2.9.1 Under the USAP second-cycle audit report production process, a final aviation security audit report was forwarded to the audited State within 60 calendar days after the closing meeting of the audit. The State then had 60 calendar days to submit a CAP. However, USAP auditors sometimes encountered situations that revealed SSeCs that might pose an immediate security risk to international civil aviation. In the absence of a mechanism to address these SSeCs in a timely manner, corrective action might not have been taken by the audited State before the CAP was submitted to ICAO approximately four months after the audit.
2.9.2 In June 2008, the ICAO Council considered a procedure, within the scope of Article 54 j) of the Chicago Convention, that would enable disclosure of information regarding a State having significant compliance shortcomings with respect to security-related SARPs, including failure to act in accordance with its security oversight obligations and failure to carry out recommendations of the Council. The Council requested that issues related to the security risk indicators and the concept of SSeC be referred to the Aviation Security Panel for discussion.
2.9.3 The Council, during its 187th Session, endorsed the Aviation Security Panel’s recommendation to establish an SSG to review and develop the security risk indicators associated with the application of Article 54 j) to aviation security and the definition of SSeC, including a mechanism to enable the rapid resolution of such concerns identified under the USAP.
2.9.4 The Council, during its 189th Session, considered and approved the proposals of the SSG related to:
a) the security risk indicators:
   1) failure or refusal to participate in significant aspects of the USAP audit process, including, but not limited to, pre-audit, on-site and corrective action requirements;
   2) failure to resolve critical security-related deficiencies identified in the USAP process;
   3) level or nature of activity inconsistent with security oversight capability; and
   4) security incidents linked to deficiencies in a State’s security oversight responsibilities and obligations.
b) the definition of SSeC: “A significant security concern occurs when the appropriate authority responsible for aviation security in the State permits aviation activities to continue, despite lack of effective implementation of the minimum security requirements established by the State and by the provisions set forth in Annex 17 — Security related to critical aviation security controls including, but not limited to, the screening and the protection from unauthorized interference of passengers, cabin and hold baggage; the security of cargo and catering; access control to restricted and security-restricted areas of airports; and the security of departing aircraft resulting in an immediate security risk to international civil aviation.”
c) the associated mechanism to address SSeCs identified during a USAP audit in a timely manner. The SSeC mechanism was further revised by the Council during its 208th Session based on the Aviation Security Panel’s recommendation.
2.9.5 SSeC mechanism. An SSeC identified during the course of a USAP-CMA on-site activity will be described to the audited State as a preliminary SSeC during the post-audit debriefing, at the conclusion of the audit. If the preliminary SSeC is validated and confirmed by the SSeC Validation Committee at ICAO Headquarters, ICAO notifies the audited State, within 15 calendar days following the post-audit debriefing, by providing the State with the SSeC finding and recommendation. The State is then requested to implement, within 15 days following notification, immediate corrective action to resolve or mitigate the SSeC and advise ICAO. If no corrective action to resolve or mitigate the SSeC is implemented and provided to ICAO within the prescribed time frame, ICAO informs all Member States that an SSeC has been identified and remains unresolved, by publishing an Electronic Bulletin (EB), which includes the name of the State with an SSeC. In addition, the name of the State and the number of unresolved SSeCs are also posted on the USAP secure website. Furthermore, if the SSeCs are not resolved within three months of being posted, ICAO identifies on the USAP secure website the audit area(s) related to unresolved SSeCs.
2.9.6 The Council, during its 208th Session, endorsed the Aviation Security Panel’s recommendation, whereby the ICAO Secretariat should include the name of States with SSeCs in the EB sent to all Member States, and should identify through the USAP secure website the audit area(s) related to the SSeC(s) if these are not resolved within three months of being posted.
2.9.7 ASA has developed internal procedures describing in detail the different phases of the SSeC mechanism, including the identification, confirmation and resolution of SSeCs.
2.10 STATE AVIATION SECURITY ACTIVITY QUESTIONNAIRE (SASAQ)
2.10.1 The State aviation security activity questionnaire (SASAQ) is designed to collect comprehensive and specific information on each State’s aviation security activities, including legislative, regulatory, organizational, operational, technical and administrative details. Each State shall submit to ICAO, no later than 60 calendar days prior to the start of a USAP-CMA activity, a completed SASAQ designed to provide ICAO with preliminary information concerning the State’s aviation security and oversight systems.
2.10.2 States are required to update their SASAQ regularly in order to assist ASA in monitoring the level of aviation security activities in States related to each audit area and in prioritizing and planning USAP-CMA activities.
2.10.3 ICAO will revise the SASAQ template periodically.
2.10.4 The State Quality Control Activity Summary Form is an attachment to the SASAQ and has been created to facilitate States in the provision of information regarding their oversight activities which will be used within the framework of the USAP-CMA.
Note.— The SASAQ and the State Quality Control Activity Summary Form are available on the USAP secure website.
2.11 COMPLIANCE CHECKLISTS (CCs)
2.11.1 States are required to complete and maintain up to date compliance checklists (CCs), which contain information on the State’s compliance with Annex 17 SARPs and security-related provisions of Annex 9. The completion of the CCs by Member States will:
a) provide authorized users with an overview of the level of implementation of relevant ICAO provisions; and
b) enable Member States to identify any difference which may exist between their own practices and those established by relevant ICAO Standards.
2.11.2 ICAO will revise the CCs template periodically subsequent to amendments to Annex 17 SARPs or to security-related provisions of Annex 9.
Note.— The CCs are available on the USAP secure website.
______________________
Chapter 3 THE CONTINUOUS MONITORING APPROACH (CMA)
3.1 USAP-CMA CONCEPT
3.1.1 The USAP-CMA is designed to promote global aviation security through auditing and monitoring aviation security performance of Member States on an ongoing basis.
3.1.2 The USAP-CMA is a shift from the traditional cyclical audit approach, which provides only a “snapshot” of a State’s aviation security system at a given point in time, to a more continuous monitoring of a State’s oversight and compliance capabilities. This enables ICAO to develop and maintain an ongoing, updated picture of the aviation security situation in Member States.
3.1.3 The USAP-CMA incorporates a risk-based approach to auditing, by establishing the priorities and frequency of audit and monitoring activities based on various key parameters reflecting the changes in the aviation security situation in Member States, while taking into consideration any oversight activities and information provided by regional regulatory/oversight bodies. This leads to a more efficient use of resources of both ICAO and the Member States, thus ensuring long-term and cost-effective programme management for the Organization.
3.1.4 The USAP-CMA provides for a system that does not apply a one-size-fits-all approach to auditing. Rather, the USAP-CMA incorporates a performance-based approach to auditing which enables increased flexibility in determining the real needs of Member States and allows for a customized approach for each Member State. This is achieved by proposing activities of different types and scope based on aviation security performance indicators of States, which provide an indication of the level of security of the civil aviation system and the effectiveness of the aviation security oversight system in place in Member States.
3.1.5 Under the USAP-CMA, the principle of universality is maintained as all Member States are subject to continuous audit and monitoring activities by ICAO, in accordance with the principles, methodology, processes and procedures established for conducting such activities, and on the basis of the MoU signed by ICAO and each Member State. The priorities, frequency, type and scope of such activities will vary based on each Member State’s specific circumstances.
3.1.6 The USAP-CMA forms an integral part of ICAO’s overall aviation security framework, which encompasses policy, audits and assistance. The USAP-CMA generates up-to-date State-specific and regional data which provides useful and critical information to facilitate the provision of targeted and tailored assistance to States, while also providing valuable feedback to ICAO for the development of SARPs and guidance material. The USAP-CMA, therefore, is a key driver for both the provision of effective assistance with a view to enabling States to improve their aviation security and oversight systems in compliance with ICAO security-related SARPs, and for policy development.
3.2 USAP-CMA OBJECTIVE
The objective of the USAP-CMA is to promote global aviation security through continuous auditing and monitoring the aviation security performance of Member States. This objective is achieved by:
• regularly and continuously obtaining and analysing data on the aviation security performance of Member States;
• identifying deficiencies in the overall aviation security performance of Member States and assessing the risks associated with such deficiencies;
• providing prioritized recommendations to assist Member States in addressing identified deficiencies;
• evaluating and validating corrective actions taken by Member States; and
• re-assessing the aviation security performance of Member States in order to continuously enhance their aviation security oversight and compliance capabilities.
3.3 USAP-CMA PROCESS
3.3.1 The USAP-CMA process consists of the following components:
a) determination of State-specific USAP-CMA activity;
b) conduct of State-specific USAP-CMA activity;
c) identification and analysis of deficiencies;
d) measurement of the State’s aviation security performance;
e) provision of prioritized recommendations; and
f) evaluation of State corrective actions to address deficiencies.
3.3.2 These components enable ICAO to continuously audit and monitor the aviation security performance of Member States. Figure 3-1 shows the USAP-CMA process components.
Figure 3-1. USAP-CMA process components (boxes: Determine State-specific USAP-CMA activity; Conduct State-specific USAP-CMA activity; Identify and analyse deficiencies; Measure State’s aviation security performance; Provide prioritized recommendations; Evaluate State’s corrective actions to address deficiencies)
3.4 DETERMINATION OF A STATE-SPECIFIC USAP-CMA ACTIVITY
3.4.1 The USAP-CMA takes into consideration the varying levels of development and maturity of aviation security and oversight systems of Member States, and incorporates a variety of audit and monitoring activities tailored to each Member State’s aviation security situation as part of the strategy for promoting the enhancement of global aviation security on a continuous basis. The determination of a specific type of USAP-CMA activity for a given State will be made by ASA using defined criteria based on:
a) the results of the previous USAP activity;
b) the State’s aviation security performance indicators, in particular the average EIs of establishment CEs and implementation CEs;
c) updates on CAP implementation; and
d) updated information submitted by the State through the SASAQ.
3.4.2 The USAP-CMA activities include:
a) documentation-based audits;
b) oversight-focused audits;
c) compliance-focused audits; and
d) other audit and monitoring activities.
Documentation-based audits
3.4.3 Documentation-based audits are conducted primarily by correspondence between ICAO Headquarters and the States concerned and include increased requirements for submission of documentation by States. States identified for documentation-based audits could still receive on-site audits, as appropriate. Any specific areas of concern are identified and addressed either remotely from ICAO Headquarters or by means of a physical visit to the State concerned. Documentation-based audits may identify potential SSeCs, requiring a USAP-CMA on-site audit.
3.4.4 The scope of documentation-based audits will include a tailored set of core PQs related to the implementation of continuous processes within the State’s aviation security oversight system, such as amendment of national aviation security requirements, coordination of aviation security activities at the national and airport levels, training of aviation security personnel, certification and approval obligations, quality control activities and resolution of security concerns. This set of PQs will be augmented by additional PQs based on previous USAP audit results of the State, the updated CAP, new Annex provisions, the State quality control activity results derived from the State Quality Control Activity Summary Form, any significant change in the State’s aviation security and oversight systems and acts of unlawful interference in the State. Failure by the State to provide required documentation and information will make the State ineligible for a documentation-based audit, and the State will be scheduled for a USAP-CMA on-site audit.
3.4.5 Documentation-based audits will primarily measure the State’s aviation security oversight system, while also giving a strong indication of the State’s degree of regulatory compliance with Annex 17 Standards and security-related provisions of Annex 9 to the Chicago Convention. Certain PQs related to the operational implementation of security measures under Annex 17 and security-related provisions of Annex 9 will be marked as undetermined until their status is assessed through a USAP-CMA on-site activity.
Oversight-focused audits
3.4.6 Oversight-focused audits are conducted by means of on-site audits similar to USAP second-cycle audits, and include the review of national-level regulations and programmes, such as the NCASP, the NCASTP and the NQCP, followed by spot checks conducted at the airport(s) selected for observation to verify the effectiveness of aviation security requirements and measures on the ground. The scope of oversight-focused audits might be full, covering all USAP-CMA audit areas, or partial, covering one or more audit areas, based on previous USAP audit results, as well as on other information available to ICAO.
3.4.7 A fundamental component of oversight-focused audits is the review of the implementation of the State’s NQCP, i.e. the evaluation of the effectiveness of the State’s quality control measures which may be defined as the surveillance techniques and activities used by the State to assess its civil aviation security system and, whenever required, to resolve identified deficiencies. This review is based on the assessment of three major issues related to the implementation of the NQCP:
— the adequacy of compliance monitoring activities;
— the effectiveness of compliance monitoring activities; and
— the availability of national aviation security inspectors for compliance monitoring.
3.4.8 Adequacy of compliance monitoring activities. Standards 3.4.5 and 3.4.6 of Annex 17 require each Contracting State to:
— ensure that the implementation of security measures is regularly subjected to verification of compliance with the NCASP; and
— arrange for security audits, tests, surveys and inspections to be conducted on a regular basis, to verify compliance with the NCASP and to provide for the rapid and effective rectification of any deficiencies.
3.4.9 To this end, the USAP-CMA audit should make an assessment of the frequency and scope of the State’s monitoring activities. The frequency of national monitoring activities should be established in the NQCP. The verification therefore should confirm if the NQCP does establish minimum frequencies for at least security audits and inspections. The USAP-CMA audit should also assess if the monitoring activities carried out at the national level are sufficiently frequent and if the priorities and frequency of national monitoring activities are determined on the basis of risk assessment carried out by the relevant authorities, as required by Standard 3.4.5 of Annex 17.
3.4.10 It should be noted that there is no requirement to inspect every airport every year but, as a general rule, one should consider that airports with an annual traffic volume of more than 10 million passengers should be subject to a security audit covering all aviation security standards at least every 4 years. At airports with an annual traffic volume of more than 2 million passengers, the minimum frequency for inspecting all sets of directly linked security measures in the areas of airport security, aircraft security, passenger and cabin/hold baggage security and cargo/mail security should be at least every 12 months, unless an audit has been carried out at the airport during that time. The frequency for inspecting all security measures related to airport and in-flight supplies, staff recruitment and training and security equipment may be determined based on a risk assessment. Where a State has no airport with an annual traffic volume exceeding 2 million passengers, the above requirement should apply to the airport in the State with the greatest annual traffic volume.
Note.— A set of directly linked security measures is a set of two or more requirements that impact on each other so closely that achievement of the objective cannot be adequately assessed unless they are considered together.
3.4.11 The USAP-CMA audit should also assess if the monitoring activities carried out ensured a regular monitoring of all airports and entities situated in the State. Therefore, the USAP-CMA audit should assess the scope of the State’s monitoring activities and the deployment of a variety of quality control activities, as required by Standard 3.4.6 of Annex 17. To this end, a representative sample of national quality control activity reports should be analysed for the last two years. The verification should allow to establish if all security measures were monitored at least once, if a suitable combination of compliance monitoring types (security audits, inspections and tests) were used and if the minimum frequencies for security audits and inspections were met.
3.4.12 Effectiveness of compliance monitoring activities. The USAP-CMA audit should assess if the common methodology requirements are respected, if rapid and effective rectification of deficiencies takes place and if enforcement powers are available and used whenever appropriate.
3.4.13 Regarding the common methodology, the verification of a representative sample of national quality control activity reports should confirm that:
— a standardized approach was used for the conduct of audits, inspections and tests, which included planning, preparation, on-site activity, the classification of findings, the debriefing and reporting/recording, the correction process and monitoring;
— a systematic gathering of information by means of observations, interviews and review of documents was employed;
— the compliance monitoring activities undertaken did include announced and unannounced activities;
— a harmonized classification system of compliance was used; and
— the quality control activity reports include elements such as the date and time of the activity, entity monitored, type and scope of the activity, findings with the corresponding provisions of the NCASP, classification of compliance, recommendations for remedial actions and time frame for correction, where appropriate.
3.4.14 Regarding the rapid and effective rectification of deficiencies, the assessment of the selected sample of national quality control activity reports should allow to confirm if rapid and effective rectification takes place. The USAP-CMA audit should also verify if the appropriate authority systematically requires the submission of CAPs together with a timeframe for implementation of the remedial actions and if it actively follows up on the rectification process. In addition, the visit of the airport(s) selected for observation will confirm actual rectification to be verified in the field.
3.4.15 Regarding the enforcement powers, the USAP-CMA audit should establish if the appropriate authority has been invested with enforcement powers, including the power to impose penalties, and also actually uses them whenever appropriate. Samples of enforcement actions applied during the monitoring should be analysed. The audit should also verify if a graduated and proportionate approach is established regarding deficiency correction activities and enforcement measures, and if the national aviation security inspectors are provided with sufficient authority to obtain the information necessary to carry out their tasks.
3.4.16 Availability of national aviation security inspectors for compliance monitoring activities. An assessment of available human resources for national compliance monitoring activities needs to be conducted and should include such factors as independence, competencies, initial, on-the-job and recurrent training. To this end, the frequency of the different monitoring activities, their scope, as well as the number of follow-up activities should be analysed. An insufficient number of monitoring activities is a clear indication that the available human resources are either insufficient or used for purposes other than monitoring compliance. Hence, the number of national aviation security inspectors available, and the actual number of hours spent monitoring compliance in the field, are two crucial elements.
3.4.17 The USAP-CMA audit will validate information obtained from the SASAQ on the number of airports in the State serving civil aviation and their size in terms of passenger/cargo traffic, the number of national and foreign aircraft operators providing service from the State, as well as the number of regulated agents, known consignors, known airport and in-flight suppliers, as applicable. These figures will be used to establish if the man-days invested in national monitoring activities reflect the number of airports, aircraft operators and entities to be monitored.
3.4.18 The verification of the effectiveness of national monitoring activities at the airport level should take place at the airport(s) selected for observation. Prior to the verification, all national monitoring reports relating to the airport should be carefully analysed to identify deficiencies previously detected and the status of deficiency rectification. The on-site verification should then establish:
a) if deficiency rectification actually took place;
b) which areas were still deficient; and
c) if there are any other areas with shortcomings that were not identified in national quality control activity reports.
Compliance-focused audits
3.4.19 Compliance-focused audits are conducted by means of on-site audits, similar to USAP second-cycle audits, and include the review of national-level regulations and programmes, followed by more detailed observations of the implementation of security measures by various airport-level entities at the airport(s) selected for observation to assess the State’s compliance with relevant SARPs. These full-scale or partial audits will focus on a set of PQs related to CE-1 to CE-6 and include more observations of the implementation of security measures on the ground using CE-8-related PQs. The status of the PQs related to CE-7 would be determined as satisfactory or not satisfactory based on the level of maturity of the national quality control system.
Other audit and monitoring activities
3.4.20 Cost-recovery audits. USAP-CMA cost-recovery audits may be conducted at the request of a Member State and will be accommodated as resources and time permit. The methodology for USAP-CMA cost-recovery audits will be the same as for compliance-focused audits or oversight-focused audits, as applicable. However, ICAO identifies the need for compliance-focused or oversight-focused audits and determines their scope, whereas the type, scope and scheduling of any USAP-CMA cost-recovery audit will require agreement between ICAO and the State, and will be assessed by ICAO on a case-by-case basis. The results of USAP-CMA cost-recovery audits will be treated in the same manner as the results from regularly scheduled USAP-CMA activities, including the possibility of invoking the SSeC mechanism.
3.4.21 Validation missions. ICAO will plan and conduct on-site validation missions to specifically assess and validate corrective actions implemented by the State to resolve or mitigate SSeCs. A State may also request ICAO to conduct an on-site cost-recovery validation mission to assess and validate the CAP implemented by the State to address previously identified deficiencies. Such cost-recovery validation missions will be considered as USAP-CMA cost-recovery audits with specific audit scope and will be accommodated as resources and time permit.
3.4.22 Referral for assistance. The experience of the first and second cycles of USAP audits has demonstrated that a small number of States are not in a position to derive full benefit from an audit. Under the USAP-CMA, such States will be referred to the Implementation Support and Development — Security Programme and the Technical Cooperation Programme for needs assessment surveys and for subsequent determination and provision of appropriate assistance. ASA will monitor such assistance activities in coordination with the Implementation Support and Development — Security Section (ISD-SEC) to determine the appropriate timing for a USAP-CMA activity to be conducted in those States.
3.5 CONDUCT OF A STATE-SPECIFIC USAP-CMA ACTIVITY
3.5.1 USAP-CMA activities are conducted based on available resources and in accordance with the roles, responsibilities and procedures described throughout this manual. ASA conducts an appropriate type of USAP-CMA (on-site or off-site) activity for States included in the annual schedule of USAP-CMA activities, as determined through the planning and scheduling process described in 4.6.
3.5.2 The conduct of a State-specific USAP-CMA activity is a systematic and objective assessment of the State’s aviation security and oversight systems, using USAP-CMA PQs, which allows ASA to collect and document evidence presented and/or submitted by the State in support of the implementation of Annex 17 Standards and security-related provisions of Annex 9, as well as the CEs of a State’s aviation security oversight system. The conduct of a USAP-CMA activity serves as a data collection process necessary to evaluate the State’s aviation security performance. The conduct phase of the USAP-CMA activity is described in detail in 6.3.
3.6 IDENTIFICATION AND ANALYSIS OF DEFICIENCIES
3.6.1 Analysis of data collected during the conduct of a USAP-CMA activity allows the identification of deficiencies, if any, in the State’s aviation security performance, which adversely affect the State’s oversight and compliance capabilities. Identified deficiencies are subjected to risk assessment in terms of their impact on the State’s aviation security and oversight systems.
3.6.2 The USAP-CMA utilizes a classification system for USAP-CMA PQs, whereby each PQ is classified based on its significance in terms of impact on aviation security. The purpose of the classification system is not to differentiate between related Annex provisions in terms of their importance, but rather to provide States with a mechanism for prioritizing their corrective actions to rectify identified deficiencies and allocate resources accordingly. The classification system uses “Low”, “Medium”, “High” and “Very high” priorities for classifying USAP-CMA PQs.
3.6.3 The deficiencies identified following a State-specific USAP-CMA activity are prioritized on the basis of associated PQs. The identified deficiencies are further subjected to analysis by ASA within the context of State-specific audit results in terms of associated risks, which may entail upgrading or downgrading the priorities of certain deficiencies.
3.7
MEASUREMENT OF THE STATE’S AVIATION SECURITY PERFORMANCE
3.7.1 The final output of the State’s aviation security performance audit and monitoring process is the measurement of the State’s aviation security performance indicators based on the analysis of data collected through the USAP-CMA activity. By analysing all pertinent data derived from the USAP-CMA activity results, the State’s aviation security performance is measured using the indicators defined in 2.8.
3.7.2 The State’s Oversight Indicator depicts the State’s overall level of implementation of the CEs of an aviation security oversight system, while the State’s Compliance Indicator provides only a picture of indicative compliance of the State with Annex 17 Standards and security-related provisions of Annex 9. The State’s USAP-CMA PQ Indicator provides the percentage of PQs found satisfactory during the USAP-CMA activity.
3.8
PROVISION OF PRIORITIZED RECOMMENDATIONS
For each not satisfactory PQ, a recommendation is provided to the State for implementation in order to rectify the identified deficiency related to that PQ. Under the USAP-CMA, the recommendations are prioritized based on the nature of the deficiencies they address. This will provide States with a clear strategy to help prioritize their own corrective actions and allocation of resources to best address identified deficiencies.
3.9
EVALUATION OF STATE CORRECTIVE ACTIONS TO ADDRESS DEFICIENCIES
3.9.1 In the event that action for improvement is recommended by ICAO following completion of a USAP-CMA audit, the State is responsible for developing a CAP defining the corrective actions it plans to take to resolve any deficiencies identified in its aviation security and oversight systems.
3.9.2 CAP review. The State’s CAP will be reviewed by an ASA TL who will provide feedback on the acceptability of the CAP, as necessary. If any proposed corrective actions do not fully address the associated findings and recommendations, the State will be notified accordingly and requested to resubmit its CAP.
3.9.3 CAP evaluation. The State’s CAP, including progress updates, will be evaluated by ASA to measure (unvalidated) progress achieved by the State in the rectification of deficiencies identified by the USAP-CMA audit. Such evaluations may result in updating the State’s USAP-CMA key parameters. States should continue sending information to ASA on the progress made in the implementation of their CAPs.
3.9.4 CAP validation. The validation of progress made by the State in the implementation of its CAP to address previously identified deficiencies will be included in the scope of the subsequent USAP-CMA activity for the State. ICAO may opt to conduct an off-site validation at ICAO Headquarters, as part of the subsequent USAP-CMA off-site activity for the State, which may typically address PQ findings associated with establishment CEs, provided that the State submits sufficient and tangible evidence of their full implementation. Corrective actions related to PQ findings associated with implementation CEs do not qualify for an off-site validation and must be assessed and validated on-site as part of the subsequent USAP-CMA on-site activity for the State.
3.9.5 The results of subsequent USAP-CMA activities for the State, including changes in the SSeC status, if any, will be reflected in the State’s aviation security performance indicators. Any such update will also result in updating the State’s USAP-CMA key parameters. Continuous improvement in the State’s oversight and compliance capabilities is measured through the monitoring of the State’s aviation security performance indicators.
3.10
AVIATION SECURITY PERFORMANCE-RELATED ANALYSIS
3.10.1 ASA uses a dedicated USAP-CMA activity management and analysis software for recording and analysing the USAP-CMA activity results and for the production of USAP-CMA audit reports. The software allows continuous monitoring and reporting of security-related information received from Member States through USAP-CMA activities, including monitoring the aviation security performance indicators of States using basic quantitative data trending tools that generate graphs or charts. This enhances the effectiveness and efficiency of the USAP-CMA in identifying deficiencies and associated security risks.
3.10.2 The software also facilitates the administration and management of USAP-CMA PQs and PQ findings. As each PQ is associated with one CE and one Annex 17 Standard or one security-related provision of Annex 9, the software allows the tracking of the status of implementation of the PQs and the analysis of not satisfactory PQs by CE or by ICAO SARP. This allows ASA to conduct global, regional, sub-regional and State-specific analysis of USAP-CMA activity results by any grouping of PQs, CEs or ICAO SARPs. Such analysis enables ICAO to identify common deficiencies and define measures to assist its Member States.
______________________
Chapter 4 PROGRAMME MANAGEMENT
4.1
GENERAL
4.1.1 In order to effectively manage and ensure the success of the USAP-CMA, all components of the programme, including roles and responsibilities of each entity, the required resources and procedures, are clearly defined in this chapter.
4.1.2 The effective implementation of the USAP-CMA depends on partnerships, communication and exchange of information between ICAO, Member States and regional organizations, who all have a specific, defined role.
4.1.3 Implemented within the USAP-CMA, ASA’s internal procedures provide the mechanisms to effectively implement established processes, monitor and review the components of the USAP-CMA, determine the need for corrective or preventive action and identify opportunities for improvement. It also allows ICAO to collect and analyse data to measure the satisfaction level of stakeholders with the USAP-CMA and to take appropriate actions to improve USAP-CMA processes, procedures and components.
Note.— The roles and responsibilities outlined in this chapter solely pertain to the USAP-CMA processes and are not intended to provide a comprehensive description of roles and responsibilities of individuals, entities and organizations beyond the scope of this manual and the USAP-CMA.
4.2
ROLES AND RESPONSIBILITIES OF ICAO
4.2.1 Within the scope of the USAP-CMA, the Secretary General of ICAO is the convening authority for USAP-CMA activities in accordance with the annual activity plan.
4.2.2 The Chief, Aviation Security Audit Section (C/ASA), in coordination with other relevant sections and ICAO Regional Offices (ROs), is responsible for the administration, implementation and management of the USAP-CMA on a day-to-day basis and for approving all USAP-CMA audit reports.
4.2.3 ASA is responsible for managing the overall development, implementation, maintenance and quality of the USAP-CMA, including, but not limited to:
a)
monitoring the State’s USAP-CMA key parameters to identify and prioritize appropriate USAP-CMA activities;
b)
developing and updating the annual schedule of USAP-CMA activities in coordination with ROs, which includes the list of States to be subjected to USAP-CMA activities, the dates of USAP-CMA activities and the composition of USAP-CMA audit teams;
c)
providing timely notification to States regarding scheduled USAP-CMA activities and audit team composition;
d)
providing guidance and information to States to prepare for the conduct of USAP-CMA activities;
e)
ensuring coordination between States and ASA in a timely manner on all issues related to the USAP-CMA, including facilitating the exchange of information and documents between the TL and the National Coordinator (NC) and ensuring that all appropriate arrangements have been made for the conduct of the USAP-CMA activity;
f)
developing and conducting regional USAP-CMA seminars;
g)
developing, conducting and overseeing USAP-CMA auditor training and certification courses;
h)
selecting and assigning appropriately qualified TLs and TMs to conduct USAP-CMA on-site activities in accordance with the qualification standards established in this manual and in coordination with the respective ROs;
i)
maintaining a roster of certified USAP-CMA auditors;
j)
managing the conduct of USAP-CMA activities;
k)
developing and implementing the tools and processes required for implementing USAP-CMA components and conducting activities;
l)
monitoring the progress of States in submitting and updating required information;
m)
monitoring the status of findings and/or SSeCs;
n)
assessing the acceptability of CAPs submitted by States;
o)
assessing and monitoring corrective actions and mitigating measures proposed by States;
p)
updating the State’s aviation security performance indicators;
q)
developing and overseeing the implementation of information security instructions to protect sensitive security information collected through the USAP-CMA activity process from unauthorized disclosure;
r)
developing working papers and reports for the Assembly, the ICAO Council, the UIC and the Aviation Security Panel on the implementation of the USAP-CMA and progress made in resolving identified deficiencies, and improving the global EI of the eight CEs and the global compliance with Annex 17 Standards and security-related provisions of Annex 9 to the Chicago Convention; and
s)
facilitating and coordinating support functions for all USAP-CMA activities and performing quality control measures of all aspects of the USAP-CMA to ensure standardization, fairness and transparency in the activities of the programme.
4.2.4 C/ASA monitors the conduct of all USAP-CMA tasks to ensure that they are carried out effectively and identifies any required corrective or preventive actions.
Roles and responsibilities of other sections
4.2.5 Other sections within the ICAO Secretariat provide technical support to the USAP-CMA by:
a)
providing input for the amendment of USAP-CMA PQs and the development of related guidance material;
b)
providing consultation for the review and confirmation of findings and SSeCs, when needed;
c)
developing and maintaining the USAP-CMA software;
d)
providing information to ASA regarding assistance projects and the readiness of States for USAP-CMA activities; and
e)
supporting training, seminars and activities related to the USAP-CMA.
Roles and responsibilities of the ICAO Technical Cooperation Bureau (TCB) and ROs
4.2.6 Member States have a responsibility under the Chicago Convention for the security of their aviation industry, airspace and infrastructure. While the USAP-CMA assesses a State’s capability to oversee its aviation security activities and determines its degree of compliance with the applicable SARPs, ICAO also has a mandate to assist States, where possible, in establishing effective aviation security and oversight systems.
4.2.7 The ICAO Technical Cooperation Bureau (TCB) maintains prime responsibility for providing technical assistance to States, when requested and as required. In addition, ISD-SEC may provide urgent immediate technical assistance to States under the Implementation Support and Development – Security Programme. Finally, ASA, through its auditors, may also provide on-site technical advice to States.
4.2.8 The ROs play an important role in assisting with the preparation and conduct of USAP-CMA activities, facilitating effective communication between ICAO Headquarters and States and providing advice and assistance to States, as required. The relevant Regional Officer, Aviation Security and Facilitation (ROASF) may, for example, assist a State in resolving identified deficiencies where requested and coordinated through ICAO Headquarters, and assist with the preparation and delivery of USAP-CMA training and certification courses and regional seminars. The key responsibilities of the ROs within the USAP-CMA with respect to the States they are accredited to, include, but are not limited to:
a)
facilitating the exchange of information between ICAO Headquarters and States;
b)
providing input to ASA on the selection and prioritization of USAP-CMA activities;
c)
assisting in the coordination of the regional implementation of the USAP-CMA with ICAO Headquarters;
d)
instituting follow-up discussions with States on the development and implementation of their CAPs; and
e)
ensuring that corrective actions are taken by States in their regions in a timely manner.
4.2.9 When practicable, ROASFs will be trained and subjected to the certification process as ICAO USAP-CMA auditors. This will benefit the programme by ensuring the continuing availability of expertise within the regions. ROASFs may participate in USAP-CMA audits as assigned and coordinate regional activities related to the USAP-CMA. However, given the need to maintain a strict separation between ICAO’s audit and assistance activities and to prevent any potential conflict of interests, ROASFs generally should not be involved in both audit and assistance activities for the same States within their regions.
4.3
ROLES AND RESPONSIBILITIES OF MEMBER STATES
4.3.1 The success of the USAP-CMA depends on the cooperation of States and their participation in the programme. Member States shall sign an MoU with ICAO to confirm their full support of and participation in the USAP-CMA process by taking part in all USAP-CMA activities and by committing to provide information related to the establishment and implementation of their aviation security and oversight systems, as requested by ICAO, and taking into consideration the recommendations of the USAP-CMA audit report in the development of a State-specific CAP.
4.3.2 According to the MoU, States shall:
a)
complete and maintain up to date the SASAQ and the CCs;
b)
provide updates on the implementation of specific USAP-CMA PQs;
c)
implement and provide updates and evidence related to the implementation of CAPs addressing not satisfactory PQs;
d)
take appropriate and timely action to resolve SSeCs; and
e)
provide other relevant information, as requested by ICAO, such as national-level aviation security legislation and airport-level aviation security procedures and practices.
4.3.3 Each Member State shall facilitate USAP-CMA on-site activities by accepting the dates and scope of USAP-CMA activities and by:
a)
making appropriate staff from its administration responsible for the regulation and oversight of aviation security activities and matters related to facilitation, as well as relevant staff of airport operators, locally based commercial air transport operators and any other entities responsible for the implementation of aviation security measures available for interview by the USAP-CMA audit team;
b)
making all relevant files, records and documentation of the appropriate authority for aviation security and those of any other relevant entities responsible for aviation security and facilitation matters, including national legislation, programmes and regulations related to aviation security and facilitation, quality control activity records, airport-level programmes, procedures and internal quality control activity records, available for review by the USAP-CMA audit team; and
c)
providing the USAP-CMA audit team access to aerodrome facilities and restricted areas of the airport for observation of aviation security measures implemented by all relevant entities.
4.3.4 The State should also facilitate the audit process by ensuring that the USAP-CMA audit team has a private work space and access to electronic communications media such as the Internet.
Roles and responsibilities of National Coordinators (NCs)
4.3.5 In order to support the USAP-CMA and facilitate related activities, each State is responsible for designating an NC to act as a primary point of contact for all USAP-CMA processes and activities on an ongoing basis. States are responsible for providing ICAO with updates and information, through their NCs, upon request. Each State should advise ICAO whenever there is a change in a designated NC. The NC is responsible for submitting, maintaining and/or updating the information to be provided by the State to ASA on an ongoing basis, including, but not limited to:
a)
PQ compliance status;
b)
CAPs;
c)
corrective actions taken by the State to resolve or mitigate SSeCs;
d)
SASAQ;
e)
CCs; and
f)
other relevant information, as requested by ICAO.
4.3.6 The TL will work directly with the NC as designated by the Member State. The NC should be familiar with all aspects of the national aviation security and oversight systems, including all programmes and requirements, and knowledgeable about the airport(s) to be visited by the USAP-CMA audit team. The NC should also be knowledgeable about the entities responsible for the implementation of the security-related provisions of Annex 9, as well as all security-related operations (e.g. access control measures, screening procedures, cargo and mail, etc.).
4.3.7 The NC will be involved in every phase of the conduct of the USAP-CMA activity and will be kept informed of the USAP-CMA audit team’s preliminary findings during daily meetings with the TL. The NC may be invited by the USAP-CMA audit team to provide assistance and clarifications but should not seek to influence the audit’s outcome.
4.3.8 For facilitation purposes, the NC may decide to delegate some of his/her duties and tasks to a local and/or airport representative (e.g. hotel reservations, escort of the USAP-CMA audit team, etc.). However, the overall responsibility remains with the NC who is the main representative of the Member State for the purpose of the USAP-CMA.
4.3.9 Prior to the USAP-CMA on-site activity, the NC will be required to:
a)
act as the link between the Member State and both C/ASA and the TL;
b)
ensure that the TL’s requests are fully understood and met;
c)
inform and assist the USAP-CMA audit team with regard to the State’s entry requirements;
d)
ensure the availability of a Technical Liaison Officer (TLO) (see the role of a TLO in 4.3.14 – 4.3.16) for the purpose of answering any equipment-related questions;
e)
adequately inform the airport authority and other entities to be involved in the USAP-CMA activity (e.g. aircraft operators, cargo handlers, catering companies and/or immigration authorities, as appropriate) about the USAP-CMA activity objectives, procedures, dates and schedule;
f)
organize appointments for the USAP-CMA audit team, including meetings with representatives of organizations other than the appropriate authority for aviation security that have a direct role in either oversight or implementation of the national aviation security system or implementation of the security-related provisions of Annex 9;
g)
ensure that all details of the USAP-CMA daily work plan (e.g. meetings and escorts) are arranged and confirmed before the USAP-CMA audit team’s arrival;
h)
provide the TL with adequate information, such as records of quality control activities, airport diagrams, flight schedules, etc.;
i)
assist in making hotel reservations for the USAP-CMA audit team, as requested;
j)
reserve meeting rooms for the national briefing and post-audit debriefing;
k)
ensure coordination with the airport authority and other relevant entities with regard to completion of the SASAQ and CCs;
l)
ensure that the SASAQ and CCs are completed by the Member State and sent back to C/ASA along with associated documentation in due time;
m)
provide USAP-CMA audit team participants with airport identification cards and access permits, as applicable;
n)
ensure the availability of an appropriate escort at all times during visits to the airport(s) (escort(s) should have adequate means of communication);
o)
obtain protective clothing (e.g. high-visibility jackets) for USAP-CMA audit team participants according to national regulations;
p)
ensure that transportation is available for the duration of the USAP-CMA on-site audit; and
q)
ensure that printing facilities are available to photocopy and print, as necessary, any documents the USAP-CMA audit team might need.
4.3.10 During the USAP-CMA on-site activity, the NC will be required to:
a)
facilitate the work of the USAP-CMA audit team (e.g. translation, interpretation and/or ensuring access to all required documentation);
b)
ensure that the airport authority and other entities involved in the USAP-CMA cooperate fully with the USAP-CMA audit team;
c)
escort the USAP-CMA audit team during the mission without interfering with its work and/or ensure that appropriate escorts are available when the USAP-CMA audit team requires them; and
d)
respond to the USAP-CMA audit team’s requests for clarification concerning information with respect to the national/airport aviation security organization and security measures, practices and procedures.
4.3.11 The NC should be available at all times during the USAP-CMA on-site activity. He/she will be briefed daily on the work and findings of the USAP-CMA audit team but will not attend any internal discussions of the USAP-CMA audit team. As far as practicable, the TL and the NC will liaise closely to facilitate preparation for the USAP-CMA activity, discussing any information related to the USAP-CMA PQs that may not be possible to be verified prior to the USAP-CMA audit team’s arrival.
4.3.12 As far as possible, representatives from the USAP-CMA audit team will share a common language with the audited State, airport authority, aircraft operators, regulated agents, etc., being interviewed. When necessary, interpreters should be made available by the State for the duration of the USAP-CMA mission. Ideally, the interpreters should have a basic knowledge of aviation security terminology.
4.3.13 After the USAP-CMA on-site activity, the NC should be available to clarify/confirm any information required by the TL related to the USAP-CMA activity completed.
Roles and responsibilities of Technical Liaison Officers (TLOs)
4.3.14 The Member State should identify a TLO to act as the USAP-CMA on-site audit team’s point of contact for all technical matters, such as to demonstrate to the USAP-CMA auditors technical procedures in place and provide security equipment-related information. The State may appoint more than one TLO considering the field of expertise. The technical component of the USAP-CMA on-site activity has the following objectives:
a)
verify whether security equipment standards, which include equipment types, performance capabilities, minimum detection settings, testing and agreed levels of performance, as well as specifications of performance test pieces, have been adopted by the Member State and the audited airport;
b)
obtain evidence that these standards are in routine use, have been implemented in a manner that complies with the national requirements, and are verified through the national quality control process; and
c)
check the evidence obtained by assessing particular pieces of equipment to ensure that they conform to the requirements.
4.3.15 Prior to the USAP-CMA on-site activity, the TLO will be required to:
a)
organize appointments for the USAP-CMA audit team with appropriate staff concerning technical issues;
b)
ensure coordination with the airport authority/appropriate authority with regard to the answers to the SASAQ; and
c)
ensure that persons (e.g. representatives of police, private security companies, etc.) to be met by the USAP-CMA audit team are informed about the objectives and procedures of the USAP-CMA activity.
4.3.16 During the USAP-CMA on-site activity, the TLO will be required to:
a)
organize a presentation of relevant documentation and items, such as routine test reports and test pieces, for review/observation by the USAP-CMA audit team;
b)
facilitate the work of the USAP-CMA audit team (e.g. translation, etc.);
c)
escort the USAP-CMA audit team, as required, without interfering with its work;
d)
clarify any questions the USAP-CMA audit team might have on the security screening equipment, performance tests, etc.; and
e)
facilitate cooperation with the airport authority or other entities, as required.
4.3.17 The TLO should be available for the USAP-CMA audit team at all times during the USAP-CMA on-site activity but will not be allowed to attend any internal discussions of the USAP-CMA audit team, such as its daily internal debriefing. After the USAP-CMA on-site activity, the TLO should be available to clarify/confirm any information required by the USAP-CMA activity TL concerning the equipment and security procedures at the audited airport.
4.4
ROLES AND RESPONSIBILITIES OF REGIONAL AVIATION SECURITY OVERSIGHT ORGANIZATIONS
4.4.1 ICAO supports the establishment of regional aviation security oversight organizations performing aviation security oversight-related activities on behalf of a group of Member States. Activities performed by such organizations may include:
a)
harmonization of legislation and regulations;
b)
development of comprehensive and detailed procedures; and
c)
selection and training of a regional core of qualified and experienced inspectors to perform a full range of aviation security oversight activities on behalf of participating States.
4.4.2 If a regional aviation security oversight organization performs security-related activities on behalf of Member States, ICAO, with the consent of participating States, may elect to enter into a working arrangement with this organization to facilitate the monitoring of those States.
4.5
MEMORANDUM OF UNDERSTANDING (MoU)
4.5.1 An MoU signed between each Member State and ICAO establishes the official agreement outlining the terms and responsibilities of the Member State and ICAO in the effective implementation and maintenance of the USAP-CMA and conduct of USAP-CMA activities. The signed MoU represents the commitment of the Member State concerned not only to participate in USAP-CMA activities but also to take into consideration the recommendations of the USAP-CMA audit team in developing and implementing a State-specific CAP. The generic MoU, approved by the ICAO Council, is set forth in Appendix A.
4.5.2 Prior to the conduct of a USAP-CMA activity, all ICAO Member States shall return to ICAO two signed copies of the Model MoU approved by the Council (see Appendix A). These two copies will be countersigned by the Secretary General of ICAO, and one signed copy will be returned to Member States. The Model MoU is available for downloading on the ATB-USAP-MOU secure website at http://portallogin.icao.int/.
4.5.3 The signed MoU will confirm that the USAP-CMA activities will be conducted in accordance with the terms specified in the MoU and on the basis of the criteria contained in this manual. No USAP-CMA activity will be undertaken unless an appropriately signed MoU has been returned to ICAO and further countersigned by the Secretary General of ICAO. Member States that do not sign and submit two signed copies of the MoU to ICAO shall be reported to the ICAO Council. All other Member States shall also be informed of the State’s refusal to sign the MoU and participate in the USAP-CMA.
4.6
PLANNING AND SCHEDULING
4.6.1 In accordance with the principle of universality, all Member States are subject to continuous audit and monitoring activities by ICAO, though the priorities, frequency, type and scope of such activities vary based on each Member State’s specific circumstances. Under the USAP-CMA, ASA uses defined criteria to select and prioritize States for the conduct of the appropriate type of USAP-CMA activity. These activities, as defined in 3.4, are part of the strategy for promoting the enhancement of global aviation security on a continuous basis.
4.6.2 ASA selects and prioritizes States for USAP-CMA activities through the planning and scheduling process. The USAP-CMA annual activity plan is established in accordance with criteria that use the State’s USAP-CMA key parameters. These parameters include various risk and performance indicators, as well as certain critical information, impacting on the selection and prioritization of States for USAP-CMA activities. The State’s USAP-CMA key parameters cover the following areas:
Risk information
•
Level or nature of activity inconsistent with security oversight capability;
•
Security incidents linked to deficiencies in a State’s security oversight responsibilities and obligations;
•
State security record - acts of unlawful interference;
•
Failure or refusal to participate in significant aspects of the USAP-CMA process, including, but not limited to, preparation, conduct and reporting requirements;
•
Failure to resolve the critical security-related deficiencies identified during the USAP-CMA activity, such as SSeCs.
Performance information
•
Results of the previous USAP activity;
•
State Compliance Indicator;
•
State Oversight Indicator;
•
Existing or potential SSeCs;
•
Level of acceptability of the State’s CAP;
•
State’s CAP implementation progress.
Critical information
•
Number of airports in the State serving international civil aviation;
•
Number of aircraft operators providing service from the State;
•
Annual number of aircraft movements;
•
Annual number of originating and transfer passengers;
•
Annual volume of exported cargo and mail;
•
Significant development in the State's aviation security and oversight systems;
•
ICAO assistance activities in the State;
•
Time elapsed since the last USAP activity.
Note.— Risk information should not be confused with threat and risk assessment, as described in the Aviation Security Manual (Doc 8973 — Restricted), and is used for the purpose of determining the priorities in planning and scheduling of USAP-CMA activities in conjunction with performance information and critical information.
4.6.3 In applying the above criteria, certain operational and technical factors influence the selection and scheduling process, such as:
a)
regional balance in terms of the percentage of States audited within each ICAO region;
b)
aviation security concerns and other information made known by ROs, other ICAO sections or the States to be audited;
c)
State requests to be audited;
d)
information shared by recognized international organizations;
e)
geographical proximity and ease of transportation between States;
f)
the availability of USAP-CMA TLs and TMs;
g)
field security st status atus reports from the office of the United Nations Department of Safety and Security; and
h)
the activity schedule of the ICAO USOAP-CMA an and d the audit schedules of other regional aviation security audit programmes.
4.6.4 States’ USAP-CMA key parameters will be monitored and analysed on an ongoing basis by ASA, and the priorities and frequency of USAP-CMA audit and monitoring activities for each State will be determined accordingly. 4.6.5 If a regional entity is empowered by a group of States with legal authority and responsibility to regulate and/or oversee aviation security activities in those States States,, ICAO, with the consent of those States, may elect to enter into a working arrangement with this regulatory and/or oversight entity to facilitate the monitoring of aviation security oversight and compliance capabilities of the States Members of the regional group.
4.6.6 ICAO publishes an annual schedule of USAP-CMA activities, identifying the States that will receive USAP-CMA on-site and off-site activities. The annual schedule and its amendments are provided to States via EBs posted on the ICAO-NET and the USAP secure website.
4.6.7 In addition to USAP-CMA activities in the periodic schedule, ICAO will consider specific requests from States for cost-recovery audits. The type, scope and scheduling of any such cost-recovery audit shall require agreement between ICAO and the State, and will be assessed by ICAO on a case-by-case basis. The methodology for conducting USAP-CMA cost-recovery audits will be the same as for compliance-focused audits or oversight-focused audits, as applicable. The results of these cost-recovery audits will be treated in the same manner as the results from regularly scheduled USAP-CMA activities. States requesting cost-recovery audits will be expected to provide logistical assistance in making travel arrangements for the USAP-CMA audit team participants and to cover all travel-related costs, local transportation and the daily subsistence allowance (DSA). For regularly scheduled USAP-CMA on-site audits, ICAO will be responsible for the cost of transportation to and from the State, as well as for the DSA of all USAP-CMA audit team participants.
Note.— The DSA is based on rates established by the United Nations and includes accommodation, meals and incidental expenses.
4.6.8 ICAO will notify selected States at least 120 calendar days prior to the scheduled USAP-CMA activity through a State notification letter signed by the Secretary General of ICAO providing the name(s) of the airport(s) selected for observation, if applicable. States are required to acknowledge receipt of the State notification letter and confirm their acceptance of the USAP-CMA activity within 30 days after receipt of the notification letter.
4.6.9 According to the MoU, Member States are urged to accept scheduled USAP-CMA activities without any changes, unless there are compelling reasons not to do so. However, should changes be required, adjustments may be made to the programme schedule to ensure the overall effectiveness and efficiency of the USAP-CMA.
4.6.10 If a State needs to make any changes to the programme schedule, the State is required to advise ICAO of its inability to accept a scheduled activity as soon as possible after ICAO publishes an annual schedule of USAP-CMA activities and, in any event, within 30 days after receipt of the State notification letter. In addition, the State shall clearly indicate the compelling reasons for not accepting or postponing the USAP-CMA activity as initially scheduled.
4.6.11 USAP-CMA activity deferrals are strongly discouraged as they have an adverse impact on the overall schedule of USAP-CMA activities and cause considerable difficulty for ICAO and other Member States affected by the schedule change. A request for deferral should be addressed to the Secretary General and should be signed by the designated appropriate authority of the State or his/her designee, clearly stating the compelling reason for not accepting the USAP-CMA activity as scheduled.
4.6.12 Although everything possible will be done to maintain the activity schedule, changes to activity dates may occur for reasons beyond ICAO’s control. Additionally, once a TL and TMs are assigned to an activity, all efforts will be made to avoid changes to the composition of the USAP-CMA audit team, specifically the TL.
4.6.13 ICAO will submit requests for the release of short-term seconded auditors by States at least 90 days before the start of the USAP-CMA on-site activity. In order to facilitate planning and scheduling, all auditors will be requested to provide their non-availability dates as early as possible.
4.7 PROGRAMME RECORDS
4.7.1 All supporting documentation, correspondence, notes, records and other information relating to USAP-CMA activities are obtained, managed and filed by ASA through an established and controlled system.
4.7.2 At the end of each mission, all TMs shall submit all supporting documentation and notes from the mission to the TL. TMs shall also ensure that at the end of the mission and before their departure, all information in electronic format is deleted from their computers.
4.7.3 TMs are responsible for their own material until it is given to the TL. The TL is also responsible for his/her notes and materials from the USAP-CMA activity, and for those handed over by TMs, as applicable, until they are submitted to ASA.
4.7.4 At the end of the mission, the TL shall submit the following documents and records to ASA (preferably an electronic version) for processing and filing according to established procedures:
a) PQ Worksheets duly completed by the TL and TMs;
b) draft preliminary findings and recommendations;
c) draft preliminary SSeCs, if applicable;
d) supporting evidence and documentation submitted by the State, including primary aviation security legislation, programmes and regulations; and
e) any other relevant documents used in the preparation and conduct of the USAP-CMA activity.
4.7.5 ASA maintains supporting documentation, notes and records pertaining to USAP-CMA activities for a minimum of five years. USAP-CMA activities reports are retained electronically for an indefinite period.
4.8 PROGRAMME QUALITY MANAGEMENT
4.8.1 An internal quality assurance process has been established and implemented within ASA to ensure standardization, consistency and confidence of delivery of all aspects of USAP-CMA activities, including their preparation, conduct and reporting. The process encompasses the review of auditing standards and procedures and the guidelines for their application during USAP-CMA activities, as well as a quality control review of all written materials produced by ASA.
4.8.2 ASA monitors the level of satisfaction of Member States that receive USAP-CMA activities through a State USAP-CMA activity feedback form that allows States to provide comments, complaints and suggestions for improvement regarding the planning, coordination, conduct and reporting of the USAP-CMA activity they have received. The TL shall provide a confidential State USAP-CMA activity feedback form to the State NC at the end of the USAP-CMA activity, requesting the State to complete and return it to C/ASA.
4.8.3 ASA also obtains feedback on USAP-CMA activities through the TL and TM mission reports, which provide comments and information on the conduct of USAP-CMA activities from preparation to conduct and assist ASA in improving USAP-CMA procedures and processes.
4.8.4 ASA maintains a record of all State, TL and TM feedback forms, related recommendations and actions taken by ASA to address issues and concerns.
4.9 CONFIDENTIALITY
4.9.1 In recognition of the special sensitivity of information related to aviation security, the USAP, from its inception, adopted the principle of confidentiality. In practice, this means that audit reports receive a security classification and are subjected to rigorous physical controls by ICAO. In accordance with established guidelines for the protection of sensitive security information, audit reports are strictly protected from release to any entity other than the appropriate authority for aviation security of the audited States and those with an operational need to know within ICAO, while the names of the States and airports audited are released to all Member States on a regular basis. All other records, notes and documents collected during, or related to an audit, remain confidential between the audited State and ICAO. In keeping with the principle of confidentiality, the 36th Session of the ICAO Assembly (Assembly Resolution A36-20, Appendix E refers) encouraged all States to share their audit reports and information on a bilateral or multilateral basis in order to promote mutual confidence in the level of aviation security between States. Assembly Resolution A36-20 has been reinforced with the inclusion of Recommended Practice 2.4.5 in Annex 17, whereby each Contracting State should share, as appropriate, and consistent with its sovereignty, the results of the audit carried out by ICAO and the corrective actions taken by the audited State, if requested by another State. To facilitate the exchange of information, ICAO regularly issues an audit activity report to Member States advising of States audited and airports visited under the programme.
4.9.2 The 36th Session of the Assembly also directed the Council to consider the introduction of a limited level of disclosure with respect to aviation security audit results, balancing the need for States to be aware of unresolved security concerns with the need to keep sensitive security information out of the public realm. Accordingly, the Council approved, in June 2008, a proposal to introduce a limited level of disclosure with respect to USAP second-cycle audit results, whereby a graphical representation depicting the level of implementation of the CEs of an aviation security oversight system for each audited State was posted on the USAP secure website.
4.9.3 The principle of confidentiality continues to apply to the USAP-CMA, as amended by the Council and based on the generic MoU between ICAO and a Member State regarding the USAP-CMA approved by the Council. The confidentiality principle stipulates that sensitive security information collected as part of the USAP-CMA will be protected from unauthorized disclosure. Accordingly, USAP-CMA audit reports are confidential and are only made available to the audited State and ICAO staff on a need-to-know basis. However, in the interest of promoting global aviation security, a limited level of disclosure applies whereby charts depicting the level of implementation of the CEs of an aviation security oversight system by a Member State and the indicative degree of compliance by a Member State with Annex 17 Standards, as well as information pertaining to the existence of unresolved SSeCs in a Member State, are made available to all Member States on the USAP secure website. States can then take specific actions as they deem appropriate, such as:
a) request a copy of the relevant ICAO USAP-CMA audit report from the State in question, on the basis of which further action/decisions may be initiated on a bilateral basis;
b) engage in consultations to assist the State in question in improving its security measures;
c) instruct their aircraft operators to take extra precautions and/or apply additional security measures regarding flights to/from the State in question; and
d) request additional security measures to be implemented by the State in question with respect to specific flights.
4.9.4 All security-related information collected or generated during the USAP-CMA activity or as part of the USAP-CMA process, including answers to the SASAQ, CCs, PQ Worksheets filled in by the USAP-CMA audit team, auditor notes, and copies of the USAP-CMA audit reports will be marked as “sensitive security information”, stored and safeguarded at ICAO Headquarters with an appropriate level of protection in accordance with internal procedures developed by ASA for the protection of audit-related sensitive security information. Such information will be made available only to the Member State concerned and to those within ICAO with an operational need to know, and then only when it has been determined by C/ASA that the individual has a specific need to know the information in order to perform his/her duties with respect to the USAP-CMA activities. When the sensitive security information is not being reviewed, it will be protected against unauthorized access by securing the information in an approved container or secure database, access to which is strictly limited. A list of persons provided access to the documents will be maintained. Sensitive security information will not be reproduced except for the functioning of the USAP-CMA, and then only as authorized by C/ASA. Copies will be numbered and accounted for.
4.9.5 The State USAP-CMA file, to be kept at ICAO Headquarters, will include, but may not be limited to, the following documents:
a) completed SASAQ and associated documents;
b) completed CCs;
c) preliminary list of findings and recommendations made by the USAP-CMA audit team;
d) State’s USAP-CMA key parameters;
e) State USAP-CMA audit report;
f) CAP submitted by the State (if required), including feedback by ASA;
g) any other audit documents, such as PQ Worksheets and notes made by the auditors; and
h) national- and airport-level documentation collected during the USAP-CMA audit as evidence.
4.9.6 All material used or generated during the USAP-CMA on-site activity shall remain confidential, including personal notes and draft reports prepared by the USAP-CMA audit team. All sensitive audit documents are considered the property of ICAO and shall be returned to ICAO upon completion of the USAP-CMA on-site activity. USAP-CMA audit team participants are to maintain strict confidentiality in respect of audit-related information and in particular the content of audit reports. TMs shall not:
a) leave printed or handwritten notes behind when performing on-site activities and must dispose of them appropriately;
b) make personal copies of any documents provided to them by the State, nor share any information contained therein with any person other than the TL, TMs, State officials and counterparts concerned, and then only to facilitate the USAP-CMA activity;
c) be allowed to keep any handwritten or electronic documents concerning the audit performed and are prohibited from using any information gained during the USAP-CMA activity for their own and/or national purposes.
4.9.7 In this respect, as with other issues relating to confidentiality of USAP-CMA activities, TMs should adhere to The ICAO Service Code (Doc 7350/9), Staff Regulation 1.8, which states that:
Staff members shall exercise the utmost discretion in regard to all matters of official business. They shall not communicate to any person any information known to them by reason of their official position which has not been made public, except in the course of their duties or by authorization of the Secretary General. They shall not at any time use such information to private advantage. These obligations do not cease upon separation from service.
4.9.8 The ICAO Service Code (Doc 7350/9), Staff Regulation 1.4 states that:
Staff members shall conduct themselves at all times in a manner befitting their status as international civil servants.
This is binding for all TMs with respect to all their assignments as USAP-CMA activity TMs, and is applicable to all information received in any form as a result of their association with the USAP-CMA.
4.9.9 Information regarding a refusal by a State to undergo a USAP-CMA audit, a deferral of the USAP-CMA audit, or a refusal to comply with the terms of the relevant MoU, is not treated as confidential.
4.10 LANGUAGE
4.10.1 USAP-CMA activities will be conducted in English, French or Spanish. Member States shall indicate which of these languages they wish to be used for the conduct of the scheduled USAP-CMA activities and for communicating with ASA.
4.10.2 In the case of USAP-CMA on-site activities, if the ICAO working language of the State is one of the remaining three ICAO working languages (Russian, Arabic or Chinese), every effort will be made to ensure that at least one TM participating in the activity has command of the ICAO working language of the State concerned.
4.10.3 USAP-CMA activities in Member States whose language is not one of the ICAO working languages may be conducted with the assistance of an interpreter.
Note.— Use of interpreters in the USAP-CMA on-site activity with the purpose of facilitating communications between the State and the USAP-CMA audit team is at the discretion of the State.
4.10.4 Interpretation and translation support during the conduct of USAP-CMA on-site activities shall be provided by Member States.
4.10.5 To facilitate timely and effective review, any documentation submitted by a State to ASA, including primary aviation security legislation, programmes and regulations, should be in one of the ICAO working languages, but preferably in the language of the USAP-CMA activity.
4.10.6 The USAP-CMA activity report will be forwarded to the State in the ICAO working language selected by the State for the conduct of the USAP-CMA activity. If the ICAO working language of the State is Russian, Arabic or Chinese, the USAP-CMA activity report will be translated into the corresponding ICAO working language of the State, and additional time will be allocated, as required.
4.11 RESOLUTION OF DISPUTES
4.11.1 In performing duties related to the USAP-CMA, all assigned personnel shall aim to prevent disputes by working closely with their State counterparts as transparently and fairly as possible.
4.11.2 Disputes may arise during a USAP-CMA activity process. For example, there could be a dispute between TMs, or a dispute between the audited State and the USAP-CMA audit team concerning the:
a) adherence to the USAP-CMA procedures;
b) findings in the post-audit debrief and/or USAP-CMA audit report; and/or
c) recommendations in the USAP-CMA audit report, whether as a result of the interpretation of Annex 17 Standards or security-related provisions of Annex 9, or otherwise.
4.11.3 In the case of a dispute within a USAP-CMA audit team, the TL has veto power to resolve the disagreement. If necessary, an incident report outlining the circumstances of the dispute may be attached to the TL and/or TM mission report that is forwarded to C/ASA.
4.11.4 In the case of a dispute between the audit team and the audited State at any stage of the USAP-CMA process that cannot be resolved by the assigned personnel, the dispute shall be reported to C/ASA, who will work to facilitate an amicable resolution, failing which the issue may be referred to an appropriate authority within ICAO for consideration and resolution.
4.11.5 In any case where the audited State proposes not to implement a recommendation because it disagrees with the findings of the USAP-CMA audit team or the interpretation of the Annex 17 Standards or security-related provisions of Annex 9 by the USAP-CMA audit team, it will cooperate with ICAO to resolve that disagreement.
4.11.6 In all cases, audited States are given an opportunity to submit comments and feedback on the report. The audit report may be revised as a result of this feedback.
______________________
Chapter 5 USAP-CMA AUDIT TEAMS
5.1 USAP-CMA AUDIT TEAM COMPOSITION
5.1.1 USAP-CMA audit teams are assigned by C/ASA and consist of a TL and a number of TMs, as required, covering the scope of the USAP-CMA activity to be conducted. USAP-CMA on-site audit teams normally consist of a TL and three TMs and may be augmented or reduced depending on the scope of the USAP-CMA activity and the complexity of civil aviation operations in the State. USAP-CMA off-site audit teams consist of a TL only.
5.1.2 USAP-CMA audit teams will be assigned for each USAP-CMA activity, and although the same auditors may be involved in multi-State missions, the audit team structure may change for each activity. The USAP-CMA audit team will be comprised to ensure that both a high level of expertise is available, and the requirements of objectivity and fair geographical representation are met. Prior to the commencement of a USAP-CMA activity, the State will be advised of the USAP-CMA audit team’s composition in sufficient time to have the opportunity to provide any desired feedback to ICAO and to be able to facilitate applications for visas and other administrative matters.
5.1.3 With the exception of the TL, the USAP-CMA activity TMs will remain employees of their nominating Member State. As such, it is necessary for each TM to look to his/her own insurance arrangements to ensure adequate medical coverage while participating in a USAP-CMA activity.
5.1.4 During their period of service on a USAP-CMA assignment, all TMs are considered as international officials working under the auspices of ICAO and representing only ICAO for the entire duration of the USAP-CMA activity. They must clearly understand that they are not, in any sense, serving as representatives of a national government. All TMs are entitled to privileges and immunities granted to ICAO staff on mission and are subject to The ICAO Service Code (Doc 7350/9). Each TM will be required to sign the ICAO Code of Conduct Form for Auditors set forth in Appendix D, which defines the responsibilities, including, but not limited to, confidentiality requirements undertaken by any person participating in a USAP-CMA audit team.
5.1.5 The minimum qualifications and experience requirements to be met for certification as a USAP-CMA auditor, along with the requirements for maintaining certification, are set forth in Appendix B. No individual may participate as a TL or a TM in a USAP-CMA activity unless they have met these specific requirements.
5.1.6 ASA maintains a roster of certified auditors. The members of each USAP-CMA audit team are selected from this roster based on their availability, up-to-date training status and currency to conduct USAP-CMA activities. The roster of certified auditors provides information on the qualifications, roles (as TM or TL), languages and any special skills, knowledge or abilities possessed by each auditor. It also tracks the records of their initial, on-the-job and recurrent training and the USAP activities carried out by each auditor. Such records will facilitate the assignment of auditors and help determine recurrent training requirements. The geographical location of each auditor is also indicated to facilitate planning and scheduling and to minimize travel costs for each on-site activity.
5.1.7 On occasion, ICAO may wish to include observers in the USAP-CMA on-site activity. Such observers do not participate in the USAP-CMA activity in an official capacity as TMs and shall only observe the interaction of other TMs with State counterparts. If ICAO wishes to include an observer, the State must be notified before the start of the on-site activity and must agree with the participation of the observer. Non-ICAO observers are not privy to the State’s confidential information and are not entitled to any privileges and immunities granted to staff representing ICAO while on mission.
5.2 TRAINING AND CERTIFICATION OF AUDITORS
5.2.1 Assessment of the implementation of the CEs of a State’s aviation security oversight system, Annex 17 Standards and security-related provisions of Annex 9 to the Chicago Convention requires an understanding of how each CE or ICAO provision may be implemented. USAP-CMA auditors are required to undergo training in order to standardize the working methodology used for achieving the programme’s goals, and to obtain the information and documentation required to be fully conversant with the programme. To ensure commonality of purpose among USAP-CMA auditors, each aviation security expert nominated by a State is required to successfully complete training and certification prior to any assignment as a USAP-CMA TM.
5.2.2 USAP-CMA training procedures define and establish the criteria related to the acceptable qualifications of auditors, based on a combination of their education, work experience, technical background and training. ASA conducts and oversees USAP-CMA auditor training and certification. Each aviation security expert nominated by a State will be required to successfully complete both training and certification prior to any assignment as a USAP-CMA activity TM.
5.2.3 The objective of the USAP-CMA auditor training and certification course is to provide the participants with a thorough knowledge and understanding of the methodology, tools and techniques used by ASA for the conduct of activities under the ICAO USAP-CMA. A candidate who meets the basic minimum qualifications for a USAP-CMA auditor may be nominated to undergo the ICAO USAP-CMA auditor training and certification process. The description of the USAP-CMA auditor training and certification course, including the prerequisites for participation and criteria for initial certification, is set forth in Appendix B of this manual.
5.2.4 Auditors who have successfully completed the USAP-CMA Auditor Training and Certification Course receive on-the-job training (OJT) during the USAP-CMA on-site activity from a USAP-CMA activity TL who evaluates the auditor’s performance, competency and ability to conduct assigned tasks, and reports the OJT results to C/ASA. The TL makes a recommendation to C/ASA regarding the auditor’s readiness to participate in future USAP-CMA activities as a TM.
5.2.5 C/ASA reviews the auditor’s input to the activity results along with the TL’s report and decides on the auditor’s participation in future USAP-CMA activities as a TM. C/ASA approves auditors who have successfully completed all required training and adds them to the roster of certified auditors. Training, certification and OJT records are considered in future decisions about assignment of TMs to USAP-CMA activities.
5.2.6 ASA maintains a consolidated, current list of certified USAP-CMA auditors. This list contains records of initial and recurrent training, ICAO USAP-CMA activities performed, and any special skills, knowledge or abilities with respect to each certified auditor. Such records facilitate the assignment of auditors and help determine recurrent training and recertification requirements. Information related to the maintenance of certification as a USAP-CMA auditor is included in Appendix B.
5.3 TEAM LEADERS
5.3.1 C/ASA will appoint a USAP-CMA activity TL for each USAP-CMA activity. A USAP-CMA activity TL must be an ASA staff member, whether on a long- or short-term contract. C/ASA will take into consideration the qualifications, language abilities, experience and relations with other TMs when assigning a TL for a USAP-CMA activity.
5.3.2 The USAP-CMA activity TL assumes responsibility for all phases of the assigned USAP-CMA activity: preparation, conduct and reporting, in accordance with guidance and instructions provided by ASA, including those found in this manual. In addition to specific tasks assigned by C/ASA, a USAP-CMA activity TL’s responsibilities include:
a) preparing for the USAP-CMA activity and coordinating related details with ASA and the State NC on matters related to the conduct of the USAP-CMA activity;
b) preparing the State-specific USAP-CMA audit plan for USAP-CMA on-site activities;
c) communicating with the State regarding technical, administrative and logistical issues;
d) liaising with ROs or regional civil aviation organizations, if required;
e) communicating with and informing assigned TMs regarding the preparation phase and other pertinent information;
f) conducting a USAP-CMA on-site audit team briefing for the TMs prior to the national briefing with the State appropriate authority;
g) conducting a national briefing and a post-audit debriefing with the State appropriate authority;
h) conducting a daily debriefing with the NC during the conduct of the USAP-CMA activity to share results of the audit to date;
i) conducting a daily meeting with the USAP-CMA on-site audit team to discuss the day’s activities, to identify additional needs, and to prepare for the forthcoming day;
j) immediately notifying C/ASA of any serious concerns encountered during the USAP-CMA activity, such as potential SSeCs;
k) collecting and consolidating TMs’ input for preparation of the USAP-CMA activity results and the draft preliminary findings and recommendations;
l) ensuring the quality of TMs’ input and collected evidence;
m) ensuring the accuracy and quality of the contents of the draft preliminary findings and recommendations;
n) managing the USAP-CMA audit team’s workload and progress to accomplish the activity;
o) providing leadership, guidance and support to TMs at all times during the USAP-CMA on-site activity;
p) ensuring that the USAP-CMA audit team follows the USAP-CMA procedures and the ICAO Code of Conduct for Auditors (Appendix D);
q) collecting all evidence, contributions, notes, information, documents and forms from TMs and submitting them to ASA;
r) developing and submitting to C/ASA the draft USAP-CMA audit report in compliance with the established timelines and requirements of ASA;
s) providing ASA with additional information and clarification during the report production phase, as required;
t) preparing the TL’s mission report;
u) evaluating the performance and abilities of TMs and providing a completed evaluation form to C/ASA for each TM;
v) providing OJT to TLs and TMs in training;
w) submitting to C/ASA all confidential documents and notes collected during the USAP-CMA activity process; and
x) participating in USAP-CMA auditor training and certification courses as an instructor.
5.3.3 Each TL is also assigned to cover one (or more) of the audit areas within the scope of the USAP-CMA on-site activity, except in cases where the size and complexity of the State requires a large audit team and a dedicated TL.
5.4 TEAM MEMBERS
5.4.1 USAP-CMA activity TMs are assigned to a specific activity by C/ASA and are responsible to the USAP-CMA activity TL. TMs are selected from the roster of certified auditors available to C/ASA.
5.4.2 As representatives of ICAO, TMs are required to be free from bias and influences that could affect their objectivity as USAP-CMA activity TMs. They must maintain independence from the audited State. They must always remain within the scope of the USAP-CMA activity, display integrity, exercise objectivity and remain alert to any indication of evidence that may have an adverse impact on the activity result. TMs are to cooperate and comply with the TL’s requirements and instructions and to carry out their assigned duties with objectivity, confidentiality, and in an ethical manner. They must act in accordance with the ICAO Code of Conduct for Auditors (Appendix D) at all times. They must also be guided by the auditing principles described in 2.4.
5.4.3 In addition to the specific tasks assigned by C/ASA or the USAP-CMA activity TL, the USAP-CMA on-site audit TM’s responsibilities include:
a) communicating and clarifying USAP-CMA activity requirements;
b) planning and carrying out assigned responsibilities effectively and efficiently;
c) collecting, assessing and submitting evidence;
d) documenting all findings and observations;
e) coordinating with and assisting other TMs;
f) completing PQ Worksheets in their assigned audit areas and determining the status of those PQs;
g) participating in, and contributing to, all briefings and meetings, including the daily presentation of work progress made in the various audit areas;
h) providing input to the draft preliminary findings and recommendations;
i) submitting all evidence, contributions, notes, information, documents and forms by the deadlines specified by the TL at the conclusion of the activity, in accordance with the requirements of ASA;
j) submitting to ASA, through the USAP-CMA activity TL, all confidential documents and notes pertaining to the activity;
k) submitting to C/ASA, through the USAP-CMA activity TL, a TM mission report;
l) cooperating with and assisting the USAP-CMA activity TL at all times during the preparation, conduct and completion of the USAP-CMA activity; and
m) responding to ASA’s queries during the report production process.
5.4.4 Although the TL is responsible overall for ensuring that tasks are completed at the appropriate time during the activity, all TMs must be vigilant and support the TL and each other in achieving the goals and objectives of USAP-CMA activities.
5.5 COMPETENCIES
5.5.1 TLs and TMs shall possess the competencies required for conducting USAP-CMA activities, performing related tasks and applying USAP-CMA tools and procedures. Required competencies shall include:
a) applying auditing principles and techniques;
b) performing TL and TM responsibilities and functions;
c) complying with USAP-CMA procedures and completing PQ Worksheets and mission report forms related to the conduct of USAP-CMA audits;
d) identifying and generating findings; and
e) identifying and reporting SSeCs.
5.5.2 TMs are expected to have:
a) recent work experience with an appropriate authority as an inspector in any one of the following audit areas pertaining to USAP-CMA:
  1) OPS;
  2) IFS;
  3) PAX; and
  4) CGO.
b) working knowledge of the Chicago Convention and thorough knowledge of the ICAO documents used in conducting the USAP-CMA activities, such as the current editions of:
  1) Annex 17 — Security;
  2) Annex 9 — Facilitation;
  3) Aviation Security Manual (Doc 8973 — Restricted);
  4) Aviation Security Oversight Manual — The Establishment and Management of a State’s Aviation Security Oversight System (Doc 10047); and
  5) this manual.
c) working knowledge and experience related to aviation security legislation, programmes and regulations, and familiarity with internationally recognized regulatory systems;
d) command of written and spoken English, French or Spanish;
e) ability to write clearly and concisely; and
f) ability to use office automation equipment and contemporary computer software.
5.5.3 It is desirable for TMs to have the following:
a) knowledge of ICAO’s organization, functions and activities;
b) aviation industry experience, such as with an airport or aircraft operator; and
c) knowledge of one of the other working languages of ICAO (Russian, Arabic or Chinese).
5.6 CODE OF CONDUCT
5.6.1 All USAP-CMA auditors that participate in on-site activities, regardless of their role, are expected to maintain the highest standards of ethical and professional conduct, thus contributing to the effective completion of a USAP-CMA on-site activity. Their relationship with representatives of the audited State should be characterized by respect and professionalism.
5.6.2 The ICAO Code of Conduct for Auditors (Appendix D) defines the responsibilities of any person assigned to a USAP-CMA on-site audit team. It provides TMs with guidelines regarding their behaviour during and after a USAP-CMA on-site activity, such as the need for auditors to act fairly, avoid testing security measures, show respect for safety requirements, wear appropriate identification badges and maintain the confidentiality of the audit results.
5.6.3 USAP-CMA auditors should approach officials in the State undergoing the audit in a spirit of cooperation that conveys mutual concern about the potential threats to civil aviation and a desire to observe, learn, share information and work together in enhancing aviation security. USAP-CMA auditors should be sensitive to the State’s concerns, needs and resources available, and should present and conduct themselves at all times in a manner befitting their role as representatives of ICAO.
5.6.4 USAP-CMA auditors should at all times observe the laws, customs, and except in rare circumstances, the social norms of the host country. Alleged offensive language, gestures or other distasteful actions toward the local population may result in an investigation and, if substantiated, possible ineligibility to continue as a USAP-CMA auditor. USAP-CMA auditors should be sensitive to any differences in status or rank and conduct themselves accordingly. Courtesy and diplomacy are not merely helpful qualities to the successful attainment of the USAP’s goals — they are essential.
5.6.5 For safety reasons, USAP-CMA auditors should not draw undue attention to themselves and should blend into the local environment as much as possible. They should not engage in loud conversations or flaunt their citizenship unnecessarily through their dress, actions or words. It is imperative that USAP-CMA auditors never discuss their official business in public areas, while on public transportation, or with those who do not have an official need to know.
5.6.6 USAP-CMA auditors must become as familiar as possible with the State to be visited. This includes information concerning the language, basic history and geography, social customs and current political climate. Prior coordination with the TL to confirm the proposed itinerary, passport and visa requirements, inoculations and similar administrative details is essential.
5.6.7 Climate permitting, USAP-CMA auditors should conduct their official business in appropriate business attire. The TL should provide guidance on appropriate dress for the culture and climate of the State to be visited. In most cases, appropriate dress will be the business attire normally worn in the international community. In some locations, however, traditional business attire may be less formal or otherwise different.
5.6.8 Prior to departure, the USAP-CMA auditors should become thoroughly familiar with the information regarding general security conditions at the locations to be visited. Where applicable, the local United Nations Security Coordinator should be contacted to arrange an on-site briefing at the start of the audit mission.
5.6.9 A prerequisite for official travel by United Nations system personnel is successful completion of all required training, including Basic Security in the Field (BSITF) on-line training for all official travel and Advanced Security in the Field (ASITF) on-line training for official travel to any field location. All USAP-CMA auditors are required to successfully complete the BSITF and ASITF training courses and provide ICAO with a copy of their printed course certificates. BSITF and ASITF certificates are valid for three years, at which point USAP-CMA auditors must follow the courses again to recertify.
5.6.10 USAP-CMA TMs will be briefed by the TL on security conditions in the State to be audited and are expected to act on this information while also adhering to any requirements set forth by the State.
5.6.11 USAP-CMA TMs must adhere to the itinerary provided by the TL and be on time for all meetings or appointments made by the State. Any sightseeing, shopping, personal visits or other unofficial activities that occur at the expense of the USAP’s objectives will not be tolerated.
5.6.12 As a member of an audit team tasked with conducting the USAP-CMA activity, each USAP-CMA auditor is expected to participate in the audit to his/her fullest ability.
5.6.13 Each TM is responsible for documenting all information gathered through the review of documents, interview of relevant personnel and observation of measures and procedures by completing an electronic version of PQ Worksheets. Information gathered and documented during an audit should represent the TM’s most conscientious effort at objectivity, thoroughness and good judgement.
______________________
Chapter 6 USAP-CMA ACTIVITY PHASES AND PROCEDURES
6.1 USAP-CMA ACTIVITY PHASES
The USAP-CMA activity is divided into the following three phases:
a) preparation phase;
b) conduct phase; and
c) reporting phase.
6.2 PREPARATION PHASE
6.2.1 The USAP-CMA activity preparation phase starts when the ICAO Member State is formally notified of the conduct of a USAP-CMA activity by means of a letter signed by the ICAO Secretary General, at least 120 calendar days prior to the commencement of the planned USAP-CMA activity. The accredited ICAO RO is informed of the formal notification of a USAP-CMA activity and may be requested to follow up the initiative with the State. The notification letter specifies the dates and the type of planned USAP-CMA activity (on-site, i.e. oversight/compliance-focused audit, including the name(s) of the airport(s) selected for observation, or off-site, i.e. documentation-based audit). The USAP-CMA activity preparation phase concludes with the USAP-CMA audit team briefing prior to the opening national briefing with the State’s authorities, in the case of a USAP-CMA on-site activity, or on the starting date specified in the ICAO letter of notification, in the case of a USAP-CMA off-site activity.
6.2.2 The Member State is urged to give full support to ICAO by accepting the USAP-CMA activity as scheduled by ICAO by confirming, as soon as possible, the acceptability of the dates of the proposed USAP-CMA activity. In the notification letter, the Member State is also requested to submit to ICAO:
a) no later than 60 calendar days prior to the start of the USAP-CMA activity, the duly completed SASAQ designed to provide ICAO with preliminary information concerning the State’s aviation security and oversight systems, including the duly completed State Quality Control Activity Summary Form and the schedule of quality control activities for the previous calendar year and for the current year;
b) the duly completed CCs, reflecting State’s compliance with the SARPs of Annex 17 and security-related provisions of Annex 9 to the Chicago Convention;
c) the updated CAP, reflecting the progress made by the State in the implementation of corrective actions since the last USAP audit and addressing the status of not satisfactory PQs; and
d) appropriate documentation that will assist in the preparation of the USAP-CMA activity, such as the State’s primary aviation security legislation, national-level aviation security programmes and regulations, and airport-level aviation security programmes and procedures.
Note.— The scope of documentation to be completed and submitted by the State may vary depending on the type of USAP-CMA activity, which will be clearly described in the notification letter to the State.
6.2.3 If available, the State’s primary aviation security legislation, specific aviation security regulations and national-level programmes, such as the NCASP, the NCASTP and the NQCP, should be provided at the same time as the SASAQ and CCs. This documentation should be provided in one of the official ICAO languages and preferably in the working language of the planned USAP-CMA activity. The provision of such documentation will also allow the USAP-CMA audit team to prepare and validate information prior to the conduct phase of the USAP-CMA activity.
6.2.4 C/ASA appoints a TL for each USAP-CMA activity at least six months prior to the commencement of the USAP-CMA activity. The TL is an ICAO staff member who is responsible for the:
a) preparation, conduct and reporting of the assigned USAP-CMA activity in accordance with guidance and instructions developed by ICAO; and
b) provision of leadership and guidance to TMs in the case of a USAP-CMA on-site activity.
6.2.5 C/ASA also assigns TMs for a USAP-CMA on-site activity shortly after the appointment of the TL, normally three to six months prior to the commencement of a USAP-CMA activity. TMs are selected from the roster of ICAO-certified USAP-CMA auditors taking into consideration the geographical region, their area of expertise and the language of the USAP-CMA activity. The audit team size depends on the type and scope of the USAP-CMA activity, as well as the complexity of civil aviation activities in the State.
6.2.6 The State to be audited will be provided with the name(s) of the assigned TL and TMs approximately two months prior to any scheduled USAP-CMA activity and will have the opportunity to provide any desired feedback to ICAO. Any concerns the State may have regarding the composition of the USAP-CMA audit team may be raised and will be considered by C/ASA. The final composition of the USAP-CMA audit team will be provided to the State prior to any scheduled on-site activity in sufficient time to enable it to facilitate applications for visas and other administrative matters. Auditors nominated for participation in the USAP-CMA activity will receive a clear mandate and credentials letter from ICAO in order to act as representatives of ICAO for the purpose of the USAP-CMA activity.
6.2.7 Once the TL has been appointed by C/ASA, he/she will contact the NC appointed by the Member State to coordinate the preparation of the USAP-CMA activity. The TL will work directly with the NC who will represent the interests of the Member State for the purpose of the USAP-CMA activity.
6.2.8 Prior to the commencement of a USAP-CMA activity, the TL will conduct a review of the information provided in the SASAQ, CCs and updated CAP, as completed by the State, as well as previous USAP audit results and any documentation provided by the State. Differences filed by the State with respect to Annex 17 SARPs and security-related provisions of Annex 9 will also be reviewed at this time. This information will be confirmed or updated during the course of the USAP-CMA activity using the CCs that contain information on the State’s compliance with Annex 17 SARPs and security-related provisions of Annex 9, which the Member State shall complete and maintain up to date in accordance with the MoU. It should be noted, however, that the filing of a difference by a State with respect to any particular SARP will not preclude the possibility of an audit finding and recommendation being made with regard to the SARP concerned.
6.2.9 One of the objectives of the USAP-CMA activity preparation phase is to define the scope of the activity in terms of applicable USAP-CMA PQs to be addressed during the USAP-CMA activity. The type and scope of a USAP-CMA on-site audit, as well as the complexity of civil aviation activities in the State, define the amount of work to be performed on-site, which determines the size of the USAP-CMA audit team and the duration of the USAP-CMA activity. The TL confirms the scope and number of days scheduled for the USAP-CMA on-site audit to ensure that the assigned audit team will be able to accomplish the activity’s goals. If required, the TL may request C/ASA for adjustments to the duration of the activity or assignment of additional TMs.
6.2.10 The TL determines the scope of the USAP-CMA activity in the form of a set of USAP-CMA PQs and forwards it to the NC, normally one month prior to the commencement of the USAP-CMA activity, for coordination with the State’s relevant national- and airport-level entities. These PQs may include, but are not necessarily limited to:
a) PQs relating to processes that States should continuously implement;
b) new PQs added since the previous USAP audit of the State, such as PQs relating to new Standards of Annex 17 or security-related provisions of Annex 9;
c) not satisfactory PQs from the previous USAP audit of the State;
d) not applicable PQs from the previous USAP audit of the State to confirm/update the current status of those PQs; and
e) any PQs relating to information obtained from other sources that might indicate a change in the State’s USAP-CMA key parameters.
Note 1.— States may request ICAO to modify the scope of a USAP-CMA activity only in extreme circumstances and by providing ICAO with a valid justification.
Note 2.— For USAP-CMA off-site activities, the status of certain PQs related to operational implementation of various security measures will be marked as undetermined. The status of such PQs will be assessed during USAP-CMA on-site activities.
6.2.11 For USAP-CMA off-site activities, the TL forwards the scope of the USAP-CMA activity to the NC in the form of USAP-CMA PQ Worksheets. The NC coordinates with the State’s relevant national- and airport-level entities the completion of PQ Worksheets within the established scope of the USAP-CMA activity and their subsequent submission to the TL. The evaluation of completed PQ Worksheets will be conducted by the TL during the conduct phase of the USAP-CMA off-site activity.
6.2.12 For USAP-CMA on-site activities, a State-specific audit plan will be developed by the TL based on the defined scope of the USAP-CMA activity and forwarded to the NC for coordination with State authorities prior to the commencement of the USAP-CMA activity. The TL also forwards the State-specific audit plan to all assigned TMs for information to assist them in preparing for the USAP-CMA on-site activity. The purpose of the State-specific audit plan is to outline in detail the proposed schedule of on-site activities (daily work plan), such as meetings, briefings and visits to concerned authorities, facilities and aviation security service providers, as well as to provide the State with the necessary administrative information related to the conduct of the USAP-CMA on-site activity. Last-minute modifications to the State-specific audit plan may occur, in which case the TL will inform the State authorities as soon as practicable. The daily work plan is submitted to the State for its consideration and agreement. It is approved during the national briefing with the State’s authorities.
6.2.13 The State-specific USAP-CMA audit plan will include the following information:
a) general information, such as:
  • MoU signature date and audit period;
  • national briefing and post-audit debriefing venue, date and time;
  • contact details of the appropriate authority and the NC;
  • objective and scope of the audit (audit areas to be considered);
  • language to be used for the conduct of the audit and for the audit report; and
  • checklist of documents submitted by the State;
b) TMs’ names and assigned audit areas;
c) daily work plan;
d) list of entities to be visited under each audit area; and
e) logistics and miscellaneous, such as:
  • travel itineraries for the TL and all TMs;
  • visa information;
  • health information;
  • security information;
  • hotel reservations;
  • ICAO DSA and hotel portion; and
  • other useful travel tips (departure taxes, local currency and exchange rate to USD, time difference, etc.).
6.2.14 The TL coordinates with the NC any visits by the USAP-CMA audit team to industry or service providers. The State is responsible for arranging and coordinating domestic travel and for covering related transportation costs. The NC will be the USAP-CMA audit team’s primary point of contact for all meetings and visits during audit activities. The NC will be involved and informed at every phase of the audit but should not seek to influence the audit results. The NC’s assistance and comments may be sought by the USAP-CMA audit team.
6.2.15 The TL, in coordination with the NC, shall determine the requirements for language interpretation services, if required, the provision of which is the State’s responsibility.
6.2.16 The TL will meet with TMs for a USAP-CMA on-site audit team briefing one day prior to the commencement of the USAP-CMA activity. The objective of the briefing is to build team synergy, provide further familiarization to TMs on the processes and tools of the USAP-CMA activity and ensure that all TMs are aware of pertinent information. The USAP-CMA audit team will discuss the USAP-CMA audit, review the completed SASAQ and CCs and develop a list of questions and/or identify additional information required by the USAP-CMA audit team. In addition to determining points of specific focus to be addressed with the Member State, the USAP-CMA audit team will review the State-specific USAP-CMA audit plan and daily schedule of audit activities (daily work plan).
6.2.17 The following elements should be addressed by the TL during the USAP-CMA on-site audit team briefing:
a) welcome all TMs and make introductions;
b) describe objectives and methodology of the USAP-CMA activity;
c) confirm domestic arrangements, including accommodation and transportation details;
d) provide copies of the ICAO Code of Conduct for Auditors (Appendix D) to each TM, and ensure that all TMs read and sign the cover sheet and return it to the TL;
e) reinforce the ICAO Code of Conduct for Auditors, including the confidentiality requirements relating to audit results and documents, and the policy of not accepting gifts;
f) provide guidelines on dealing with State counterparts and external entities (such as media, reporters and labour unions);
g) distribute all available documents to the audit team (completed SASAQ, CCs, documentation provided by the State, USAP-CMA audit plan, PQ Worksheets, mission reports, etc.);
h) review the State-specific audit plan, scheduled daily work plan and any ad hoc arrangements (e.g. transportation);
i) review audit areas assigned to each TM;
j) review the completed SASAQ and CCs;
k) confirm work methods to be used during the audit, as well as the tasks, responsibilities and deliverables of TL and TMs; and
l) clarify and confirm deadlines for the completion of individual contributions and submission of completed PQ Worksheets to the TL.
6.3 CONDUCT PHASE
6.3.1 During this phase, a USAP-CMA audit team visits the State for the selected USAP-CMA on-site activity within the determined scope and:
a) conducts a systematic and objective assessment of the State’s aviation security oversight system and the State’s compliance with Annex 17 Standards and security-related provisions of Annex 9 using USAP-CMA PQs, and recommends the issuance of any findings and/or SSeCs to address identified deficiencies;
b) collects and records any evidence provided by the State regarding the implementation of CAPs and the actions taken to resolve any pre-existing findings; and
c) informs the State of the outcome of the USAP-CMA audit during the post-audit debriefing between the USAP-CMA audit team and State authorities.
6.3.2 The State should:
a) ensure that State representatives, counterparts and staff members implicated in the conduct of the USAP-CMA audit are available for interviews and discussions with the USAP-CMA audit team;
b) make the evidence, information and documentation requested by the USAP-CMA audit team readily available and submit these to the audit team in a timely manner;
c) facilitate and arrange visits to industry and/or service providers;
d) provide a suitable working environment for the USAP-CMA audit team; and
e) arrange daily transportation and administrative support, as required.
6.3.3 The conduct of the USAP-CMA on-site audit will be focused on the systematic gathering of information by means of observation, interviews and review of documents, whenever possible. All activities undertaken by the USAP-CMA audit team will be transparent and conducted only with the approval of the State. At no time will the USAP-CMA audit team engage in activities that could be perceived as covert efforts to test or penetrate security operations.
6.3.4 For USAP-CMA off-site activities, as mentioned in 6.2.11, the TL submits a set of USAP-CMA PQ Worksheets within the defined scope of the USAP-CMA activity to the NC for coordination with the State’s relevant national- and airport-level entities for self-assessment and subsequent return to the TL. The TL evaluates the State’s answers in those PQ Worksheets received from the NC in conjunction with the documents and evidence submitted by the State that support the implementation of selected PQs, including, but not limited to, the updated CAP and associated evidence, the SASAQ, CCs and other documentation submitted by the State. The TL may request the NC to provide other relevant or necessary documentation related to the scope of the USAP-CMA activity, as applicable. The TL may request additional information and/or clarification from the State and may interview relevant personnel via telephone or other means. The NC should facilitate this process and communicate with the TL in a timely manner and provide all required information and documentation.
National briefing
6.3.5 The USAP-CMA audit TL will conduct a national briefing on the first day of the USAP-CMA on-site audit, which should be scheduled in advance and included in the State-specific audit plan. The purpose of the briefing is to:
a) introduce the USAP-CMA audit team;
b) brief the appropriate authority and senior officials of the State hosting the audit on the USAP-CMA methodology, processes, procedures and scope of the USAP-CMA audit;
c) provide an overview of the USAP-CMA audit team’s activities at the airport(s) selected for observation, including the manner in which the collection of information surrounding the security controls and measures will occur;
d) finalize and confirm audit plan arrangements and organizational aspects related to the USAP-CMA audit; and
e) gather additional information, if necessary.
6.3.6 The national briefing may be co-chaired by the senior executive of the State, who may also wish to provide information and/or a briefing to the USAP-CMA audit team. TMs should also attend the national briefing.
6.3.7 During the national briefing, the TL should:
a) thank representatives of the State and other aviation security stakeholders for their cooperation;
b) introduce him/herself and the TMs, citing their qualifications and background;
c) reiterate the language to be used during the USAP-CMA audit, and notify participants of any special language skills among the USAP-CMA audit TMs;
d) explain the objective of the USAP-CMA;
e) review the MoU signed between ICAO and the State, specifically objectives and principles of the USAP-CMA audit (responsibilities and duties of the State and the USAP-CMA audit team);
f) describe the USAP-CMA audit process and methods of gathering information (e.g. observation, discussion, review of documents) during the audit and the scope of the audit;
g) briefly present and confirm the State-specific audit plan and schedule of activities, and adjust if required;
h) outline the concluding phase of the USAP-CMA audit, including the presentation of the preliminary list of findings and recommendations at the post-audit debriefing, and confirm the arrangements for the debriefing (participants, location, date and time);
i) explain the reporting system, including the USAP-CMA audit report and the CAP based on the USAP-CMA audit findings and recommendations;
j) confirm the name of the official designated by the State to receive the USAP-CMA audit report;
k) review and clarify, if necessary, the answers provided by the State to the SASAQ and CCs;
l) request and clarify additional information pertaining to Annex 17, security-related provisions of Annex 9 and the SASAQ, as appropriate;
m) provide an overview of the USAP-CMA audit team’s understanding of the aviation security organization and responsibilities for implementing security measures at the airport(s) selected for observation, when necessary;
n) note any special comments or concerns of the State with regard to the conduct of the audit or areas to be observed;
o) confirm the location of the USAP-CMA audit team facilities;
p) confirm the identity of the official USAP-CMA audit team escorts and the means of communication between the audit team and its escorts (e.g. mobile telephones);
q) confirm the schedule of the flights selected in the audit plan for observation to determine the timing for observing airport security operations; and
r) reinforce confidentiality provisions concerning any information or documents received by the USAP-CMA audit team.
Note.— Any clarification on answers provided in the SASAQ that could be done on site should not be sought during the national briefing, but should be directly observed by the USAP-CMA audit team instead. If no clarification can be obtained from observation, then the answer should be sought in cooperation with the NC.
Conduct of the on-site audit
6.3.8 During the conduct of the USAP-CMA on-site audit, the USAP-CMA audit team will assess the level of implementation of the CEs of an aviation security oversight system and the degree of compliance of the State with Annex 17 Standards and security-related provisions of Annex 9. If the USAP-CMA audit team perceives deficiencies in the implementation of the aviation security oversight system or lack of compliance with ICAO SARPs, the audit team will attempt to identify the reasons and will seek to assist the State in achieving the recommended improvements.
6.3.9 The on-site gathering of evidence should be systematic and objective, using the State-specific PQs. All audit findings should be recorded in a preliminary list of findings and recommendations in a clear, concise manner and supported by evidence, with reference made to the relevant CEs of an aviation security oversight system as well as the relevant ICAO SARPs and PQs.
6.3.10 The USAP-CMA audit team, under the leadership of the TL, collects evidence and information by examining records, reviewing documentation and relevant material, observing the implementation of security measures and conducting interviews. Depending on the scope of the USAP-CMA audit, the USAP-CMA audit team will review the State's legislative and regulatory provisions, the implementation of relevant ICAO SARPs, the application of guidance material and relevant security-related practices in use in the aviation industry. The State should provide the appropriate evidence in order to fulfil the requirements of the USAP-CMA audit being conducted. The TL provides the State with a deadline for providing evidence to be considered during the USAP-CMA on-site audit.
6.3.11 The USAP-CMA audit will also be based in part on observing security measures and practices in effect at the airport(s) selected for observation. During such visits, observation of operational measures and procedures of selected aircraft operators, cargo agents, mail authorities, catering companies, etc., will be undertaken as necessary to establish compliance with Annex 17 Standards and security-related provisions of Annex 9. By checking records, not only in the State but also in the industry, and by looking into how the industry conducts its business in areas related to the audit, the USAP-CMA audit team is able to assess whether Annex 17 Standards and security-related provisions of Annex 9 are being implemented effectively.
6.3.12 Specific observations should include the following information: the place, company or authority visited; job titles of people met or spoken to; notes on the procedures observed; and notes on any deficiencies seen in those procedures in reference to the specific Annex 17 Standard or relevant security-related provision of Annex 9.
6.3.13 Industry visits should be conducted in the company of the appropriate authority representatives and on the basis of the State-specific audit plan already agreed upon for the USAP-CMA on-site activity. These visits are used to determine the State’s aviation security oversight capabilities or its implementation of the CAP or mitigating measures. Security concerns that may be identified during these visits can only be identified as a finding or an SSeC in regard to the State aviation security system and not in regard to the industry or service providers.
6.3.14 The audited State will determine the type of escort to be provided to the USAP-CMA audit team during the audit. The TL and TMs will be issued with airport identification badges that should be displayed in a visible place, as mandated by the national requirements. In the event of an emergency (e.g. hijacking, bomb threat, aircraft accident, etc.), the USAP-CMA audit will be suspended upon request of the audited State. In this case, arrangements should be made as soon as possible to resume or reschedule the USAP-CMA audit.
6.3.15 The USAP-CMA audit team may encounter situations during on-site activities that reveal an SSeC, resulting in an immediate security risk to international civil aviation. The mechanism established to address such SSeCs as a priority is described in 2.9. As soon as a preliminary SSeC is identified, the TL, after coordination with C/ASA, brings it to the attention of the State to allow the State to initiate corrective action immediately. The TL provides all relevant information on the preliminary SSeC to C/ASA. At this point, the identification of an SSeC is considered preliminary until it is validated and confirmed by the SSeC Validation Committee.
6.3.16 During the USAP-CMA on-site audit process, the USAP-CMA audit team must conduct an internal meeting on a daily basis to:
a) discuss the day’s activities and findings and review the audit team’s daily progress;
b) address and resolve potential issues and delays encountered during daily tasks;
c) identify areas of concern, including potential SSeCs;
d) identify any part of the USAP-CMA PQs that has not been addressed;
e) determine required changes in the work plan, if any;
f) coordinate common areas;
g) discuss the next day’s activities;
h) identify any information that must be collected or clarified; and
i) enhance team coordination and support.
6.3.17 The TL will meet with the NC on a daily basis to inform him/her of the preliminary findings and deficiencies identified during the ongoing audit with the objective of providing preliminary recommendations for corrective action, facilitating the post-audit debriefing, and to discuss any changes in the audit plan or new requests for meetings and/or documents.
6.3.18 Audits may result in raising the awareness and interest of several aviation bodies, some of which may request interviews with the USAP-CMA audit team. Interviews with organizations other than the State, such as the media, labour unions or other interested bodies, shall not be conducted under any circumstances by the USAP-CMA audit team.
6.3.19 In assessing the State’s level of implementation of the CEs of an aviation security oversight system and determining the degree of compliance with Annex 17 Standards and security-related provisions of Annex 9, USAP-CMA auditors will be guided by the verification process described in the USAP-CMA PQs. Although several PQs may have been reviewed during the preparation phase of the USAP-CMA activity, the status of these PQs is determined during the on-site activity. At the same time, given the differing nature of national- and airport-level security systems among States, USAP-CMA auditors should, to the extent practicable, apply an outcome-based approach and be open to different means of compliance that are not explicitly addressed by the USAP-CMA PQs but are implemented by States to achieve the same outcome.
6.3.20 During the conduct of the USAP-CMA audit, TMs take comprehensive notes and assess the applicable PQs, which will be used in developing the draft USAP-CMA audit report, including the findings. Each finding is related to one relevant PQ. The USAP-CMA audit team records the finding, marks the status of the associated PQ as not satisfactory and clearly indicates how and why they were made. Absence of evidence will normally be reflected as a finding. The State is required to propose a CAP to address each finding.
6.3.21 The TL will provide the TMs with blank copies of PQ Worksheets in their respective areas of responsibility within the scope of the USAP-CMA audit. TMs shall submit their duly completed PQ Worksheets to the TL. The USAP-CMA audit team should review all findings to ensure that they are objective, clear and concise and associated with the relevant PQ.
Post-audit debriefing
6.3.22 At the end of the USAP-CMA on-site audit, the audit team will meet with State officials for a post-audit debriefing to present a preliminary list of findings and recommendations addressing areas that require improvement. Furthermore, before the post-audit debriefing, the TL will meet with the NC to undertake a final review of the preliminary list of findings and recommendations and those significant elements to be addressed during the post-audit debriefing. If applicable, any preliminary SSeCs identified in the course of the audit will be described to the NC and State officials.
6.3.23 The post-audit debriefing provides high-level State representatives with information related to the USAP-CMA audit team’s conclusions regarding the status of implementation of the CEs of the State’s aviation security oversight system and the compliance with Annex 17 Standards and security-related provisions of Annex 9. The post-audit debriefing emphasizes the most significant security issues, and concisely presents the USAP-CMA audit team’s findings and recommendations regarding the effectiveness of the State’s aviation security oversight system.
6.3.24 The post-audit debriefing should be a review of the issues already covered in the daily briefings with the State NC. All identified deficiencies and findings should have already been discussed in the daily briefings and well understood by everyone attending the post-audit debriefing. Any preliminary SSeCs should have also been discussed and well understood by everyone before the post-audit debriefing. While the State may choose to further discuss or debate the identified findings and deficiencies, including any preliminary SSeCs, during the post-audit debriefing, the State should have presented all available evidence to the USAP-CMA audit team before the post-audit debriefing.
6.3.25 At the post-audit debriefing, the TL provides a draft paper copy of preliminary findings and recommendations to the State. Each recommendation describes the corrective action to be implemented by the State, as well as identifies the relevant PQ, CE, SARP and the priority of each corrective action.
6.3.26 During the post-audit debriefing, the TL should:
a) thank officials of the Member State and any persons directly involved in the USAP-CMA audit for their cooperation;
b) reintroduce the USAP-CMA audit team, if any State officials present did not attend the national briefing;
c) briefly review the objective and scope of the USAP-CMA audit;
d) provide a verbal overview of the effectiveness of the State’s aviation security oversight system and capabilities and overall findings for each CE assessed, focusing first on positive aspects and then on identified deficiencies that need to be addressed;
e) provide a preliminary list of findings and recommendations concerning the degree of compliance with Annex 17 Standards and security-related provisions of Annex 9, highlighting the priorities of recommendations requiring short-, medium- and long-term corrective actions;
f) present preliminary SSeCs, if applicable, and explain that the SSeC Validation Committee at ICAO Headquarters will review and confirm the validity of any preliminary SSeCs;
g) ensure that State officials clearly understand the USAP-CMA audit results and encourage TMs to provide additional clarification, as required, to resolve any uncertainty the State officials may have;
h) invite comments from State officials on the USAP-CMA audit results;
i) remind State officials that the preliminary list of findings and recommendations is being provided solely to allow the State to begin working on its corrective actions and that these will undergo a technical and editorial review by ASA before being forwarded to the State in the form of a final USAP-CMA audit report;
j) remind the State about post-audit reporting actions to be performed by ICAO and the State, including target dates for issuing the USAP-CMA audit report to the State and for receipt of the State’s CAP;
k) remind the State about confidentiality provisions; and
l) remind the State about the availability of urgent and immediate assistance through ISD-SEC, and longer term assistance through TCB.
6.3.27 Specialist meetings of the USAP-CMA audit team and the State’s technical counterparts may be held prior to or following the post-audit debriefing at the discretion of the TL and the State authorities.
6.3.28 The TL will meet with the TMs both before and after the post-audit debriefing in order to review and assess the entire audit process. All audit team participants should be asked to express their views about the audit performed.
6.3.29 Prior to the post-audit debriefing, the TL will work closely with each TM concerning their contribution to the USAP-CMA audit report, focusing on the adequacy of completed PQ Worksheets and reviewing the preliminary list of findings and recommendations. During the USAP-CMA audit team debriefing that is held following the post-audit debriefing, the TL should:
a) thank the TMs for their work;
b) raise any concerns about the teamwork, the audit process and tools, or other issues;
c) reinforce rules of confidentiality;
d) collect any remaining portions of TM submissions (e.g. paper copies and electronic versions of PQ Worksheets) and ensure that no information, including electronic copies of documents, has been retained by any individual TM;
e) collect all audit documents, including documentation provided by the State, copies of the preliminary list of findings and recommendations, auditor notebooks, etc.;
f) collect mission reports from TMs;
g) collect, whenever possible, a preliminary travel claim form from each TM with hotel receipts and airline boarding passes, as well as receipts for any other official expenses;
h) collect business cards or copies of business cards obtained by TMs during the USAP-CMA audit;
i) provide guidance on the proper methods of communicating audit-related sensitive security information to avoid accidental disclosure; and
j) confirm the departure arrangements.
6.3.30 Upon completion of an off-site audit, the TL will conduct a post-audit debriefing with the NC to provide a summary of the results of the USAP-CMA activity. The TL will advise the NC of the next steps in the USAP-CMA activity process and provide the State with the preliminary list of findings and recommendations.
6.4 REPORTING PHASE
6.4.1 Each USAP-CMA activity will conclude with the preparation of a USAP-CMA audit report to be submitted to the audited State within established time frames following the completion of the USAP-CMA audit. The USAP-CMA audit report summarizes the level of implementation of the CEs of the State’s aviation security oversight system and provides full details of the audit findings and recommendations. The State CAP should be based on the USAP-CMA audit report, although the State has an opportunity to initiate its corrective actions based on the preliminary list of findings and recommendations presented at the post-audit debriefing.
6.4.2 In accordance with the terms of the MoU between ICAO and the Member State, ICAO will submit a USAP-CMA audit report to the audited State within 60 calendar days from the post-audit debriefing. If the ICAO working language of the State is other than the language in which the USAP-CMA audit was conducted, an advance copy of the USAP-CMA audit report will be sent to the State within 60 calendar days from the post-audit debriefing in the language in which the USAP-CMA audit was conducted. The USAP-CMA audit report will then be translated into the ICAO working language of the State and submitted to the State, and subsequent timelines will be adjusted accordingly. ASA will retain a copy of the USAP-CMA audit report submitted to the State.
6.4.3 The USAP-CMA audit report will be confidential and made available only to the audited State and to persons with an official need to know within ICAO. In addition, the charts depicting the level of implementation of the CEs of an aviation security oversight system by the audited State and an indication of the degree of compliance of the audited State with Annex 17 Standards will be made available to all Member States on the USAP secure website in accordance with the limited level of disclosure, as indicated in 4.9.3. All other materials, notes and reports obtained or generated during the USAP-CMA audit will be treated as strictly confidential by ICAO.
6.4.4 Access to the USAP secure website is restricted to Member State appropriate authority officials. All access requests will be scrutinized and granted by ASA only to those with an operational need to know. Member States will make their own decision as to whether they need to approach the audited State on a bilateral or multilateral basis to discuss the results of the audit. The audited State has the right to publish, or otherwise distribute in any way it deems appropriate, its audit report or its CAP.
6.4.5 The USAP-CMA audit report is an objective reflection of the results of the USAP-CMA audit. It is prepared on the basis of the reporting principles and procedures contained in this manual. The USAP-CMA audit report is designed to provide:
a) information to the audited State regarding its aviation security performance in terms of the level of implementation of the CEs of the State’s aviation security oversight system, and the indicative degree of the State’s compliance with Annex 17 Standards and security-related provisions of Annex 9;
b) prioritized recommendations to the audited State to initiate corrective actions; and
c) information to ICAO related to common deficiencies in order to define measures to assist its Member States.
6.4.6 The draft USAP-CMA audit report is compiled by the TL based on submissions received from the TMs. TMs are expected to prepare their PQ Worksheets during the on-site audit on a daily basis. Prior to the return of the TMs to their home States at the conclusion of an on-site audit, the TL reviews and coordinates their individual submissions and discusses them with the TM concerned. The TL is required to submit the draft USAP-CMA audit report to C/ASA within seven working days of the date of his/her return to ICAO Headquarters following the post-audit debriefing. If the TL’s mission includes more than one USAP-CMA on-site audit, the timelines for submission of draft audit reports will be adjusted accordingly.
6.4.7 The draft USAP-CMA audit report is then subjected to a technical and editorial review by ASA, in accordance with the USAP-CMA quality management procedures. The TL, in coordination with ASA, is responsible for verifying and ensuring the technical content and the overall accuracy of the USAP-CMA audit report throughout the report production phase. ASA shall consult with the TL during the report production process for questions or clarifications related to the report content. The final USAP-CMA audit report is submitted to C/ASA for approval.
6.4.8 The key principles that guide the development of a USAP-CMA audit report are as follows:
a) the TL should consolidate the contributions of the TMs and finalize the draft audit report;
b) audit findings should be presented in an objective manner;
c) the audit report should be confined to facts only, not suppositions or opinions, i.e. what was observed and found to be deficient;
d) findings and recommendations in the post-audit debriefing and the USAP-CMA audit report should be consistent;
e) findings and recommendations should be described in a clear, concise and consistent manner;
f) each recommendation should be related to an identified deficiency, specifically detailing what corrective action is required from the State;
g) recommendations should be prioritized as “Low”, “Medium”, “High” and “Very high” based on the nature of the deficiencies they address, with a view to assisting the State in preparing an effective CAP for short-, medium- and long-term corrective actions for the resolution of deficiencies identified during the USAP-CMA audit;
h) all conclusions should be substantiated with references;
i) generalities and vague observations should be avoided;
j) only widely accepted international civil aviation terminology should be used, avoiding acronyms and jargon; and
k) criticism of individuals or positions should be avoided.
6.4.9 The USAP-CMA audit report is prepared following a standard reporting format developed by ASA. This format permits input from a confidential electronic database, facilitating the retrieval of information for the purpose of analysis and follow-up activities.
6.4.10 The content of the USAP-CMA audit report is as follows:
• Introduction
• Objectives of the USAP-CMA audit
• Summary of the USAP-CMA audit results
• Appendix 1. Analysis of the USAP-CMA Audit Results by CE
• Appendix 2. USAP-CMA Audit Findings and Recommendations
6.4.11 The first two parts of the USAP-CMA audit report (introduction and objectives of the USAP-CMA audit) contain background information on the USAP and the objective of the USAP-CMA, the USAP-CMA audit team composition, overview of the USAP-CMA activity scope and the visits to industry and service providers, if applicable. The summary of the USAP-CMA audit results contains textual and graphical information on the State’s aviation security performance in the form of the State’s:
a) Oversight Indicator: average EI of the eight CEs of the State’s aviation security oversight system;
b) Compliance Indicator: average compliance of the State with Annex 17 Standards and average compliance of the State with security-related provisions of Annex 9; and
c) USAP-CMA PQ Indicator: percentage of USAP-CMA PQs found satisfactory during the USAP-CMA audit of the State.
The summary of the USAP-CMA audit results also contains information on the existence of SSeCs, if any, and the current status of such SSeCs.
6.4.12 Appendix 1 of the USAP-CMA audit report provides an analysis of the State’s aviation security oversight system, highlighting the EI and LEI of each CE, as well as the graphical depiction of the EI for each CE. Appendix 2 of the USAP-CMA audit report contains a detailed list of the USAP-CMA audit findings and recommendations, together with associated PQs found not satisfactory, related CEs, SARPs and the priorities assigned to these recommendations.
6.4.13 Upon receipt of the USAP-CMA audit report, the State will have 30 calendar days to submit comments and feedback on the report. The USAP-CMA audit report may be revised as a result of this feedback. In all cases, comments submitted by the State will become part of the information related to the USAP-CMA activity conducted in the State.
6.4.14 In the event that action for improvement is recommended by ICAO following completion of a USAP-CMA audit, the State is responsible for developing an acceptable CAP defining the action the State plans to take to resolve deficiencies in its aviation security and oversight systems identified by the USAP-CMA audit. Guidance on the development of the CAP by the State will be provided by the TL during the post-audit debriefing. Appendix C provides guidance for States on developing CAPs.
6.4.15 The audited State should provide ASA with a CAP within 60 calendar days after receiving the USAP-CMA audit report in the ICAO working language of the State (i.e. approximately at least 120 days following the post-audit debriefing), using the CAP template provided by ICAO together with the USAP-CMA audit report. In accordance with the terms of the MoU agreed to by the State, the CAP should show how the improvements will be achieved by addressing the findings and recommendations of the USAP-CMA audit report, providing specific actions, indicating the entities responsible for the implementation of such actions, and providing deadlines for the correction of the deficiencies identified during the USAP-CMA audit. Corrective actions and deadlines for implementation should be established to address each of the ICAO recommendations contained in the USAP-CMA audit report.
6.4.16 The CAP should contain detailed and specific measures that the State has taken or proposes to take to implement the ICAO recommendations. All corrective actions should consider the various aspects that may affect their implementation. Due to the complexity for implementing new aviation security requirements and given the resources available, consideration should be given to setting starting and completion dates that are as feasible and practicable as possible. In developing the CAP, corrective actions should be established by phases of implementation or by short-, medium- and long-term goals based on the priorities of the recommendations contained in the USAP-CMA audit report.
6.4.17 ICAO will provide the State with feedback on the acceptability of the proposed CAP. If any proposed corrective actions do not fully address the associated findings and recommendations, the State will be notified accordingly and requested to resubmit its CAP. In any case where the audited State proposes not to implement a recommendation because it disagrees with the finding of the USAP-CMA audit team or with the audit team’s
interpretation of the relevant ICAO Standard or security-related provision, the State should cooperate with ICAO to resolve this disagreement. If such cooperation results in a proposal by the State to modify its CAP, C/ASA should be provided with the modified CAP at the earliest opportunity.
6.4.18 USAP-CMA audit team participants will prepare separate mission reports describing the conduct of the audit and any difficulties encountered. The USAP-CMA mission reports may also advance proposals for improving the future planning and execution of USAP-CMA activities. The USAP-CMA mission reports provide feedback on the conduct of the audit, from planning to completion. The mission reports are an integral part of the USAP-CMA quality assurance process and will be used by ASA to improve the USAP-CMA. ASA will maintain a record of all feedback, recommendations and any action taken to address concerns raised. Should the USAP-CMA mission report identify issues that could be addressed by amending Annex 17 SARPs or security-related provisions of Annex 9, this information will be relayed to the ICAO Aviation Security Panel or Facilitation Panel, as appropriate.
6.4.19 A State USAP-CMA Activity Feedback Form will be provided to the State together with the USAP-CMA audit report. The purpose of this form is to allow the State to advise ICAO on aspects of preparation and conduct of the USAP-CMA audit for the purpose of ensuring continuous improvement of the USAP-CMA.
6.4.20 C/ASA will periodically prepare a report on the progress of the USAP-CMA to be submitted to the Secretary General and subsequently distributed to the ICAO Council and other appropriate ICAO bodies, as required. All necessary steps will be taken to ensure these reports are in a form that maintains the confidentiality of State-specific capabilities and/or deficiencies. USAP-CMA progress reports include, but are not limited to:
a) names of States that accepted USAP-CMA activities, including the dates of each activity and the names of airports visited, if applicable;
b) the status of confidential USAP-CMA audit reports completed and submitted to audited States;
c) the number of State CAPs that have been received and accepted;
d) States that are over 60 days late in submitting their CAPs;
e) progress made by States in implementing their CAPs;
f) a summary of feedback received from audited States on the USAP-CMA audit process;
g) common deficiencies identified so that any trend in significant deficiencies experienced by States can be assessed to enable ICAO to study possible solutions as part of the remedial action process;
h) USAP-CMA regional seminars and USAP-CMA auditor training and certification courses planned and conducted; and
i) information regarding a refusal by a State to undergo a USAP-CMA audit, a deferral of the audit, or a refusal to comply with the terms of the relevant MoU.
______________________
Appendix A
GENERIC MEMORANDUM OF UNDERSTANDING (MOU)
Memorandum of Understanding (MoU) between the International Civil Aviation Organization and State [formal name] regarding the Universal Security Audit Programme Continuous Monitoring Approach
Whereas the 33rd Session of the Assembly of the International Civil Aviation Organization (ICAO) in Assembly Resolution A33-1 directed the Council and the Secretary General to consider the establishment of an ICAO Universal Security Audit Programme (USAP);
Whereas the Council during its 166th Session approved the Aviation Security Plan of Action, including the establishment of the USAP, and agreed that priority be given to undertaking audits;
Whereas the 35th Session of the Assembly of ICAO in Assembly Resolution A35-9 requested the Secretary General to continue the USAP, and urged all Member States to agree to audits to be carried out upon ICAO’s initiative by signing a bilateral MoU and to accept the audit missions as scheduled by the Organization;
Whereas the Council during its 176th and 181st Sessions agreed that future audits be guided by the principle of universality, while recognizing that not all States need to be audited at the same frequency; focus, wherever possible, on a State’s capability to provide appropriate national oversight of its aviation security activities through the effective implementation of the critical elements of a security oversight system; and be expanded to include relevant security-related provisions of Annex 9 — Facilitation;
Whereas the Council, during its 187th Session, recognized the need to determine the future nature and direction of the USAP and directed the Secretariat to study the feasibility of applying a continuous monitoring approach (CMA) to the USAP after the conclusion of the second cycle of audits in 2013;
Whereas the 197th Session of the Council formally approved the concept of the USAP Continuous Monitoring Approach (USAP-CMA) and the associated transition plan;
Whereas the 38th Session of the Assembly in Assembly Resolution A38-15 endorsed the Council’s decision to extend the CMA to the USAP in 2015, and requested the Council to oversee the activities of the USAP-CMA;
Whereas the 38th Session of the Assembly urged all Member States to give full support to ICAO by accepting USAP-CMA missions as scheduled by the Organization, facilitating the work of the USAP-CMA teams, and preparing and submitting to ICAO all required documentation;
Recognizing that the effective implementation of State corrective action plans to address deficiencies identified through USAP-CMA activities is an integral and crucial part of the monitoring process in order to achieve the overall objective of enhancing global aviation security; and
Recalling that the ultimate responsibility for the security of civil aviation rests with Member States;
IT IS AGREED AS FOLLOWS:
PART I — USAP-CMA ACTIVITIES — GENERAL 1.
State [formal name], State name], hereinafter referred to as State [abbreviated name], name], hereby agrees to participate fully in the USAP-CMA by taking part in all USAP-CMA activities and by committing to provide information related to the establishment and implementation of its aviation security and oversight systems as requested by ICAO. USAP-CMA activities will cover the Convention on International Civil Aviation (the “Chicago Convention”), Annex 17 – Security Security and the security-related provisions of Annex 9 —– Facilitation.. Facilitation
2.
State [abbreviated name] accepts that the development, implementation and maintenance of the national civil aviation security programme required by Annex 17 remains its responsibility before, during and after any USAP-CMA activity. State [abbreviated name] and ICAO accept that all actions taken by the parties and activities carried out under the USAP-CMA will be conducted in accordance with established USAP principles.
3.
State [abbreviated name] agrees to facilitate USAP-CMA activities by designating an appropriate person to act as National Coordinator (NC) on an on-going basis. The NC will act as a facilitator and primary point of contact for ICAO with regard to all USAP-CMA processes and activities. State [abbreviated name] will be responsible for providing ICAO with updates and information, through its NC, upon request. State [abbreviated name] agrees name] agrees to advise ICAO whenever there is a change in designated NC.
4.
The types of information that ICAO may request to be submitted by State [abbreviated name] under the USAP-CMA will vary depending on the aviation security situation in each State, but may include completing and providing updates to the State Aviation Security Activity Questionnaire (SASAQ), status reports on the implementation of specific USAP-CMA protocol questions (PQs), information relating to Significant Security Concerns (SSeCs), updates to the State Corrective Action Plan (CAP) and any other relevant security information, such as national-level aviation security legislation and airport-level aviation security procedures and practices.
5.
State [abbreviated name] agrees to complete and maintain up-to-date Compliance Checklists, which contain information on the State’s compliance with the Annex 17 Standards and Recommended Practices and the security-related provisions of Annex 9.
6.
If a regional aviation security regulatory and/or oversight body, or any other entity, performs security-related functions on behalf of State [abbreviated name], ICAO, with the consent of State [abbreviated name], may elect to enter into a working arrangement with this regulatory and/or oversight body or entity, as appropriate, to facilitate the monitoring of the State’s aviation security compliance and oversight capabilities.
7.
While monitoring of all ICAO Member States will be conducted on an on-going basis, specific USAP-CMA activities will be scheduled in all States from time to time. These activities include documentation-based audits, conducted primarily by correspondence between ICAO and the States concerned, oversight-focused audits, compliance-focused audits and validation missions. The type of activity to be conducted in each State will be determined by ICAO based on information available to ICAO. State [abbreviated name] may, at any time, request that a USAP-CMA audit be conducted on a cost-recovery basis. The type, scope and scheduling of any such cost-recovery audit shall require agreement between ICAO and the State, and will be assessed by ICAO on a case-by-case basis. The results of these USAP-CMA audits will be treated in the same manner as the results from regularly-scheduled USAP-CMA activities.
8.
During all USAP-CMA activities, ICAO will assess, based on the scope of the activity, a State’s capability to provide appropriate national oversight of its aviation security activities through the effective implementation of the critical elements of an aviation security oversight system, and will evaluate compliance with Annex 17 Standards and relevant security-related provisions of Annex 9. Subsequent USAP-CMA activities will include a process to validate progress made by the State in addressing any identified deficiencies. Validation missions will be used to validate measures taken by States to resolve SSeCs.
PART II — USAP-CMA ACTIVITIES — PREPARATION
9.
ICAO will generate, distribute and publish an annual schedule of planned USAP-CMA activities for the following 12-month period, including both on-site activities and documentation-based audits. This annual schedule of activities will be regularly updated on the USAP secure website.
10.
Direct notification of USAP-CMA activities will be provided to State [abbreviated name] by ICAO with at least 120 calendar days’ advance notice, together with the name(s) of any designated airport(s) to be visited, if applicable. When necessary or useful, State [abbreviated name] and ICAO may mutually agree on a shorter notice period. Unless documented reasons lead the parties to mutually agree upon alternate dates, State [abbreviated name] is urged to accept USAP-CMA activities as scheduled by ICAO.
11.
No change to scheduled USAP-CMA activities will be allowed within 60 calendar days prior to the starting date of an on-site activity, and no change to a scheduled documentation-based audit will be allowed within 30 calendar days of the starting date, except for a compelling reason, such as an act of God or an act of war, submitted to the President of the Council of ICAO for his consideration. Any change made by State [abbreviated name] to the dates of a scheduled cost-recovery activity will be made on a case-by-case basis, with the State incurring all costs associated with such change.
12.
State [abbreviated name] agrees to submit to ICAO, no later than 60 calendar days prior to the start of a USAP-CMA activity, a completed SASAQ designed to provide ICAO with preliminary information concerning the State’s aviation security and oversight systems.
13.
The exact scope of all USAP-CMA activities, including the audit areas and PQs to be covered, will be determined by ICAO based on pre-existing audit information and information provided by State [abbreviated name] and will be communicated to the State at least 30 days in advance of the activity.
14.
For each scheduled USAP-CMA activity, ICAO will identify one or more ICAO-certified auditors to conduct the activity, all of whom will be experts in the field of aviation security. State [abbreviated name] will be provided with the name(s) of the assigned auditor or audit team prior to any scheduled activity and will have the opportunity to provide any desired feedback to ICAO. The composition of the team will be provided to State [abbreviated name] prior to any scheduled on-site activity in sufficient time to enable it to facilitate applications for visas and other administrative matters.
15.
With the exception of cost-recovery activities, where all costs are borne by State [abbreviated name], ICAO will be responsible for the cost of transportation to and from State [abbreviated name], as well as for the daily subsistence allowance (DSA) of the ICAO team members.
16.
In the case of a scheduled documentation-based audit, failure by State [abbreviated name] to provide documentation as requested by ICAO will make the State ineligible for a documentation-based audit and the State will be scheduled for an on-site USAP-CMA activity.
17.
Without prejudice to other privileges and immunities applicable to ICAO as a Specialized Agency of the United Nations and its personnel, all members of ICAO USAP-CMA audit teams shall be immune from legal process in respect of words spoken or written and all acts performed by them in their official capacity.
PART III — USAP-CMA ACTIVITIES — CONDUCT
18.
USAP-CMA activities will be conducted in English, French or Spanish, as requested by State [abbreviated name]. In the case of on-site activities, if the language of correspondence of the State with ICAO is one of the remaining three ICAO working languages, every effort will be made to ensure that at least one team member participating in the activity has command of the ICAO working language of the State concerned.
19.
The ICAO team will develop a State-specific audit plan for each USAP-CMA on-site activity in State [abbreviated name], containing information on the conduct of the scheduled activity. The plan will be forwarded to the NC prior to the activity to facilitate cooperation and coordination. If necessary, last-minute and minor modifications to the State-specific audit plan may be agreed between ICAO and State [abbreviated name] during the opening national briefing.
20.
The NC will be responsible for coordinating all on-site USAP-CMA activities on behalf of State [abbreviated name]. This includes providing the ICAO team with access to all relevant documentation, and all relevant persons and entities responsible for aviation security and facilitation-related matters during the interview and records-review stage of the activity, as well as securing access to areas of the airport or other facilities, as appropriate, for observation as deemed necessary by the ICAO team during the conduct of the USAP-CMA activity.
21.
For on-site activities, State [abbreviated name] agrees to:
a)
make appropriate staff from its administration responsible for the regulation and oversight of aviation security activities and matters related to facilitation, as well as relevant staff of airport operators, locally-based commercial air transport operators and any other entities responsible for the implementation of aviation security measures available for interview by the ICAO team;
b)
make all relevant files, records and documentation of the appropriate authority for aviation security and those of any other relevant entities responsible for aviation security and facilitation matters, including national legislation, programmes and regulations related to aviation security and facilitation, quality control activity records, airport-level programmes, procedures and internal quality control activity records, available for review by the ICAO team; and
c)
provide access to aerodrome facilities and restricted areas of the airport for observation by the ICAO team of aviation security measures implemented by all relevant entities.
22.
State [abbreviated name] agrees to provide support to the USAP-CMA on-site activities by:
a)
providing interpretation services for the duration of the on-site activity or as requested by the ICAO team;
b)
assisting with administrative arrangements for the accommodation of the ICAO team for the duration of the on-site activity;
c)
arranging and meeting the cost of local and intra-State transportation when visits to various locations within the State are required under the State-specific audit plan;
d)
providing adequate working space with privacy for the ICAO team;
e)
providing access to a printer, photocopier, scanner and facsimile machine, if available;
f)
providing Internet access, if available;
g)
providing the ICAO team with airport identification passes for access to facilities and restricted areas of the airport; and
h)
identifying a technical liaison officer to provide security equipment-related information.
23.
During on-site USAP-CMA activities, the ICAO team will assess, based on the scope of the activity, State [abbreviated name]’s capability to provide appropriate national oversight of its aviation security activities through the effective implementation of the critical elements of an aviation security oversight system. The ICAO team will also evaluate State [abbreviated name]’s compliance with Annex 17 Standards and the relevant security-related provisions of Annex 9. In addition to the review of relevant national/airport level regulatory provisions and quality control activity records, the on-site USAP-CMA activity will include a verification of the implementation of aviation security measures through on-site observations at the designated airport(s).
24.
During documentation-based audits, the USAP-CMA auditor will conduct a review of the documents submitted by State [abbreviated name] beginning on the date specified in the annual activity schedule. The auditor may request additional information and/or clarification from State [abbreviated name] and may interview relevant personnel via telephone or other means. The NC will be made available by State [abbreviated name] to facilitate this process and provide all information required.
25.
If, at any time, the ICAO team identifies a potential SSeC during the conduct of any type of USAP-CMA on-site activity, State [abbreviated name] will be immediately notified and the SSeC process outlined in paragraphs 33 to 36 below will be initiated.
26.
Upon completion of an on-site USAP-CMA activity, the ICAO team will conduct a post-audit debriefing in which the team will provide a summary of the results of the USAP-CMA activity to the appropriate government officials, as determined by State [abbreviated name]. These should include senior aviation security management officials and other State and industry representatives responsible for the areas covered by the scope of the USAP-CMA activity. The ICAO team will also provide a briefing on the next steps in the USAP-CMA process. If necessary and appropriate, the post-audit debriefing will be used to notify the State of any preliminary SSeCs identified during the activity. Before departing State [abbreviated name], the ICAO team will also provide the appropriate authority with preliminary findings and recommendations.
27.
Upon completion of a documentation-based audit, the ICAO auditor will conduct a post-audit debriefing with the NC to provide a summary of the results of the activity. The ICAO auditor will advise the NC of the next steps in the USAP-CMA process and provide State [abbreviated name] with preliminary findings and recommendations.
PART IV — USAP-CMA ACTIVITIES — REPORTING
28.
Following completion of a USAP-CMA audit, ICAO undertakes to make available to State [abbreviated name] a confidential report within 60 calendar days from the post-audit debriefing. If the ICAO working language of the State is other than the language of the activity, the audit report will be translated into that language and subsequent timelines will be adjusted accordingly. The confidential report will detail:
a)
information on the level of effective implementation of the critical elements of a State’s aviation security oversight system, as well as analysis of audit results by critical element; and
b)
an indication of the State’s compliance with ICAO Annex 17 Standards and security-related provisions of Annex 9, together with prioritized recommendations for the resolution of identified deficiencies requiring remedial action by the State.
29.
Upon receipt of the audit report, State [abbreviated name] will have 30 calendar days to submit comments and feedback on the report. The audit report may be revised as a result of this feedback.
30.
Should action be necessary to remedy deficiencies identified through the findings and recommendations developed during an audit, State [abbreviated name] undertakes to start working on the preparation of an appropriate CAP immediately after State [abbreviated name] has been debriefed on the audit results and provided with preliminary findings and recommendations, as described in paragraphs 26 and 27 of this MoU. Feedback on the development of the action plan by State [abbreviated name] will be provided during the post-audit debriefing.
31.
Should action be necessary to remedy deficiencies, State [abbreviated name] undertakes to provide ICAO with a CAP within 60 calendar days from the date the USAP-CMA audit report has been made available to the State. The action plan should address the findings and recommendations of the USAP-CMA audit report, providing specific actions, entities responsible for the implementation of such actions, and deadlines for the correction of the deficiencies identified during the audit. If the report requires translation, the timeline for the production of a CAP starts when the State receives the translated USAP-CMA audit report. All subsequent actions will be sequenced accordingly. ICAO will provide State [abbreviated name] with feedback on the acceptability of any proposed CAP. If any proposed corrective actions do not fully address the associated findings and recommendations, State [abbreviated name] will be notified accordingly and requested to resubmit the CAP.
32.
USAP-CMA audit reports will be confidential and made available to State [abbreviated name] and ICAO staff on a need-to-know basis. Concurrently with the preparation of the report, a non-confidential audit activity summary limited to the name of the audited State, the identity of airports visited during the audit, and the completion date of the audit will be developed for release to all Member States. In addition, charts depicting the level of implementation of the critical elements of an aviation security oversight system by State [abbreviated name] and an indication of compliance by State [abbreviated name] with Annex 17 Standards will be made available to all Member States on the USAP secure website.
33.
If applicable, ICAO undertakes to notify State [abbreviated name] in writing, as soon as possible, but not later than 15 calendar days after the last day of the USAP-CMA activity, of the existence and details of any SSeCs requiring immediate corrective action by State [abbreviated name].
34.
In the event that any SSeCs are identified and confirmed, State [abbreviated name] undertakes to provide, within the time frame prescribed by ICAO, but not later than 15 calendar days following the receipt by State [abbreviated name] of the written notification from ICAO, its immediate corrective action to resolve the SSeCs. Failure by State [abbreviated name] to implement satisfactory corrective action and to notify such action to ICAO within the prescribed time frame will result in information pertaining to unresolved SSeCs being made available to all Member States through the USAP secure website until resolved.
35.
No report will be issued following the conduct of a USAP-CMA validation mission. However, if such a mission reveals that one or more SSeCs have been resolved or mitigated by a State, notification of the existence of such SSeC(s) will be removed from the USAP secure website, and the State’s charts on the USAP secure website will be amended accordingly.
36.
If requested by State [abbreviated name], ICAO will evaluate and provide, where possible, direct assistance through relevant technical assistance and/or technical co-operation programmes. Assistance provided through ICAO’s Technical Co-operation Programme would be funded by State [abbreviated name] or another sponsor.
37.
The ICAO Regional Office accredited to State [abbreviated name] will be actively involved in monitoring the progress made by State [abbreviated name] towards implementing its CAP and in the provision of advice and assistance, as required.
PART V — DISPUTE RESOLUTION
38.
Any difference or dispute concerning the interpretation or the application of this Memorandum of Understanding will be resolved by negotiation between the parties concerned.
For the International Civil Aviation Organization
Secretary General
Date

For the Appropriate Authority of State [formal name]
Name:
Title:
Date
______________________
Appendix B
CRITERIA FOR CERTIFICATION AS AN ICAO USAP-CMA AUDITOR
1.
INTRODUCTION
1.1 This document sets forth the criteria for initial certification of ICAO USAP-CMA auditors as required for the conduct of aviation security audits in accordance with this manual and the MoU signed between ICAO and a Member State. The principal objective of these criteria is to ensure that ICAO USAP-CMA activities are conducted by appropriately qualified and experienced aviation security experts who have been trained in the specific application of ICAO USAP-CMA methodology.
1.2 The process used in developing these criteria was to establish first the key competencies required for ICAO USAP auditors, and then to determine the methods by which those competencies would be demonstrated and measured.
2.
LEVELS OF AUDITOR
2.1 There are two levels of auditor within the ICAO USAP-CMA:
a)
ICAO USAP-CMA auditor; and
b)
ICAO USAP-CMA TL.
2.2 ICAO USAP-CMA Auditor level recognizes that a candidate has met the specific competency and training requirements for certification required for the conduct of ICAO USAP-CMA activities as a TM.
2.3 ICAO USAP-CMA TL level recognizes that a candidate has satisfied the criteria for USAP-CMA auditor certification and, in addition, has demonstrated the competencies necessary to manage a USAP-CMA audit team and coordinate all aspects of a complete ICAO USAP-CMA activity.
3.
REQUIREMENTS FOR CERTIFICATION
3.1
Key competencies
3.1.1
Skills and knowledge requirements for USAP-CMA auditors
All ICAO USAP-CMA auditors shall, through education, work experience, auditor training and/or auditing experience, be able to demonstrate a satisfactory level of competence in the following areas:
a)
knowledge of aviation security, including national-level aviation security oversight responsibilities and operational aviation security practices and procedures;
b)
ability to carry out audits of aviation security at the national (State) level and at airports;
c)
knowledge of the Chicago Convention, Annex 17, the aviation security conventions, and related ICAO guidance material;
d)
ability to speak, read and write in an ICAO language;
e)
ability to use office automation equipment and contemporary computer software; and
f)
knowledge of ICAO auditing principles, procedures and techniques, including the ability to:
1)
conduct audits in a consistent and systematic manner in varying situations and circumstances;
2)
collect information through effective interviewing, listening, observing and reviewing documentation and records;
3)
verify the accuracy of collected information and confirm the sufficiency and appropriateness of evidence to support audit findings and recommendations;
4)
record audit activities through the use of appropriate work documents;
5)
prepare accurate, clear and concise audit reports; and
6)
communicate and interact in an international environment as part of a multinational audit team.
3.1.2
Skills and knowledge requirements for USAP-CMA TLs
TLs should have additional knowledge and skills in audit leadership to enable the management of the USAP-CMA audit team and to ensure the overall conduct of the audit in an efficient and effective manner. Thus, the TL must satisfy all of the knowledge and skills requirements for the USAP-CMA auditor, as set forth in 3.1.1 of this appendix, plus have a demonstrated ability to plan, manage and lead a USAP-CMA audit team. Knowledge and skills in this area include the ability to:
a)
plan the USAP-CMA activity and make effective use of resources during the conduct of the activity;
b)
represent the USAP-CMA audit team in communications with the NC and high-level State officials;
c)
organize and direct USAP-CMA activity TMs;
d)
lead the USAP-CMA audit team to reach audit conclusions;
e)
prevent and resolve conflicts; and
f)
prepare and complete the USAP-CMA audit report and related documentation.
3.2
Nomination by an ICAO Member State
3.2.1 All candidates for ICAO USAP-CMA auditor training and certification, other than those who are staff members of ICAO, will be required to be nominated by an ICAO Member State. Details are contained in the State nomination package which consists of the following two parts:
a)
Part I — Nomination by Government; and
b)
Part II — Nominee’s Personal History.
3.2.2 Part I — Nomination by Government. Each Member State nominating a candidate shall agree to assume responsibility for the nominee’s transportation, accommodation and other costs to and from the auditor training course venue. The Member State shall also certify that the nominee is medically fit and is in possession of medical insurance coverage to meet expenses for any sickness or medical emergency during the auditor training and certification. Each Member State shall certify that the nominee meets the following minimum qualification and experience requirements:
a)
the nominee has complete fluency in an ICAO language (both spoken and written) and in the language of instruction of the applicable ICAO USAP-CMA Auditor Training and Certification Course;
b)
the nominee is an aviation security subject matter expert, with a minimum of three years’ operational aviation security experience and extensive knowledge of aviation security using Annex 17 as a reference;
c)
appropriate background and screening checks have been conducted on the nominee to verify identity and previous experience, including any criminal history, and the nominee has been assessed as being suitable to have access to restricted documentation and for work in security restricted areas;
d)
the State has evidence and/or personal knowledge of the truth of the statements contained in the nominee’s personal history form regarding the nominee’s technical and specialized training record, employment history and any auditing/technical evaluation experience;
e)
the nominee is actively employed by the appropriate authority for aviation security of an ICAO Member State in aviation security activities, and any change in this status will be notified to ASA (in certain circumstances, nominees working for aviation industry entities, who meet all other criteria, may be accepted as long as nominated by the government of a Member State); and
f)
upon successful certification, the nominee will, as far as practicable, be made available to ICAO by the State a minimum of once per year for at least the following two years for the purpose of conducting USAP-CMA audits.
3.2.3 Part II — Nominee’s Personal History. Each nominee shall complete a personal history form as part of the State nomination package and shall certify the truth of the following information:
a)
relevant personal details, including language abilities;
b)
technical and/or specialized training record, including diplomas and certificates acquired;
c)
employment record; and
d)
auditing and technical/evaluation experience.
3.2.4 Nomination packages will be submitted to the responsible RO who will review the packages for completeness and perform an initial evaluation as to the suitability of candidates to participate in the training and certification process. The nomination packages of those nominees meeting the selection criteria will be forwarded to ASA.
3.2.5 In the event that the number of nominees exceeds the space available in a particular auditor training course, ASA shall review each nominee’s qualifications and experience and select those that it believes to be the most qualified and suitable, while at the same time allowing for the widest geographical representation of States possible. Nominees not accepted to a particular course due to space restrictions may resubmit their nomination for consideration in a subsequent course.
3.2.6 In the case of candidates who are ICAO staff members and therefore not nominated by a Member State, C/ASA shall be satisfied that the candidate meets similar experience and qualification requirements, as applicable, (as per 3.2.2 of this appendix) prior to proceeding to training and certification, unless specially authorized by ICAO.
3.3
USAP-CMA auditor initial training and certification
3.3.1 Nominees that have been accepted by ICAO as meeting the minimum qualification and experience requirements outlined in 3.2.2 of this appendix must successfully complete the ICAO USAP-CMA Auditor Training and Certification Course.
3.3.2 The objectives of the USAP-CMA Auditor Training and Certification Course are to:
•
provide the auditors with a thorough knowledge and understanding of the methodology, tools and techniques used by ASA for the conduct of activities under the ICAO USAP-CMA;
•
promote a shared understanding of how to evaluate the State’s aviation security and oversight systems and the implementation of ICAO security-related SARPs;
•
help auditors understand the USAP-CMA procedures and methodology;
•
give the auditors the necessary information and tools to enable them to apply the USAP-CMA methodology effectively;
•
ensure awareness and the acquisition of auditing skills and techniques in an international environment; and
•
ensure consistency of performance between different audit teams.
3.3.3 The USAP-CMA Auditor Training and Certification Course is highly interactive and task-oriented, designed to enable trainees to effectively perform selected auditing functions. Teaching methods include lectures, slides, handouts, and individual and group exercises. In addition, module tests are given at the completion of each subject-matter module in order to ensure that trainees have mastered the required skills and knowledge necessary to achieve the set objectives of the module.
3.3.4 Due to the interactive nature of the training course, attendance will normally be limited to 15 participants. There will be a minimum of two instructors for each course, of which at least one will be an ASA staff member. Course instructors will normally be certified USAP auditors with extensive experience in conducting international audits and experience in training.
3.3.5 In order to allow for the continual improvement of the Auditor Training and Certification Course, participants are requested to complete and submit, on an anonymous basis, an evaluation questionnaire at the completion of the course. Feedback is sought in the following areas:
a)
the extent to which the stated course objectives were achieved;
b)
the extent to which the student’s expectations for the module were met;
c)
an evaluation of the class instructors;
d)
an evaluation of the instructional materials and activities (including hand-out materials and module tests); and
e)
an evaluation of the facilities (classroom environment).
3.4
Certification
3.4.1 The certification process consists of four elements: module tests, exercises, a written examination and a practical examination. Below is a description of the different elements of the certification process and how they combine to yield each candidate’s final grade.
Module Tests
3.4.2 The candidates will be expected to complete short module tests based on modules covered. There will be a total of 7 module tests, one each for modules 2 to 8. The purpose of these module tests is twofold:
1)
as a teaching aid, they will allow the facilitators to ensure that candidates have a solid understanding of the subject matter covered; and
2)
as an evaluation tool, the combined score from these tests will provide 20 per cent of each candidate’s final grade for the course.
Exercise
3.4.3 Module 9 of the course involves an exercise that will be used to evaluate each candidate’s knowledge, as well as their ability to synthesize information and draft USAP audit findings and recommendations. The exercise will provide 20 per cent of each candidate’s final grade for the course. This exercise will also provide the basis for the practical examination outlined below.
Written Examination
3.4.4 The written examination will take place on day 6 of the training course and will be comprised of three parts:
Part I — Knowledge of aviation security (including Annex 17 SARPs and security-related provisions of Annex 9, the Aviation Security Manual (Doc 8973 — Restricted), the Aviation Security Oversight Manual — The Establishment and Management of a State’s Aviation Security Oversight System (Doc 10047), and operational aviation security practices and procedures);
Part II — USAP-CMA methodology (principles, processes and procedures) and auditing skills and techniques (including conflict and group management); and
Part III — Identification of security deficiencies and drafting of appropriate findings and recommendations.
3.4.5 Candidates must achieve an overall mark of at least 70 per cent on the written examination. The written examination will provide 40 per cent of each candidate’s final grade for the course.
Practical Examination Examination 3.4.6 The practical examination will take place immediately following the written examination. Candidates will make presentations individually before a panel consisting of the course instructors and, whenever possible, external members. All panel members will be certified USAP auditors. 3.4.7 The practical examination is designed to test the candidate’s knowledge and ability to react in role-playing exercises in simulated audit conditions. Candidates will be required to conduct a post-audit debriefing and to undergo an interview with the panel based on the completed exercises described above. During this examination, candidates will be faced with various hypothetical scenarios and audit issues. Candidates will be evaluated according to their general behaviour and form, the structure and content of their answers, and their ability to deal with challenges and pressure. In
addition, personal attributes and interpersonal skills, as set forth in 5.6, will be evaluated by the course instructors during the practical examination, according to a pass/fail criterion, with particular emphasis on the display of any negative attributes. 3.4.8 Each member of the panel will first mark the candidate individually and will then discuss these results in order to achieve panel consensus. Candidates must achieve an overall mark of at least 70 per cent on the practical examination. The practical examination will provide 20 per cent of each candidate’s final grade for the course.
Grading Grading 3.4.9
In order to be certified as an ICAO USAP-CMA auditor, a candidate must pass: a)
the written examination as well as the practi practical cal examination with a grade of at least 70 per cent in each; and
b)
all four elements of the certif certification ication process with an overall grade of at least 80 per cent.
3.4.10 All certification documents (including the written examination and the results of the practical examination) shall be forwarded to ASA who will then proceed to evaluate the training and certification outcomes to make a determination concerning the suitability of a candidate for certification. Nominating States will be informed, and successful candidates will be provided certificates signed by the Secretary General of ICAO designating them as ICAO-certified USAP-CMA auditors. 3.4.11 Candidates who do not successfully pass the required components for auditor certification will not be precluded from retaking the auditor training and certification course if nominated again by their State in accordance with the procedures set forth in 3.2 of this appendix. However, the nominating State shall be invited to carefully consider its nomination, particularly in light of the fact that the space available in each Auditor Training and Certification Course is very limited and entry to the course for this reason cannot be guaranteed.
3.5 Certification of TLs
3.5.1 As indicated in 3.1.2 of this appendix, USAP-CMA TLs are required to possess additional knowledge and skills in audit management and team leadership and sufficient experience in aviation security to provide guidance to the USAP-CMA audit team in reaching audit conclusions and formulating recommendations. Thus, in addition to satisfying all of the requirements for an ICAO USAP-CMA certified auditor as set forth above, a USAP-CMA TL must ideally meet the following additional requirements:
a) have additional experience in an international civil aviation environment, including extensive operational experience in aviation security with experience in the conduct of audits/evaluations/inspections or similar oversight responsibility;
b) be an ICAO employee, whether on short- or long-term contract; and
c) perform TL OJT under the direct supervision of an experienced TL designated by C/ASA. The OJT will be designed to test the candidate’s abilities to plan, manage and lead a USAP-CMA audit team and will be evaluated in accordance with the TL OJT Evaluation Form.
4. MAINTAINING CERTIFICATION
4.1 USAP-CMA auditors
In order to maintain certification, all ICAO USAP-CMA auditors shall fulfil the following requirements:
a) meet at least one of the following criteria:
    1) conduct a minimum of one USAP-CMA on-site audit every two years; or
    2) complete a USAP-CMA auditor recurrent training and recertification course, as required;
b) continue to fulfil the requirements of 3.2.2 e) of this appendix; and
c) continue to act in compliance with the ICAO Code of Conduct for Auditors (Appendix D).
4.2 USAP-CMA TLs
In order to maintain certification as an ICAO USAP-CMA TL, auditors shall:
a) conduct a minimum of two ICAO USAP-CMA activities per year, of which at least one is as TL;
b) remain employed by ICAO; and
c) continue to act in compliance with the ICAO Code of Conduct for Auditors (Appendix D).
______________________
Appendix C
GUIDANCE FOR STATES ON DEVELOPING CAPs
The development of the CAP primarily serves the purpose of helping the State improve its own aviation security and oversight systems by developing a detailed and logical plan to address deficiencies identified during the USAP-CMA activity. Once a comprehensive plan is developed and submitted to ASA, the CAP will be reviewed, and the State will be provided with any feedback that may be of use to the State. In order for ASA to be able to review and evaluate a CAP, States must provide CAPs that meet certain criteria. This guidance is designed to assist States in the development of effective CAPs that meet ICAO’s requirements.
Note.— If the State disagrees with the finding issued by ICAO and does not submit a CAP for the finding, the State must provide a clear and detailed reason in the “Comments and Observations” field.
General
• Ensure that the required information for each part of the CAP is entered in the correct field of the CAP.
• Address each recommendation individually and provide comments, a proposed corrective action, an office assigned the responsibility to implement the corrective action, and an estimated implementation date (EID).
CAP steps and proposed action items
• Ensure that the proposed actions in a CAP directly and fully address the ICAO recommendation related to the not satisfactory PQ. Pay attention to the Annex SARP and the CE related to the not satisfactory PQ when developing a corrective action to address the recommendation.
• If required, break down large action items into smaller and more manageable steps.
• Describe each proposed action in a clear and detailed manner.
• List the step-by-step corrective actions in the correct sequential and/or chronological order (e.g. establishing a requirement before implementing it).
• Provide a good and clear working plan and adequate detail for the implementation of each proposed action.
• For PQ recommendations associated with CEs 6, 7 and 8, i.e. implementation CEs, describe the process of implementation by providing necessary details on implementing requirements and procedures.
Action office
• Ensure that an action office is indicated for each one of the corrective action steps.
• If more than one organization or entity is involved in each step, identify and record each one clearly.
• Ensure that the action offices identified in each step of the corrective action have the authority to complete the action, especially with respect to the promulgation of legislation and/or regulations.
• For higher level corrective actions, such as the promulgation of primary aviation legislation, enter the name of the entity that has the authority to complete the action.
• Spell out the acronym for the title of an action office the first time it is used in the CAP; use the acronym thereafter.
Evidence reference
• Indicate the document containing the evidence in a clear manner.
• Provide a specific and clear reference to the page, section or paragraph of the document that contains the information that the ICAO officer needs to review and evaluate.
• Avoid broad and generic reference to a large document. Be as specific as possible.
Estimated implementation date (EID)
• State must enter an EID (starting date and completion date) for each step.
• Ensure that the EID is realistic for the action item.
• Ensure that the EID is appropriate for the priority associated with the recommendation; for example, the State should not indicate that it will start conducting quality control activities three years from now.
• State must prioritize its corrective actions for short-, medium- and long-term actions based on priorities associated with the recommendations.
Note.— Some proposed actions may be required on an ongoing basis. In such cases, the word “ongoing” should be included under the “Completion Date” column.
Responding to ASA’s review
• If ASA’s initial review of the CAP reveals that the CAP does not address or only partially addresses the PQ-related recommendations, the State must revise the CAP based on ASA feedback, ensuring that it addresses the shortcomings indicated by ASA.
Updating CAPs
• States must also ensure that they continuously update their CAPs by indicating the:
    a) level of progress for each action item as it is being implemented; and
    b) the date of completion for each action item as it is completed.
• If the initial EID of an action item has passed and the action has not been completed, the State must indicate a new EID in the CAP and advise ASA accordingly.
______________________
Appendix D
ICAO CODE OF CONDUCT FOR AUDITORS
1. As a participant of the USAP-CMA audit team, I solemnly agree to the following:
• to exercise in all loyalty, discretion and conscience the functions entrusted to me as a participant of the USAP-CMA audit team;
• to discharge these functions to the best of my ability;
• to conduct myself with integrity, impartiality and honesty;
• to abide by the rules, procedures, and guidance set out in the ICAO Universal Security Audit Programme Continuous Monitoring Manual;
• not to misuse my official position as part of the USAP-CMA audit team;
• not to receive benefits of any kind from a third party which might reasonably be seen to compromise my personal judgement or integrity;
• to understand and respect the culture, customs, habits and national laws of the country in which the audit takes place;
• to avoid giving cause for resentment and abstain from conduct which would reflect adversely on the USAP-CMA audit team and which would prejudice ICAO;
• not to disclose any information of a confidential nature related to the findings of the USAP-CMA audit to any other party;
• not to disclose any of the following documents to any other party:
    — SASAQ and CCs when filled in by the Member State;
    — PQ Worksheets;
    — Personal notes;
    — USAP-CMA audit report.
2. If I have reason to believe I am being required to act in a way that:
• is illegal, improper or unethical;
• is in breach of the procedures set out in the ICAO Universal Security Audit Programme Continuous Monitoring Manual;
• may involve possible misadministration or is otherwise inconsistent with the above,
I will report this matter in writing to C/ASA.
NAME: DATE:
SIGNATURE:
INTERNATIONAL CIVIL SERVICE COMMISSION
STANDARDS OF CONDUCT FOR THE INTERNATIONAL CIVIL SERVICE
2013

Introduction
1. The United Nations and the specialized agencies embody the highest aspirations of the peoples of the world. Their aim is to save succeeding generations from the scourge of war and to enable every man, woman and child to live in dignity and freedom.
2. The international civil service bears responsibility for translating these ideals into reality. It relies on the great traditions of public administration that have grown up in member States: competence, integrity, impartiality, independence and discretion. But over and above this, international civil servants have a special calling: to serve the ideals of peace, respect for fundamental rights, economic and social progress, and international cooperation. It is therefore incumbent on international civil servants to adhere to the highest standards of conduct; for, ultimately, it is the international civil service that will enable the United Nations system to bring about a just and peaceful world.

Guiding principles
3. The values that are enshrined in the United Nations organizations must also be those that guide international civil servants in all their actions: fundamental human rights, social justice, the dignity and worth of the human person and respect for the equal rights of men and women and of nations great and small.
4. International civil servants should share the vision of their organizations. It is loyalty to this vision that ensures the integrity and international outlook of international civil servants; a shared vision guarantees that they will place the interests of their organization above their own and use its resources in a responsible manner.
5. The concept of integrity enshrined in the Charter of the United Nations embraces all aspects of an international civil servant’s behaviour, including such qualities as honesty, truthfulness, impartiality and incorruptibility. These qualities are as basic as those of competence and efficiency, also enshrined in the Charter.
6. Tolerance and understanding are basic human values. They are essential for international civil servants, who must respect all persons equally, without any distinction whatsoever. This respect fosters a climate and a working environment sensitive to the needs of all. To achieve this in a multicultural setting calls for a positive affirmation going well beyond passive acceptance.
7. International loyalty means loyalty to the whole United Nations system and not only to the organization for which one works; international civil servants have an obligation to understand and exemplify this wider loyalty. The need for a cooperative and understanding attitude towards international civil servants of other United Nations organizations is obviously most important where international civil servants of several organizations are serving in the same country or region.
8. If the impartiality of the international civil service is to be maintained, international civil servants must remain independent of any authority outside their organization; their conduct must reflect that independence. In keeping with their oath of office, they should not seek nor should they accept instructions from any Government, person or entity external to the organization. It cannot be too strongly stressed that international civil servants are not, in any sense, representatives of Governments or other entities, nor are they proponents of their policies. This applies equally to those on secondment from Governments and to those whose services have been made available from elsewhere. International civil servants should be constantly aware that, through their allegiance to the Charter and the corresponding instruments of each organization, member States and their representatives are committed to respect their independent status.
9. Impartiality implies tolerance and restraint, particularly in dealing with political or religious convictions. While their personal views remain inviolate, international civil servants do not have the freedom of private persons to take sides or to express their convictions publicly on controversial matters, either individually or as members of a group, irrespective of the medium used. This can mean that, in certain situations, personal views should be expressed only with tact and discretion.
10. This does not mean that international civil servants have to give up their personal political views or national perspectives. It does mean, however, that they must at all times maintain a broad international outlook and an understanding of the international community as a whole.
11. The independence of the international civil service does not conflict with, or obscure, the fact that it is the member States that collectively make up — in some cases with other constituents — the organization. Conduct that furthers good relations with individual member States and that contributes to their trust and confidence in the organizations’ secretariat strengthens the organizations and promotes their interest.
12. International civil servants who are responsible for projects in particular countries or regions may be called upon to exercise special care in maintaining their independence. At times they might receive instructions from the host country but this should not compromise their independence. If at any time they consider that such instructions threaten their independence, they must consult their supervisors.
13. International civil servants at all levels are accountable and answerable for all actions carried out, as well as decisions taken, and commitments made by them in performing their functions.
14. An international outlook stems from an understanding of and loyalty to the objectives and purposes of the organizations of the United Nations system as set forth in their legal instruments. It implies, inter alia, respect for the right of others to hold different points of view and follow different cultural practices. It requires a willingness to work without bias with persons of all nationalities, religions and cultures; it calls for constant sensitivity as to how words and actions may look to others. It requires avoidance of any expressions that could be interpreted as biased or intolerant. As working methods can be different in different cultures, international civil servants should not be wedded to the attitudes, working methods or work habits of their own country or region.
15. Freedom from discrimination is a basic human right. International civil servants are expected to respect the dignity, worth and equality of all people without any distinction whatsoever. Assumptions based on stereotypes must be assiduously avoided. One of the main tenets of the Charter is the equality of men and women, and organizations should therefore do their utmost to promote gender equality.
Working relations
16. Managers and supervisors are in positions of leadership and it is their responsibility to ensure a harmonious workplace based on mutual respect; they should be open to all views and opinions and make sure that the merits of staff are properly recognized. They need to provide support to them; this is particularly important when staff are subject to criticism arising from the performance of their duties. Managers are also responsible for guiding and motivating their staff and promoting their development.
17. Managers and supervisors serve as role models and they have therefore a special obligation to uphold the highest standards of conduct. It is quite improper for them to solicit favours, gifts or loans from their staff; they must act impartially, without favouritism and intimidation. In matters relating to the appointment or career of others, international civil servants should not try to influence colleagues for personal reasons.
18. Managers and supervisors should communicate effectively with their staff and share relevant information with them. International civil servants have a reciprocal responsibility to provide all pertinent facts and information to their supervisors and to abide by and defend any decisions taken, even when those do not accord with their personal views.
19. International civil servants must follow the instructions they receive in connection with their official functions and, if they have doubts as to whether an instruction is consistent with the Charter or any other constitutional instrument, decisions of the governing bodies or administrative rules and regulations, they should first consult their supervisors. If the international civil servant and supervisor cannot agree, the international civil servant may ask for written instructions. These may be challenged through the proper institutional mechanisms, but any challenge should not delay carrying out the instruction. International civil servants may also record their views in official files. They should not follow verbal or written instructions that are manifestly inconsistent with their official functions or that threaten their safety or that of others.
20. International civil servants have the duty to report any breach of the organization’s regulations and rules to the official or entity within their organizations whose responsibility it is to take appropriate action, and to cooperate with duly authorized audits and investigations. An international civil servant who reports such a breach in good faith or who cooperates with an audit or investigation has the right to be protected against retaliation for doing so.

Harassment and abuse of authority
21. Harassment in any shape or form is an affront to human dignity and international civil servants must not engage in any form of harassment. International civil servants have the right to a workplace environment free of harassment or abuse. All organizations must prohibit any kind of harassment. Organizations have a duty to establish rules and provide guidance on what constitutes harassment and abuse of authority and how unacceptable behaviour will be addressed.
22. International civil servants must not abuse their authority or use their power or position in a manner that is offensive, humiliating, embarrassing or intimidating to another person.
Conflict of interest
23. Conflicts of interest may occur when an international civil servant’s personal interests interfere with the performance of his/her official duties or call into question the qualities of integrity, independence and impartiality required by the status of an international civil servant. Conflicts of interest include circumstances in which international civil servants, directly or indirectly, may benefit improperly, or allow a third party to benefit improperly, from their association with their organization. Conflicts of interest can arise from an international civil servant’s personal or familial dealings with third parties, individuals, beneficiaries, or other institutions. If a conflict of interest or possible conflict of interest does arise, the conflict shall be disclosed, addressed and resolved in the best interest of the organization. Questions entailing a conflict of interest can be very sensitive and need to be treated with care.
Disclosure of information
24. International civil servants should avoid assisting third parties in their dealings with their organization where this might lead to actual or perceived preferential treatment. This is particularly important in procurement matters or when negotiating prospective employment. At times, international civil servants may, owing to their position or functions in accordance with the organization’s policies, be required to disclose certain personal assets if this is necessary to enable their organizations to make sure that there is no conflict. The organizations must ensure confidentiality of any information so disclosed, and must use it only for defined purposes or as authorized by the international civil servant concerned. International civil servants should also disclose in advance possible conflicts of interest that may arise in the course of carrying out their duties and seek advice on mitigation and remediation. They should perform their official duties and conduct their personal affairs in a manner that preserves and enhances public confidence in their own integrity and that of their organization.

Use of the resources of United Nations organizations
25. International civil servants are responsible for safeguarding the resources of United Nations organizations which are to be used for the purpose of delivering an organization’s mandate and to advance the best interests of the organization. International civil servants shall use the assets, property, information and other resources of their organizations for authorized purposes only and with care. Limited personal use of the resources of an organization, such as electronic and communications resources, may be permitted by the organization in accordance with applicable policies.

Post-employment restrictions
26. After leaving service with organizations of the United Nations system, international civil servants should not take improper advantage of their former official functions and positions, including through unauthorized use or distribution of privileged or confidential information; nor should international civil servants, including those working in procurement services and as requisitioning officers, attempt to unduly influence the decisions of the organization in the interest or at the request of third parties with a view to seeking an opportunity to be employed by such third parties.

Role of the secretariats (headquarters and field duty stations)
27. The main function of all secretariats is to assist legislative bodies in their work and to carry out their decisions. The executive heads are responsible for directing and controlling the work of the secretariats. Accordingly, when submitting proposals or advocating positions before a legislative body or committee, international civil servants are presenting the position of the executive head, not that of an individual or organizational unit.
28. In providing services to a legislative or representative body, international civil servants should serve only the interests of the organization, not that of an individual or organizational unit. It would not be appropriate for international civil servants to prepare for Government or other international civil service representatives any speeches, arguments or proposals on questions under discussion without approval of the executive head. It could, however, be quite appropriate to provide factual information, technical advice or assistance with such tasks as the preparation of draft resolutions.
29. It is entirely improper for international civil servants to lobby or seek support from Government representatives or members of legislative organs to obtain advancement either for themselves or for others or to block or reverse unfavourable decisions regarding their status. By adhering to the Charter and the constitutions of the organizations of the United Nations system, Governments have undertaken to safeguard the independence of the international civil service; it is therefore understood that Government representatives and members of legislative bodies will neither accede to such requests nor intervene in such matters. The proper method for an international civil servant to address such matters is through administrative channels; each organization is responsible for providing these.

Staff-management relations
30. An enabling environment is essential for constructive staff-management relations and serves the interests of the organizations. Relations between management and staff should be guided by mutual respect. Elected staff representatives have a cardinal role to play in the consideration of conditions of employment and work, as well as in matters of staff welfare. Freedom of association is a fundamental human right and international civil servants have the right to form and join associations, unions or other groupings to promote and defend their interests. Continuing dialogue between staff and management is indispensable. Management should facilitate this dialogue.
31. Elected staff representatives enjoy rights that derive from their status; this may include the opportunity to address the legislative organs of their organization. These rights should be exercised in a manner that is consistent with the Charter of the United Nations, the Universal Declaration of Human Rights and the international covenants on human rights, and does not undermine the independence and integrity of the international civil service. In using the broad freedom of expression they enjoy, staff representatives must exercise a sense of responsibility and avoid undue criticism of the organization.
32. Staff representatives must be protected against discriminatory or prejudicial treatment based on their status or activities as staff representatives, both during their term of office and after it has ended. Organizations should avoid unwarranted interference in the administration of their staff unions or associations.

Relations with member States and legislative bodies
33. It is the clear duty of all international civil servants to maintain the best possible relations with Governments and avoid any action that might impair this. They should not interfere in the policies or affairs of Governments. It is unacceptable for them, either individually or collectively, to criticize or try to discredit a Government. At the same time, it is understood that international civil servants may speak freely in support of their organizations’ policies. Any activity, direct or indirect, to undermine or overthrow a Government constitutes serious misconduct.
34. International civil servants are not representatives of their countries, nor do they have authority to act as liaison agents between organizations of the United Nations system and their Governments. The executive head may, however, request an international civil servant to undertake such duties, a unique role for which international loyalty and integrity are essential. For their part, neither Governments nor organizations should place international civil servants in a position where their international and national loyalties may conflict.

Relations with the public
35. For an organization of the United Nations system to function successfully, it must have the support of the public. All international civil servants therefore have a continuing responsibility to promote a better understanding of the objectives and work of their organizations. This requires them to be well informed of the achievements of their own organizations and to familiarize themselves with the work of the United Nations system as a whole.
36. There is a risk that on occasion international civil servants may be subject to criticism from outside their organizations; in keeping with their responsibility as international civil servants, they should respond with tact and restraint. It is the obligation of their organizations to defend them against criticism for actions taken in fulfilment of their duties. 37. It would not be proper for international civil servants to air personal grievances or criticize their organizations in public. International civil servants should endeavour at all times to promote a positive image of the international civil service, in conformity with their oath of loyalty.
Relations with the media 38. Openness and transparency in relations with the media are effective means of communicating the organizations’ messages. The organizations should have guidelines and procedures in place for which the following principles should apply: international civil servants should regard themselves as speaking in the name of their organizations and avoid personal references and views; in no circumstances should they use the media to further their own interests, to air their own grievances, to reveal unauthorized information or attempt to influence their organizations’ policy decisions.
Use and protection of information 39. Because disclosure of confidential information may seriously jeopardize the efficiency and credibility of an organization, international civil servants are responsible for exercising discretion in all matters of official business. They must not divulge confidential information without authorization. International civil servants should not use information to personal advantage that has not been made public and is known to them by virtue of their official position. These obligations do not cease upon separation from service. Organizations must maintain guidelines for the use and protection of confidential information, and it is equally necessary for such guidelines to keep pace with developments in communications and other new technology. It is understood that these provisions do not affect established practices governing the exchange of information between the secretariats and member States, which ensure the fullest participation of member States in the life and work of the organizations.
Respect for different customs and culture 40. The world is home to a myriad of different peoples, languages, cultures, customs and traditions. A genuine respect for them all is a fundamental requirement for an international civil servant. Any behaviour that is not acceptable in a particular cultural context must be avoided. However, if a tradition is directly contrary to any human rights instrument adopted by the United Nations system, the international civil servant must be guided by the latter. International civil servants should avoid an ostentatious lifestyle and any display of an inflated sense of personal importance.
Security and safety 41. While an executive head assigns staff in accordance with the exigencies of the service, it is the responsibility of organizations to ensure that the health, well-being, security and lives of their staff, without any discrimination whatsoever, will not be subject to undue risk. The organizations should take measures to protect the safety of their staff and that of their family members. At the same time, it is incumbent on international civil servants to comply with all instructions designed to protect their safety.
Personal conduct 42. The private life of international civil servants is their own concern and organizations should not intrude upon it. There may be situations, however, in which the behaviour of an international civil servant may reflect on the organization. International civil servants must therefore bear in mind that their conduct and activities outside the workplace, even if unrelated to official duties, can compromise the image and the interests of the organizations. This can also result from the conduct of members of international civil servants’ households, and it is the responsibility of international civil servants to make sure that their households are fully aware of this. 43. The privileges and immunities that international civil servants enjoy are conferred upon them solely in the interests of the organizations. They do not exempt international civil servants from observing local laws, nor do they provide an excuse for ignoring private legal or financial obligations. It should be remembered that only the executive head is competent to waive the immunity accorded to international civil servants or to determine its scope.
44. Violations of the law can range from serious criminal activities to trivial offences, and organizations may be called upon to exercise judgement depending on the nature and circumstances of individual cases. A conviction by a national court will usually, although not always, be persuasive evidence of the act for which an international civil servant was prosecuted; acts that are generally recognized as offences by national criminal laws will normally also be considered violations of the standards of conduct for the international civil service.
Outside employment and activities 45. The primary obligation of international civil servants is to devote their energies to the work of their organizations. Therefore, international civil servants should not engage, without prior authorization, in any outside activity, whether remunerated or not, that interferes with that obligation or is incompatible with their status or conflicts with the interests of the organization. Any questions about this should be referred to the executive head. 46. Subject to the above, outside activities may, of course, be beneficial both to staff members and to their organizations. Organizations should allow, encourage and facilitate the participation of international civil servants in professional activities that foster contacts with private and public bodies and thus serve to maintain and enhance their professional and technical competencies. 47. International civil servants on leave, either with or without pay, should bear in mind that they remain international civil servants in the employ of their organization and remain subject to its rules. They may, therefore, accept employment, paid or unpaid, during their leave only with proper authorization. 48. In view of the independence and impartiality that they must maintain, international civil servants, while retaining the right to vote, should not participate in political activities, such as standing for or holding local or national political office. This does not, however, preclude participation in local community or civic activities, provided that such participation is consistent with the oath of service in the United Nations system. It is necessary for international civil servants to exercise discretion in their support for a political party or campaign, and they should not accept or solicit funds, write articles or make public speeches or statements to the press. These cases require the exercise of judgement and, in case of doubt, should be referred to the executive head. 49. The significance of membership in a political party varies from country to country and it is difficult to formulate standards that will apply in all cases. In general, international civil servants may be members of a political party, provided its prevailing views and the obligations imposed on its members are consistent with the oath of service in the United Nations system.
Gifts, honours and remuneration from outside sources 50. To protect the international civil service from any appearance of impropriety, international civil servants must not accept, without authorization from the executive head, any honour, decoration, gift, remuneration, favour or economic benefit of more than nominal value from any source external to their organizations; it is understood that this includes Governments as well as commercial firms and other entities. 51. International civil servants should not accept supplementary payments or other subsidies from a Government or any other source prior to, during or after their assignment with an organization of the United Nations system if the payment is related to that assignment. Balancing this requirement, it is understood that Governments or other entities, recognizing that they are at variance with the spirit of the Charter and the constitutions of the organizations of the United Nations system, should not make or offer such payments.
Conclusion 52. The attainment of the standards of conduct for the international civil service requires the highest commitment of all parties. International civil servants must be committed to the values, principles and standards set forth herein. They are expected to uphold them in a positive and active manner. They should feel responsible for contributing to the broad ideals to which they dedicated themselves in joining the United Nations system. Organizations have the obligation to implement these standards through their policy framework, including rules, regulations and other administrative instruments. For their part, member States are expected, through their allegiance to the Charter and other constituent instruments, to preserve the independence and impartiality of the international civil service. 53. For these standards to be effectively applied, it is essential that they be widely disseminated and that measures be taken and mechanisms put in place to ensure that their scope and importance are understood throughout the international civil service, the member States and the organizations of the United Nations system. 54. Respect for these standards assures that the international civil service will continue to be an effective instrument in fulfilling its responsibilities and in meeting the aspirations of the peoples of the world.
— END —